<html>
<title> - ASSESSING THE STATE OF FEDERAL CYBERSECURITY RISK DETERMINATION</title>
<body><pre>[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]


    ASSESSING THE STATE OF FEDERAL CYBERSECURITY RISK DETERMINATION

=======================================================================

                                HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                           CYBERSECURITY AND
                       INFRASTRUCTURE PROTECTION

                                 OF THE

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             JULY 25, 2018

                               __________

                           Serial No. 115-73

                               __________

       Printed for the use of the Committee on Homeland Security

        Available via the World Wide Web: http://www.govinfo.gov

                               __________


                    U.S. GOVERNMENT PUBLISHING OFFICE
34-445 PDF                  WASHINGTON : 2019

-----------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, gpo@custhelp.com.

                     COMMITTEE ON HOMELAND SECURITY

                   Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas                   Bennie G. Thompson, Mississippi
Peter T. King, New York              Sheila Jackson Lee, Texas
Mike Rogers, Alabama                 James R. Langevin, Rhode Island
Lou Barletta, Pennsylvania           Cedric L. Richmond, Louisiana
Scott Perry, Pennsylvania            William R. Keating, Massachusetts
John Katko, New York                 Donald M. Payne, Jr., New Jersey
Will Hurd, Texas                     Filemon Vela, Texas
Martha McSally, Arizona              Bonnie Watson Coleman, New Jersey
John Ratcliffe, Texas                Kathleen M. Rice, New York
Daniel M. Donovan, Jr., New York     J. Luis Correa, California
Mike Gallagher, Wisconsin            Val Butler Demings, Florida
Clay Higgins, Louisiana              Nanette Diaz Barragan, California
Thomas A. Garrett, Jr., Virginia
Brian K. Fitzpatrick, Pennsylvania
Ron Estes, Kansas
Don Bacon, Nebraska
Debbie Lesko, Arizona
                   Brendan P. Shields, Staff Director
                   Steven S. Giaier,  General Counsel
                    Michael S. Twinchek, Chief Clerk
                  Hope Goins, Minority Staff Director


                                 ------

      SUBCOMMITTEE ON CYBERSECURITY AND INFRASTRUCTURE PROTECTION

                    John Ratcliffe, Texas, Chairman
John Katko, New York                 Cedric L. Richmond, Louisiana
Daniel M. Donovan, Jr., New York     Sheila Jackson Lee, Texas
Mike Gallagher, Wisconsin            James R. Langevin, Rhode Island
Brian K. Fitzpatrick, Pennsylvania   Val Butler Demings, Florida
Don Bacon, Nebraska                  Bennie G. Thompson, Mississippi
Michael T. McCaul, Texas (ex             (ex officio)
    officio)
             Kristen M. Duncan, Subcommittee Staff Director
           Moira Bergin, Minority Subcommittee Staff Director


                            C O N T E N T S

                              ----------

                               Statements

The Honorable John Ratcliffe, a Representative in Congress From
  the State of Texas, and Chairman, Subcommittee on Cybersecurity
  and Infrastructure Protection:
  Oral Statement
  Prepared Statement
The Honorable Cedric L. Richmond, a Representative in Congress
  From the State of Louisiana, and Ranking Member, Subcommittee
  on Cybersecurity and Infrastructure Protection:
  Oral Statement
  Prepared Statement
The Honorable Bennie G. Thompson, a Representative in Congress
  From the State of Mississippi, and Ranking Member, Committee on
  Homeland Security:
  Prepared Statement

                               Witnesses

Mr. Ken Durbin, Senior Strategist, Global Government Affairs,
  Symantec:
  Oral Statement
  Prepared Statement
Ms. Summer Fowler, Technical Director, Cybersecurity Risk and
  Resilience, Software Engineering Institute, CERT, Carnegie
  Mellon University:
  Oral Statement
  Prepared Statement
Mr. Ari Schwartz, Managing Director of Cybersecurity Services,
  Cybersecurity Risk Management Group, Venable LLP, Testifying on
  Behalf of the Cybersecurity Coalition and Center for
  Cybersecurity Policy and Law:
  Oral Statement
  Prepared Statement

                                Appendix

Questions From Honorable James R. Langevin for Summer Fowler
Questions From Honorable James R. Langevin for Ari Schwartz


