[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
        MAXIMIZING THE VALUE OF CYBER THREAT INFORMATION SHARING

=======================================================================

                                HEARING

                               before the

                            SUBCOMMITTEE ON
                           CYBERSECURITY AND
                       INFRASTRUCTURE PROTECTION

                                 of the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                               __________

                           NOVEMBER 15, 2017

                               __________

                           Serial No. 115-39

                               __________

       Printed for the use of the Committee on Homeland Security

        Available via the World Wide Web: http://www.govinfo.gov
                                    ______
 
                          U.S. GOVERNMENT PUBLISHING OFFICE 
 
 29-472 PDF                     WASHINGTON : 2018 
 -----------------------------------------------------------------------
   For sale by the Superintendent of Documents, U.S. Government Publishing 
   Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
          DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
                           Washington, DC 20402-0001
                     COMMITTEE ON HOMELAND SECURITY

                   Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas                   Bennie G. Thompson, Mississippi
Peter T. King, New York              Sheila Jackson Lee, Texas
Mike Rogers, Alabama                 James R. Langevin, Rhode Island
Lou Barletta, Pennsylvania           Cedric L. Richmond, Louisiana
Scott Perry, Pennsylvania            William R. Keating, Massachusetts
John Katko, New York                 Donald M. Payne, Jr., New Jersey
Will Hurd, Texas                     Filemon Vela, Texas
Martha McSally, Arizona              Bonnie Watson Coleman, New Jersey
John Ratcliffe, Texas                Kathleen M. Rice, New York
Daniel M. Donovan, Jr., New York     J. Luis Correa, California
Mike Gallagher, Wisconsin            Val Butler Demings, Florida
Clay Higgins, Louisiana              Nanette Diaz Barragan, California
John H. Rutherford, Florida
Thomas A. Garrett, Jr., Virginia
Brian K. Fitzpatrick, Pennsylvania
Ron Estes, Kansas
Vacancy
                   Brendan P. Shields, Staff Director
                 Steven S. Giaier, Deputy Chief Counsel
                    Michael S. Twinchek, Chief Clerk
                  Hope Goins, Minority Staff Director
                                 ------                                

      SUBCOMMITTEE ON CYBERSECURITY AND INFRASTRUCTURE PROTECTION

                    John Ratcliffe, Texas, Chairman
John Katko, New York                 Cedric L. Richmond, Louisiana
Daniel M. Donovan, Jr., New York     Sheila Jackson Lee, Texas
Mike Gallagher, Wisconsin            James R. Langevin, Rhode Island
Thomas A. Garrett, Jr., Virginia     Val Butler Demings, Florida
Brian K. Fitzpatrick, Pennsylvania   Bennie G. Thompson, Mississippi
                                         (ex officio)
Michael T. McCaul, Texas (ex officio)
             Kristen M. Duncan, Subcommittee Staff Director
                            C O N T E N T S

                              ----------                              
                                                                   Page

                               Statements

The Honorable John Ratcliffe, a Representative in Congress From 
  the State of Texas, and Chairman, Subcommittee on Cybersecurity 
  and Infrastructure Protection:
  Oral Statement.................................................     1
  Prepared Statement.............................................     3
The Honorable James R. Langevin, a Representative in Congress 
  From the State of Rhode Island:
  Oral Statement.................................................     4
  Prepared Statement.............................................     7
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Ranking Member, Committee on 
  Homeland Security:
  Prepared Statement.............................................     8
The Honorable Sheila Jackson Lee, a Representative in Congress 
  From the State of Texas:
  Prepared Statement.............................................     9

                               Witnesses

Mr. Robert K. Knake, Whitney Shepardson Senior Fellow, Council on 
  Foreign Relations, On Behalf of The Global Resilience 
  Institute:
  Oral Statement.................................................    11
  Prepared Statement.............................................    12
Ms. Ann Barron-Dicamillo, Vice President, Cyber Intel & Incident 
  Response, American Express:
  Oral Statement.................................................    18
  Prepared Statement.............................................    20
Ms. Patricia Cagliostro, Federal Solutions Architect Manager, 
  Anomali:
  Oral Statement.................................................    23
  Prepared Statement.............................................    24
Mr. Robert H. Mayer, Senior Vice President for Cybersecurity, 
  USTelecom Association:
  Oral Statement.................................................    27
  Prepared Statement.............................................    29

                             For the Record

The Honorable James R. Langevin, a Representative in Congress 
  From the State of Rhode Island:
  Letter.........................................................     6

                                Appendix

Questions From Congressman James R. Langevin for Robert K. Knake.    47
Questions From Honorable James R. Langevin for Ann Barron-
  Dicamillo......................................................    48
Question From Honorable James R. Langevin for Patricia Cagliostro    49
Questions From Honorable James R. Langevin for Robert H. Mayer...    50

 
        MAXIMIZING THE VALUE OF CYBER THREAT INFORMATION SHARING

                              ----------                              


                      Wednesday, November 15, 2017

             U.S. House of Representatives,
                    Committee on Homeland Security,
                         Subcommittee on Cybersecurity and 
                                 Infrastructure Protection,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 2:47 p.m., in 
room HVC-210, Capitol Visitor Center, Hon. John Ratcliffe 
(Chairman of the subcommittee) presiding.
    Present: Representatives Ratcliffe, Garrett, Fitzpatrick, 
Donovan, Katko, Langevin, and Jackson Lee.
    Mr. Ratcliffe. The Committee on Homeland Security's 
Subcommittee on Cybersecurity and Infrastructure Protection 
will come to order. The subcommittee is meeting today to 
receive testimony regarding how to maximize the value of cyber 
threat information sharing. I now recognize myself for an 
opening statement.
    The severity of the threats we face in cyber space can't be 
overstated. Seemingly, every week there's a new headline about 
a new breach, a new hack, or a new trove of sensitive 
information that's been compromised. Or there's a new report 
highlighting the vulnerabilities our Government, the private 
sector, and the American people face from malicious actors.
    Those on the operational front of cybersecurity know the 
threat landscape is evolving at every second. In cyber space, 
it's nearly impossible to concisely declare who the threat 
actor is, what they're going to do next, and what the cascading 
effects may be.
    The industry method is to prioritize, assess the risks that 
networks face and prioritize actions to address those risks, 
and then keep moving down the list. We in the Government must 
learn from the private sector, assess risks, prioritize 
mitigation, and keep moving.
    As I've said before, whether we rise up to the challenges 
in cyber space will play a large part in determining whether 
America remains the world's superpower.
    To effectively address these threats, I couldn't agree more 
with the consensus opinion that the private sector and the 
Government need to collaborate. I see a big part of our 
collective responsibility being to ensure that this 
collaboration results in not just rhetoric, but in a tangible 
improvement in our country's cybersecurity posture.
    What we're here today to examine is perhaps one of the most 
readily visible and promising forms of this collaboration: The 
sharing of cyber threat indicators between the private sector 
and the Federal Government.
    In an ecosystem where there is no silver bullet, it's 
incumbent upon us to conduct rigorous oversight of our 
information-sharing programs to help increase the participation 
in and volume of cyber threat information shared with the 
private sector.
    The private sector is the front line for action in cyber 
space. In supplying the private sector with an increasing 
amount of actionable information, we enable our partners to 
tilt the scales away from our cyber adversaries.
    As a committee, we are continually seeking to learn about 
possible ways that the Department can help to increase the 
resilience of private-sector networks and fine-tune their own 
efforts for the response, analysis, and mitigation of cyber 
threats.
    According to DHS, the Automated Indicator Sharing program 
has shared over 1.3 million unique indicators, more than 
264,000 shared in September alone. There are currently 135 non-
Federal entities participating in AIS, 22 of which are sector-
specific organizations comprised of groups of companies. DHS 
estimates the actual reach of AIS indicators to be greater than 
10,000 organizations.
    As encouraging as it is to see these programs take shape 
and fill the very important role of convening partners and 
bridging information sharing from the Government to the private 
sector, we can do better. A recent report from the DHS Office 
of Inspector General reinforces this notion that there's more 
work to be done.
    Today I look forward to hearing insights and 
recommendations from our witnesses that we can take back to DHS 
to continue to strengthen its work sharing cyber threat 
information. We are tasked with overseeing the crucial DHS 
programs, knowing that improvements are always possible.
    Each of you has a unique perspective that will provide 
invaluable knowledge that we can build on as DHS continues to 
refine its programs. We will need creative and possibly 
significant changes to the way that we do things if we expect 
to gain ground in this fight.
    In a space this transformative and this disruptive, the 
best option is continued partnership. As disparate as the 
opinion of the private sector and the Government can be on many 
issues, when it comes to security, we are all looking for able, 
willing, and effective partners. The information technology 
landscape is central to every sector of the economy and every 
consumer and individual who depend on these systems.
    The automation of cyber threat information and the 
incorporation of Classified and Unclassified information are 
areas the Government can work on in order to increase the 
effectiveness of the information being provided to the private 
sector.
    It is for this reason that we have gathered this panel of 
experts to talk to the efficacy of cyber threat information 
sharing and improvements that can be made with it. We look 
forward to hearing from the witnesses, their perspectives and 
understanding of the current state of cyber threat information 
sharing, and their vision and their recommendations for a safer 
future.
    Again, thanks to our witnesses for your willingness to 
share your expertise with us today.
    [The statement of Chairman Ratcliffe follows:]
                  Statement of Chairman John Ratcliffe
                           November 15, 2017
    The severity of the threats we face in cyber space cannot be 
overstated. Seemingly every week there's a new headline about a new 
breach, a new hack, or a new trove of sensitive information that's been 
compromised. Or there's a new report highlighting the vulnerabilities 
our Government, the private sector, and the American people face from 
malicious actors.
    Those on the operational front of cybersecurity know the threat 
landscape is evolving at every second. In cyber space it is nearly 
impossible to concisely declare who the threat actor is, what they are 
going to do next, and what the cascading effects may be.
    The industry method is to prioritize; assess the risks that 
networks face and prioritize actions to address those risks, and then, 
keep moving down the list. We in the Government must learn from the 
private sector, assess risks, prioritize mitigation, and keep moving.
    As I've said before--whether we rise up to our challenges in cyber 
space will play a large part in determining whether America remains the 
world's superpower.
    To effectively address these threats, I couldn't agree more with 
the consensus opinion that the private sector and Government need to 
collaborate. I see a big part of our collective responsibility being to 
ensure that this collaboration results in, not just rhetoric, but, in a 
tangible improvement to our country's cybersecurity posture.
    What we're here today to examine is perhaps one of the most readily 
visible and promising forms of this collaboration--the sharing of cyber 
threat indicators between the private sector and Federal Government.
    In an ecosystem where there is no silver bullet, it's incumbent 
upon us to conduct rigorous oversight of our information-sharing 
programs to help increase the participation in and volume of cyber 
threat information shared with the private sector.
    The private sector is the front line for action in cyber space. In 
supplying the private sector with an increasing amount of actionable 
information, we enable our partners to tilt the scales away from our 
cyber adversaries.
    As a committee, we are continually seeking to learn about possible 
ways that the Department can help to increase the resilience of 
private-sector networks and fine-tune their own efforts for the 
response, analysis, and mitigation of cyber threats. According to DHS, 
the Automated Indicator Sharing program has shared over 1,335,036 
unique indicators, 264,234 shared in September alone, and there are 
currently 135 non-Federal entities participating in AIS, 22 of which 
are sector-specific organizations comprised of groups of companies. DHS 
estimates the actual reach of AIS indicators to be greater than 10,000 
organizations.
    As encouraging as it is to see these programs take shape and fill 
the very important role of convening partners and bridging information 
sharing from the Government to the private sector, we can do better. A 
recent report from the DHS Office of Inspector General reinforces this 
notion that there is more work to be done.
    Today I look forward to hearing insights and recommendations from 
our witnesses that we can take back to DHS to continue to strengthen 
its work sharing cyber threat information. We are tasked with 
overseeing the crucial DHS programs, knowing that improvements are 
always possible. Each of you has a unique perspective that will provide 
invaluable knowledge that we can build on as DHS continues to refine 
its programs. We will need creative and possibly significant changes to 
the way that we do things if we expect to gain ground in this fight.
    In a space this transformative and this disruptive, the best option 
is continued partnership. As disparate as the opinion of the private 
sector and the Government can be on many issues, when it comes to 
security, we are all looking for able, willing, and effective partners. 
The information technology landscape is central to every sector of the 
economy and every consumer and individual who depend on these systems.
    The automation of cyber threat information and the incorporation of 
Classified and Unclassified information are areas the Government can 
work on in order to increase the effectiveness of the information being 
provided to the private sector. It is for that reason that we have 
gathered this panel of experts to talk to the efficacy of cyber threat 
information sharing and improvements that can be made.
    We look forward to hearing from the witnesses their perspective and 
understanding of the current state of cyber threat information sharing 
and their vision and recommendations for a safer future. Again, thank 
you to our witnesses for your willingness to share your expertise.

    Mr. Ratcliffe. I now recognize the Ranking Member, my 
colleague and friend from Rhode Island, Mr. Langevin, for any 
opening statement that he may have.
    Mr. Langevin. Well, thank you, Mr. Chairman.
    Good afternoon to our witnesses.
    I want to begin by thanking Chairman Ratcliffe for holding 
today's hearing on cyber threat information sharing and his 
leadership on this issue more broadly.
    Two years ago, Congress passed the Cybersecurity Act of 
2015 to remove barriers to fuller and faster cybersecurity 
threat indicator sharing, both between Government and the 
private sector and among private entities. This legislation was 
the result of years of negotiation between experts from 
industry, academia, privacy advocates, and security 
professionals. At the time, there was broad consensus that we 
were not sharing, analyzing, and integrating data around cyber 
threats as well as we could be.
    To answer this gap in our cybersecurity posture, 
representatives from both sides of the aisle came together as 
partners to deliver legislation that removed the legal hurdles 
that prevented the free flow of threat indicators and to 
provide liability protections to encourage sharing.
    Today those barriers are gone. There are ironclad 
authorizations for companies to share indicators within 
industry and back and forth with the Federal Government. There 
are liability protections to ensure that these actions do not 
inadvertently put companies at risk. There are even protections 
on the data themselves to ensure that they are not used for any 
regulatory action by the Government.
    The Cybersecurity Act of 2015 also created a channel for 
the Government to better disseminate information that would 
otherwise be Classified. By placing these signals amongst the 
contributions from all participants, DHS can basically disguise 
the original sources. During the period of October 2015 to 
April 2017, the Department shared some 2,290 formerly 
Classified cyber threat indicators through the Automated 
Indicator Sharing program, or AIS.
    However, despite these advancements, we have a long way to 
go in operationalizing the law and policy that has been 
developed. AIS is a good example--is a great example, I should 
say. Barely more than 100 companies right now have elected to 
join the program and contribute to the common threat picture, a 
level of participation that is simply, quite frankly, 
unacceptable.
    Part of this is on the Department, as we have heard 
numerous times before this committee that the indicators shared 
by the Government are often late and lack important context. 
But part of this also falls on industry. After all, with only 
roughly 100 private-sector participants, it seems many people 
knocking the data being shared by AIS haven't applied much 
effort to analyzing the data. 2,290 formerly Classified threat 
indicators, I believe, certainly count for something.
    So that's why I'm grateful to Chairman Ratcliffe and 
Ranking Member Richmond for continuing to study this issue. We 
need to know what is and isn't working with the law and with 
the Department's efforts. We also need to know what activities 
are being enabled that weren't happening before passage of the 
law and the iron-clad authorizations that I mentioned.
    I've said many times that information sharing is not a 
silver bullet. In fact, there is no such thing in 
cybersecurity. But I do believe in its promise to help better 
our cybersecurity posture, and we in Congress owe it to the 
American people to ensure that we are meeting that potential.
    So I will be interested in hearing from the witnesses what 
we in Congress can do to improve the Department's efforts and 
to improve uptake among private-sector participants.
    Personally, I think that we may need some more assistance 
from the Department in building a robust ecosystem around the 
feed rather than just relying on it being out there. I hope the 
Department looks to the financial sector's expertise, with 
Soltra Edge for guidance. But I also hope that the private 
sector, innovative as it is, applies some of the creativity to 
the data coming out of DHS rather than waiting.
    Finally, there are two related issues that I want to 
mention briefly.
    First, I believe that it will be extremely difficult for 
the Department to make any lasting changes in its policies 
without permanent political leadership in place. I hope the 
administration moves swiftly to fill critical vacancies at the 
National Protection and Programs Directorate. Cybersecurity is 
a National priority, and the personnel decisions made by the 
White House need to reflect that.
    Second, a brief comment on the new Vulnerabilities Equities 
Process, or the VEP charter that's released today. Now, I'm 
grateful that the document continues the presumption of 
disclosure and ensures a broad array of Government 
stakeholders, including DHS, have a seat at the table when 
discussing vulnerabilities.
    I'm also pleased by the increased level of transparency 
indicated by the publication of the charter in Unclassified 
form and by the annual reports, including to Congress, that it 
requires.
    We owe the selfless Americans who serve their Nation as 
members of the intelligence community an enormous debt of 
gratitude, a debt that is far too infrequently acknowledged. As 
Members of Congress, we also owe them rigorous oversight to 
ensure that the tools they develop remain secure.
    I believe that the VEP is an appropriate process for 
selecting the very few vulnerabilities where disclosure will be 
delayed. However, that process falls apart if the exploits 
cannot be kept in Government hands, and Congress must do more 
to ensure those safeguards are in place.
    So, with that, I'd like to thank the witnesses for being 
here today. I certainly look forward to discussing ways to 
improve our collective cybersecurity with all of them.
    Before I yield back, Mr. Chairman, I have a letter that I'd 
like to submit for the record from the Electronic Privacy 
Information Center on some of these topics as well.
    Mr. Ratcliffe. Without objection, it will be admitted into 
the record.
    [The information follows:]
    Letter Submitted For the Record From Honorable James R. Langevin
                                 November 15, 2017.
The Honorable John Ratcliffe, Chairman,
The Honorable Cedric L. Richmond, Ranking Member,
U.S. House Committee on Homeland Security, Subcommittee on 
        Cybersecurity and Infrastructure Protection, H2-176 Ford House 
        Office Building, Washington, DC 20515.
    Dear Chairman Ratcliffe and Ranking Member Richmond: We write to 
you regarding the hearing on ``Maximizing the Value of Cyber Threat 
Information Sharing.''\1\ EPIC is a public interest research center 
established in 1994 to focus public attention on emerging privacy and 
civil liberties issues.\2\ We are particularly interested in the 
privacy issues raised by the government's cybersecurity policies that 
implicate the collection and use of personal data.
---------------------------------------------------------------------------
    \1\ Maximizing the Value of Cyber Threat Information Sharing, 115th 
Cong. (2017), H. Comm. on Homeland Security, Subcomm. on Cybersecurity 
and Infrastructure Protection (Nov. 15, 2017), https://
homeland.house.gov/hearing/maximizing-value-cyber-threat-information-
sharing/.
    \2\ See About EPIC, EPIC.org, https://epic.org/epic/about.html.
---------------------------------------------------------------------------
    At the end of 2015, the Cybersecurity Act of 2015 was signed into 
law.\3\ Title I of that act, known as the Cybersecurity Information 
Sharing Act of 2015 (CISA), created a mechanism for the Federal 
Government to disseminate cyber threat information to the private 
sector and for the private sector to provide cyber threat information 
to the Federal Government.\4\ Much of that information concerns the 
activities of individual Internet users.
---------------------------------------------------------------------------
    \3\ Consolidated Appropriations Act, 2016, Public Law 114-113, 
December 18, 2015, 129 Stat 2242, 6 U.S.C. 1501-1510.
    \4\ Id.
---------------------------------------------------------------------------
    CISA and earlier bills, such as the Cyber Intelligence Sharing and 
Protection Act (CISPA), were criticized for the potential to compromise 
Americans' privacy.\5\ With passage of the Cybersecurity Act of 2015, 
the risk to privacy still remains.\6\ The bill relies on a complex 
procedure to ``scrub'' identifying information from the computer logs 
that are turned over by private firms to the Federal Government. This 
information is explicitly acquired without the privacy safeguards that 
would otherwise apply under the Federal wiretap.
---------------------------------------------------------------------------
    \5\ See Jeramie D. Scott, Cybersecurity: the view from Washington, 
Daily Journal (Jan. 28, 2015), available at https://epic.org/epic/
jeramie-scott-cybersecurity-oped.pdf; Wired staff, CISA Security Bill 
Passes Senate With Privacy Flaws Unfixed, Wired (Oct. 27, 2015), 
https://www.wired.com/2015/10/cisa-cybersecurity-information-sharing-
act-passes-senate-vote-with-privacy-flaws/; Danny Weitzner, The New US 
Cybersecurity Bill Will Invade Your Privacy, But It Won't Keep You 
Safe, Quartz (Nov. 8, 2015), https://qz.com/543692/americans-should-
probably-be-more-freaked-out-about-that-new-cybersecurity-bill/.
    \6\ See Taylor Armerding, Information Sharing Bill Passes, But 
Privacy Debate Goes On, CSO (Jan. 14, 2016), https://www.csoonline.com/
article/3021907/security/information-sharing-bill-passes-but-privacy-
debate-goes-on.html.
---------------------------------------------------------------------------
    Effective oversight of the government's collection and use of 
personal data is particularly important in the realm of cybersecurity 
where it is easy to obtain vast troves of personal information with 
little accountability. The history of the U.S. government's 
surveillance of domestic communications in collaboration with private 
companies \7\ makes it imperative that Congress ensure that CISA 
safeguards Americans' privacy.
---------------------------------------------------------------------------
    \7\ EPIC, EPIC v. Hemisphere, https://epic.org/foia/dea/
hemisphere/.
---------------------------------------------------------------------------
    We urge you to ask detailed questions about the dissemination of 
information from companies to the government, including:
    1. What personal information is disseminated to the government in 
        the context of providing cyber threat information?
    2. What processes do you use to mitigate the privacy risks before 
        providing cyber threat information to the government?
    3. What are the privacy risks with the current mechanism to provide 
        cyber threat information to the government?
    4. What more could be done to safeguard the personal data of 
        Americans?
    We ask that this letter be entered in the hearing record. EPIC 
looks forward to working with the Subcommittee on these issues of vital 
importance to the American public.
            Sincerely,
                                            Marc Rotenberg,
                                                    EPIC President.
                                      Caitriona Fitzgerald,
                                              EPIC Policy Director.
                                             Jeramie Scott,
                                    EPIC National Security Counsel.

    Mr. Langevin. Thank you, Mr. Chairman. I yield back.
    [The statement of Hon. Langevin follows:]
                Statement of Honorable James R. Langevin
                           November 15, 2017
    Two years ago, Congress passed the Cybersecurity Act of 2015 to 
remove barriers to fuller and faster cybersecurity threat indicator 
sharing both between Government and the private sector and among 
private entities.
    This legislation was the result of years of negotiation between 
experts from industry, academia, privacy advocates, and security 
professionals. At the time, there was broad consensus that we were not 
sharing, analyzing, and integrating data around cyber threats as well 
as we could be.
    To answer this gap in our cybersecurity posture, Representatives 
from both sides of the aisle came together as partners to deliver 
legislation that removed the legal hurdles that prevented the free flow 
of threat indicators and to provide liability protections to encourage 
sharing.
    Today, those barriers are gone. There are iron-clad authorizations 
for companies to share indicators within industry and back and forth 
with the Federal Government. There are liability protections to ensure 
that these actions do not inadvertently put companies at risk. There 
are even protections on the data themselves to ensure that they are not 
used for any regulatory action by the Government.
    The Cybersecurity Act of 2015 also created a channel for the 
Government to better disseminate information that would otherwise be 
Classified. By placing these signals amongst the contributions from all 
participants, DHS can disguise the original sources. During the period 
of October 2015 to April 2017, the Department has shared 2,290 formerly 
Classified cyber threat indicators through the Automated Indicator 
Sharing program, or AIS.
    However, despite these advancements, we have a long way to go in 
operationalizing the law and policy that has been developed.
    Barely more than 100 companies have elected to join the program and 
contribute to the common threat picture, a level of participation that 
is simply unacceptable.
    Part of this is on the Department, as we have heard numerous times 
before this committee that the indicators shared by the Government are 
often late and lack important context.
    But part of this also falls to industry--after all, with only 
roughly 100 private-sector participants, it seems many people knocking 
the data being shared by AIS haven't applied much effort to analyzing 
the data. Two-thousand two hundred formerly Classified threat 
indicators certainly count for something.
    That is why I am grateful to Chairman Ratcliffe and Ranking Member 
Richmond for continuing to study this issue. We need to know what is 
and isn't working with the law and with the Department's efforts. We 
also need to know what activities are being enabled that weren't 
happening before passage of the law and the iron-clad authorizations I 
mentioned.
    I have said many times that information sharing is not a silver 
bullet--in fact, there is no such thing in cybersecurity. But I do 
believe in its promise to help better our cybersecurity posture, and we 
in Congress owe it to the American people to ensure we are meeting that 
potential.
    So I will be interested in hearing from the witnesses what we in 
Congress can do to improve the Department's efforts and to improve 
uptake among private-sector participants.
    Personally, I think that we may need some more assistance from the 
Department in building a robust ecosystem around the feed--rather than 
just relying on it being out there--and I hope the Department looks to 
the Financial Sector's experience with Soltra Edge for guidance.
    But I also hope that the private sector, innovative as it is, 
applies some of the creativity to the data coming out of DHS rather 
than waiting.
    Finally, there are two related issues that I want to mention 
briefly.
    First, I believe it will be extremely difficult for the Department 
to make any lasting changes in its policies without permanent political 
leadership in place, and I hope the administration moves swiftly to 
fill critical vacancies at the National Protection and Programs 
Directorate. Cybersecurity is a National priority, and the personnel 
decisions made by the White House need to reflect that.
    Second, a brief comment on the new Vulnerabilities Equities Process 
(VEP) Charter released today. I am grateful that the document continues 
the presumption of disclosure and ensures a broad array of Government 
stakeholders, including DHS, have a seat at the table when discussing 
vulnerabilities. I am also pleased by the increased level of 
transparency indicated by the publication of the Charter in 
Unclassified form and by the annual reports, including to Congress, it 
requires.
    We owe the selfless Americans who serve their Nation as members of 
the intelligence community an enormous debt of gratitude, a debt that 
is far too infrequently acknowledged. As Members of Congress, we also 
owe them rigorous oversight to ensure the tools they develop remain 
secure. I believe that the VEP is an appropriate process for selecting 
the very few vulnerabilities where disclosure will be delayed. However, 
that process falls apart if the exploits cannot be kept in Government 
hands, and Congress must do more to ensure those safeguards are in 
place.
    With that, I would like to thank the witnesses for being here 
today, and I look forward to discussing ways to improve our collective 
cybersecurity with them.

    Mr. Ratcliffe. I thank the gentleman.
    Other Members of the committee are reminded that opening 
statements may be submitted for the record.
    [The statements of Ranking Member Thompson and Honorable 
Jackson Lee follow:]
             Statement of Ranking Member Bennie G. Thompson
                           November 15, 2017
    When this committee was formed, the Nation was still reeling from 
the September 11, 2001, attacks, and the difficult reality that there 
were significant information-sharing gaps between our intelligence 
services and law enforcement.
    In the months that followed 9/11, the Bush White House warned of 
``invisible enemies that can strike with a wide variety of weapons'' 
and urged the Congress to stand up a consolidated Department of 
Homeland Security to protect against the known threats of the day and 
the unknown threats of the future.
    Fifteen years later, the threat landscape has changed dramatically. 
The ``invisible enemies'' we face are hackers hiding in plain sight, 
casing our networks to figure out how to penetrate deeper, steal data, 
and manipulate networked systems. Fortunately, we do not need to 
relearn the lessons that 9/11 taught us.
    We know that information sharing--in this case, among the public 
and private sector--can help mitigate or even prevent cyber intrusions. 
And the Cybersecurity Act of 2015 put in place the mechanisms necessary 
to facilitate and incentivize robust information sharing. That said, 
the more things change, the more they stay the same.
    After 9/11, we had to overcome an initial reluctance among the 
intelligence community and law enforcement to liberally share threat 
information with other agencies that needed to know.
    Among other things, information sharing struggled to overcome 
challenges related to turf wars, fear of reputational damage, and 
balancing the need to protect information and the need to share it so 
law enforcement would be able to act.
    Similarly, today DHS is struggling to incentivize private-sector 
participation in its cyber threat information-sharing platforms, 
despite Congress acquiescing to demands for strong liability 
protections.
    We hear from stakeholders that the information shared is not 
actionable, that too much of the information necessary to make 
indicators actionable is Classified, and that there is a lack of 
confidence in the validity of some indicators because of a lack of 
adequate vetting.
    These are all issues that Federal, State, and local law enforcement 
had to overcome in the years following 9/11, and, with the help of 
Congress and DHS, they have made tremendous progress.
    I have every confidence that the same will be true for cyber threat 
information sharing.
    That said, I am concerned that we continue to hear the same pattern 
of criticisms over DHS cyber threat information products, and I will be 
interested to know how DHS solicits and incorporates feedback into its 
programs, from Automated Indicator Sharing (AIS) to the Cyber 
Information Sharing and Collaboration Program.
    I also look forward to hearing from witnesses how DHS can attract 
better participation from non-Federal network owners and operators, who 
control 80 percent of our Nation's networks.
    I have heard some concerns that potential participants are holding 
out until DHS's programs prove greater value, but I would caution that 
DHS's voluntary programs are only as good as the participants make 
them. If the private sector refuses to participate in two-way 
information sharing, DHS's programs are doomed to fail.
                                 ______
                                 
               Statement of Honorable Sheila Jackson Lee
                           November 15, 2017
    Chairman Ratcliffe and Ranking Member Richmond, thank you for 
convening today's hearing of the Homeland Security Committee 
Subcommittee on Cybersecurity & Infrastructure Protection on the topic 
of ``Maximizing the Value of Cyber Threat Information Sharing.''
    Today's hearing will give Members an opportunity to hear from 
stakeholders to learn their perspectives on the Department of Homeland 
Security's (DHS) execution of its cyber threat information-sharing 
responsibilities as established by the Cybersecurity Act of 2015.
    I look forward to hearing from today's witnesses:
   Anne Barron-DiCamillo, vice president, cyber threat 
        intelligence and incident response, American Express;
   Trish Cagliostro, Federal solutions architect manager, 
        Anomali;
   Robert Knake, senior research scientist, Northeastern 
        University Global Resilience Institute; and
   Robert Mayer, senior vice president, cybersecurity, US 
        Telecom Association (Democratic witness).
    Today presents an important opportunity to engage stakeholders on 
private-sector reluctance to participate in DHS's Automated Indicator 
Sharing (AIS), and how DHS can improve confidence in its cyber threat 
information work that is being shared with private industry.
    The information shared is only as good as the level of trust that 
is put on it by the intended audience.
    We need to understand how the cybersecurity work of DHS is 
perceived.
    Over the past year, Russian actors targeted U.S. election 
infrastructure, hackers escalated efforts to breach the domestic energy 
sector, and WannaCry and NotPetya ransomware wreaked havoc on public 
and private infrastructure around the world.
    According to Symantec, ``The world of cyber espionage experienced a 
notable shift toward more overt activity, designed to destabilize and 
disrupt targeted organizations and countries.''
    Protecting against these growing cyber threats will require public 
and private-sector entities to share cyber threat and incident 
information that is timely and actionable.
                            dhs cyber assets
    The NPPD Office of Cybersecurity & Communications (CS&C), 
specifically the National Cybersecurity and Communications Integration 
Center (NCCIC), carries out the bulk of the DHS responsibility of 
facilitating the sharing of cyber threat information.
    Although DHS is authorized to deploy a range of tools, resources, 
and programs to carry out its cyber mission, it has limited authority 
to regulate privately-owned networks and cannot require private 
entities to adopt specific security measures, grant access to their 
systems, or share information.
    Instead, the success of DHS efforts relies on voluntary 
participation from the private sector.
    DHS voluntary cyber threat information-sharing programs include:
   Cyber Information Sharing and Collaboration Program (CISCP);
   Enhanced Cybersecurity Services (ECS); and
   Automated Indicator Sharing (AIS).
    DHS must be prepared to collect analysis and deliver actionable 
information that is relevant to the industry or entity who is the 
intended audience.
    The bulk of our Nation's critical infrastructure is owned and 
controlled by the private sector.
    The partnership to protect the electric grid, water systems, mass 
transit systems, and the telecommunication networks must be a 
partnership that works well for the private and public sector.
    Earlier this year, the full Homeland Security Committee marked up 
H.R. 3202, the Cyber Vulnerability Disclosure Reporting Act.
    This bill seeks a report on the Department of Homeland Security's 
policies and procedures for coordinating cyber vulnerability 
disclosures such as Zero Day Events with private-sector partners.
    The Jackson Lee cybersecurity information-sharing bill requires the 
Secretary of Homeland Security to submit a report on the policies and 
procedures developed for coordinating cyber vulnerability disclosures.
    The report will include an annex with information on instances in 
which cybersecurity vulnerability disclosure policies and procedures 
were used to disclose details on identified weaknesses in computing 
systems or digital devices at risk.
    The report also provides information on the degree to which the 
information provided by DHS was used by industry and other 
stakeholders.
    The report may also contain a description of how the Secretary of 
Homeland Security is working with other Federal entities and critical 
infrastructure owners and operators to prevent, detect, and mitigate 
cyber vulnerabilities.
    The reason that I worked to bring this bill before the committee is 
the problem often referred to as a ``Zero Day Event,'' which describes 
the situation that network security professionals may find themselves 
in when a previously-unknown error in computing code is exploited by a 
cyber criminal or terrorist.
    The term ``Zero Day Event'' simply means that there is zero time to 
prepare a defense against a cyber attack.
    Cyber attacks that target computer networks or computing devices 
primarily focus upon exploiting errors in computing code.
    If the defect in software is discovered by network engineers, 
software development companies can work to develop a ``patch'' to fix 
the problem before it can be exploited by those who may seek to do 
harm.
    Because vulnerabilities can be used by adversaries, it is important 
that this sensitive information be managed securely so details are not 
routinely made available either to the public or to Congress.
    This bill will provide the committee with the opportunity to 
understand the process and procedures used by the Department of 
Homeland Security and the benefit these disclosures may have for 
private-sector entities participating in programs in support of 
cybersecurity.
    I look forward to hearing from today's witnesses.
    Thank you.

    Mr. Ratcliffe. We are very pleased to have a very 
distinguished panel of witnesses before us today on this 
important topic.
    Mr. Robert Knake is the Whitney Shepardson senior fellow at 
the Council on Foreign Relations and is testifying today on 
behalf of the Global Resilience Institute.
    Welcome to the committee, Mr. Knake.
    Ms. Ann Barron-DiCamillo is the vice president of cyber 
intel & incident response at American Express.
    We're glad to have you with us today as well.
    Ms. Patricia Cagliostro is the Federal solutions architect 
manager at Anomali.
    Thanks for agreeing to testify today.
    Finally, Mr. Robert Mayer is the senior vice president for 
cybersecurity at the USTelecom Association.
    Mr. Mayer, welcome to you as well.
    I'd now ask the witnesses to stand and raise your right 
hand so I can swear you in to testify.
    [Witnesses sworn.]
    Mr. Ratcliffe. The witnesses' full written statements will 
appear in the record.
    The Chair now recognizes Mr. Knake for 5 minutes for his 
opening statement.

STATEMENT OF ROBERT K. KNAKE, WHITNEY SHEPARDSON SENIOR FELLOW, 
     COUNCIL ON FOREIGN RELATIONS, ON BEHALF OF THE GLOBAL 
                      RESILIENCE INSTITUTE

    Mr. Knake. Thank you, Chairman Ratcliffe. Thank you, 
Ranking Member Langevin, and distinguished Members of the 
committee.
    I want to start out by saying that I think we've made 
tremendous progress on this issue over the last 5 years in 
particular. I would recognize the Cyber Information Sharing Act 
of 2015 as really having cleared the underbrush on 
cybersecurity information sharing. There really should no 
longer be any reason why a company says they cannot legally 
share information.
    So I think we've done that. I'm proud to have supported 
that work when I was working in the Obama administration, and 
had always a very good relationship with your committee and 
your staff members.
    Now I think the question is not how do we get rid of 
disincentives, but how do we incentivize sharing and how do we 
put in place the mechanisms we need to make information sharing 
possible?
    I'd focus on two areas. The first is I think that we've 
already done almost everything we can to declassify information 
for information sharing. I think Classified information exists 
for a reason. It needs to be protected. Yet at the same time, 
many private-sector companies that operate critical 
infrastructure need that information.
    So the only way that we can solve that problem is if we 
extend Classified connectivity for information sharing to 
critical infrastructure companies. That would, I think, be a 
very significant move that also has strong precedent. The 
Department of Defense has operated something called the Defense 
Industrial Base Network now since 2008. They've shown that it 
is possible to share Classified information with private 
companies for their own defense.
    I think what we need to do on this topic is to create 
something that I'll call CInet, or Critical Information 
Network, with a Classified component and share that with, I 
would say, the section 9 companies under Executive Order 13636 
to start. Those companies, I think, have been recognized as 
facing a severe threat from our Nation's adversaries and they 
need to be brought into that Classified network.
    So I think we could do that under existing authorities that 
Congress has granted to the Secretary of Homeland Security and 
that the President has already extended to the Secretary. I 
think that is entirely possible and achievable. I'd recommend 
that we proceed with a pilot effort in that regard. I think it 
could be done for a limited amount of money and under existing 
authorities.
    The second topic that I'll touch on just briefly is the 
need for what people call a NTSB for cybersecurity, a National 
Transportation Safety Board for cybersecurity. This is the idea 
that when a plane crashes, investigators show up and they 
immediately try and find, why did a plane go down, why did a 
train derail?
    In cybersecurity, we need that. When an incident happens, 
what everybody wants to know is why did it happen and what can 
they do to protect themselves, were they affected by the same 
incident, were they targeted by the same adversaries? We have 
no mechanism to do that now other than leaks and media reports 
and rumor, innuendo, and surmise.
    From my perspective, the appropriate way to do this is not 
to take this NTSB analogy too far. That's a Government mandate. 
That's a regulated program. Rather, what I'd like to see is a 
voluntary effort that is possibly advocated for or created by 
DHS, but led with the private sector, that I think is backed by 
insurance, where you would get the equivalent of an insurance 
discount if you agree to have investigators come in, figure out 
what went wrong, and share that information, possibly 
anonymously, with the rest of the sector.
    I think if we had that kind of setup and that pre-
commitment to engaging in this way, we'd be able to get the 
most valuable information out of a company that's been targeted 
by these adversaries. If you were able to do that, I think you 
would address one of the hardest problems in information 
sharing, which is the fact that if you have been targeted, 
sharing information about that doesn't help you, it helps 
everybody else. It's a tragedy of the commons. I think a 
program like that would overcome those hurdles.
    So I'll stop there. Thank you for the invitation today.
    [The prepared statement of Mr. Knake follows:]
                 Prepared Statement of Robert K. Knake
                           November 15, 2017
                              introduction
    Thank you Chairman Ratcliffe, Ranking Member Richmond, and Members 
of the committee for the opportunity to testify on this important 
matter. While much work remains to be done, I believe it is important 
to start by noting that much has been accomplished. Information sharing 
has been the focus of the cybersecurity community for the better part 
of a decade and has enjoyed bipartisan support.
    When I was director for cybersecurity policy at the National 
Security Council from 2011 to 2015, I had a productive bipartisan 
working relationship with Congress that resulted in several successful 
pieces of legislation. Important with respect to the topic of today's 
hearing, was the passage of the Cybersecurity Information Sharing Act 
of 2015 that succeeded in resolving many of the reasons private 
companies believed they were unable to participate in cybersecurity 
information sharing. By explicitly offering liability protections and 
other safeguards, CISA has removed major barriers to information 
sharing.
    The primary challenges that remain are creating meaningful 
incentives whereby the sharing of cyber threat information has real 
value for network defenders and providing a secure operational 
environment for allowing the most sensitive information to be shared. 
In my testimony today, I will focus on two areas that I believe deserve 
the committee's attention: (1) The need for a secure network for 
Classified information sharing, collaboration, and operations for use 
by critical infrastructure; and (2) the need for a mechanism to quickly 
investigate and share information on the causes of cyber incidents.
    developing a secure network for classified information sharing, 
                     collaboration, and operations
    Through programs like Automated Indicator Sharing (AIS) and the 
Cyber Information Sharing and Collaboration Program (CISCP), the 
Department of Homeland Security is fulfilling its mandate to broadly 
share information the Government has with private companies and State, 
local, territorial, and Tribal governments that need it to protect 
themselves. When combined with vendor products and private-sector 
collaboration through Information Sharing and Analysis Centers, 
Information Sharing and Analysis Organizations, and efforts such as the 
Cyber Threat Alliance, these programs meet the needs of most companies.
    Yet, Government policy recognizes that a small set of private 
companies that operate the Nation's critical infrastructure are under 
near-constant threat from sophisticated actors. These ``Section 9 
list'' companies (those identified pursuant to Section 9 of Executive 
Order 13636) require the ability to communicate with the Government 
over Classified channels in order to protect the Nation's critical 
infrastructure from our adversaries.
    Solutions to the problem of Classified information sharing to date 
have been partial at best. Federal agencies continue to try and 
declassify or ``tearline'' more cyber threat information, separating 
out actionable threat information from intelligence. Federal agencies 
are also routinely providing Classified in-person briefings to cleared 
individuals in the private sector.
    These measures can never fully address the challenge of providing 
detailed and timely information to key infrastructure owners and 
operators. Given the clear and present on-going threat of cyber 
attacks, Section 9 companies must be able to receive Classified threat 
information in real time and to be able to coordinate securely with 
Government and other private companies on network defense. What they 
need is a Classified network for sharing critical infrastructure 
information. In addition to information sharing on cyber threats, I 
believe that such a network could address two other challenges.
    President Eisenhower famously said, ``If a problem cannot be 
solved, enlarge it.'' There is a tendency to view the idea of a 
Classified network for critical infrastructure as too costly and 
difficult to manage for the value it would provide. As one Government 
leader who considered the topic asked, ``is the juice worth the 
squeeze?'' My answer to that is an emphatic yes. The Government owes it 
to its partners in the private sector to provide them the detailed and 
timely intelligence that they need to protect themselves and this 
cannot be done in Unclassified form. Providing a Classified network for 
Section 9 companies would help to ensure a higher degree of assurance 
for critical infrastructure operations and provide a necessary fall-
back communications system in the event that the public internet is 
disrupted. Given the on-going threat and the significant economic and 
security consequences associated with disrupting the Nation's critical 
infrastructure, there is ample justification to develop a new network.
Sharing Classified Information and Threat Collaboration
    When the Government has information that private companies need to 
protect themselves, it has an obligation to provide that information. A 
duty to warn exists as one of the rationales for the collection of 
intelligence and is embedded in the authorities granted to the 
Department of Homeland Security at its creation. To this end, the 
intelligence community, the FBI, and DHS deserve credit for initiating 
a program in 2013 to provide notification to private companies if they 
were the victim or target of malicious cyber activities. Government 
notification is now one of the leading ways that companies discover 
cyber incidents.
    Through this program and related efforts, the Government has 
wrestled with the challenge of sharing Classified information with 
private companies. De-classification remains a slow and cumbersome 
process in large part because there is, in most cases, a good reason 
that Classified information should not be put into the public realm.
    When information cannot be declassified, Government agencies have 
attempted to address the challenge in two ways. Through in-person 
briefings, they convey information to cleared personnel at relevant 
companies. These briefings are valuable for raising awareness but are 
not useful for operational purposes. The Enhanced Cybersecurity 
Services (ECS) program attempted to address the operational challenges 
associated with Classified information by deploying Classified 
signatures to managed security service providers that could be used to 
block attacks. ECS, based on a successful pilot effort within the 
Defense Industrial Base (DIB), is certainly part of an overall 
solution.
    What ECS does not provide is context and multi-party communication. 
A signature alone is not sufficient to protect companies. Organizations 
under threat from the Nation's adversaries need to understand who is 
targeting them, why they are being targeted, how to protect themselves 
against the threat, and what threat actors may do next.
    The Department of Defense has largely solved this problem for DIB 
companies. DoD successfully piloted and moved into production the 
Defense Industrial Base Network (DIBnet), a Classified network for 
communicating with DIB companies. The network is used both to share 
Classified information on threats and to securely convene to coordinate 
incident response. For DIB companies, DoD has shown the importance of 
being able to deploy both Classified indicators and to communicate the 
context around threats. The DIBnet concept should be extended by the 
Department of Homeland Security to other critical infrastructure 
sectors.
    Several colleagues of mine and I worked with the Intelligence and 
National Security Alliance (INSA) to develop a proposal for creating a 
Classified network for sharing Classified information and threat 
collaboration for the financial services industry based on DIBnet. I 
have included the paper, ``FINnet: A Proposal to Enhance the Financial 
Sector's Participation in Classified Cyber Threat Information Sharing'' 
for the record.
    In the paper, we argue that the authority to establish a Classified 
network for critical infrastructure is already vested in the President 
and the Secretary of Homeland Security. Executive Order 13691 of 
February 13, 2015 ``Promoting Private Sector Cybersecurity Information 
Sharing'' gave the Secretary of Homeland Security the necessary 
authority to establish a Classified network for critical infrastructure 
companies. That order also directed the updating of the National 
Industrial Security Program Operating Manual (known as ``the NISPOM'') 
to better accommodate the needs of private companies that are not part 
of the Defense Industrial Base. Congress followed this action by 
charging the Federal Government with developing mechanisms to allow for 
``the timely sharing of Classified cyber threat indicators and 
defensive measures in the possession of the Federal Government with 
representatives of relevant Federal entities and non-Federal entities 
that have appropriate security clearances . . . '' as part of CISA.\1\
---------------------------------------------------------------------------
    \1\ 6 USC 1502.
---------------------------------------------------------------------------
    We believe that DHS, Treasury, FBI, and Secret Service should work 
together to pilot the FINnet concept with a small number of financial 
services firms that have mature security organizations and are willing 
participants. Companies from other sectors could also be brought into 
the pilot. This pilot should be launched right away and initially 
operate at the Secret level, using secure phones, laptops, and 
encryption cards to communicate securely over the public network 
infrastructure. If the pilot is successful, it could be migrated to 
dedicated network infrastructure that would provide higher degrees of 
assurance.
    Crucial to the success of the DIBnet is that it is backed by the 
Defense Cyber Crime Center (DC3). DC3 provides companies connected 
through the DIBnet with ``analytic support, incident response, 
mitigation and remediation strategies, malware analysis, and other 
cybersecurity best practices to participating companies.''\2\ In short, 
DC3 takes a customer service approach to the DIB. It fosters 
information sharing among participating companies by providing valuable 
services when companies share information with it. Such an approach is 
critical to replicating the success of the DIBnet for other sectors. 
Each sector needs a Government partner with a deep understanding of its 
sector, strong relationships with members of the sector, and the 
ability to provide value back to participating companies when they 
share information.
---------------------------------------------------------------------------
    \2\ Office of the Director of National Intelligence, Department of 
Homeland Security, Department of Defense, and Department of Justice, 
``Sharing of Cyber Threat Indicators and Defensive Measures by the 
Federal Government Under the Cybersecurity Information Sharing Act of 
2015,'' February 16, 2016, page 8.
---------------------------------------------------------------------------
Protecting Critical Infrastructure Operations
    The second challenge that such a network should address is the 
protection of critical infrastructure operations. As critical 
infrastructure grows more dependent on information technology, 
particularly given the growth of the so-called ``Internet of Things'', 
companies are connecting their operational technology to the public 
internet. While it is economical to use the public internet for this 
purpose, the risk that critical infrastructure could be disrupted 
through a cyber attack highlights the need for higher levels of 
assurance provided by a separate network. As the National 
Infrastructure Advisory Council (NIAC) concluded in its latest report, 
``Industrial control systems connected to business IT systems and the 
Internet constitute a systemic cyber risk among critical 
infrastructure.''\3\
---------------------------------------------------------------------------
    \3\ https://www.dhs.gov/sites/default/files/publications/niac-securing-cyber-assets-final-report-508.pdf.
---------------------------------------------------------------------------
    The NIAC report recommends the establishment of ``separate, secure 
communications networks specifically designated for the most critical 
cyber networks, including `dark fiber' networks for critical control 
system . . . ''. The NIAC called for a pilot project to identify dark 
fiber that could be used for the network and test whether critical 
infrastructure could be operated if separated from the public network. 
Some utilities have already begun to migrate their operations to 
dedicated networks that they own instead of continuing to use the 
public internet. Piloting this concept is well warranted given the 
threats our connected infrastructure faces.
Coordinating Network Restoration
    The third problem that such a network could address would be 
coordinating network restoration in the event of an attack that 
destabilizes the public internet. While the internet has grown 
increasingly robust, it is not immune from disruptive cyber attacks. 
Some botnets have grown so large that a distributed denial-of-service 
attack could take down portions of the network. They have become so 
sophisticated that it can be difficult for network operators to 
separate the signal from the noise and filter out the attacks.
    In the period after 9/11, the Bush administration recognized the 
need to have a backup, redundant communications system to coordinate 
network restoration in the event of an internet outage. The Critical 
Infrastructure Warning Information Network (CIWIN) was created with two 
purposes: It would serve on a daily basis to provide information on 
threats to critical infrastructure and provide a back-up communications 
capability in the event of an internet outage.
    CIWIN ran over the internet's physical infrastructure but on 
dedicated circuits that would allow users to continue to communicate as 
long as the core routing infrastructure was still operational. In the 
face of budget cuts, the Department of Homeland Security canceled the 
program in 2013. The system had not been routinely exercised and no 
information was flowing over it.
    The need for such a system remains. The problem with CIWIN was that 
the information that was shared over it was Unclassified and could also 
be shared over the public internet so it was essentially a redundant 
network that would only be used if the public internet was compromised. 
However, the need to routinely share Classified information would mean 
the network would be used on a daily basis as part of operations. 
Business needs will dictate use of the most expedient medium for 
sharing information. Absent the presence of Classified information that 
cannot legally be shared on enterprise networks, operators will 
routinely fall back to sharing over Unclassified email, phone, and 
other systems.
    Taken together, I believe that the need to share Classified threat 
information, the need to provide higher levels of assurance for 
critical infrastructure operations, and the need for a redundant 
communications system in the event of an internet outage amply 
justifies the development of a dedicated secure network.
creating a ``national transportation safety board'' for cyber incidents
    Over the last decade, cybersecurity professionals have recognized 
that, try as they might, incidents will still occur. The concept of 
``cyber resilience'' is emerging to capture the idea that, while we may 
not be able to stop all harms from occurring in cyber space, we can 
rapidly respond, recover, and adapt, becoming stronger than we were 
before. Achieving resilience, however, is not something any individual 
organization can do alone. Instead, it requires a collective effort so 
that the lessons learned from an individual incident at a company are 
widely disseminated and countermeasures implemented.
    While a small number of defense contractors and financial services 
firms have recognized that sharing this kind of information is vital 
and, if done in the proper context, does not introduce risk to the 
firm, most companies fear the downside of sharing and see no potential 
upside. Companies fear that sharing information about a breach, even if 
it did not result in the loss of any data, will cause a public 
relations nightmare and result in a loss of stock value. It could lead 
to the firing of the CISO and even CEO. Even if these concerns were 
addressed, that would simply mean that there is limited downside. It 
would not mean that there is an upside or any kind of positive 
incentive to share this information. After all, sharing this kind of 
information does not directly help the company that has been breached; 
it only helps other companies detect or prevent a breach. Simply put, 
the challenge for information sharing is that the last thing a company 
that has experienced a breach wants to do is tell anybody else that it 
happened, let alone how it happened. Yet, it is in the National 
security interest that they do so as soon as possible.
    To address this problem, many in the security community have long 
advocated for the equivalent of the National Transportation Safety 
Board (NTSB). When a plane crashes or a train derails, NTSB shows up on 
the scene to investigate. The goal of NTSB is not to assign blame but 
to figure out what went wrong and to rapidly develop recommendations to 
prevent an incident like that from ever happening again. This 
information and those recommendations are rapidly shared with other 
airlines who quickly work to implement them. Such a virtuous cycle is 
what we need in cyber.
    The challenge is that a plane crash is a public event and a cyber 
incident is usually, at least initially, a private one. An NTSB for 
cyber incidents requires a new system of notification and disclosure. 
It also requires developing a rubric under which companies that are 
busy trying to contain an incident are also willing to cooperate with 
an investigation that is not about helping them but about helping 
everyone else learn from their mistakes. Constructing such a system is 
no simple task.
    A straightforward approach, which I do not recommend, would require 
disclosure of breaches to the Federal Government and would give a 
Government agency the authority to investigate and disseminate lessons 
learned. I do not believe such an approach would be in 
the spirit of the public-private partnership we have worked to 
construct over the last two decades. It would create an adversarial 
relationship to the detriment of the cooperative environment we need to 
foster.
    Instead, I believe what is necessary is a voluntary program under 
which companies are incentivized to agree that, in the event of an 
incident, 
they will disclose it and cooperate with investigators that have a 
mission to surface and share the causes of the incident with the rest 
of the community.
    One option that has worked well in a few incidents is to have US-
CERT accompany the FBI on the bureau's investigation to advise the firm 
on ``asset response'' with a secondary purpose of collecting and 
sharing information for dissemination. The challenge with this approach 
is that companies may not cooperate with law enforcement investigations 
and often have little interest in receiving assistance from the 
Government.
    In my view, a better approach is to use cyber insurance to 
establish an obligation to disclose and to allow an independent 
investigation into the causes of the incident to take place for the 
purpose of disseminating that information to other companies. Such a 
system need not require public disclosure of either the fact of the 
breach or the findings. A Council on Foreign Relations paper that I 
authored, ``Creating a Federally-Sponsored Cyber Insurance 
Program,''\4\ called for an NTSB-like program to be established as a 
requirement for participation in any Federally back-stopped cyber 
insurance program.
---------------------------------------------------------------------------
    \4\ https://www.cfr.org/report/creating-federally-sponsored-cyber-
insurance-program.
---------------------------------------------------------------------------
    While I support this recommendation, I do not believe that a 
Government-backstopped program must be a prerequisite for advancing 
this kind of information sharing. Insurance companies, if they banded 
together, could set participation in this kind of disclosure and 
investigation program as a requirement for their underwriting 
commercially available insurance or in order to receive a discount on 
policies. Doing so would be in the interest of insurance companies, as 
it would help to reduce their aggregate risk by speeding the 
containment of related breaches that have yet to be discovered.
    Congress should work with the insurance industry to identify 
whether there are any legal impediments to establishing this sort of 
program.
              what we are doing at northeastern university
    I recently joined the Global Resilience Institute (GRI) at 
Northeastern University. GRI's mission is to lead a university-
wide interdisciplinary effort to advance resilience-related initiatives 
that contribute to the security, sustainability, health, and well-being 
of societies. As with all efforts to create and sustain global change, 
they must start locally. Thus, we are working within the metro-Boston 
area to bring together the stakeholders who are willing to develop, 
test, and pilot the concept of a secure, redundant communications 
system that could be used for information sharing, collaborating on 
incident response, and restoring public networks should they become 
inoperable or compromised.
Mapping Critical Infrastructure and Dark Fiber in the Boston Area
    We are beginning this effort by developing a map of critical 
infrastructure in the metro-Boston area. Initially, because of the 
challenges associated with getting detailed infrastructure information, 
this will not be a comprehensive model, but it will provide a 
foundation for identifying critical assets that can potentially be 
connected to the available dark fiber in the Boston area. This will 
allow us to identify the practical barriers for making these 
connections, focusing in particular on the ``last mile'' challenge--how 
much additional fiber would need to be strung to connect control 
systems to the network. Our initial assessment suggests that the costs 
are likely to be significantly lower than many expect.
Technical Design of a Secure Network
    We have also begun work to design the architecture for this 
network. As indicated elsewhere, a dark fiber network is the preferred 
option at this stage; however, we are investigating other transmission 
mediums for where fiber is either not practical or desirable. For 
instance, long-distance transmissions in rural areas might suggest 
microwave or other ``over the air'' technologies; likewise, in a 
coastal area like Boston, an over-the-air system might prove more 
resilient than fiber running underground or strung on telephone poles.
    While it is tempting to think of a secure network as a closed loop, 
such a network would have limited use. Data will need to be securely 
moved on and off the network. For cybersecurity operations, incident 
data will need to be pulled up from the public internet or enterprise 
business networks to be analyzed. Indicators of compromise extracted 
through analysis will need to be pushed down to be of use to network 
defenders. For industrial control systems, while communications with 
operations centers could take place on the closed network, signals from 
devices (at homes for instance) will need to be pulled up. Thus, it 
will be essential that the network allows, but strictly limits and 
monitors, communications to and from untrusted sources on the internet.
    The secure movement of data on and off the network can be 
accomplished with a series of ``guards'' or ``cross domain solutions'' 
that are used in Government systems to move data from Unclassified 
domains to Classified domains. We are exploring the commercial 
application of these technologies and believe a viable system can be 
developed.
    Admittedly, a perimeter approach such as we are advocating here is 
not a silver bullet. In fact, it has become popular in the 
cybersecurity community to declare that ``the perimeter is dead''. We 
think that such a notion is more marketing hype than reality for most 
companies. In the critical infrastructure space, it would not be 
responsible risk management to give up on limiting access to connected 
devices. Yet, we recognize that a ``hard exterior'' and ``soft middle'' 
is not the right solution. Even a separate network with the most 
advanced cross-domain solutions and best inspection technologies can be 
breached. We are also painfully aware of the risk of insider threats, 
particularly when dealing with industry. Thus, the design of the 
network needs to account for both the threat from external actors as 
well as malicious insiders.
    To address insider threats or to detect external threats that have 
compromised the security of the network, we believe that it is possible 
to develop a viable approach that will take advantage of new 
technologies that have been difficult or costly to implement in legacy 
networks. On a basic level, advances in software-defined networking and 
related technologies can allow the segmentation of traffic at multiple 
classifications. The network could easily accommodate Sensitive But 
Unclassified operational communications for critical infrastructure as 
well as Classified communications on cyber threats for network 
defenders. Traffic moving across the network can be inspected, not just 
on exit and entry, and data accessed by users tracked to monitor for 
potential malicious conduct. In short, advances in technology together 
with the proper governance structure can limit access to data to those 
who need to know. Objections to extending this connectivity to the 
private sector based on concerns over security can be effectively 
addressed.
Business Model
    As we have begun to develop this concept, a persistent question has 
been raised that should be familiar to all Members of the committee: 
Who will pay for it? I generally tend to favor the view that the 
necessary investment for cybersecurity is best treated as the cost of 
doing business for modern enterprises; however, I believe it is 
unlikely that the private sector will fund the development of a secure 
network on its own. A model in which the Government selects an 
independent network operator and pays the initial cost of a pilot 
project that guides the development of the network is likely the most 
viable path. After it is established, use of it by critical 
infrastructure companies could incur a fee to cover its costs. The 
process for selecting the Electric Reliability Organization established 
by the Energy Policy Act of 2005 may be a model worth investigating.
Next Steps
    As we continue to develop the concept of a Classified network for 
critical infrastructure, we will look for opportunities to collaborate 
with critical infrastructure companies in the metro-Boston area and 
beyond. Our plan is to be able to present a feasibility study on this 
topic within the next 6 months and to engage in a regional pilot within 
a year.
                               conclusion
    Thank you for the opportunity to testify on these important issues. 
As I hope my testimony conveyed, I believe that the remaining 
challenges in information sharing require identifying discrete problems 
and working to collaboratively develop specific solutions. As we pursue 
the development of these solutions and identify roadblocks, I look 
forward to continuing to engage with you, your staff members, and with 
my colleagues in the Executive branch to further develop these 
important concepts.
    I would be happy to answer any questions at this time.

    Mr. Ratcliffe. Thank you, Mr. Knake.
    The Chair now recognizes Ms. Barron-Dicamillo--did I say 
that right?
    Ms. Barron-Dicamillo. Yes, you did, sir.
    Mr. Ratcliffe. For her opening statement.

STATEMENT OF ANN BARRON-DICAMILLO, VICE PRESIDENT, CYBER INTEL 
             & INCIDENT RESPONSE, AMERICAN EXPRESS

    Ms. Barron-Dicamillo. Thank you, Chairman Ratcliffe, 
Ranking Member Langevin, and Members of the subcommittee. My 
name is Ann Barron-Dicamillo, and I am vice president of cyber 
intelligence and incident response at American Express. Thank 
you for this opportunity to be here today. I really look 
forward to the discussion.
    In my role at American Express, I'm responsible for 
managing cybersecurity operations and directing cyber threat 
intelligence globally for the company. Prior to my role at 
American Express, I was director of US-CERT at Homeland 
Security. My responsibilities there included leading 
cybersecurity incident response activities, as well as sharing 
relevant data from those events with both public and private-
sector companies on cyber threat information-sharing 
initiatives.
    While at DHS, I engaged in efforts to mature public-private 
cyber threat intelligence information-sharing programs like 
those encouraged by CISA. This legislation really helped 
address many of the concerns that I experienced while I was 
there around critical infrastructure sector partners, including 
American Express, engaging in cyber threat information sharing 
with the Government. It created the ability for DHS to 
establish machine-speed sharing, while protecting enterprises 
from associated liability concerns.
    One program worth discussing today, which was already 
mentioned by the Chairman, is AIS. AIS has had limited adoption 
to date and early challenges in demonstrating its full 
potential, as was mentioned by the Ranking Member.
    While AIS may be a good program for new entrants into the 
cyber information-sharing community, it would be more effective 
for more mature organizations in the broader critical 
infrastructure community if it offered three key things, and 
two of them were also mentioned by the Ranking Member: Timelier 
indicator sharing, richer context around indicator information, 
and continual improvements to the program to ensure quality 
information, quality over quantity.
    The timeliness of cyber threat information sharing has been 
negatively impacted, I believe, by the Government's 
overclassification of threat data, which is really minimizing 
the value that AIS can provide to the critical infrastructure 
community.
    The agency that is originating this information is sharing 
that information with DHS, and they're in charge of the 
classification or declassification of that information. When 
DHS has to go back and get the originating source to go through 
the process of declassifying it, it results in delays. Many 
times, the threats associated with that information can become 
obsolete because of the shifting nature of attacks within the 
internet.
    Alternatively, if the information is scrubbed to remove the 
Classified status, the resulting information is often so 
cleansed or minimized that much of the relevant context that's 
needed to properly action it in my organization is removed.
    So some proponents have suggested the timeliness issue 
could be resolved by increasing the number of cleared 
individuals in critical infrastructure. However, increased 
access to Classified information for these individuals provides 
little actionable data that we can take back into our 
Unclassified networks for implementation. Any shared data that is 
still classified at that level can't be actioned on an 
Unclassified fabric.
    To speed up the timeliness of information sharing, we 
encourage our partners in law enforcement and the intelligence 
community to work to tear-line more of their reporting, so any 
actionable information, IOCs, hashes, and other things can be 
shared expeditiously with critical industry. If information is 
found in open source, the Government should act quickly to 
declassify the entire report as rapidly as possible.
    Also, the equities review process continues to be a 
stumbling block toward timely, broader, and more actionable 
information sharing from the Government to private industry. I 
fully understand the intelligence community must consider both 
public benefit and operational risk when disclosing 
confidential information about a threat. However, in light of 
the public sector's caution when it comes to sharing 
information about cyber incidents, private industry is instead 
turning to cybersecurity firms for timelier and more 
contextually complete information.
    At American Express, we rely primarily on FS-ISAC and other 
sources, both external as well as communities of interest, for 
a lot of our threat data. We engage in outbound sharing, 
primarily with FS-ISAC and other financial institution 
partners, through auto sharing of IOCs and other freeform 
communication.
    Much of the threat information is still being shared 
primarily via email, as it allows for communication with 
important context, which includes things like who saw it, what 
was seen, when was it seen, where, which part of the network, 
as well as how it was mitigated or contained. This relevant 
information a lot of times can't be shared in some of these 
machine-to-machine systems.
    Today, the AIS program does not offer this type of valuable 
context for the indicators that are being shared. Just as the 
context is important for security analysts, the lack of the 
context prevents users of the information from confirming that 
these indicators have been properly vetted as well as received 
from trustworthy sources.
    Additionally, private-sector organizations have shared 
feedback with DHS that they would like to see a higher volume 
of contextually rich data versus just a larger volume of less 
insightful information.
    One way DHS can address some of these issues is through the 
adoption of technology that automates the ability to apply 
confidence levels by source to the indicator-sharing process. 
DHS should also consider working more closely with information 
recipients to learn what kinds of data and context are going to 
be most useful and pertinent to private industry for our own 
networks.
    Since CISA's passage, public-private information sharing 
has come a long way and many positive advancements have 
occurred. We strongly believe that a timelier, more contextual, 
higher-quality information-sharing program is the next step in 
the evolution of cyber threat information for DHS.
    I want to thank you for inviting me to be here today to 
discuss this very important issue, and I look forward to 
answering any questions you may have.
    [The prepared statement of Ms. Barron-Dicamillo follows:]
               Prepared Statement of Ann Barron-Dicamillo
                           November 15, 2017
    Chairman Ratcliffe, Ranking Member Richmond, Members of the 
subcommittee, my name is Ann Barron-Dicamillo, and I am vice president 
of cyber intelligence and incident response at American Express. Thank 
you for the opportunity to be here with you today. In my role at 
American Express, I'm responsible for managing cybersecurity operations 
and directing cyber threat intelligence globally for the company. I 
oversee an organization responsible for information security 
monitoring, security incident response, advanced cyber analytics as 
well as forensics and other applicable investigations. My organization 
is on the front lines of defense against active cyber threats, and we 
actively participate in information sharing with industry and 
Government partners. As an experienced information security executive 
with almost 20 years of extensive experience in operations and in the 
delivery of information security services, I have gained a deep 
knowledge of the cyber threat intelligence environment and a respected 
track record of assisting organizations in making balanced and informed risk 
decisions.
    From January 2013 to February 2016, I was director of the United 
States Computer Emergency Readiness Team (US-CERT) at the Department of 
Homeland Security (DHS). My responsibilities included leading 
cybersecurity incident-response activities and network analysis, 
working to share relevant data with both the public and private sectors 
on cyber threat information-sharing initiatives. At US-CERT, I 
supported DHS's efforts to improve the Nation's cybersecurity posture, 
and I directly coordinated cyber information sharing to proactively 
manage cyber risks. My responsibilities also included driving the US-
CERT mission with CERTs around the world, overseeing the 24x7 
operations center, analyzing and reducing cyber threats and 
vulnerabilities, disseminating cyber-threat warning information and 
supporting incident-response activities with Government and critical 
industry partners.
    I've been a vocal proponent of Cyber Threat Intelligence (CTI) 
information sharing throughout my career in both my public- and 
private-sector roles. The fundamental importance of CTI information 
sharing comes down to one simple concept: ``One entity's detection 
could be another entity's prevention.'' As computer network defenders, 
information sharing becomes the foundation upon which we can build a 
robust cybersecurity program in the continual fight to thwart cyber 
criminals and other adversaries. CTI information sharing happens even 
before first-line defenders are engaged; it enables security operation 
analysts and hunters to be proactive in the search for malicious 
activities; and it gains us a broader perspective on the threat 
environment as it perpetuates across the web.
    While at DHS, I engaged in efforts to mature public/private CTI 
information-sharing programs like those created by the Cybersecurity 
Information Sharing Act of 2015 (CISA). This legislation addressed many 
of the concerns that had been expressed by critical infrastructure 
sector partners, including American Express, in engaging in CTI 
information sharing with the Government. It created the ability for DHS 
to establish machine-speed sharing while protecting enterprises from 
associated liability concerns. American Express' support and position 
on this issue is one of the many reasons I joined their cyber 
operations team, as it was clear that American Express understood the 
importance of cyber threat information sharing for the betterment of 
our public and private partners, both domestically and abroad.
    Since the passage of CISA, American Express has developed a more 
formal standard for sharing cyber threat information. We have engaged 
in more consistent sharing with the Financial Services Information 
Sharing and Analysis Center (FS-ISAC). We deployed and have matured a 
Threat Intelligence Platform (TIP), which currently ingests, on 
average, hundreds of thousands of unique threat indicators per month. 
Our TIP is used by my organization to proactively search for threats, 
both emerging as well as trending, in the ``Wild West'' of the internet 
for potential relevancy to our unique environment. The information we 
receive from the TIP includes indicators from the FS-ISAC. These 
indicators of compromise (IOCs) include those shared by the U.S. 
Government through DHS's Cyber Information Sharing and Collaboration 
Platform (CISCP).
    American Express is not a current participant in DHS's Automated 
Indicator Sharing (AIS) program. I understand the AIS bi-directional 
sharing program, to date, has had limited adoption and early challenges 
in demonstrating its full potential value. While AIS may be a good 
program for new entrants in cyber information sharing and a good start 
down the path of private/public sector information sharing, the program 
would be more effective at protecting organizations from cyber threats 
if it offered timelier indicator sharing, richer context around the 
indicator information, and continual improvements to ensure quality 
information. The following goes into greater detail regarding these 
points.
               improve timeliness of information sharing
    An issue that minimizes the potential value of the AIS portal 
information is that the agency that originated the information or 
indicator is in charge of the classification or declassification of 
that information. If the information provided is categorized as 
Classified, the need to go through the process of declassification 
results in delays in DHS's information-sharing process, making the 
details of threats quickly obsolete because of the quickly shifting 
nature of attacks. Alternatively, if the information is scrubbed of its 
Classified status, the resulting shared information is often so 
cleansed or minimized that much of the relevant context needed to 
properly action the information has been removed.
    Some proponents have suggested that the timeliness issue can be 
resolved by increasing the numbers of--and expediting the process to 
clear--private-sector individuals at companies, so as to be able to get 
access to Classified information. However, increased access to 
Classified information by critical infrastructure personnel provides 
little actionable data for those individuals to take back to their 
Unclassified networks for implementation, as the data is still 
Classified at a level that can't be removed or actioned on an 
Unclassified fabric.
    When I was at DHS, to try to help address the classification issue, 
I encouraged my partners in law enforcement and intelligence to work to 
``tear-line'' more of their reporting so any actionable information 
could be shared more expeditiously with critical industry stakeholders. 
(Tear-lining is the process of sanitizing Classified information below 
the tear line to convey the substance of the information without any 
identifying or sensitive sources or methods.) If relevant context is 
getting lost through the tear-line process, then the Government should 
act to declassify the entire report as rapidly as possible.
    In addition, the equities review process continues to be a 
stumbling block toward broader, more actionable information sharing 
from the Government to private industry, and over-classification of 
entire reports continues to be an issue across the board in the 
intelligence community in all kinds of different contexts. In some 
instances, the usefulness of the information is essentially eliminated 
if the context is removed or if the limited information around the 
threat is misleading, leaving the private sector with a clue of a 
threat but not the ability to take meaningful, intentional steps to 
protect its network against an existing threat.
    Having worked in these circles responding to cyber events while in 
the public sector, I fully understand the intelligence community must 
consider both public benefit and operational risks when disclosing 
confidential information about a threat. However, in light of the 
public sector's caution when it comes to cyber incidents, private 
industry turns to private cybersecurity firms for timelier and 
contextually complete information.
    DHS can best address timeliness of cyber information sharing by 
working with the originating agency of the information to expedite the 
equities review process. Alternatively, DHS could work toward tear-
lining the reporting, or better yet, if the information is found in an 
open source, work toward declassifying the reporting.
            provide context for effective threat mitigation
    At American Express, we rely primarily on the FS-ISAC and other 
sources of external threat data from vendors and other communities of 
interest. We engage in outbound sharing primarily with the FS-ISAC and 
other financial institution partners. Threat sharing within the FS-ISAC 
occurs in two distinct ways: (1) The automated sharing of indicators 
via STIX (Structured Threat Information eXpression) and TAXII (Trusted 
Automated eXchange of Indicator Information); and (2) the sharing of 
unstructured, free-form emails that describe threats and provide 
context, including various indicators, and that are exchanged between 
different trust communities vetted by existing members for operational 
experience. The bulk of threat information sharing is still primarily 
via email, since it allows for communication of important context, 
including who saw it (e.g., sector-specific or wide-spread), what was 
seen (e.g., specific exploit to a known vulnerability or software 
version), when it was seen (e.g., when the activity began), where 
(e.g., impact to specific operating system endpoints or servers or 
hardware components) or on which part of the network it was seen (e.g., 
cloud-based, traditional network, or mobile), and how it was mitigated 
or contained as relevant (e.g., whether there is a patch available or 
known signatures or scripts to mitigate the exploit ahead of the 
patch). These are the important details security analysts need in order 
to identify which indicators are the most relevant and important in 
their own networks, and how they relate to specific on-going attack 
campaigns.
    Today, the AIS program does not offer this type of valuable context 
for the indicators that are being shared. Just as the context is 
important to security analysts, the lack of context prevents users of 
the information from confirming that the indicators have been properly 
vetted and received from trustworthy sources. Providing mechanisms for 
representing and encouraging the supply of additional context, 
providing real-time feedback on data quality, and supporting different 
communities of trust are ways to advance the program. Additionally, 
private-sector organizations, like American Express, have shared 
feedback with DHS that they would like to see a higher volume of 
Unclassified sharing versus a larger volume of less insightful 
information.
    There are on-going collaborative developments in information 
sharing, both in the formation and evolution of information-sharing 
groups (ISACs, ISAOs, and other formal and informal threat-sharing 
communities) and in mechanisms for describing and sharing threat 
information. There are also efforts to make that threat information 
actionable by defensive measures, such as STIX and TAXII, the MITRE 
CAPEC (Common Attack Pattern Enumeration and Classification) and ATT&CK 
(Adversarial Tactics, Techniques, and Common Knowledge), and the newly-
developing OpenC2 (Open Command and Control) standard. The 
implementation of STIX 2.0, which allows for representation of greater 
context and the identification of relationships between shared data, 
would be a beneficial step for AIS.
     continually improve to ensure quality and trustworthiness of 
                              information
    DHS should focus on ways to continually assess and improve the 
quality of the information-sharing process through adoption of 
technology that automates the ability to apply confidence levels by 
source to the indicator-sharing process. DHS should consider working 
more closely with information recipients to learn what data and context 
are useful and pertinent to private industry so that private industry 
can easily ingest relevant information in real time. In addition, DHS 
should work with the private sector to gain confidence in the validity 
and credibility of the information (through the context sharing 
described above) while ensuring that the voluntary reporting of threats 
to the AIS program does not lead to attribution of any particular 
industry or entity.
    Since CISA's passage, private- and public-sector sharing has come a 
long way and has made many positive advancements, but we believe there 
is more work to be done to overcome our adversaries. We strongly 
believe that timelier, more contextual and higher-quality information 
sharing is the next step in the evolution of cyber threat information 
sharing that will lead to increased private-sector participation in 
DHS's information-sharing programs.
    I want to thank you again for inviting me to be here today to 
discuss this very important issue, and I look forward to answering any 
questions you may have.

    Mr. Ratcliffe. Thank you, Ms. Barron-Dicamillo.
    I would now like to recognize Ms. Cagliostro.
    Am I saying that right?
    Ms. Cagliostro. Yes, that is correct.
    Mr. Ratcliffe. You're recognized for 5 minutes.

 STATEMENT OF PATRICIA CAGLIOSTRO, FEDERAL SOLUTIONS ARCHITECT 
                        MANAGER, ANOMALI

    Ms. Cagliostro. Thank you. Thank you, Chairman Ratcliffe, 
Ranking Member Langevin, and distinguished Members. I'm honored 
to appear before the committee today to discuss how we can 
improve the partnership between public and private sector to 
strengthen our Nation's security with cyber threat information 
sharing.
    I work for a leader in the cyber threat intelligence space 
called Anomali. We were the first company to automatically 
share intelligence back to AIS. We also integrate AIS with our 
technology and provide access to our customer base.
    Our deep integration with AIS and experience with 
facilitating sharing with ISACs and ISAOs provide unique 
insights into the critical factors for successful sharing 
programs and opportunities for improvement in the AIS program.
    In 2017, the Ponemon Institute commissioned a report that 
represented over 1,000 organizations from North America and the 
United Kingdom. This report provides critical insights about 
the threat intelligence industry that impact the adoption and 
participation in AIS.
    One of the biggest challenges identified by 70 percent of 
respondents was the volume of data available. To put this in 
perspective, there are hundreds of millions of indicators from 
hundreds of sources in the Anomali platform, and we've 
continued to see the volume of threat data grow exponentially 
since our inception. AIS is one of many sources that 
organizations have access to.
    The biggest value of threat intelligence is the ability to 
integrate with an organization's security controls to detect 
and prevent malicious activity on the network. Think of threat 
intelligence like the no-fly list that airlines use to prevent 
threats from flying. If the data wasn't integrated with airline 
systems, the value of the list would be diminished because it 
couldn't prevent high-risk passengers from flying.
    Threat intelligence is the cyber no-fly list, and when 
organizations integrate with their security controls, they can 
actively detect and prevent threats on the network.
    Once an organization can consume and integrate threat 
intelligence, they've reached a maturity level where they're 
ready to actually share intelligence. Sixty-two percent of 
organizations reported that they share intelligence today. 
About 50 percent of those said they share with just the 
security vendors, while only 30 percent actually share with the 
Government.
    When we think about maximizing the value of information 
sharing in the context of AIS, we need to keep in mind the 
state of threat intelligence. Organizations in both the public 
and private sector need tools to manage and integrate the 
overwhelming amount of threat intelligence before they're ready 
to share. When they are ready to share, trust and ease of use 
are critical for success.
    DHS should be commended for meeting the aggressive time 
lines outlined in the Cybersecurity Act of 2015, but with any 
large program there are always opportunities to improve. The 
primary goal should be to expand AIS participation to as many 
organizations as possible because more participants will 
ultimately impact the quality and improve the quality of the 
data shared.
    DHS can reduce the level of effort for organizations to 
participate in AIS by increasing the ways that people can 
access it and integrating it with analyst workflows. When an 
organization wants to connect to AIS, it can take weeks between 
legal reviews, between deploying technology for them to 
actually get connected. DHS should continue to work with third 
parties who can redistribute AIS through their sharing 
platform, like ISACs and ISAOs, and security vendors like 
Anomali, so organizations don't have to add additional 
technology in order to participate.
    Analysts collect and produce cyber intelligence as part of 
their daily workflow. In the Anomali platform, analysts simply 
check a box to automatically share with their community. 
They're more likely to share because it's easy. It doesn't add 
additional work for them. It's something they would have to do 
anyway as part of their regular workflow.
    The AIS program will benefit by integrating with security 
technologies like Anomali to make it easier for organizations 
to share back, so, again, as part of that daily workflow.
    Cybersecurity isn't a marathon or a sprint. There is no 
finish line in sight. We face a dynamic adversary, and we need 
to use every advantage that we have. The attack surface is too 
large and resources are stretched too thin for organizations to 
defend alone. Information sharing acts as a force multiplier 
and can help level the playing field.
    In the most recent election, the Colorado State ISAC 
partnered with Anomali to share intelligence in real time with 
various Federal, State, and local organizations to maximize 
their ability to defend the integrity of our elections.
    Real-world success stories of the power of information 
sharing, supported by public and private-sector partnerships, 
will continue to drive adoption and participation in programs 
like AIS.
    Thank you guys for inviting me today.
    [The prepared statement of Ms. Cagliostro follows:]
               Prepared Statement of Patricia Cagliostro
                           November 15, 2017
    Chairman Ratcliffe, Ranking Member Richmond, and distinguished 
Members, I am honored to appear before the committees today to discuss 
how we can improve the partnership between the public and private 
sector to improve our Nation's security with cyber threat information 
sharing.
    I work for a leader in the cyber threat intelligence space called 
Anomali. At Anomali, we have worked closely with the public and the 
private sector to enable information sharing for several years. My role 
is to lead a team of professionals in the global public sector to solve 
the biggest challenges in leveraging threat intelligence to stop 
critical threats and facilitate relationships between industry and the 
public sector.
    Anomali was the first company to automatically share intelligence 
back to the Department of Homeland Security's Automated Indicator 
Sharing program, referred to as AIS. We also integrate AIS information 
with our technology and provide access to approved customers. Our deep 
integration with AIS and experience with facilitating cyber 
intelligence-sharing communities provides unique insights into the 
critical factors for successful sharing programs and opportunities for 
improvement in the AIS program.
    In my testimony, I will describe the state of threat intelligence 
in the private sector, how we can reduce the barrier to entry for the 
private sector to share information through AIS and improve the quality 
of information provided by AIS.
                      state of threat intelligence
    In 2017, the Ponemon Institute commissioned a report: The Value of 
Threat Intelligence: A Study of North American and United Kingdom 
Companies that included over 1,000 respondents. (https://www.anomali.com/resources/whitepapers/value-of-threat-intelligence-ponemon-study) This report provides valuable insight into how the 
private sector uses and consumes threat intelligence. The report found 
that 80% of organizations use threat intelligence and of those 
organizations, 84% identified threat intelligence as essential to a 
strong security posture.
    One of the biggest challenges identified by 70% of respondents was 
the volume of available threat data. Today, there are over 400 million 
indicators of compromise in the Anomali platform and we have seen the 
volume of threat data from open, shared intelligence and threat 
intelligence vendors grow exponentially since our inception. Threat 
Intelligence Platforms like Anomali enable organizations to aggregate 
and consume the overwhelming amount of threat intelligence available to 
organizations.
    The biggest value of threat intelligence is the ability to 
integrate with an organization's security controls to detect and 
prevent malicious activity on the network. 65% of respondents cited 
integration as necessary to maximize the value of threat intelligence 
data. Think of the No-Fly List that airlines use to prevent threats 
from flying. If the data wasn't integrated with airline and airport 
security systems, the value of the list would be diminished because it 
couldn't prevent high-risk passengers from flying. Threat intelligence 
integration provides the cyber no-fly list by integrating with security 
controls to detect and prevent threats.
    Once an organization can consume and integrate threat intelligence, 
they have reached a maturity level where they are ready to share 
intelligence. Sixty-two percent of organizations reported that they 
share intelligence. Of those organizations, 50% share with trusted 
security vendors and 43% share with trusted peer groups while only 30% 
of organizations reported sharing with the government through programs 
like AIS and CISCP. Organizations identified a lack of threat 
intelligence expertise as the primary reason why they do not share 
intelligence.
    When we think about maximizing the value of information sharing in 
the context of AIS, we need to keep in mind the state of threat 
intelligence in the private sector. In my experience, these challenges 
are also relevant in the public sector. You have to help yourself 
before you help others and organizations in both the public and private 
sector need the tools to handle the overwhelming amount of threat data 
and integrate the intelligence before they are ready to share 
intelligence. When they are ready to share, trust and ease of use are 
critical for success.
                 barriers to entry for private industry
    The barrier to information sharing through AIS and the quality of 
information provided by AIS are intimately related because a 
significant portion of the information provided by AIS is shared by the 
participants. If participants do not share valuable information through 
AIS, the quality of the information that is delivered will be impacted. 
The level of effort to share intelligence through AIS and lack of 
expertise in threat intelligence act as barriers to entry to share 
intelligence through AIS.
    When an organization wants to connect to AIS, they must sign a 
terms of use document, set up a TAXII client, purchase a PKI certificate 
from a commercial provider, provide their IP address to DHS, and sign an 
Interconnection Security Agreement. While this may not seem overly 
complex, this process can take private organizations weeks to complete 
because of legal reviews and change control processes. In the public 
sector, this can be even more time-consuming because additional 
processes and requirements can cause delays due to the time to get new 
technologies on-line.
    Once an organization is connected to AIS, they often find it 
difficult to share intelligence. While there are a variety of options 
available to private industry to share with AIS including TAXII client 
software, a DHS website and email, they add additional work for 
analysts outside of their workflow. Almost every organization is 
struggling with the resource shortage in cybersecurity, and adding 
additional work to share information will negatively impact 
participation rates.
    There is an extremely limited supply of skilled threat intelligence 
analysts. When organizations share intelligence, they may be concerned 
that they do not have the expertise to produce relevant intelligence 
that other organizations will find useful. Organizations are afraid to 
be the boy who cried wolf and look immature for sharing intelligence 
that other organizations will not find useful.
    These challenges are common for any information-sharing program and 
are the first hurdle that Information Sharing and Analysis Centers and 
Organizations, or ISACs and ISAOs, must overcome. Anomali is the technology 
platform for several ISACs and ISAOs and has identified several 
solutions to reduce the barrier to entry for organizations to share 
that can be applied to AIS.
    When a new ISAC or ISAO partners with Anomali, the time line for 
their members to gain access and start contributing is extremely short. 
ISACs and ISAOs are provided with their own instance of the solution 
and the members are automatically added to the platform. They simply 
login to begin collaborating rather than waiting to deploy technology 
in their own environment. We also work with the ISACs and ISAOs to 
provide member outreach and deliver training so companies feel 
comfortable with the solution. There is data already present in their 
instance from open source and the ISAC which provides immediate value 
to the analyst. The AIS program would benefit from continuing to 
partner with third-party organizations like ISACs and ISAOs and security 
vendors like Anomali to streamline the process to gain access to AIS.
    Analysts collect and produce cyber threat intelligence as part of 
their daily workflow. In the Anomali platform, analysts simply check a 
box to automatically share intelligence with their community. They are 
more likely to share because it's integrated with their daily 
workflows, rather than an additional step or technology they must work 
with. The AIS program will benefit from outreach by DHS to the security 
industry to further integrate sharing with the technologies that 
analysts use every day.
    Analysts on the Anomali platform have a variety of options to 
contribute that range from providing net new intelligence to enriching 
existing intelligence. Analysts benefit from the diversity in sharing 
mechanisms because they can participate at the level they feel 
comfortable. Not all organizations produce net new intelligence and 
allowing analysts to enrich existing intelligence with data like 
sightings on their network or associations to an actor makes sharing 
less intimidating and reduces the level of experience an analyst needs 
to participate. The AIS program can benefit by expanding the types of 
intelligence analysts can share beyond just indicators of compromise.
                        quality of intelligence
    Measuring the quality of cyber intelligence can be incredibly 
difficult because the value will vary based on who the organization is 
and how they use threat intelligence. At Anomali, we work closely with 
our customer base to more intimately understand what factors impact the 
quality of intelligence they are leveraging. Ultimately, when 
discussing the quality of intelligence, organizations want relevant 
intelligence. They want to understand out of the millions of indicators 
that are available, which ones need their attention. Relevant 
intelligence is extremely powerful because it helps drive response and 
reduce time wasted on low-priority information.
    Think of cyber intelligence like a weather report. If I told you it 
was going to be 65 degrees, would you wear a jacket? Before you made 
your decision, you would want to know contextual details like where did 
I get the report from, has my source been accurate in the past, and 
when and where it was going to be that temperature. If I am a trusted 
source, you may just take my word for it because I know what makes the 
report relevant to you. If I knew that it is going to be 65 degrees, I 
would wear a t-shirt and shorts. If you are like my college roommate from 
California, it's time for the down jacket.
    Like the weather example, organizations derive relevance from 
context about intelligence and the organization's own requirements to 
make decisions. The more context they have about shared intelligence, 
the easier it becomes to determine if it's relevant and select a course 
of action. In the Anomali platform we enrich threat intelligence with 
the contextual data and provide the tools that organizations need to 
easily identify relevant intelligence. Our data model has defined 
threat intelligence objects supported by flexible fields that allows 
organizations to capture and store additional types of contextual data.
    Today, AIS information has limited context which impacts the 
private sector's ability to determine relevance and determine the 
appropriate course of action. Organizations look at factors like the 
source, confidence level, impact type, timeliness, and sightings among 
other factors to determine relevance. The next iteration of AIS 
supports STIX 2.0 which expands the AIS schema to allow for more 
context which will improve the quality of the AIS data.
                               conclusion
    When I first started at Anomali, people often asked how we forced 
people to share intelligence. People assumed that when we talked about 
sharing, we had to be forcing people because no one would choose to share 
unless they had to. Our approach wasn't to force people to share, but 
to create an environment where sharing was easy and organizations 
received value.
    The AIS program has come a long way since its inception and as the 
barriers to entry are reduced, more organizations will participate and 
increase the quality of the data provided.

    Mr. Ratcliffe. Thank you, Ms. Cagliostro.
    Mr. Mayer, you are recognized for 5 minutes.

    STATEMENT OF ROBERT H. MAYER, SENIOR VICE PRESIDENT FOR 
             CYBERSECURITY, US TELECOM ASSOCIATION

    Mr. Mayer. Chairman Ratcliffe, Ranking Member Langevin, and 
Members of the subcommittee, thank you for the opportunity to 
appear before you today for this important hearing.
    My name is Robert Mayer, and I serve as senior vice 
president for cybersecurity at USTelecom. I also serve as chair 
of the Communications Sector Coordinating Council, which 
represents the broadcast, cable, satellite, wireless, and 
wireline segments of the communications industry. The CSCC is 
one of 16 critical infrastructure sectors operating through the 
Department of Homeland Security's Critical Infrastructure 
Partnership Advisory Council.
    Today the wide variety and large volume of cyber threat 
information sources, along with the growing number of 
information-sharing venues, presents both opportunities and 
challenges in creating real value to information sharing.
    Since the passage of the Cybersecurity Information Sharing 
Act of 2015, much has been done to reduce obstacles to sharing 
and to facilitate enabling mechanisms and venues. The 
communications sector works on multiple fronts to share cyber 
threat information. In my written testimony, I note that for 
more than 35 years, dating back to the Cold War era, the U.S. 
Government has worked in operational partnership with the 
communications sector to better assure the reliability, 
availability, and resiliency of our networks.
    The relationship between the communications sector and the 
DHS National Coordinating Center for Communication stands alone 
among critical infrastructure information-sharing partnerships 
in both depth and length of partnership.
    Jointly, the relationship between the Communications Sector 
Information Sharing and Analysis Center, the Comm-ISAC, with 
over 65 participating private-sector companies, and the NCC, is 
one that many sectors are attempting to replicate.
    Five of the largest domestic network service providers have 
representatives embedded within the NCC and through the NCC 
work on the floor of the National Cybersecurity Communications 
Integration Center, or NCCIC, as it is known.
    Many more formal and informal structured and unstructured 
venues are described in the March 2017 FCC CSRIC report 
referenced in my testimony.
    As a practical matter, companies will participate in 
information-sharing activities to the extent that they perceive 
the benefits outweigh or at least match the costs. Any 
information-sharing venue and mechanism that does not provide 
contextualized, timely, accurate, and actionable information 
that improves the provider's security posture will not meet the 
test.
    The CSRIC report found that a critical organizational 
challenge facing our sector is the wide variety of private, 
public, public-to-private, and international activities devoted 
to cyber information sharing.
    Many organizations, especially smaller service providers, 
are unfamiliar with the breadth and depth of information-
sharing entities or lack the resources to commit to these 
enterprises. These organizations are in most cases unable to 
devote scarce resources to time-consuming efforts to filter 
numerous sources of threat intelligence, validate what is 
applicable, and then set implementation priorities.
    While there are no easy solutions for these companies, 
trade associations, like USTelecom, and the 13 other sector 
trade associations that are also members of the CSCC provide a 
critical link to information resources that can enhance their 
security posture.
    For many of the larger service providers, the distribution 
of Classified information from the Federal Government is an 
essential element of their overall risk-management 
capabilities, and this can impact the quality of information 
shared between private parties and within organizations.
    We continue to request Classified information when 
available, and we also ask that those pieces be downgraded as 
much as possible so that dissemination to the practitioners in 
the field can take place quickly.
    With respect to the DHS AIS portal, there is still 
important work that needs to be done to increase the value 
proposition for companies within our sector. Most of the 
concerns with AIS relate to the quality and usability of the 
information for the particular needs of an ISP and its 
enterprise. While the information distributed via AIS may be 
helpful to certain entities, the value proposition remains 
elusive for companies with more mature, sophisticated 
cybersecurity programs.
    To make cyber threat information sharing more viable and 
valuable, we encourage the Government to look across various 
information-sharing programs and analyze whether they are 
functioning as intended, meeting the needs of their target 
audiences, and identify gaps that need to be filled. Doing this 
will ultimately result in higher quality, contextualized, and 
more timely information being shared.
    The good news is that DHS is aware of the current 
limitations and is committed publicly to a multi-year effort to 
enhance the automated machine-to-machine sharing capabilities. 
DHS is to be applauded for its on-going and accelerating 
outreach efforts to engage industry and to increase the value 
of their information-sharing programs.
    We remain committed to bringing all available industry 
resources to bear in this vital area, and I look forward to 
answering any of your questions. Thank you.
    [The prepared statement of Mr. Mayer follows:]
                 Prepared Statement of Robert H. Mayer
                           November 15, 2017
    Chairman Ratcliffe, Ranking Member Richmond, and distinguished 
Members of the subcommittee, thank you for giving the communications 
sector and me personally the opportunity to appear before you today for 
this important hearing on maximizing the value of cyber threat 
information sharing.
    My name is Robert Mayer, and I serve as senior vice president 
cybersecurity at USTelecom which represents companies ranging from some 
of the smallest rural broadband providers to some of the largest 
companies in the U.S. economy. I also serve as chair of the 
Communications Sector Coordinating Council (CSCC) which represents the 
broadcast, cable, satellite, wireless, and wireline segments of the 
communications industry.\1\ The CSCC is one of the 16 critical 
infrastructure sectors under the Critical Infrastructure Partnership 
Advisory Council (CIPAC) through which the Department of Homeland 
Security (DHS) facilitates physical and cyber coordination and planning 
activities among the private sector and Federal, State, local, 
territorial, and Tribal governments.
---------------------------------------------------------------------------
    \1\ Communications Sector Coordinating Council, https://www.comms-scc.org.
---------------------------------------------------------------------------
    I want to thank the Members of this subcommittee for emphasizing 
the concept of value in the context of information sharing. Of course, 
we endeavor to share cyber threat information not for information 
sharing's sake, but for the purpose of adding value to our operational 
and strategic cyber preparedness and defense efforts.
    Today, the wide variety and large volume of cyber threat 
information sources, along with the growing number of information-
sharing venues, presents both opportunities and challenges in creating 
real value to information sharing. Since the passage of the 
Cybersecurity Information Sharing Act of 2015,\2\ much has been done to 
reduce obstacles to sharing and to facilitate enabling mechanisms and 
venues. Still, this law is just the statutory foundation that will 
enable the actual sharing processes that need to be implemented; 
getting the right information to the right people at the right time 
with the appropriate privacy and security safeguards. This massive 
effort requires constant innovation, on-going evaluation and 
disciplined resource allocation. Below I briefly outline the work of 
our sector in this area, some on-going challenges, and the important 
role of the DHS as a facilitator of cybersecurity information sharing.
---------------------------------------------------------------------------
    \2\ Cybersecurity Information Sharing Act of 2015, https://www.Congress.gov/bill/114th-congress/senate-bill/754.
---------------------------------------------------------------------------
    The Communications Sector works on multiple fronts to share cyber 
threat information, and individual companies use a variety of 
information-sharing platforms and services to achieve their objectives. 
From a sector perspective, two of the most prominent and robust 
information-sharing venues operate in partnership with DHS.
    First, the relationship between the Communications Sector and the 
DHS National Coordinating Center for Communications (NCC)\3\ stands 
alone among critical infrastructure information-sharing partnerships in 
both depth and length of partnership. Jointly, the relationship between 
the Communications Sector Information Sharing and Analysis Center 
(Comm-ISAC) and the NCC is one that many sectors are attempting to 
replicate. For more than 35 years, dating back to Cold War era 
existential concerns about telecommunications reliability and disaster 
recovery, the U.S. Government has worked in operational partnership 
with leaders of the communications sector to better assure the 
reliability, availability, and resiliency of our networks. DHS NCC 
provides our industry with 24/7 on-site watch desk functions, helps 
coordinate the communications sector for preparedness and response to 
both physical and cyber events, and acts as the information exchange 
portal to Government for us, and likewise as Government's portal to the 
Communications Sector. The Comm-ISAC includes over 65 private-sector 
companies that convene weekly, and on an as-needed basis, to share 
information about events and threats that have or could have adverse 
impacts on network service providers and their customers.
---------------------------------------------------------------------------
    \3\ National Coordinating Center for Communications, Department of 
Homeland Security, https://www.dhs.gov/national-coordinating-center-communications.
---------------------------------------------------------------------------
    Second, aligned with NCC activities is the Network Security 
Information Exchange (NSIE) which meets every 2 months and is comprised 
of companies that support DHS's and the Communications Sector's 
National security mission.\4\ During these sessions, analysts and 
security managers discuss threats and other issues that directly 
implicate the reliability, resiliency, and integrity of the 
communications environment. Five of the largest domestic network 
service providers have representatives embedded within the NCC and are 
on-call to respond to Government inquiries related to infrastructure-
impacting events of either a cyber or physical nature. Since the NCC is 
one of three operational components along with US-CERT and the ICS-CERT 
on the National Cybersecurity and Communications Integration Center 
(NCCIC) floor, these same individuals are embedded within the NCCIC.
---------------------------------------------------------------------------
    \4\ Network Security Information Exchanges, Department of Homeland 
Security, https://www.dhs.gov/sites/default/files/publications/
NSTAC_08_0.pdf.
---------------------------------------------------------------------------
    The NCCIC is a 24/7 cyber situational awareness, incident response, 
and management center and operates as the principal Federal civilian 
interface for multi-directional and cross-sector information sharing. 
Through the auspices of the NCCIC, and more broadly the DHS Office of 
Cybersecurity & Communications, communications sector companies 
currently work with the DHS Automated Information Sharing (AIS) portal 
using the STIX/TAXII protocols, which is designed to facilitate real-
time sharing of cyber threat indicators.\5\ Many of the largest 
providers are working through the AIS portal, as well as other related 
venues, to improve and increase the effectiveness and efficiency of 
automated sharing for more end-users. Also under the NCCIC, member 
companies participate in the Cyber Information Sharing and 
Collaboration Program (CISCP) which provides a collaborative and 
trusted environment in which analysts from multiple sectors learn from 
each other to better understand and address emerging cybersecurity 
risks.\6\
---------------------------------------------------------------------------
    \5\ Automated Indicator Sharing (AIS), Department of Homeland 
Security, https://www.us-cert.gov/ais.
    \6\ Cyber Information Sharing and Collaboration Program (CISCP), 
Department of Homeland Security, https://www.dhs.gov/ciscp.
---------------------------------------------------------------------------
    Many more formal and informal venues and sharing mechanisms are 
described in the March 2017 report on Cybersecurity Information Sharing 
from the Federal Communications Commission's Communications Security, 
Reliability, and Interoperability Council (CSRIC) Working Group 5 
(CSRIC report).\7\ I now wish to touch on some significant findings in 
that report, as well as general observations about current information-
sharing venues and platforms.
---------------------------------------------------------------------------
    \7\ CSRIC Working Group 5--Final Report, Federal Communications 
Commission, https://www.fcc.gov/files/csric5-wg5-finalreport031517pdf.
---------------------------------------------------------------------------
    First, as a practical matter and returning to the question of value 
that is the focus of this hearing, companies will participate in 
information-sharing activities to the extent that they perceive the 
benefits outweigh, or at least match, the costs. Given the pressures on 
providers to ensure the confidentiality, integrity, and availability of 
their communications networks and systems, any information-sharing 
venue or mechanism that does not produce contextualized, timely, 
accurate, and actionable information that improves providers' security 
posture will not meet that test of value.
    More broadly, the CSRIC report found that a critical organizational 
challenge facing the communications sector is the wide variety of 
private, public, public-to-private, and international activities 
devoted to cyber threat information sharing.\8\ Many organizations, 
especially smaller service providers, are unfamiliar with the breadth 
and depth of information-sharing entities or lack the resources to 
commit to these enterprises. The rapid expansion of information-sharing 
venues such as the Information Sharing and Analysis Organizations 
(ISAOs) called for under the 2015 Executive Order ``Promoting Private 
Sector Cybersecurity Information Sharing'' threatens to dilute 
resources and expertise through redundant or conflicting activities and 
objectives.\9\
---------------------------------------------------------------------------
    \8\ Id. at 13.
    \9\ Executive Order--Promoting Private Sector Cybersecurity 
Information Sharing, The White House--President Barack Obama, https://
obamawhitehouse.archives.gov/the-press-office/2015/02/13/executive-
order-promoting-private-sector-cybersecurity-information-shari.
---------------------------------------------------------------------------
    For many of the larger service providers, the distribution of 
Classified information from the Federal Government is an essential 
element of their overall risk management capabilities and this can 
impact the quality of information shared between private parties and 
within organizations. Having access to contextualized and actionable 
Classified information is highly valuable. Similarly, not having access 
to such contextual information is detrimental to operations, but so is 
being unable to share some, or most, of the information with non-
cleared colleagues. We continue to request Classified information, when 
available, and we also ask that those pieces be downgraded as much as 
possible so that dissemination to the practitioners in the sector can 
take place quickly.
    With respect to the DHS AIS portal, there is still important work 
that needs to be done to increase the value proposition for companies 
within our sector. Most of the concerns with AIS relate to the quality 
and usability of the information for the particular needs of an ISP and 
its enterprise. AIS is, and was intended to be, a platform for broad, 
cross-sector sharing that has resulted in information being downgraded 
or simplified to be appropriate for all participating entities. While 
the information distributed via AIS may be helpful to certain entities, 
the value proposition remains elusive for companies with more mature, 
sophisticated cybersecurity programs.
    To make cyber threat information sharing more viable and valuable, 
we encourage the Government to look across the various information-
sharing programs such as AIS and CISCP and analyze whether they are 
functioning as intended, meeting the needs of their target audiences 
and identify gaps that need to be filled. For example, the Government 
needs to take the next step and determine whether there are more 
effective ways to share information with companies who have more mature 
programs, and specifically those who have been described as ``ICT 
enablers''--i.e., the ICT companies that provide key services that 
enable the cyber ecosystem. Doing so will ultimately result in better 
and more timely information being shared.
    I want to be clear that in highlighting current challenges we are 
working on with Government, I do not mean to suggest that there is not 
currently valuable information sharing underway. A Comm-ISAC member 
receives more than one dozen alerts a day through the NCC from NCCIC, 
US-CERT, ICS-CERT, ISACs, and joint law enforcement bulletins, and one 
company reports that it can trace the addition of 2,800 unique 
indicators in the past 10 months from the various DHS sources.
    The good news is that DHS is aware of the current limitations and 
appears to be committed to a multi-year effort to enhance the automated 
machine-to-machine sharing capabilities. Our industry is committed to 
this program as evidenced by broad sector participation in a pilot 
managed by CTIA.\10\ That program is about to be operationalized after 
testing new adaptations of the sharing platform to conform to 
communications sector operating environments.
---------------------------------------------------------------------------
    \10\ Protecting America's Wireless Networks, CTIA, https://
www.ctia.org/docs/default-source/default-document-library/protecting-
americas-wireless-networks.pdf at 9.
---------------------------------------------------------------------------
    Finally, I want to draw attention to the hundreds of smaller 
companies in our sector who face a different set of challenges due 
largely to their limited financial resources, technical skill-sets, and 
operational priorities. These organizations are in most cases unable to 
devote scarce resources to time-consuming efforts to filter numerous 
sources of threat intelligence, validate what is applicable, and then 
set implementation priorities. In many instances, they are unaware of 
information-sharing venues, especially those venues that are operated 
by the private sector and accessed via exclusive invitation. While 
there are no easy solutions for these companies, trade associations 
like USTelecom and multiple other associations that comprise the CSCC 
are providing a critical link to information resources that can enhance 
their security posture.
    Despite these and other challenges, and the risk of oversaturating 
the information-sharing space with low-value activity, I do want to 
emphasize that without effective information sharing we have no hope of 
combatting emerging threats to our National and economic security. DHS 
is to be applauded for its on-going efforts to engage industry and to 
increase the value of their information-sharing programs. We remain 
committed to bringing all available industry resources to bear in this 
vital area, and I look forward to answering any of your questions.

    Mr. Ratcliffe. Thank you, Mr. Mayer.
    Thanks again to all of our witnesses for your testimony 
today.
    I now recognize myself for 5 minutes for questions.
    Ms. Barron-Dicamillo, I want to start with you, because 
you've got sort of unique experience, extensive experience with 
US-CERT at DHS. Now in the private sector at American Express 
you have the opportunity to be part of what I think is the gold 
standard organization with respect to information sharing on 
the private side, the FS-ISAC.
    We can talk about legislation all day, but the one thing 
that we can't legislate is confidence. So from your 
perspective, what are the one or two or three things that you 
would recommend that DHS do or do better, perhaps, to build 
confidence in the private sector in both the validity and the 
credibility of cyber threat information that's being shared?
    Ms. Barron-Dicamillo. So getting back to some of the 
comments I made in my opening remarks, I think DHS, a lot of 
times they're not the original source associated with 
information that they're sharing. So creating those closer 
partnerships with the community in which they're receiving 
information from, some of it comes from vendors and some of it 
comes from other Government partners.
    In doing that, they need to ensure that the message is 
being carried that methods and sourcing of the--the source of 
attribution, those aren't important actions for the community 
to implement within their network.
    Really, breaking apart those two things is a focus there, 
being that--continuing to communicate with their Government 
partners on the importance of that so that they can create 
those trusted relationships with private industry.
    I think, from my perspective, the confidence is going to 
come based on the value of the indicators that they share. When 
those indicators are proved to be unique and different from 
what we receive from other sources, that increases the 
confidence that they will get from the larger private industry 
community.
    Mr. Ratcliffe. Terrific. Thanks very much.
    Mr. Knake, before I came to Congress, my colleague Mr. 
Langevin worked on prior iterations of a bill we were able to 
successfully get across the finish line in December 2015, the 
Cybersecurity Act of 2015.
    From your perspective, has the passage of that legislation 
affected the flow of cyber threat information? Have you seen it 
change? Has the threat landscape that companies and the 
Government face, has that changed or been affected by our 
legislation?
    Mr. Knake. Mr. Chairman, in my view, what's happened is 
that we've taken away the excuses for not sharing information, 
but the reality is many companies still want to find an excuse 
not to share. So you can no longer say: ``Oh, we're worried 
about anti-trust issues, we're worried the FTC is going to come 
after us, DOJ is going to come after us.''
    The reality is that for those companies that had those 
fears before the legislation, the legislation didn't remove 
that as a barrier in their minds.
    So I do think there's a small element of needing to educate 
general counsels at large corporations on this issue. I spend a 
lot of time working with leaders in the community, encouraging 
them to push back when they are told by their lawyers that they 
cannot share.
    But in my view the real issue isn't the barriers to 
information sharing, it's the incentives for information 
sharing. You really need to find ways, we need to find ways as 
a community to encourage companies to want to share, right?
    They want to receive indicators all day long, but taking 
the act of extracting an indicator from their network and 
pushing it out to DHS is sometimes not worth the effort. In 
their minds, it does nothing to protect them. That I think is 
the main reason we haven't seen a flourishing of information 
sharing.
    Mr. Ratcliffe. So do you have any suggestions for how we 
further encourage that?
    Mr. Knake. I mean, I think the basic one I think would be 
to encourage it ahead of time, before an incident happens. So 
this is where I look to insurance as a possible incentive. If 
Government were to provide a backstop to cyber insurance, that 
in exchange for lower premiums you obligated your company to 
participate in this kind of information sharing, that I think 
is the kind of incentive that we need now to encourage 
information sharing.
    If you said, we have to do this because we're getting a 
lower rate, sort of like Progressive on your car insurance, 
right, under that model, I think we could incentivize more 
information sharing.
    Mr. Ratcliffe. Thanks very much.
    Ms. Cagliostro, very quickly. Last week, in a report from 
the Office of Inspector General on DHS's implementation of the 
Cybersecurity Act of 2015 it was recommended that in order to 
achieve their mission DHS should obtain, ``the tools and 
technologies needed to provide a cross-domain solution for 
sharing and processing cyber threat information between the 
Classified and Unclassified repositories.''
    As DHS evaluates potential solutions for this, what are 
your thoughts about the criteria for success for what those 
tools can be?
    Ms. Cagliostro. Sure. So when you talk about cyber 
intelligence, it's a little bit different than traditional 
human intelligence. In order to go and get access to human 
intelligence, you have to put resources in country, language. 
There's a tremendous time and effort resource commitment there.
    For cyber threat intelligence, it's a little bit different, 
because essentially I can deploy technologies and start 
collecting cyber intelligence, and there's a very low barrier 
to entry. That's why I think for when you're thinking about 
cross-domain and bringing intelligence both up and down in both 
directions, it's important to know at both levels where 
intelligence is located.
    So on the Classified side, for example, if it's already out 
there in the public domain, then why is it still Classified? 
Why is that indicator still Classified? The association to an 
actor, how we discovered it, that might be sensitive, but the 
indicator itself shouldn't be.
    So I think when you're thinking about tools and 
technologies, one of the big first steps should be aggregating 
the publicly available information, so that way we can more 
effectively and more quickly declassify tools.
    Then the second piece becomes it needs to be a machine-to-
machine process. My background's the Department of Defense. 
There's a number of ways to handle cross-domain. Some of it is 
very manual; some of it is automatic. I think it needs to be 
something that is a machine process. It shouldn't be someone 
once a day logging in to download files and copy them over.
    Mr. Ratcliffe. Terrific. Very much appreciate the 
responses.
    The Chair now recognizes the gentleman from Rhode Island, 
Mr. Langevin.
    Mr. Langevin. Thank you, Mr. Chairman.
    Again, I want to thank all of our witnesses for your 
testimony today and the work you're doing on this topic.
    So if I could, I'd start with Ms. Barron-Dicamillo.
    Thank you again for your work at US-CERT and, again, for 
your testimony here and for, again, your previous Government 
service.
    So it's clear that you've greatly contributed to advancing 
the cybersecurity of our Nation and that you appreciate the 
value of information sharing. However, I would just mention 
that in your testimony you state that American Express has not 
participated in the AIS program due to limited adoption and 
early challenges in demonstrating its full potential value, and 
that you engage in outbound sharing primarily with the FS-ISAC 
and other financial institution partners.
    So while I recognize that we can do more as a Government to 
increase the quality of the data that we share, the value of 
information sharing itself is predicated on all parties 
actively participating. We need major corporations like 
American Express to be involved.
    So what is your plan for joining this program and 
contributing the insights that you gain on a daily basis in 
defending your networks?
    Ms. Barron-Dicamillo. So through FS-ISAC, we actually 
participate in the AIS program. We're not a direct participant, 
but we get the--we share information through FS-ISAC, so we are 
outbound sharing that information, which is also shared back 
from FS-ISAC into the AIS community. Then AIS shares it through 
FS-ISAC back to financial institutions like us. So we do 
benefit from it through that relationship we have with FS-ISAC.
    The reason why we haven't joined specifically is associated 
with the CRADA agreement that you must sign when you join these 
programs at Homeland Security. In doing so, it precludes us 
from bringing on any additional cleared individuals within 
American Express, because you have to go through a private 
industry--or you have to go through the DOD private industry 
clearance process. When you have a CRADA agreement with DHS, 
you are forced through the facility clearance process versus 
the DOD clearance process for individuals.
    So we are not interested in creating infrastructure through 
the facility clearance process, and that's primarily the reason 
why we don't have the direct CRADA agreement with Homeland 
Security for CISCP or AIS.
    Mr. Langevin. So is that something that--a policy change 
between the company and DHS that needs to change?
    Ms. Barron-Dicamillo. It's probably a policy change between 
Homeland Security and DOD.
    Mr. Langevin. OK. Well, that's something that we can look 
at. Thank you.
    Ms. Barron-Dicamillo. I'm not the only financial 
institution that has that perspective. It would preclude any 
other critical infrastructure participant from engaging in 
those programs when they sign the CRADA, or engage in getting 
additional cleared individuals through the clearance process 
when they sign that CRADA.
    Mr. Langevin. OK. Thank you very much for that insight.
    So I thank the Chairman for the question that he asked, the 
second question, really what's changed. He asked Mr. Knake. So 
I'd like to give the opportunity to you, Ms. Barron-Dicamillo 
and Mr. Mayer.
    The Cybersecurity Act of 2015, again, made substantial 
changes to the legal authorities regarding cyber threat 
indicator sharing. So what are your organizations or, for you 
and Mr. Mayer, your member companies doing differently today 
thanks to those authorities and liability protections?
    I guess as a follow-up I could say, were any of those 
actions impermissible before the law and what changed the 
calculus in your organization?
    Mr. Mayer. Thank you, Congressman.
    I do think that the act had some significant benefits. I 
mean, if nothing else, it created awareness on the part of our 
member companies that information sharing was something that 
was available, and it took care of some of the liability 
concerns we had about sharing threat indicators.
    I would put it in the category of saying that the act was 
necessary, but it's not necessarily sufficient to incentivize 
all companies to participate.
    I think for our members who are more mature who have the 
resources around cybersecurity, for them a lot of the 
information they get from private sources, as well as their 
ability to track global network flows and do their own analysis 
around anomalies and things like that, it's faster, it's 
contextualized. It limits the incentive to participate in some 
of the information-sharing venues that currently exist.
    Having said that, I would say that there's no shortage of 
information-sharing activities that are underway in our sector. 
We have identified informal, formal, structured, and 
unstructured venues where information sharing is currently 
taking place. It's a very active community.
    Mr. Langevin. But I just want to know, really, what's 
changed? What more specific things have changed since the act 
was passed?
    Mr. Mayer. Well, I think people have become more aware of 
the need to share information, and there's a greater 
willingness to do that. I think what I see is that the 
information-sharing venues that exist are more robust today.
    Our association, for example, has recently created an 
information-sharing mechanism for small and mid-size 
businesses. What we've heard from them is they don't have the 
resources to participate in all of the information-sharing 
venues. They appreciate a central association helping them in 
terms of setting priorities and where to look for information.
    But we have to go by--we have to understand that each 
company is going to make their own determination about the 
value of participating in information sharing. There's no one-
size-fits-all here.
    So the answer to your question is, directionally, we've 
made progress in information sharing. I don't know how to tell 
you that it's correlated directly to the Information Sharing 
Act.
    Mr. Langevin. OK. Thank you, Mr. Mayer.
    Ms. Barron-Dicamillo.
    Ms. Barron-Dicamillo. I concur with the comments from Mr. 
Mayer. I think we've seen increased visibility associated with 
information-sharing organizations. There's been an increased 
participation beyond just the ISACs, so all different types of 
communities being able to engage in this, and those communities 
then engaging back with the Government.
    So the increased visibility across industry from the 
passage of CISA and I think the aspect of liability protection 
has also encouraged many to engage in ISAOs, ISACs, and others, 
which is that bridge toward information sharing with the 
Government.
    Mr. Langevin. Thank you very much. I yield back.
    Mr. Ratcliffe. I thank the gentleman.
    The Chair now recognizes the gentleman from New York, Mr. 
Donovan.
    Mr. Donovan. Thank you, Mr. Chairman.
    I preface this with all of our cyber hearings by you're 
talking to a guy whose VCR still blinks 12. So you have to 
speak to me in layman's terms.
    I guess the Chairman's goal here is to find out incentives 
for information sharing. I guess the first thing you have to 
look at is, like, what's the disincentives?
    So maybe all of you could just explain to me what the 
disincentives are. As a layperson, I would think that maybe you 
wouldn't want your competitors to know of your vulnerabilities. 
Maybe there's a fiduciary duty with your clients that if your 
data is vulnerable that that might be a disincentive of 
alerting the world that there's vulnerabilities in the system.
    So maybe you just could explain to me what the 
disincentives are for information sharing or exposures or 
attempts of attacks for each of you, and then maybe we could 
talk about the incentives.
    Your National Transportation Safety Board, for somebody who 
is not as familiar as you are, sounds like a wonderful idea. 
But maybe we could talk about the disincentives first. Can you 
explain to me a little bit about that and then we can figure 
out how to give incentives for people to do it?
    Mr. Knake. Thank you, Congressman.
    I would break the disincentives up into two categories. One 
would be reputational risk. If I'm saying, we've been targeted, 
somebody's penetrated through our network, they're inside, we 
found them there, here are the indicators that you can use to 
see if they're inside your network, that can introduce 
reputational risk. That could cause problems for stock. That 
could cause problems with regulators.
    The protections that were put in place I think address many 
of those concerns, to the extent they can be addressed through 
legislation, but there are things that are outside the control 
of that legislation.
    The other factor I would say is the work factor. If I'm as 
an organization going to share information with another 
organization, that's going to require me to do work. That's 
going to require me to take staff and give them the 
responsibility of sharing the information that other companies 
want. If I'm in the situation in which my network has been 
compromised, the last thing I'm thinking about is her network.
    So I think that those are the two things that keep 
companies from sharing information.
    Ms. Barron-Dicamillo. I concur with Rob's remarks. I 
definitely agree that reputational risk associated with 
information sharing is paramount. It's in the front of your 
mind when you're doing this. A lot of times you're ensuring 
that the source of information is not to be attributed.
    We leverage the traffic light protocol so that we can, as 
we're sharing information, we can tell the recipient, is this 
something that you can share publicly, or is this something you 
can share within your community, or is this something that is 
only between me and you as an individual.
    That's been really helpful for addressing the reputational 
risk associated with that. Then you understand where that 
information is going to go on the other side.
    Again, that is through a trusted relationship. So you have 
to have a trusted community in which you can share that 
information that adheres to those stipulations associated with 
the TLP.
    Then I definitely agree with the overhead to sharing. You 
have to have a robust program in place, because as you share 
information, you're going to get questions back. You want to 
make sure you have the resources to provide that potential 
context that might be needed for their individual environment.
    So there's definitely going to be--you're going to have to 
have the maturity within your organization to be able to--the 
resources to be able to share that information in a way that it 
doesn't cause them more work on the other end, and then trying 
to figure out how to implement things, which can sometimes 
happen and cause, you know, the lack of sharing.
    Mr. Donovan. Ms. Cagliostro.
    Ms. Cagliostro. I think there's two big reasons why people 
aren't sharing. I think the first is, is this kind of lack of 
expertise, especially in the small and mid-size market, where 
they don't feel comfortable. Maybe they don't know if something 
is going to be relevant to everyone else. There's insecurity, 
and you don't want to be the organization that's sharing 
irrelevant intelligence.
    When you think about some of the large organizations, they 
have full threat intelligence teams, they're producing 
intelligence, and so there's a lot more that they can share.
    For an organization that's a small or medium business, it 
might be as simple as they've seen this on their network.
    That can be useful information to other organizations as 
well. If you're in the financial services vertical and a ton of 
small banks are seeing a--you know, they're all seeing the same 
indicator, they don't need to share net new intelligence, but 
telling the other banks that they're seeing that is useful 
information.
    I also think that it's got to be really easy for people to 
share. We talk all the time about how often we don't have 
enough resource in cybersecurity and analysts are overburdened. 
No one in cybersecurity says, ``Man, I have way too much free 
time, I wish I had more things to do.''
    So when we think about sharing, it has to be something that 
is really easy for them. Like for Amex, for example, they're 
part of FS-ISAC. They're already sharing with organizations. 
What do they need to do? Why should they share with the 
Government? Why should they add this additional step in their 
processes?
    So I think when we're talking about how we can improve for 
AIS in particular and incentivize sharing, I think the first is 
to make it easy for people to do. They shouldn't have to stand 
up additional technology. They shouldn't have to go--it 
shouldn't be a separate workflow for them. It should be part of 
what they're doing already.
    I think the other side is that what's unique about the 
Government is that you have unprecedented visibility and 
unprecedented--unmatched visibility, rather. If I'm explaining 
to my executive why I'm sharing, they want to know, ``What's 
the justification, what's the benefit that I get from this?''
    If they could say, ``Well, I'm getting something that I 
can't get anywhere else, only the Government has it,'' I think 
that's something that's powerful. That's something where 
there's an immediate reason of, ``Oh, OK, well, you're giving 
me visibility that I have no other mechanism to get, please 
keep sharing with them, I would like this to continue.''
    Those, I think, are the primary ways we can improve it.
    Mr. Donovan. Thank you.
    Mr. Mayer. Congressman, I would echo the remarks around 
small and medium business. I think all of the issues that were 
raised there are, in fact, the case with our sector.
    What I would say is, in the case of the network service 
providers, especially from a critical infrastructure 
perspective, there's absolutely no disincentive to share, in 
fact just the opposite. There's a tremendous incentive to 
share.
    It's very common. First of all, we have formal venues where 
on a weekly basis the network service providers convene and 
talk about what's going on on the networks and what they're 
seeing. On a quarterly basis, the chief information security 
officers of the largest internet service providers meet to talk 
about what's happening in the environment globally and what 
they're doing to mitigate those risks.
    Importantly, when events arise, you immediately see the 
sector rallying to respond to those events. So, for example, in 
October 2016 when the Dyn attack occurred, our members, through 
the Comm-ISAC, immediately convened and were ready to respond 
in any way that was requested. We coordinated that activity 
through the National Coordinating Center.
    So the nature of the networks and their interdependencies 
and interconnection mitigates, I think, against any interest in 
not sharing information that impacts the network.
    This has been going on for quite a while. It's quite 
sophisticated. It's often, you know, private and behind the 
scenes. It does involve Government when necessary.
    So I think that it's a very effective mechanism, and we 
learn from our experiences with each event and it's gotten more 
refined.
    Mr. Donovan. Great. I thank you. All my time has expired, 
Mr. Chairman.
    Mr. Ratcliffe. I thank the gentleman.
    The Chair now recognizes the gentlelady from Texas, Ms. 
Jackson Lee, for 5 minutes.
    Ms. Jackson Lee. Thank you, Mr. Chairman, and to the 
Ranking Member.
    I would like to, before I start, take a moment of personal 
privilege to acknowledge the Texas National Guard and their 
leadership development class program. So if they would stand.
    We appreciate your presence here today.
    I want to applaud them for all the work that they did 
during Hurricane Harvey. You have at least two Texans in the 
room, I believe, with the Chairman.
    So we are greatly appreciative. As soon as I finish my 
questioning, I look forward to chatting with you. Thank you all 
very much.
    Mr. Ratcliffe. Thank you. I'm sure I can safely say that 
all Texans thank you for your efforts in those regards.
    The gentlelady is recognized.
    Ms. Jackson Lee. I thank you. It looks like the clock has 
run, but I thank the Chairman for his indulgence.
    Let me just read a statement that I thought was 
particularly potent and I think all of us can reflect over.
    Over the past year Russian actors targeted U.S. election 
infrastructure. Of course, they are not my words, but words 
from the intelligence community and particularly the Office of 
Director of National Intelligence.
    Hackers escalated efforts to breach the domestic energy 
sector and WannaCry and NotPetya ransomware wreaked havoc on 
public and private infrastructure around the world. According 
to Symantec, the world of cyber espionage experienced a notable 
shift toward more overt activity designed to destabilize and 
disrupt targeted organizations and countries.
    Let me also acknowledge that the NPPD Office of 
Cybersecurity and Communications, specifically the National 
Cybersecurity and Communications Integration Center, carries 
out the bulk of our DHS responsibilities relating to 
facilitating the sharing of cyber threat information. It is a 
fixture that we have in place.
    Although DHS is authorized to deploy a range of tools, 
resources, and programs to carry out its cyber mission, it has 
limited authority to regulate privately-owned networks and 
cannot require private entities to adopt specific security 
measures, grant access to their systems, or share information.
    So I am applauding and I do think it is important that we 
have this hearing, but I would like to emphasize with the level 
of breach that we experienced that this requires as much a 
concern about the private sector as it requires patriotism and 
the recognition that we must find a common path that gives 
comfort to the layered tech industry but as well protects the 
American people.
    I don't think any of you sitting here, of whom I appreciate 
very much your presence, want to be part of a breached 
electoral system, one that is not reliable, one that does not 
equate to the democratic principles that we are so attuned to.
    So as I pose my questions, I'm hoping that we can find a 
pathway. I am very interested in the thoughts offered that 
suggested that we must make it easy. We should not have to 
stand up new technology which means we don't have to complicate 
it for you. Then, of course, ``what's in it for us?''. That's a 
little difficult for me on the ``what's in it for us?'' because 
I'm not sure I fully understand what would have to be in it for 
us.
    So why don't I go to the witness who indicated that, and 
that would be Ms. Cagliostro.
    What would it mean to say, ``what is in it for us?''
    Ms. Cagliostro. So when I say that, I mean in the context 
of you have to think about the return on investment for 
organizations. In cybersecurity it is an incredibly research--
or, sorry, resource-strapped organization. CISOs are always 
asking for more money. There are very few organizations, I'm 
sure, that have spending decreasing.
    So when we think about information sharing, it is a cost 
like any other process or any other new tool or technique that 
we're going to bring on-line.
    In order for that cost to make sense, we have to empower 
organizations with the answer for the ROI question. Is it that 
we're giving them visibility they don't have? Is it that we're 
helping them to protect organizations that are ultimately 
liabilities to them because they connect to their network?
    So in the example of banks, big banks have connectivity 
into maybe smaller banks' networks. It is beneficial to share 
information with those smaller banks because they expose the 
bigger banks' network to risk.
    So when I say the ``what's in it for me?'', I mean more in 
the context of ROI. I completely agree with you, I think that 
patriotism should play a role in this as well, but I think if 
we really want to see success there we have to help 
organizations answer the ROI question.
    Ms. Jackson Lee. So would it be that the exposure, 
publicity, I guess that part of--I mean, I don't think the 
Government can give monetary value. So what would be the kind 
of exposure that they wouldn't get that would be positive that 
we could be engaged in for them doing information sharing?
    Ms. Cagliostro. I think that the Government has access to 
data, that is the thing that the Government has, and I believe 
the number was 2,200 indicators so far that have been 
declassified and released to industry.
    I think that--so today there's something like 100 million 
indicators. It is in our platform alone. There's a tremendous 
amount of threat data that's available out there.
    I think that the 2,200 number becomes a little bit less the 
large or an imposing number when you think about the context of 
available information. I think what Government can do is by 
accelerating and maybe increasing the level of what they're 
declassifying, then they're answering the question for industry 
and saying, ``Hey, I'm now giving you data that you can't get 
anywhere else.'' There's value here because you can't go to a 
vendor and buy it. You can't go develop it internally.
    Then that's an immediate quick answer that when a CISO or a 
CEO says, ``Why am I sharing with the Government?'' they say, 
because they're giving us visibility that we cannot achieve 
anywhere else and ultimately that's going to benefit our 
protections.
    Ms. Jackson Lee. Let me ask this question that if all of 
you would take a hit.
    I have a third question, Mr. Chairman, and I'll be 
finished.
    In your view, what do companies perceive is the value of 
sharing information with DHS--and you have answered it partly, 
but I would like to hear the other members--recognizing that 
there are issues with the timeliness and usefulness of some 
shared threat data? What features of DHS bulletins, alerts, and 
other products do companies find helpful? As well as what do 
you think is--so the value, and then what do you think the 
biggest challenge is?
    I would like to start with the first witness because I was 
interested in your comments about what would be helpful is 
determining or we should be determining how the cyber incident 
happened and what can we do to protect ourselves.
    I noticed that you said we can't require it, but I'm really 
looking for a way that we don't use the word ``require,'' but 
we have a cohesive relationship that it is beneficial that I'm 
willing to act positively to do it and it will help both 
business and government. So somewhere short of requiring, but 
obviously it has to be mutual benefit, as has been said.
    But the challenges and the value of sharing information.
    Mr. Knake. Yes, ma'am.
    I look at this--I look to the Department of Defense as a 
model on this. What the Defense Cyber Crime Center has done 
with their DIBnet program is they have created the mechanism by 
which companies can share, but they have also created a reason 
to share. It is really because they take a customer service 
approach to their community.
    If you as a DIB company share information with DCCC, they 
will share information that is pertinent back to you and to the 
rest of the community.
    You say, ``We saw this activity on our network,'' they'll 
push that through the intelligence community. They'll come back 
to you and say, ``Oh, that may be related to this, this, and 
this.'' They'll give you mitigation methods, they will do 
malware analysis, and they will push the findings from that 
analysis back to you.
    So I think if you want to get more information coming into 
DHS you need to think not in terms of the volume of overall 
data that you get back by participating, but what do you get 
back specifically related to the information that you share in. 
That would be how you would create a higher volume of 
information coming into Government.
    Ms. Jackson Lee. So it would have to be relevant to the 
particular producer of information sharing?
    Mr. Knake. Yes, ma'am.
    Ms. Jackson Lee. Would that be the gist of it?
    Ms. Barron-Dicamillo.
    Ms. Barron-Dicamillo. Yes, I agree with Rob and the 
challenge. I think I would say it is really to help operators 
institutionalize this information within their environments, 
they need to be able to almost share playbook-type details. So 
that kind of context that, you know, that's going to be 
specific to how I would implement these indicators within my 
environment, which is more than just an IP address or a URL.
    So the playbook-type details that you need to implement 
this is just not available in a lot of the current information-
sharing systems. But the value is definitely inherent in all 
information-sharing programs, and it comes down to one person's 
detection is another person's prevention.
    So between these two, the value and the challenge, 
collectively, the ability to bring those two things together, 
and technology and these information-sharing programs are 
coalescing on those two that we're seeing through the evolution 
of better capabilities, more available systems, and such.
    Ms. Jackson Lee. I don't know if you want to add any more.
    Ms. Cagliostro. Sure. So I want to agree with Ann on what 
she discussed with the context, because what tends to happen is 
that if organizations don't have that additional context, I 
think that's kind-of the easiest step to what I talked about 
with that return on investment. Even if it is not net new 
intelligence, but a course of action or a recommendation, I 
think that can be really helpful, as well.
    Ms. Jackson Lee. Mr. Mayer.
    Mr. Mayer. Congresswoman, thank you.
    I think you alluded to the fact that we're increasingly 
seeing nation-state attacks. That's just the reality of the 
environment right now.
    Ms. Jackson Lee. Yes.
    Mr. Mayer. In light of that, the Government brings very 
unique capabilities, especially within the context of the 
intelligence community, to bring contextual light to what the 
campaign is, who are the targets, what's at risk.
    Recently we have seen, and it is very encouraging, DHS 
invite more communications about providing context around some 
of these activities, advanced persistent threats, as they're 
called.
    The challenge for us, and it is very frustrating as you can 
imagine, is that there are instances where Classified 
information might be shared with people who are cleared, but 
the actionable part requires sharing that information with 
people inside your organizations who might not be cleared. That 
frustration is real and we have to work to resolve that.
    One of the ways we can do that, and DHS has offered to do 
this, is we need to create tear-lines, and we need to bring the 
technical people to the table so they can understand not 
necessarily the attribution, but what does the campaign look 
like, what's the context, who are the targets, what are we 
seeing. That's a two-way street.
    So just like we said we can't legislate confidence, we 
can't legislate trust, but we can start building that trust, 
and I think we are beginning to see that evolve. The question 
is can we ramp it up quickly enough in light of the 
accelerating attacks that we're experiencing.
    Ms. Jackson Lee. Mr. Chairman, I had--this was a third 
question.
    Mr. Ratcliffe. Yes, I'm sorry. The gentlelady's time has 
expired. The gentleman from Virginia has a 4 o'clock 
appointment, and I want to give him an opportunity to ask 
questions.
    Ms. Jackson Lee. Can I just put my question on the record, 
and then I'll yield to this gentleman if I can?
    Mr. Ratcliffe. You can.
    Ms. Jackson Lee. It was to you, Mr. Mayer, because of--and 
I keep thinking of calling you mayor, so I'm trying to find out 
what city you're the mayor of. Mayor of cyber threats.
    But can you think about this? I will see whether or not I'm 
still here after the gentleman speaks. But you were concerned 
that we're learning a lot about--are we learning enough to 
react to the evolving cyber threats?
    Then last, this whole issue of new devices. Are we learning 
enough about new devices? My position is that we need a lot of 
work in that area.
    So thank you for allowing me to put the question on the 
record.
    Mr. Ratcliffe. The gentlelady's time has expired.
    The gentleman from Virginia, Mr. Garrett, is recognized.
    Mr. Garrett. So it is my pleasure. I thank the gentlelady 
from Texas for some really good questions that I think dovetail 
relatively well with what we have in our 5 minutes.
    We talked about the actors being either nation-states or 
non-nation-states. I think that speaks to the nature of the 
threat. It troubles me because historically the paradigm of 
existential threats--and, obviously a lot of you all are 
involved in the private sector.
    But I think that Mr. Knake nailed it when he talked about 
the tragedy of the commons. If there's not cross-communication 
we're lost. If we learn from the attacks on the grid in the 
Ukraine or sort-of the probes in the Baltic States we 
understand that what might be used against the public sector 
one day may be used against the private sector the next. It 
really doesn't matter who the threat is, but it is different 
than what we faced in the past.
    So I wonder--and by the way, I want to get this on the 
record, Andy Greenberg's work, particularly in Wired, June 20, 
2017, and his book, ``How to Switch a Country Off,'' which I'm 
sure you all are familiar with, to the extent that there's 
stuff that's outside the realm of Classified that can be 
enlightening to individuals in the room and perhaps abroad who 
are interested in learning about this, that is sort-of 
sobering.
    Having said all of that, I'm an advocate for limited 
government. Having said that, if we don't information share, 
we're lost. If we look, I think, at what happened in Ukraine, 
almost everything that was used to flip the lights on and off 
at will on a time line at the choosing of the attackers was 
off-the-shelf, but the white list-black list information wasn't 
shared, and so it wasn't caught.
    Can you speak to the nature of how important it is to 
communicate privately, publicly, and with one another? I would 
love to get a 10- or 20-second bite on the nature of the 
threat, if you could give a 1 to 10 scale as it relates to the 
existential nature of the cyber threat. I think I know the 
answer. I want to hear from the experts and I want it on the 
record because I think America needs to know the answer.
    We'll just work our way down the panel.
    Mr. Knake. Thank you, Congressman.
    I would say that the expectation we should have is that 
everything we've seen happening overseas will happen in the 
United States under the right geopolitical circumstances. If 
the lights have gotten turned off in Ukraine when Russians saw 
fit to turn the lights off in Ukraine, the lights will get 
turned off in the United States when Russians see that it's in 
their interest to do that.
    So I think from that perspective we need to be planning, 
and we need to be planning not just for how we protect the grid 
but how we will respond and recover.
    Mr. Garrett. You're not a preparedness guy, but the impact 
of the lights going off is dead people, right? I mean, 
literally human lives are lost when the electricity goes out, 
whether it's people on ventilators, whether it's people who 
need their medicines refrigerated, et cetera, right?
    Again, I know the answer, you know the answer, but this 
needs to be out there so that the American people understand 
the gravity of the answer. But that's fair to say, right, human 
life would be the consequence?
    Mr. Knake. Yes. I think the important thing is to make our 
adversaries aware that we will view that as the consequence and 
we will respond accordingly on a National level.
    Mr. Garrett. We can move down the table. I've got a finite 
amount of time.
    Ms. Barron-Dicamillo. So I would say it is important to 
remember that a lot of the advanced persistent threat actors 
moonlight as cyber criminals. So they are using the same tools 
in their day job that they're using in the evening against--you 
know, for criminal or for monetary-type initiatives.
    So you have to look at them as the collective and look at 
the tactics, techniques, and procedures in a collective in 
order to be effective.
    Mr. Garrett. I'm not even going to try to butcher your 
name, ma'am.
    Ms. Cagliostro. It happens all the time.
    So you mentioned existential threat. I think those are 
scary words, and I think they're appropriate words.
    What's new--the threat is not new. We've always had 
conflict with other nations. There's always been pressure 
there. What's new is the reach that technology brings into our 
lives. The nation-state can--I have a cell phone, I have a 
watch. When you get into medical technology and device 
technology it is literally implanted in your body. Self-driving 
cars.
    As you see this evolve the existential threat continues to 
grow because it just becomes a larger and more personal way 
that you can be touched and attacked.
    Mr. Garrett. The scale--Mr. Mayer, we're going to get to 
you--and the scale required to launch a decisive or 
debilitating attack against a nation-state, it used to be 
measured in cavalry or battleships or battle tanks or fighter 
planes, and now it can be an actor with internet access, 
correct?
    Ms. Cagliostro. Correct. Over the summer, I believe, or 
some point earlier this year, there was a botnet that used 
different devices, not traditional computers, servers, things 
like that. They infected devices that are in your homes. 
Because of the prevalence and the availability of those they 
were able to create a pretty powerful botnet that could deny 
service. So that's definitely something that----
    Mr. Garrett. Mr. Chair, I'm about to run out of time. I 
want to give Mr. Mayer a chance. But what I want to do here 
today is draw on the expertise of these folks, again sort-of 
recommend Andy Greenberg's work to the lay public, and 
certainly look forward to talking more about this moving 
forward.
    Because another thing that's refreshing is the bipartisan 
nature, I think, of the fact that we are addressing this. Sure, 
people want to score political points. Yes, the Russians are 
bad actors. This is about America's existential future.
    I think that the takeaway needs to be that the 
communication has to be public-private, and it has to be free-
flowing, because if the Ukrainians had good communication a lot 
of these things perhaps are stopped because their systems are 
updated to recognize the malware that was used against them, at 
least theoretically.
    But if it doesn't get updated every month--or every day 
even--off-the-shelf stuff brings the whole grid down.
    Mr. Mayer, I'm sorry, and I'm done.
    Mr. Mayer. No, thank you, Congressman. Real quickly, 
there's no question, I mean, the exponential growth of IoT 
devices presents a serious risk to networks in terms of how 
distributed denial-of-service attacks can occur, and there's a 
lot of work being done to implement defense mechanisms.
    But I want to just refer to something on US-CERT. It is in 
the--it is a top item on the alert. It is Unclassified. It 
speaks to a campaign against critical infrastructure involving 
electricity, water, transportation, and some others. All of the 
information or a good part of the information is in TLP, 
traffic light protocol white, and there's a whole series of 
activities that can be done.
    That kind of information that's provided by the Government 
is invaluable and needs to get dispersed widely, not just in 
terms of remediating the problem, but making people aware of 
how significant the threat is, which is what I think you're 
speaking to.
    Coming from the public to encourage greater Government and 
industry collaboration in this area is very important. I think 
that it is bipartisan. I think that every Member of Congress 
can help move that forward.
    Mr. Garrett. Thank you. I apologize for going over.
    Mr. Ratcliffe. No apology necessary.
    I thank all of the witnesses for your testimony today. I 
thank all of the Members for their thoughtful questions.
    Members of the committee may have, in fact are likely to 
have some additional questions for the witnesses, and we'll ask 
you to respond to those in writing.
    Pursuant to Committee Rule VII(D), the hearing record will 
remain open for a period of 10 days.
    Without objection, the subcommittee stands adjourned.
    [Whereupon, at 4:04 p.m., the subcommittee was adjourned.]



                            A P P E N D I X

                              ----------                              

    Questions From Congressman James R. Langevin for Robert K. Knake
    Question 1. In your position paper, you identified multiple 
obstacles in establishing a ``FINnet'', including the lack of cleared 
personnel, the absence of secure facilities, and a strong cultural 
difference regarding the handling of Classified material. Most 
significantly, the financial sector differs from the Defense Industrial 
Base in that it conducts business in the public domain as opposed to 
within the Classified spaces. How would Classified material shared on 
FINnet (or the CINet mentioned in the hearing) be utilized to defend 
Unclassified networks?
    Answer. If CInet were developed, the utilization of Classified 
information by the financial services industry and other sectors would 
be substantially the same as within the Defense Industrial Base (DIB). 
Classified information shared by DOD over the DIBnet is shared for the 
purpose of helping DIB companies defend their Unclassified business 
networks from threat actors.
    As with the DOD program, companies would not take Classified 
information off of Classified networks and use that information on 
Unclassified networks. To do so would put at risk sources and methods 
used to collect the information as well as violate the law, which 
provides substantial penalties. Instead, indicators of compromise that 
relate to Classified threat information would either be downgraded so 
they can be used in Unclassified network defense activity or fed into 
the Enhanced Cybersecurity Services (ECS) program, which utilizes 
Classified indicators to detect and block attacks.
    A network like CInet would provide two things: (1) The context 
around threats; and (2) the ability to coordinate. On context, CInet 
would allow the intelligence community to explain the importance of 
certain indicators and what they may mean if detected within an 
organization. For instance, if an indicator is triggered by traffic run 
through the ECS program, companies would be able to communicate with 
Government agencies to understand what the indicator was for. At 
present, without this capability, companies participating in ECS have 
no knowledge of what the program has detected.
    On coordination, when an organization discovers an incident or when 
law enforcement or the intelligence community have reason to suspect a 
compromise within an organization, CInet would be an invaluable tool. 
It would allow organizations to securely exchange information with 
Government and with partner organizations. Such communication might 
include both advice on remediation as well as information coming out of 
the victim organization that others could use to see if they are 
compromised or prevent a future compromise.
    At the tactical level, participating companies would need to apply 
for facility clearances. They would then need to construct a secure 
storage area at the secret level--a Vault. They would need to hire or 
appoint a Facility Security Officer who would be legally responsible 
for ensuring that Classified information is protected. Companies would 
likely choose to locate their Vaults close to their Security 
Operations Centers (SOCs). A Vault would likely include one or more 
terminals that would connect to the Classified network. Each terminal 
would consist of a laptop and phone. Many companies would likely choose 
to have a small conference table within the Vault for Classified 
discussions. Information obtained on the Classified network would be 
used to help guide decisions for protecting the Unclassified network. 
Crucially, only officials within the company who have the appropriate 
clearance and the requisite ``need to know'' would participate in these 
discussions.
    The investment needed to stand up such an operation is relatively 
small for these organizations, many of whom have security budgets in 
the hundreds of millions of dollars; however, a good interim step might 
be to establish the network but place terminals in existing Government 
or defense contractor facilities. Organizations with cleared personnel 
could be stationed at these facilities or visit these facilities on an 
as-needed basis.
    It is also important to note that the Financial Services industry 
has recruited heavily from the U.S. military, intelligence community, 
civilian agencies, and defense contractors. Of the eight Global 
Systemically Important Banks (G-SIBs)\1\ that are based in the United 
States, five have Chief Information Security Officers (CISOs), or 
equivalent, with backgrounds in National security. For instance, the 
head of global cybersecurity at Citibank was previously the director of 
the National Cybersecurity & Communications Integration Center at DHS; 
the CISO at JP Morgan came there from Lockheed Martin; the CISO at 
Goldman Sachs is the former assistant secretary of cybersecurity & 
communications at the Department of Homeland Security (DHS); the CISO 
at Wells Fargo is a retired Naval Officer who served at the NSA; and 
the CISO at Bank of New York Mellon spent 19 years at Booz Allen prior 
to taking on that role.
---------------------------------------------------------------------------
    \1\ http://www.fsb.org/wp-content/uploads/2016-list-of-global-systemically-important-banks-G-SIBs.pdf.
---------------------------------------------------------------------------
    All these firms have hired team members below the CISO with 
Government or defense experience as have many other leading 
institutions. All have personnel that have maintained their clearances 
from Government or military service or received clearances from DHS. 
Many have built out intelligence fusion centers that rival the 
capabilities of Government agencies. They are actively tracking actor 
sets as these actors target their systems and are continuously sharing 
information with each other. In my view, they are at a stage of 
maturity where real-time sharing of Classified information would be 
useful and warranted.
    Question 2a. What would give companies an incentive to participate 
in a cyber NTSB given the evident reputational risks involved?
    Answer. For a Cyber NTSB to succeed, it will be crucial that 
companies are obligated to participate before an incident occurs. While 
an incident is unfolding, companies will always believe that the risks 
of sharing information about the incident outweigh the benefits. The 
reason for that is simple: No benefits will accrue directly to them. 
The value in sharing this information goes to the security of other 
companies that are receiving the information and, in no small part, to 
the National security of the United States. If, on the other hand, 
companies receive a benefit, such as Federally-backstopped cyber 
insurance, for committing to notifying the Cyber NTSB and having its 
team come in in the event of an incident, the risks could be managed.
    Question 2b. Can Congress reduce these risks?
    Answer. Congress could reduce these risks by establishing the 
program in coordination with industry and directing relevant Federal 
agencies to develop rules that would ensure the anonymity of 
participating companies. Congress should also ensure that information 
shared under the program is protected from regulatory agencies as under 
the existing Protected Critical Infrastructure Information program. Of 
course, such protections should not exempt companies from meeting any 
obligations to disclose incidents to regulators.
    Question 2c. How can no-fault post mortems be encouraged across the 
cybersecurity landscape?
    Answer. I continue to believe that the best way to promote no-fault 
post mortems is with insurance. A binding requirement through insurance 
contracts, whether backed by the Federal Government or by the insurance 
industry without Federal support, would provide the legal basis 
necessary to gain commitments to engaging in post-mortem information-
sharing programs.
  Questions From Honorable James R. Langevin for Ann Barron-Dicamillo
    Question 1a. Can you describe your involvement with both the DHS 
Cyber Information Sharing and Collaboration Program (CISCP) and the 
Automated Indicator Sharing (AIS) program?
    Question 1b. What are your engagements with the leadership of each?
    Question 1c. Have you run into any obstacles to your active 
participation in each?
    Question 1d. What is your plan for being an active participant in 
each?
    Answer. We currently receive the CISCP data via FS-ISAC and have no 
plans to change that process. We were informed by DHS that 
participating directly in the CISCP program would preclude the ability 
of additional AXP employees obtaining security clearances through the 
Private-Sector Clearance Program due to DoD policy.
    We do not currently participate in the AIS program but have been 
evaluating that program for possible future participation. We met 
recently with DHS leadership about both the CISCP and AIS programs. Our 
understanding from these discussions is that the data from the two 
programs has substantial overlap. We also have concerns about the 
validation of the data and the vetting of the participants for AIS. One 
of our current threat intelligence vendors is in the process of 
consuming AIS data which will then be validated. Once we have verified 
that process, we will further evaluate AIS participation.
    Question 2a. The Cybersecurity Act of 2015 made substantial changes 
to the legal authorities regarding cyber threat indicator sharing. What 
specific activities is your organization carrying out today thanks to 
those authorities and liability protections?
    Question 2b. What is your assessment of the effectiveness of the 
current liability protections?
    Answer. We have formalized our internal standards and operational 
procedures with regard to cyber threat indicator sharing to comply with 
the law. Our teams carry out these processes on a daily basis so we 
take advantage of these authorities and protections constantly. While 
the liability protections have not been tested in practice, we do 
believe that such protections encourage the sharing of threat 
indicators.
    Question 3. Have you utilized the previously Classified indicators 
that are provided within the AIS data feed to improve the protection of 
your networks?
    Answer. Our understanding is that we already obtain previously 
Classified indicators shared by Government participants of AIS via the 
CISCP reports to FS-ISAC.
    Question 4. What changes to AIS and supporting activities do you 
recommend to improve the effectiveness of the program?
    Answer. We recommend the following enhancements to AIS to improve 
the effectiveness of the program:
   Add support for STIX 2.0.
   Alleviate trust concerns for outbound sharing by additional 
        vetting of participants or supporting multiple trust levels or 
        communities of interest for sharing beyond the existing options 
        of DHS only, all USG, or all AIS participants.
   Address data quality concerns through development of best 
        practices, training, and mechanisms for assessing and providing 
        feedback to participants.
    Question 5. In your written testimony, you mention quality versus 
quantity of threat indicator information.
    Is there a need for high throughput data shared at ``machine 
speed'' even if it hasn't been thoroughly analyzed yet?
    Question 5b. Can companies conduct meaningful analysis on 
indicators shared through AIS absent contextual information, or is that 
essential for the indicators to be useful? What basis do you have for 
making that determination?
    Question 5c. Are the privacy protections put in place under the 
Cybersecurity Act of 2015 adequate, particularly if indicators need to 
be analyzed before sharing, which would allow time for more thorough 
privacy reviews?
    Answer. High-speed data is not very valuable without context. High 
throughput can lead to more ``noise'' in the system and can be 
paralyzing for less sophisticated organizations to act upon.
    Companies can potentially conduct meaningful analysis of AIS data 
without context but this requires more resources to validate and curate 
that data. The cybersecurity industry has coalesced around the need for 
more contextual information sharing as evidenced by Cyber Threat 
Intelligence vendors producing information-sharing playbooks.
    The challenge of privacy protections is that what constitutes 
personal information is shifting and changing with new technologies, 
and what information is sufficient to identify a specific individual 
also changes with context and technology. The DHS ``Guidance to Assist 
Non-Federal Entities to Share Cyber Threat Indicators and Defensive 
Measures with Federal Entities under the Cybersecurity Information 
Sharing Act of 2015'' is a helpful document which identifies some 
categories of personal information that are unlikely to be directly 
related to a cybersecurity threat, but we suspect this guidance should 
be periodically updated.
    We do think that the privacy protections, between the guidance to 
non-Federal entities and the further guidance to Federal entities and 
DHS on required reviews of specific fields such as raw email message 
bodies, appear to be sufficient to protect personal privacy and have 
not been a major impediment to participation in these programs.
   Question From Honorable James R. Langevin for Patricia Cagliostro
    Question. What changes to AIS and supporting activities do you 
recommend to improve the effectiveness of the program?
    Answer.
    1. Incentivize organizations to share back to AIS by enriching the 
        intelligence with additional data and require organizations to 
        share to gain access. The Government has unmatched visibility 
        and intelligence available in Unclassified and Classified 
        environments. This data can be used to enrich shared 
        intelligence that organizations do not have access to. By using 
        this data to enrich the intelligence and limiting only to 
        organizations that share intelligence back to AIS, you create 
        an incentive to encourage organizations to share rather than 
        just consume. For example, an organization shares an IP address 
        and the Government knows that IP address is associated with a 
        campaign that affects the financial services industry. The 
        Government would enrich the shared indicator with this 
        information and share the enriched indicator with organizations 
        that share with AIS.
    2. Create a grant program for security companies to develop bi-
        directional integrations with AIS. Today, many organizations 
        consume and integrate AIS with their security tools, but there 
        is limited availability of bi-directional integrations. 
        Analysts collect and produce cyber threat intelligence as part 
        of their daily workflow. In the Anomali platform, analysts 
        simply check a box to automatically share intelligence with 
        their community. They are more likely to share because it's 
        integrated with their daily workflows, rather than an 
        additional step or technology they must work with. AIS will 
        benefit greatly from bi-directional integration with the tools 
        that they perform their daily work in. This requires 
        development resources from the security industry. The 
        Government could create a grant program for the security 
        industry to pay for the development required to create bi-
        directional integrations with the AIS program.
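    The enrichment flow described in item 1 above, written out as an 
added example in STIX 2.0 (the format the American Express answer 
recommends AIS support). This is illustrative code, not Anomali's, 
DHS's or the AIS program's; the knowledge-base entries, the 
documentation-range IP addresses and the campaign name are constructed 
for the example, and the "government knowledge base" is an in-memory 
dictionary standing in for whatever enrichment source the Government 
side would actually use.

```python
"""STIX 2.0 indicator enrichment (added illustration; not AIS or Anomali code).

A participant shares a bare IPv4 Indicator. The enriching side looks the address
up in a knowledge base and, if context exists, returns a Bundle that adds a
Campaign, the targeted sector as an Identity, and the Relationships tying them
together, which is the "enriched indicator" shared back to contributing
organizations. Only the standard library is used.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample knowledge base (assumption, not real data): what the
# Government side might know about an address. 203.0.113.0/24 is TEST-NET-3.
KNOWLEDGE_BASE = {
    "203.0.113.45": {
        "campaign": "Example Campaign A",
        "sectors": ["financial-services"],  # STIX 2.0 industry-sector vocabulary
        "first_seen": "2017-09-01T00:00:00.000Z",
    },
}


def _stix_id(obj_type):
    # STIX 2.0 identifiers are "<type>--<UUIDv4>".
    return f"{obj_type}--{uuid.uuid4()}"


def _now():
    # STIX 2.0 timestamps: RFC 3339 in UTC, millisecond precision, literal 'Z'.
    t = datetime.now(timezone.utc)
    return t.strftime("%Y-%m-%dT%H:%M:%S.") + f"{t.microsecond // 1000:03d}Z"


def _sdo(obj_type, **props):
    """Common header for any STIX Domain Object, plus type-specific properties."""
    ts = _now()
    return {"type": obj_type, "id": _stix_id(obj_type),
            "created": ts, "modified": ts, **props}


def make_ip_indicator(ip):
    """The minimal STIX 2.0 Indicator a participant would share for one IPv4 address."""
    return _sdo("indicator",
                labels=["malicious-activity"],          # required in 2.0
                pattern=f"[ipv4-addr:value = '{ip}']",  # STIX patterning language
                valid_from=_now())


def _ip_from_pattern(pattern):
    """Extract the address from a simple equality pattern; None for anything else."""
    m = re.fullmatch(r"\[ipv4-addr:value = '([^']+)'\]", pattern)
    return m.group(1) if m else None


def _relationship(rel_type, source, target):
    return _sdo("relationship", relationship_type=rel_type,
                source_ref=source["id"], target_ref=target["id"])


def enrich(indicator, kb=KNOWLEDGE_BASE):
    """Return a STIX 2.0 Bundle: the shared indicator plus any context the
    knowledge base holds for its address. Unknown addresses pass through unchanged."""
    objects = [indicator]
    ctx = kb.get(_ip_from_pattern(indicator["pattern"]))
    if ctx is not None:
        campaign = _sdo("campaign", name=ctx["campaign"], first_seen=ctx["first_seen"])
        # The targeted industry is modelled as an Identity of class "class", so
        # consumers can filter on `sectors` rather than parse free text.
        victims = _sdo("identity", name=", ".join(ctx["sectors"]),
                       identity_class="class", sectors=ctx["sectors"])
        objects += [campaign, victims,
                    _relationship("indicates", indicator, campaign),
                    _relationship("targets", campaign, victims)]
    return {"type": "bundle", "id": _stix_id("bundle"),
            "spec_version": "2.0", "objects": objects}


if __name__ == "__main__":
    shared = make_ip_indicator("203.0.113.45")
    print(json.dumps(enrich(shared), indent=2))
```

    Run stand-alone it prints the enriched bundle for the known address; 
feeding an address that is absent from the knowledge base returns a 
bundle holding only the original indicator, which is the case a 
consumer must still handle.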
     Questions From Honorable James R. Langevin for Robert H. Mayer
    Question 1a. The Cybersecurity Act of 2015 made substantial changes 
to the legal authorities regarding cyber threat indicator sharing. What 
specific activities are your member organizations carrying out today 
thanks to those authorities and liability protections?
    Answer. The ability to share information about cyber threats and 
effective countermeasures among industry players and between industry 
and Government is crucial, and the explicit liability protections for 
sharing in accordance with Cybersecurity Information Sharing Act (CISA) 
were welcome, as were the authorizations to monitor information systems 
and share or receive cyber threat indicators and defensive measures. 
The communications sector participates in structured cybersecurity 
information sharing through, for example, the Communications 
Information Sharing and Analysis Center (Comm-ISAC), the National 
Cybersecurity and Communications Integration Center (NCCIC), DHS's 
Communications Sector Coordination Council (CSCC), the National 
Security Telecommunications Advisory Committee (NSTAC), United States 
Computer Emergency Readiness Team (US-CERT), and CTIA's Cybersecurity 
Working Group (CSWG), among others.
    Since the passage of the CISA in 2015, we have focused on moving 
beyond information-sharing trials to automated sharing via new 
technologies. CTIA, through its Cyber Threat Information Sharing Pilot, 
has been working with large, medium, and small companies in both the 
wireless and wireline segments to support industry efforts to share 
cyber threat indicators and facilitate integration with the DHS 
Automated Information Sharing portal. The pilot program was completed 
this year and made strides to test the ability to automate the sharing 
of threat information among carriers to rapidly and effectively 
mitigate cyber threats, specifically focusing on Telephony Denial-of-
Service (TDoS) attacks.
    Question 1b. What is your assessment of the effectiveness of the 
current liability protections?
    Answer. While CISA has provided greater confidence to the private 
sector in their ability to share cyber threat indicators by removing 
certain legal barriers, valid concerns about liability remain. As an 
example, last year the Automotive Information Sharing and Analysis 
Center (Auto-ISAC) was subpoenaed as part of an on-going class-action 
lawsuit against Fiat Chrysler. While the Auto-ISAC was able to 
successfully quash the subpoena, the ordeal has reportedly had a 
chilling effect on participants' willingness to share information.\1\ 
There was another example of a broker and a security researcher teaming 
up to publicly release a vulnerability in a medical device in an 
apparent effort to short the stock of a medical device manufacturer.\2\ 
As a result of examples like these, companies must still conduct 
thorough legal and risk analyses before sharing cyber threat 
information. These reviews, while necessary, can potentially result in 
delayed sharing or an unwillingness to share until uncertainties 
surrounding liability are resolved.
---------------------------------------------------------------------------
    \1\ Joshua Higgins, Head of auto industry's ISAC cites ``chilling 
effect'' of lawsuit on cyber info-sharing, Inside Cybersecurity (Nov. 
2, 2017).
    \2\ See Linette Lopez, Carson Block has a new short, and his 
reasoning is super creepy, Business Insider (Aug. 25, 2016).
---------------------------------------------------------------------------
    Question 2. Have your member organizations utilized the previously 
Classified indicators that are provided within the AIS data feed?
    Answer. Yes, our members conducted an automated cyber-threat 
information-sharing pilot, which concluded in 2017, and the AIS data 
feed was incorporated into the effort. Other members receive AIS feeds 
on a regular basis and review and pass along information to front-line 
resources when it is timely, appropriately contextualized and therefore 
actionable.
    Question 3. What changes to AIS and supporting activities do you 
recommend to improve the effectiveness of the program?
    Answer. Based on the pilot experience referenced in response to 
question 2 above, the pilot participants explored use cases and 
scenarios associated with telecom-specific threats that are not 
currently covered in the AIS vocabulary.
    In particular, the pilot addressed Robocall trace-back and 
Telephony Denial-of-Service (TDoS) threat scenarios as well as SS7 
Blacklist Global Title information sharing.
    Given that AIS focuses on the sharing of declassified indicators 
shared at the un-Classified level, we would support the continued 
efforts of the participating AIS Federal agencies to declassify 
indicators and to enrich the contextual information provided with the 
indicators.

                                 [all]