    ASSESSING THE STATE OF FEDERAL CYBERSECURITY RISK DETERMINATION

                              ----------


                        Wednesday, July 25, 2018

             U.S. House of Representatives,
                    Committee on Homeland Security,
                         Subcommittee on Cybersecurity and
                                 Infrastructure Protection,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10:38 a.m., in
room HVC-210, Capitol Visitor Center, Hon. John Ratcliffe
(Chairman of the subcommittee) presiding.
    Present: Representatives Ratcliffe, Bacon, Donovan, Katko,
Richmond, and Langevin.
    Mr. Ratcliffe. Good morning. The Committee on Homeland
Security, Subcommittee on Cybersecurity and Infrastructure
Protection will come to order.
    The subcommittee is meeting this morning to receive
testimony regarding how the Federal Government understands and
manages enterprise-wide cybersecurity risks. I now recognize
myself for an opening statement.
    As we convene today, this subcommittee is concerned that
the Federal Government is not yet equipped to determine how
threat actors seek to gain access to our private information.
This challenge is one of the reasons I introduced, and
yesterday the full committee passed, the Advancing
Cybersecurity Diagnostics and Mitigation Act. H.R. 6443 will
codify and provide direction to DHS regarding the CDM program.
This was a bipartisan effort and I thank the Ranking Member,
Mr. Richmond, as well as Mr. Katko, Mr. Donovan, Mr.
Fitzpatrick, and Mr. Langevin, for working with me on this
important issue because there is an evident lack of strategy in
mitigating risk across our Federal agencies.
    Cyber work force gaps and legacy IT systems are
vulnerabilities in the Federal Government's cybersecurity
posture but the efficacy of our basic cybersecurity practices
remains a common liability. To this end the Office of Management
and Budget and Department of Homeland Security released a
report earlier this year entitled Federal Cybersecurity Risk
Determination Report and Action Plan. This report spoke to many of
the challenges faced in securing enterprise-wide Federal
Government IT systems.
    Perhaps not surprisingly OMB and DHS determined that 74
percent of Government agencies have cybersecurity programs that
are either at risk or at high risk. The risk assessments
performed by these agencies showed that a lack of threat
information results in ineffective allocations of limited cyber
resources. This overall situation creates enterprise-wide gaps
in our network visibility, IT tool and capability
standardization, and common operating procedures, all of which
negatively impact Federal cybersecurity.
    Given the significant and ever-increasing danger of threats
and the absence of good data inventory, risk management must be
fully integrated into every aspect of an organization. Leaders
of Federal agencies at all organizational levels must
understand their responsibilities and they must be accountable
for protecting organizational assets and managing security and
privacy risks.
    The OMB and DHS report identified four main actions that
are necessary to address cybersecurity risks across the Federal
enterprise. First, Federal agencies must increase their
cybersecurity threat awareness. This seems like too obvious
of a recommendation but often those charged with defending
agency networks lack timely information regarding the tactics,
techniques, and procedures that our adversaries are using to
exploit Government information systems.
    Second, OMB urged agencies to standardize IT and
cybersecurity capabilities to control costs and to improve
asset management. Generally speaking agencies do not have
standardized cybersecurity processes, which ultimately impacts
their ability to efficiently and effectively combat cyber
threats.
    The Continuous Diagnostics and Mitigation program or CDM
will accelerate both IT management efforts and cybersecurity
improvements across the Federal Government. In fact, my bill,
the Advancing Cybersecurity Diagnostics and Mitigation Act, will
require the program to evolve, thereby ensuring that agency CIOs
and DHS have the visibility necessary, not only to combat
threats, but also to target modernization resources and efforts
where they are most needed.
    The third recommended action is that agencies must
consolidate their security operation centers to improve
incident detection and response capabilities. OMB found that
only 27 percent of agencies can detect and investigate attempts
to access large volumes of data. This troubling statistic
should cause us all to pause.
    While the report identifies that Federal agencies currently
lack network visibility, DHS's CDM program can assist with
this issue by providing insight into what is occurring on
networks--after all, you cannot defend what you cannot see.
    Finally, OMB recommended that agencies increase
accountability through improved governance processes. Indeed
both the Federal Information Security Management Act and
President Trump's Executive Order on Strengthening the
Cybersecurity of Federal Networks and Critical Infrastructure
already identify the agency head as the official ultimately
responsible for each agency's cybersecurity.
    Of course, agency heads often delegate cyber risk
management responsibilities to the chief information officer
and chief information security officer but agency leadership
should increase its oversight of and its engagement in their
agency's cybersecurity ecosystem.
    Ultimately a collaborative approach to mitigating cyber
threats is meant to prioritize meeting the needs of DHS's
partners and is consistent with the growing recognition among
Government, academic, and corporate leaders that cybersecurity
is increasingly interdependent across sectors and must be a
core aspect of risk management strategies.
    We are in an era that requires flexibility, resiliency, and
discipline. I look forward to a candid conversation with our
witnesses today about ensuring our Federal networks can embody
these goals. Your thoughts and opinions are important as we
oversee the state of Federal Government cybersecurity risks.
    [The statement of Chairman Ratcliffe follows:]
                  Statement of Chairman John Ratcliffe
                             July 25, 2018
    This subcommittee is concerned that the Federal Government is not
equipped to determine how threat actors seek to gain access to private
information. There is an evident lack of strategy in mitigating risk
across Federal agencies. Cyber workforce gaps and legacy IT systems are
vulnerabilities in the Federal Government's cybersecurity posture, but
the efficacy of our basic cybersecurity practices is a common
liability.
    To this end, the Office of Management and Budget and Department of
Homeland Security released a report earlier this year entitled
``Federal Cybersecurity Risk Determination Report and Action Plan.''
This report spoke to many of the challenges faced in securing
enterprise-wide Federal Government IT systems.
    Perhaps not surprisingly, OMB and DHS determined that 74 percent of
Government agencies have cybersecurity programs that are either at-risk
or high-risk. The risk assessments performed by these agencies showed
that a lack of threat information results in ineffective allocations of
limited cyber resources. This overall situation creates enterprise-wide
gaps in network visibility, IT tool and capability standardization, and
common operating procedures, all of which negatively impact Federal
cybersecurity.
    Given the significant and ever-increasing danger of threats and the
absence of good data inventory, risk management must be fully
integrated into every aspect of an organization. Leaders of Federal
agencies at all organizational levels must understand their
responsibilities and must be accountable for protecting organizational
assets and managing security and privacy risks.
    The OMB and DHS report identified four main actions that are
necessary to address cybersecurity risks across the Federal enterprise.
First, Federal agencies must increase their cybersecurity threat
awareness. This seems like too obvious of a recommendation, but often,
those charged with defending agency networks lack timely information
regarding the tactics, techniques, and procedures that adversaries use
to exploit Government information systems.
    Second, OMB urged agencies to standardize IT and cybersecurity
capabilities to control costs and improve asset management. Generally
speaking, agencies do not have standardized cybersecurity processes,
which ultimately impacts their ability to efficiently and effectively
combat threats. The Continuous Diagnostics and Mitigation program, or
CDM, will accelerate both IT management efforts and cybersecurity
issues across the Federal Government. In fact, a bill that I introduced
last week, H.R. 6443, the Advancing Cybersecurity Diagnostics and
Mitigation Act, will require the program to evolve to ensure agency
CIOs and DHS have the visibility necessary not only to combat threats,
but also to target modernization resources and efforts where they are
most needed.
    Third, agencies must consolidate their security operations centers
to improve incident detection and response capabilities. OMB found that
only 27 percent of agencies can detect and investigate attempts to
access large volumes of data. This troubling statistic should cause all
of us to pause. While the report identifies that Federal agencies
currently lack network visibility, DHS's CDM program can assist with this
issue by providing insights into what is occurring on networks. After
all, you can't defend what you can't see.
    And finally, OMB recommended that agencies increase accountability
through improved governance processes. Indeed, both the Federal
Information Security Management Act and President Trump's Executive
Order on Strengthening the Cybersecurity of Federal Networks and
Critical Infrastructure already identify the agency head as the
official ultimately responsible for each agency's cybersecurity. Of
course, agency heads often delegate cyber risk management
responsibilities to the chief information officer and chief information
security officer, but agency leadership should increase its oversight
of, and engagement in, their agency's cybersecurity ecosystem.
    Ultimately, a collaborative approach to mitigating cyber threats is
meant to prioritize meeting the needs of DHS partners, and is
consistent with the growing recognition among Government, academic, and
corporate leaders that cybersecurity is increasingly interdependent
across sectors and must be a core aspect of risk management strategies.
    We are in an era that requires flexibility, resiliency, and
discipline. I look forward to a candid conversation with our witnesses
about ensuring Federal networks can embody these goals. I look forward
to hearing from our witnesses. Your thoughts and opinions are important
as we oversee the state of Federal Government cybersecurity risks.

    Mr. Ratcliffe. The Chair recognizes the Ranking Member of
the subcommittee, the gentleman from Louisiana, Mr. Richmond,
for his opening statement.
    Mr. Richmond. Good morning.
    I want to thank Chairman Ratcliffe for holding today's
hearing on the Federal Cybersecurity Risk Determination Report
and Action Plan.
    It is no secret that Federal networks are an attractive
target to our adversaries and cyber criminals alike.
Thales eSecurity's 2018 Data Threat Report found Federal agencies
experienced more data breaches than any other sector.
    State actors such as Russia, China, Iran, and North Korea
have become more sophisticated, more emboldened, and more brazen,
and the data stored on our networks about American citizens,
our National security plans, and our economy is important to
them.
    We have authorized and funded programs to defend our
Federal networks and this subcommittee has performed rigorous
oversight over many of them this Congress. I am familiar with
the challenges related to implementation of the Department of
Homeland Security's Continuous Diagnostics and Mitigation
program, CDM, as well as cyber threat information sharing, so I
was not terribly surprised by some of the Federal Cybersecurity
Risk Determination Report's general findings.
    But the devil is in the details. I could have told you, for
example, that the collective ability of our Federal agencies to
understand what is happening on their networks isn't what it
should be, but I did not realize that fewer than half of the 96
agencies surveyed can detect encrypted exfiltration of
information at target levels or that only 27 percent can detect
and investigate attempts to access large volumes of data.
    I knew that resource challenges have stunted the maturation
of programs designed to protect Federal networks, but I was
troubled to learn that agencies are not equipped to make
strategic investment decisions with money Congress provides.
    While I could have assumed that agencies could improve
their cyber incident response procedures or how cyber risks are
communicated, I could not have predicted that just over half of
the agencies surveyed had validated cyber incident response
roles in the past year and only 59 percent of agencies have a
mechanism to issue enterprise-wide cyber threat alerts. We have
to do better than this.
    The Federal Cybersecurity Risk Determination Report
identified important actions the Federal Government should
undertake to resolve existing capability gaps. Many of the
proposed solutions leverage CDM tools, some of which have yet
to be fully implemented or may not be deployed anytime soon.
    Yesterday, this committee approved legislation Chairman
Ratcliffe introduced, and which I co-sponsored, to make the CDM
program more robust and more accountable. I would be interested in
hearing from our witnesses about how the Federal Government can
optimize the potential of CDM and improve its implementation.
    Additionally, I would be interested to know if the
witnesses disagree with any of the action items identified in
the Risk Determination Report or if there are issues
critical to risk management that the report failed to address.
    Finally, I will be interested in hearing the witnesses'
thoughts about the importance of leadership from the White
House when it comes to improving the cybersecurity of our
Federal networks.
    Before I close I want to point out on a separate subject
that we are heading into August recess without making any
progress toward reauthorization of the Chemical Facility Anti-
Terrorism Standards, known as the CFATS program.
    Ranking Member Thompson and I have repeatedly asked the
Majority to hold oversight hearings with the Department and
begin work on negotiating informed CFATS reauthorization
legislation. Neither has happened and I am concerned that we
may not have enough legislative days left to get
reauthorization past the finish line. I hope the Majority will
make CFATS a priority when we return from the August recess so
we can avoid a temporary extension.
    With that I thank the witnesses for being here today. I
look forward to their testimony.
    I yield back the balance of my time.
    [The prepared statement of Ranking Member Richmond
follows:]
              Statement of Ranking Member Cedric Richmond
                             July 25, 2018
    Good morning. I would like to thank Chairman Ratcliffe for holding
today's hearing on the Federal Cybersecurity Risk Determination Report
and Action Plan.
    It is no secret that Federal networks are an attractive target to
our adversaries and cyber criminals alike.
    Thales e-Security's 2018 Data Threat Report found Federal agencies
experience more data breaches than any other sector.
    State actors--such as Russia, China, Iran, and North Korea--have
become more sophisticated, more emboldened, and more brazen.
    And the data stored on our networks--about American citizens, our
National security plans, and our economy--is important to them.
    We have authorized and funded programs to defend our Federal
networks, and this subcommittee has performed rigorous oversight over
many of them this Congress.
    I am familiar with the challenges related to implementation of the
Department of Homeland Security's Continuous Diagnostics and Mitigation
Program (CDM) as well as cyber threat information sharing.
    So I wasn't terribly surprised by some of the Federal Cybersecurity
Risk Determination Report's general findings.
    But the devil is in the details.
    I could have told you, for example, that the collective ability of
our Federal agencies to understand what is happening on their networks
isn't what it should be.
    But I didn't realize that fewer than half of the 96 agencies
surveyed can detect encrypted exfiltration of information at target
levels, or that only 27 percent can detect and investigate attempts to
access large volumes of data.
    I knew that resource challenges have stunted the maturation of
programs designed to protect Federal networks, but I was troubled to
learn that agencies are not equipped to make strategic investment
decisions with the money Congress provides.
    And, while I could have assumed that agencies could improve their
cyber incident response procedures or how cyber risks are communicated,
I could not have predicted that just over half of the agencies surveyed
had validated cyber incident response roles in the past year and only
59 percent of agencies have a mechanism to issue enterprise-wide cyber
threat alerts.
    We have to do better than this.
    The Federal Cybersecurity Risk Determination Report identified
important actions the Federal Government should undertake to resolve
existing capability gaps.
    Many of the proposed solutions leverage CDM tools, some of which
have yet to be fully implemented or may not be deployed any time soon.
    Yesterday, this committee approved legislation Chairman Ratcliffe
introduced, and which I cosponsored, to make the CDM program more
robust and more accountable.
    I will be interested to hear from our witnesses about how the
Federal Government can optimize the potential of CDM and improve its
implementation.
    Additionally, I would be interested to know if the witnesses
disagree with any of the action items identified by the Risk
Determination Report or if there are issues critical to risk management
that the report failed to address.
    Finally, I will be interested in hearing the witnesses' thoughts
about the importance of leadership from the White House when it comes
to improving the cybersecurity of our Federal networks.
    Before I close, I want to point out that we are heading into August
recess without making any progress toward reauthorization of the
Chemical Facility Anti-Terrorism Standards (CFATS) program.
    Ranking Member Thompson and I have repeatedly asked the Majority to
hold oversight hearings with the Department and begin work on
negotiating informed CFATS reauthorization legislation.
    Neither has happened, and I am concerned that we may not have
enough legislative days left to get reauthorization past the finish
line.
    I hope the Majority will make CFATS a priority when we return from
August recess so we can avoid a temporary extension.
    With that, I thank the witnesses for being here today, and I look
forward to their testimony.
    I yield back the balance of my time.

    Mr. Ratcliffe. I thank the gentleman.
    Other Members of the committee are reminded that opening
statements may be submitted for the record.
    [The statement of Ranking Member Thompson follows:]
             Statement of Ranking Member Bennie G. Thompson
                             July 25, 2018
    Good morning. I want to thank Chairman Ratcliffe and Ranking Member
Richmond for holding today's hearing on the ``State of Federal
Cybersecurity Risk Determination''.
    At the outset, I would like to echo Ranking Member Richmond's
disappointment that we are heading into August recess without making
any meaningful progress on reauthorizing the Chemical Facility Anti-
Terrorism Standards Program (CFATS), which expires in less than 6
months.
    As far as I know, the CFATS program has bipartisan support on this
committee.
It is also popular with the regulated community, and, most
importantly, makes our communities safer.
    Given the limited number of legislative days left, I hope this
committee acts quickly when we return in September to fulfill our
obligations as authorizers and put CFATS on the track to
reauthorization.
    Turning to the subject of today's hearing--although I am pleased
that OMB and DHS have undertaken a review of the risk determination and
acceptance choices across the Federal Government, I am troubled that
many of our cybersecurity capabilities are not as mature as they ought
to be.
    When I joined the Select Committee on Homeland Security in 2003,
every expert I heard from told me that the Federal Government was 10
years behind where it should be with respect to cybersecurity.
    Despite the investments we have made since then, it seems we are in
the same boat--10 years behind where we need to be.
    Federal agencies still struggle to access timely, actionable threat
information and share it enterprise-wide.
    Agencies still do not have full visibility of what is happening on
their networks or who has access to different pieces of information.
    And we still have not figured out how to strategically allocate
funding to address risk.
    Despite devastating data breaches like the 2015 Office of
Personnel Management heist of the personal information of 22.1 million
people, non-defense agencies spent less than $51 million encrypting
data at rest in fiscal year 2017.
    Meanwhile, of the $80 billion we spend annually on IT systems
across the Federal Government, 80 percent is spent maintaining legacy
systems that are more vulnerable and less secure.
    We need to start putting our money where the risk is.
    This is not the first time we have heard these recommendations.
    So, there is one thing I would like to know from our witnesses
today: How can the Federal Government finally jump the 10-year gap
between where we are and where we should be?
    I know it will take technology. I know it will take money. And,
importantly, I know it will take leadership.
    I am concerned that the White House has limited its ability to lead
as effectively as it could in this space by eliminating the
Cybersecurity Coordinator position and dragging out the appointment of
the Federal CIO and CIOs at large agencies.
    Nevertheless, as Members of Congress, we will continue our rigorous
oversight to hold the administration accountable for the action items
outlined in the Federal Cybersecurity Risk Determination Report and
Action Plan.
    With that, I look forward to hearing from our witnesses, and I
yield back the balance of my time.

    Mr. Ratcliffe. We are pleased to have a distinguished panel
of witnesses before us today on this very important topic.
    Mr. Ken Durbin is a senior strategist of global government
affairs for Symantec. Mr. Durbin has been providing compliance
and risk management solutions to the public sector for over 25
years and has authored multiple articles on CRM issues. Thank
you for being here this morning.
    Ms. Summer Fowler is the technical director for
cybersecurity risk and resilience in the Software Engineering
Institute at Carnegie Mellon. In this role Ms. Fowler is
responsible for executing the strategic plan for a research
portfolio focused on improving the security and resilience of
organizational assets. Ms. Fowler, thank you for being here to
provide your insights today.
    Finally, Mr. Ari Schwartz is the managing director of
cybersecurity services in the risk management group of Venable.
Mr. Schwartz is testifying today on behalf of the Cybersecurity
Coalition and Center for Cybersecurity Policy and Law.
    Prior to his time at Venable, Mr. Schwartz served on the
National Security Council as a special assistant to the
President and senior director for cybersecurity. Thank you for
being here today, Mr. Schwartz.
    I would now ask the witnesses to stand and raise your right
hand, so I can swear you in to testify.
    [Witnesses sworn.]
    Let the record reflect that each of the witnesses has been
so sworn. You may be seated.
    The witnesses' full written statements will appear in the
record.
    The Chair now recognizes Mr. Durbin for 5 minutes for his
opening statement.

 STATEMENT OF KEN DURBIN, SENIOR STRATEGIST, GLOBAL GOVERNMENT
                       AFFAIRS, SYMANTEC

    Mr. Durbin. Chairman Ratcliffe, Ranking Member Richmond,
thank you for the opportunity to testify.
    I would like to start by setting the stage with regards to
the current threat landscape. Attackers continue to evolve; to
avoid detection, attackers are employing what we call living-
off-the-land--using operating system features or legitimate
network administration tools to compromise victims' networks.
    Using good programs to do bad things is difficult to detect
because it is disguised as normal operations. We recently
discovered one such attack that had compromised satellite
operators, telecommunications companies, and a defense
contractor.
    We identified the attack using an advanced hunting tool we
call ``Targeted Attack Analytics'' which crawls through massive
datasets looking for minute indicators of malicious activity.
    Cryptojacking is another common attack. We have seen the
rise of a new category of web-based coin-miner attacks that use
an individual's browser to hijack their computer's processing
power to mine cryptocurrency. Detections of coin-miners on
endpoint computers increased by 8,500 percent in 2017.
    We saw an uptick in supply chain attacks where attackers
hijacked software updates to gain entry to well-guarded
networks. The Petya outbreak was the most notable example of a
supply chain attack. Attackers used accounting software as the
point of entry.
    Now turning to the Federal Cybersecurity Risk Determination
Report and Action Plan, the report is a tough but fair
assessment of the current state of the Executive branch's
cybersecurity posture and it looks to build on existing
security frameworks to make improvements.
    I want to take a moment to commend OMB for recognizing the
value of the NIST Cybersecurity Framework or CSF as a tool to
improve the current state of the Executive branch's risk
management efforts.
    Typically, an agency collects data from over 200 FISMA
controls, across 10 control families, to evaluate cybersecurity
readiness. That same data can be consolidated into the 5 CSF
functions for a clearer view into their cyber readiness. The
report made several recommendations.
    In the first, the report notes that 38 percent of Federal
cyber incidents did not have an identified attack vector and
recommends implementing the Cyber Threat Framework or CTF to
help categorize cybersecurity risks. However, it is not clear
how categorizing attacks would have helped protect against the
cyber events that compromised information and systems.
    To reduce the number of identified attacks, I recommend
that along with implementing the CTF, OMB put a strong emphasis
on cybersecurity solutions that automate the detection and
remediation of cyber events through communication between
strategic control points, hunting for indicators of
compromise.
    I commend OMB's efforts to develop a risk-based budget
process to direct IT purchases to reduce identified risk.
Another way to reduce identified risk would be to require
agencies to add recommendations contained in IG FISMA audits as
line items in their budget requests to ensure they receive
adequate prioritization.
    The report also recommends standardizing IT and
cybersecurity capabilities. This can be achieved through the
Continuous Diagnostics and Mitigation or CDM program. CDM
achieves the same goals by focusing on standardized
capabilities rather than a standardized vendor. However, the
CDM program needs to be accelerated: 5 years after CDM was
launched, phases 1 to 4 have still not been fully deployed.
    The third recommendation is to consolidate agency security
operation centers to improve overall incident detection and
response. While this is part of the solution, detecting the
exfiltration of data requires more than consolidation, which
brings me to the fourth recommendation, accountability.
    I want to focus on the data-level protection aspect of
this recommendation. Far too often we see the Government equate
data-level protection with the encryption of data. While
encryption is important, the Government's focus needs to be
expanded to include prevention, specifically data loss
prevention or DLP. DLP can discover and categorize sensitive
data and can enforce policies about what can be done with that
data. DLP can automatically encrypt data before it is
transmitted even if the end-user forgot to encrypt it
themselves.
    I recommend that DHS advance the data protection phase of
CDM, which would have the added benefit of protecting the high-
value assets identified by agencies during the 2015 Cyber
Sprint.
    I hope these observations build on OMB's recommendations
and maximize their ability to improve our Government
cybersecurity posture.
    Thank you for the opportunity to testify.
    [The prepared statement of Mr. 
Durbin follows:]\n                    Prepared Statement of Ken Durbin\n                             July 25, 2018\n    Chairman Ratcliffe, Ranking Member Richmond, my name is Ken Durbin, \nCISSP, and I am a senior strategist for Symantec Global Government \nAffairs and Cybersecurity. I have been providing solutions to the \npublic sector for over 30 years. My focus on compliance and risk \nmanagement (CRM) and the critical infrastructure sector has allowed me \nto gain insights into the challenge of balancing compliance with the \nimplementation of cybersecurity solutions. Additionally, I focus on the \nstandards, mandates, and best practices from NIST, OMB, DHS, SANS, etc. \nand their application to CRM. I spend a significant amount of my time \non the NIST Cybersecurity Framework (CSF)\\1\\, the DHS CDM Program and \nthe emerging EU Global Data Protection Regulation (GDPR.)\n---------------------------------------------------------------------------\n    \\1\\ NIST Cybersecurity Framework (CSF): Provides guidance to \nprivate companies on how best to prevent, detect, and respond to cyber \nattacks.\n---------------------------------------------------------------------------\n    Symantec Corporation is the world\'s leading cybersecurity company \nand has the largest civilian threat collection network in the world. \nOur Global Intelligence Network<SUP>TM</SUP> tracks over 700,000 global \nadversaries, records events from 126.5 million attack sensors world-\nwide, and monitors threat activities in over 157 countries and \nterritories. Additionally, we process more than 2 billion emails and \nover 2.4 billion web requests each day. We maintain 9 Security Response \nCenters and 6 Security Operations Centers around the globe, and all of \nthese resources combined give our analysts a unique view of the entire \ncyber threat landscape. 
On our consumer side, we combined Norton Security with LifeLock's Identity and Fraud Protection to deliver a comprehensive cyber defense solution to a growing consumer base of nearly 4.5 million people.
    In my testimony I will provide:
  <bullet> an overview of the current threat landscape, including highlights of our 2018 Internet Security Threat Report (ISTR),\2\
---------------------------------------------------------------------------
    \2\ https://www.symantec.com/security-center/threat-report.
---------------------------------------------------------------------------
  <bullet> an assessment of the Federal Cybersecurity Risk Determination Report and Action Plan that was released in May,
  <bullet> high-level recommendations on addressing some of the challenges highlighted in the report.
                          The Threat Landscape
    From the recent Thrip attack on satellite and telecommunications systems to the spread of WannaCry and Petya/NotPetya, to the rapid growth in coinminers, the past year has provided us with many reminders that digital security threats can come from new and unexpected sources. With each passing year, not only has the sheer volume of threats increased, but the threat landscape has become more diverse, with attackers working harder to discover new avenues of attack and cover their tracks while doing so. Symantec's annual ISTR provides a comprehensive view of the threat landscape, including insights into global threat activity, cyber criminal trends, and motivations for attackers. Below are some key highlights from this year's report and our recent work.
Attackers Are Evolving
    Last month, we issued a report about a previously unknown attack group known as Thrip.\3\ Thrip is a sophisticated attacker that used a technique we call "living off the land"--using operating system features or legitimate network administration tools to compromise victims' networks. Simply put, they use good programs to do bad things. These types of attacks are difficult to detect because malicious activity is disguised as normal system operations. This continued a trend we reported on in the ISTR, that attackers are relying less on malware and zero-day vulnerabilities. Instead, they are looking for new attack vectors that make less "noise" and can be hard for some defenders to detect.
---------------------------------------------------------------------------
    \3\ https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets?om_ext_cid=biz_social_NAM_twitter_Asset%2BType%2B%2B-%2BBlog,Campaign%2B-%2BThreat%2BAlert.
---------------------------------------------------------------------------
    When we discovered Thrip, they had already compromised satellite operators, telecommunications companies, and a defense contractor. We identified this malicious activity using an advanced hunting tool we call Targeted Attack Analytics, which crawls through massive data sets looking for minute indicators of malicious activity. When we find something--like Thrip--we update our protections to stop it in the future. Thrip was not the first living off the land attack, and it will not be the last, and defenders must evolve to stay ahead of the next attack.
Cryptojacking
    During the past year, an astronomical rise in cryptocurrency values triggered a cryptojacking gold rush with cyber criminals attempting to cash in on a volatile market. This gave rise to a new category of malware called "coinminers" that attach to an individual's browser and utilize their computer's processing power to mine cryptocurrency. Detections of coinminers on endpoint computers increased by 8,500 percent in 2017. With a low barrier of entry--only requiring a couple lines of code to operate--cyber criminals are harnessing stolen processing power and cloud CPU usage from consumers and enterprises to mine cryptocurrency. Coinminers can slow devices, overheat batteries, and in some cases, render devices unusable. For enterprise organizations, coinminers can put corporate networks at risk of shutdown and inflate cloud CPU usage, adding cost. Macs are not immune either, with Symantec detecting an 80 percent increase in coinmining attacks against Mac OS. By leveraging browser-based attacks, criminals do not need to download malware to a victim's Mac or PC to carry out cyber attacks.
IoT
    IoT devices continue to be ripe targets for exploitation. Symantec found a 600 percent increase in overall IoT attacks in 2017, which means that cyber criminals could exploit the connected nature of these devices to mine en masse.
Targeted Attack Groups
    The number of targeted attack groups is on the rise, with Symantec now tracking 140 organized groups. Last year, 71 percent of all targeted attacks started with spear phishing--the oldest trick in the book--to infect their victims. As targeted attack groups continue to leverage tried and true tactics to infiltrate organizations, the use of zero-day threats is falling out of favor. Only 27 percent of targeted attack groups have been known to use zero-day vulnerabilities at any point in the past. The security industry has long discussed what type of destruction might be possible with cyber attacks. This conversation has now moved beyond the theoretical, with 1 in 10 targeted attack groups using malware designed to disrupt.
Supply Chain Attacks
    Symantec identified a 200 percent increase in attackers injecting malware implants into the software supply chain in 2017. That's equivalent to 1 attack every month as compared to 4 attacks the previous year. Hijacking software updates provides attackers with an entry point for compromising well-guarded networks. The Petya outbreak was the most notable example of a supply chain attack. After using Ukrainian accounting software as the point of entry, Petya used a variety of methods to spread laterally across corporate networks to deploy its malicious payload.
Ransomware for Profit
    In 2016, the profitability of ransomware led to a crowded market. In 2017, the market made a correction, lowering the average ransom cost to $522 and signaling that ransomware has become a commodity. Many cyber criminals may have shifted their focus to coin mining as an alternative to cashing in while cryptocurrency values are high. Additionally, while the number of ransomware families decreased, the number of ransomware variants increased by 46 percent, indicating that criminal groups are innovating less but are still very productive.
 Assessment of the Federal Cybersecurity Risk Determination Report and Action Plan
    The Office of Management and Budget (OMB), in response to Presidential Executive Order (EO) 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, produced a report that provides a tough but fair assessment of the current state of the Executive branch's Cybersecurity Posture. The EO and the report build upon the efforts of previous administrations and work within existing frameworks, including FISMA,\4\ FITARA,\5\ CDM,\6\ and CSF. While none of these are perfect, OMB sees their value and seeks to improve them. The EO held OMB to a tight time line in which to produce the report, and OMB held agencies to a similarly aggressive time line. This alone sent a strong message, both about the seriousness of the situation and about the administration's commitment to improving the Executive branch's cybersecurity posture.
---------------------------------------------------------------------------
    \4\ Federal Information Security Management Act: Requires Government agencies to implement security systems to protect information and information systems.
    \5\ Federal Information Technology Acquisition Reform Act: Changed the way the Federal Government buys and manages its computer technology.
    \6\ Continuous Diagnostics and Mitigation: Four-phase program that monitors what is on a network, who is on a network, what is happening on a network, and how data is protected for Federal agencies.
---------------------------------------------------------------------------
    As a threshold matter, I would like to commend the administration and OMB for recognizing the value of the CSF as a tool to improve the current state of the Executive branch's risk management efforts. The CSF's power is its ability to take a complex set of cybersecurity data and present them in a clear, logical, and simplified way such that one does not need to be a cyber expert to gain valuable insight and make important decisions. For example: An agency now needs to collect data from over 200 FISMA controls across 10 control families to evaluate cybersecurity readiness. That same data can be consolidated into the 5 CSF functions (identify, protect, detect, respond, and recover) for a clearer view into their cyber readiness.
Recommendation No. 1: Increase Cybersecurity Threat Awareness
    To highlight the need for increasing cybersecurity threat awareness, the report points out that "38 percent of Federal cyber incidents did not have an identified attack vector." This equates to 11,802 cyber incidents that "led to the compromise of information or system functionality in fiscal year 2016." To improve this situation the report recommends implementing the Cyber Threat Framework (CTF) with the idea that it will help prioritize and manage cybersecurity risks. The CTF was developed to enable consistent characterization and categorization of cyber threat events; in other words, to provide a common lexicon to describe and understand threats. This, of course, is a worthwhile pursuit, but it is not clear how the CTF would have helped protect against the 11,802 cyber events that compromised information and systems.
    I recommend that, along with implementing the CTF, OMB put a strong emphasis on cybersecurity solutions that can automate the detection and remediation of cyber events. Automated cybersecurity solutions that can communicate between strategic control points hunting for indicators of compromise (IoCs) will help to reduce the number of unidentified attacks, and reduce the burden caused by the shortage of qualified cyber professionals.
    I applaud OMB's efforts to develop a risk-based budgeting process to help direct IT purchases toward products, solutions, and services that will have a direct impact on reducing identified risk. OMB may want to consider taking this effort one step further to address one long-standing issue around agency IG Report recommendations. IG Reports regularly contain risk-based recommendations that are carryovers from previous years' reports, and often they remain unresolved due to budget or staffing issues.
Adding IG recommendations as line items in an agency's budget request could be a way to ensure the recommendations receive adequate prioritization. Additionally, DHS has modified the CDM program to allow agencies to submit Requests for Service (RFS) to fulfill specific needs. Known as CDM DEFEND, this may be another vehicle to address risk-based procurement.
Recommendation No. 2: Standardize IT and Cybersecurity Capabilities
    This recommendation harkens back to the massive GSA "desktop" contracts of the 1980's and 1990's. For the most part those contracts mandated a standardized PC platform with specific software preinstalled. (The original contract required a Zenith 286 with DOS, Harvard Graphics, Lotus123, and WordStar.) This did have some of the same advantages spelled out in the report, including consistent software versions, ease of patching, known configurations, and simplified troubleshooting. The downside was that even if a competitor of Zenith had a better PC, it was next to impossible to justify not using the desktop contract.
    I believe the Continuous Diagnostics and Mitigation (CDM) concept achieves the goals set forth in this recommendation by focusing on standardized capabilities rather than a standardized vendor. However, in order to be effective in meeting this goal, the CDM Program will need to move faster--5 years after CDM was launched, Phase 1 has still not been fully deployed. DHS has taken steps to accelerate the program, launching CDM DEFEND, which utilizes the GSA Alliant Contract and extends the period of performance of awarded Task Orders.
Recommendation No. 3: Consolidate Agency SOCs
    Redundant Security Operation Centers (SOCs) working in silos are ineffective when trying to defend an enterprise. Consolidating SOCs and coordinating their efforts will improve overall incident detection and response. OMB states that only 47 percent of agencies can detect encrypted exfiltration incidents, and only 27 percent have the ability to detect an exfiltration attempt. Consolidation is part of the solution, but detecting the exfiltration of data by a SOC across an agency, especially a federated agency, requires more than consolidation. A SOC must have the right tools in place to tag and monitor the activity of sensitive data on an endpoint, server, data center, in storage, or in the cloud. A SOC also needs the ability to look into encrypted traffic and scan for sensitive data and malware. If a SOC does detect a data exfiltration threat, the SOC needs to have a solution in place to mitigate the threat, preferably utilizing automation.
Recommendation No. 4: Drive Accountability Across Agencies
    I would like to focus on the "data-level protections" aspect of this recommendation. OMB acknowledges the call from industry, privacy advocates, and the GAO for an increased focus on data-level protections. However, the Government must expand the scope of data-level protection to include data-level prevention as well. Far too often we see the Government equate data-level protection with the encryption of data, both in transit and at rest. Encryption is important, but its focus is limited to data "protection." This thinking needs to be expanded to include prevention--specifically "data-loss prevention" (DLP) capabilities that prevent the misuse of data in the first place. DLP solutions can discover where sensitive data lives, categorize the data based on its sensitivity, and control who has access to the data. DLP can also enforce policies that describe what can be done with data. For example, DLP can block data from being copied to a thumb drive, emailed to a personal email account, or block access to data from certain locations or during certain times. DLP can even automatically encrypt data before it's transmitted even if the end-user forgot to encrypt it themselves.
    CDM is slated to address Data Protection in Phase 4 of the Program. I recommend that DHS advance Data Protection so it is implemented concurrently with on-going and planned CDM Task Orders. This would have the added benefit of maximizing the effort undertaken by agencies during the OMB-mandated Cyber Sprint of 2015 and its follow-on components. Under the Cyber Sprint, agencies were to identify their "high-value" assets but were not provided with solutions to protect those assets. The Data Protection capabilities of CDM, along with CDM's funding, would go a long way toward protecting high-value assets in a timely manner.
                               Conclusion
    This committee understands as well as anyone that cyber threats are growing in number and complexity at an alarming pace and that Government agencies continue to be an attractive target. The OMB report takes a clear-eyed and unbiased look at the current state of our cybersecurity preparedness, does not shy away from pointing out areas that need significant improvement, and makes recommendations that build upon proven efforts of previous administrations. I hope my ideas can build on OMB's recommendations and maximize their ability to improve our Government's cybersecurity posture. Thank you for the opportunity to testify before this committee, and I would be happy to take any questions you may have.

    Mr. Ratcliffe. Thank you, Mr. Durbin.
    The Chair now recognizes Ms. Fowler for 5 minutes.

 STATEMENT OF SUMMER FOWLER, TECHNICAL DIRECTOR, CYBERSECURITY RISK AND RESILIENCE, SOFTWARE ENGINEERING INSTITUTE, CERT, CARNEGIE MELLON UNIVERSITY

    Ms. Fowler. Good morning.
    Thank you, Chairman Ratcliffe, Ranking Member Richmond, and all subcommittee Members for this opportunity.
On behalf of my team at Carnegie Mellon University's Software Engineering Institute CERT Cybersecurity Program, or SEI, I am excited to contribute today and share our research and experience in cyber risk determination.
    OMB's May 2018 report, as has been noted, contains four core recommendations that we believe are excellent steps to improving Federal cybersecurity posture.
    Our work at the SEI can build on and enhance these recommendations. Cyber risk management requires analysis and mitigation of two sides, both the threat and the consequence or impact of risks that occur.
    We know that our cyber exposure is increasing as software is embedded in more aspects of our lives and Government operations, and our adversaries are using these exposures to launch more frequent and more sophisticated attacks. Understanding these threats is important, but cyber risk management is not only about managing cyber attack--failures of technology, breakdowns in governance or process, human errors, and even physical phenomena like natural disasters are also cyber risks.
    Addressing cyber risks holistically requires a resilience approach, a word I was very happy to hear Mr. Ratcliffe using, and that approach focuses on mitigating the impact of any type of disruptive event. Operational resilience is the ability to achieve mission objectives before, during, and after any disruptive event, whether it is a cyber attack or a system failure. Fundamental to operational resilience is identifying and prioritizing assets that are critical to each organization's mission.
    Our team at the SEI has codified operational resilience in the CERT Resilience Management Model. We have applied this model in partnership with DHS by assessing over 600 organizations across all 16 critical infrastructure sectors. These voluntary assessments provide organizations with a baseline understanding of their cybersecurity capabilities. The assessment team also provides the organization with resource guides and recommendations on how to make improvements.
    The CERT RMM is used as a way to measure capabilities against the NIST Cybersecurity Framework and other industry standards, but the operational resilience approach moves beyond checklist compliance to enable organizations to make demonstrable steps to improve cybersecurity posture.
    Most importantly, CERT RMM does not require an organization to start a new cybersecurity program. It allows an organization to baseline capabilities and build a road map for improvement that is both complementary to and improves organizations' inputs to Federal programs like the DHS CDM program. CERT RMM also provides a structured way for organizations to identify, analyze, and mitigate the risks of older, or legacy, information technology, as was noted in the OMB report as a major concern.
    In many cases, as the report recommends, depreciated legacy systems will be modernized or moved to platforms like the cloud. The asset management practices in CERT RMM ensure that the highest-priority assets for each organization are addressed first, but introducing new capabilities like the Cloud also introduces new cyber risks.
    CERT RMM provides structured guidance on the management of supply chain, including new ways to continuously measure and manage the risks of third-party dependencies. A holistic resilience approach is especially important as the Government integrates cyber physical systems into the Federal landscape. Cyber physical systems are often built with functionality as a primary goal and cybersecurity as a secondary or tertiary goal at best.
    The military and Federal Government are adopting cyber physical systems in areas like medical devices, in VA hospitals, and census collection capabilities.
    To mitigate cyber risks, we must address both threats and consequences in a balanced way with the focus on prioritization of assets that are most critical to our mission.
    Thank you for the opportunity to participate today and to discuss how we can advance cyber risk determination and management through operational resilience practices.
    [The prepared statement of Ms. Fowler follows:]
                  Prepared Statement of Summer Fowler
                             July 25, 2018
    Chairman Ratcliffe and Ranking Member Richmond, thank you for the opportunity to participate in this hearing on assessing cybersecurity risk. I am the technical director of cybersecurity risk and resilience for the CERT division, part of Carnegie Mellon University's Software Engineering Institute (SEI),\1\ a Department of Defense (DoD) Federally-Funded Research and Development Center (FFRDC). The SEI conducts research and development in software engineering and cybersecurity, working to transition new and emerging innovations into Government and industry. The SEI holds a unique role as a FFRDC sponsored by the DoD that is also authorized to work with organizations outside of the DoD, including engagement across the Federal Government, the private sector, and academia. As such, we have been working with Department of Homeland Security's critical infrastructure protections since they were established in 2013.
Our research, prototyping, mission application, training, and education activities are heavily interrelated and are relevant to a broad range of problem sets, such as protection of the Nation's critical infrastructure and improved software engineering for large-scale systems of systems.
---------------------------------------------------------------------------
    \1\ https://www.sei.cmu.edu/.
---------------------------------------------------------------------------
    Disruptions of critical functions that are reliant on computer systems are inevitable. No organization, government, or agency can anticipate every disruption or prevent every cyber attack. Agencies must be able to anticipate and respond to changes in their risk environment at a moment's notice. Furthermore, despite these disruptions, organizations should be capable of continuing operations and meeting mission goals.
    We at the SEI applaud the work of the Office of Management and Budget, detailed in the May 2018 report "Federal Cybersecurity Risk Determination Report and Action Plan." As a high-level assessment of Government cybersecurity risks, the report identifies four core actions that I believe will indeed, done correctly, mitigate a significant number of cyber risks across the Federal agencies.
    Notwithstanding, there are some finer points, not included in the report, that are worth discussing and implementing. First, the report concentrates on only one half of cyber risk management. In order to successfully execute cyber risk management, agencies must ensure they analyze and manage cyber risk or threats as well as the potential impact of the cyber risks and threats on their organization. While the report concentrates on the threat of cybersecurity and proposes better understanding of the cyber risk, outlining the potential effect of any realized threat requires just as much effort.\2\ If agencies are to achieve the ability to complete their mission no matter the cyber threat, it is imperative that we manage both the cyber threat and the consequences of the attacks.
---------------------------------------------------------------------------
    \2\ As reinforced in NIST 800.39, Managing Information Security Risk: Organization, Mission, and Information System View, and NIST 800.37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.
---------------------------------------------------------------------------
    Accomplishing this continuity of operations requires a resilience approach to cybersecurity--an integrated, holistic way to manage security risks, business continuity, disaster recovery, and IT operations, executed in the context of each organization's mission and strategy.
    Second, by the report's own admission, it does not cover older, legacy information technology (IT) or workforce challenges. Both legacy IT and the workforce shortage are significant and must be addressed if the Federal enterprise is to understand the current cyber risk environment and credibly prepare for the future.
    The SEI's Enterprise Risk and Resilience research includes advancing cyber risk management and enhancing it via the planning, integration, execution, and governance of operational resilience. We leverage our research to develop best practices, resilience management models, tools, and techniques for measuring and improving enterprise risk management and operational resilience in the form of actionable guidance for the DoD and Federal civilian agencies.
                         Operational Resilience
    Operational Resilience is the ability to continue to operate, and to meet the organization's mission, in the face of evolving cyber conditions. In the ever-changing cyber and technological landscape, organizations need techniques that allow people, processes, and systems to adapt to changing patterns. These patterns include the incessant introduction of both unique threat actors and the means by which systems are exploited. Operational resilience is obtained by ensuring your cyber risk management takes into account both the threat and the consequences of cyber risk.
    Cyber risk management, as proposed by the report, is a process to identify, analyze, dispose of, monitor, and adjust approaches to handling threats. Yet we know cyber risk management alone is not enough to ensure that we are prepared to address current and emerging threats. The concept of risk management must adhere to a formula between likelihood of threat and consequence of impact.
    At the SEI we have found cyber risk is best managed by determining potential impact first. This requires articulation of mission, enumeration of critical services or activities to achieve mission, and asset management.\3\ Once critical assets are identified, then we can walk back toward a list of specific threat types and threat actors. Cyber professionals whose efforts are concentrated in the assessment of threats are often doing very good cybersecurity work; however, without consideration of impact and asset management, they may not be protecting the assets most critical to that particular organization. Focusing on mission objectives and critical assets creates operational resiliency in an organization regardless of the source or type of threat. This focus on mission context also improves the ability to communicate risk, ultimately helping to address finding No. 4 in the OMB report.
---------------------------------------------------------------------------
    \3\ Asset management is a collection of practices to identify and prioritize the people, processes, data, technology, and facilities required to execute the activities.
---------------------------------------------------------------------------
    Examining consequences helps organizations to identify and mitigate operational risks that could lead to service disruptions before they occur. Organizations can then prepare for and respond to disruptive events in a way that demonstrates balance of command and control of threat mitigation, incident response, and service continuity. Finally, by establishing a robust understanding of assets, agencies can prioritize investments needed to protect, respond, recover, and restore mission-critical services and operations after an incident and within acceptable time frames.
    Considering impact is key for comprehensive cyber risk management leading to resilience. If an agency looks only to malicious threats to operations, it risks missing 17 percent (1 in 5) of overall data breaches, which are the result of human error. In the health care and information industries, these errors are much higher at 35 percent and 26 percent respectively.\4\ Organizations cannot overlook the role of humans in the management of cyber risks. A malicious act of deliberate sabotage or the unintentional actions of a confused system operator can both lead to a profound disruption. A resilience approach is agnostic of the type of disruption and enables the organization to plan for, avoid, detect, respond to, and recover from incidents including natural disasters, human error, or malicious cyber attacks.
---------------------------------------------------------------------------
    \4\ Verizon 2018 Data Breach Investigations Report, https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_execsummary_en_xg.pdf.
---------------------------------------------------------------------------
    Furthermore, in today's ever-increasing global economy, many organizations depend on external entities for information and technology, increasing the potential risk to their missions and key services. These third-party entities are an extension of the organization and are often given a trusted place in the management of systems and processes. When trust in an external entity is misplaced or misused, the consequences can be significant. Examples include breaches due to a third party's failure to protect data, poor integrity of hardware and software deployed within an organization, or malicious use of trusted extrinsic relationships to gain access to or harm the organization. Agencies must approach the management of supply chain, also called third-party or external dependencies, with a risk-based approach. This approach includes adopting new ways of continuously measuring and managing the risk from external dependencies.
    Additionally, agencies can and should determine the maturity of their external-dependencies management practices. Guided by specific service-level agreements, which establish meaningful measures of cybersecurity performance, agencies can better understand and manage the capabilities of their external dependencies, thus increasing organizational resiliency.
For example, external dependencies \nmanagement is especially critical as the Government continues to \nmodernize its IT capabilities using cloud service providers.\n    Last, for true operational resilience, agencies must move beyond \nsimplistic checklist compliance or penetration testing and take \ndemonstrable steps to improve cybersecurity posture. Our team at \nCarnegie Mellon University has codified operational resilience in the \nCERT® Resilience Management Model (CERT-RMM).\\5\\ Developed by deriving \npractical tools and methods from the best concepts that academia has to \noffer and best practices from the public and private sectors, CERT-RMM \nhas been applied to measure and evaluate organizations of all sizes and \ncompositions. Developed initially in collaboration with members of the \nfinancial services community, CERT-RMM has been used more than 600 \ntimes by the Department of Homeland Security to measure the cyber \nresilience across all 16 critical infrastructure sectors. CERT-RMM can \nalso be used as a way to measure capabilities against the NIST \nCybersecurity Framework. Enabling agencies both to ensure compliance \nand to show measurable improvement in cybersecurity posture, CERT-RMM \nprovides a resource guide mapped to several industry and Government \nstandards.\n---------------------------------------------------------------------------\n    \\5\\ https://resources.sei.cmu.edu/library/asset-\nview.cfm?assetid=508084.\n---------------------------------------------------------------------------\n    Most importantly, CERT-RMM is a framework that does not require \nagencies to start over, but allows every organization, whatever its \ncurrent competence, a way to assess baseline capabilities and develop a \nroadmap for improvement as an enhancement to cyber risk management. 
\nThis also enables a way to address the next topic of legacy information \ntechnology (IT).\n                               legacy it\n    Organizations do not have unlimited resources with the option of \nreplacing older systems and software en masse to help mitigate new \ncybersecurity threats. Most, in both Government and the private sector, \nhave a mix of old and new systems all connected to each other and most \nlikely accessible to threat actors via the internet. While layers of \nsafeguards are placed between these systems and the outside world, \nlegacy IT remains a serious concern and has led to many notable cyber \nbreaches despite these defenses. Knowing where the most fragile legacy \nIT systems are located is essential. Consequently, at a minimum an \norganization must engage in effective asset management to gain a \ndetailed inventory of IT. Without a valid inventory, accompanied by a \nnetwork map, it is unlikely any organization could adequately defend \nitself or have appropriate continuity plans in place. Moving these \ndeprecated legacy systems to a more secure platform, like the cloud, is \na valid and appealing option. Asset management practices enable us to \nprioritize what needs to be moved in order to ensure that our highest-\npriority assets are addressed first. Asset management practices are key \ningredients that allow an analysis of the risk and reward of migrating \nlegacy IT to new operating models such as third-party cloud service \nproviders.\n                         workforce development\n    It is not a secret; there is a shortage of experienced and capable \ncybersecurity personnel. Some studies indicate that the global \nworkforce shortage will reach almost 2 million by 2022.\\6\\ Furthermore, \nFederal agencies face stiff competition from private industry for the \nlimited supply of cyber professionals that do exist. Consequently, \norganizations need a long-term plan for amplifying their cybersecurity \ncapabilities. 
Agencies would benefit from an accurate and objective \nevaluation of their cyber workforce, and with the right methods and \ntechnologies, organizations can identify gaps in essential competencies \nthat are unique to their workforce. This allows agencies to make \nbetter, targeted, hires as well as continuing education decisions for \ncurrent employees, resulting in more efficient use of taxpayer dollars. \nIt will take a combination of strategic hiring and developing staff in \nparallel to meet the need for qualified resources. Programs like \nScholarship for Service,\\7\\ which provides tuition and stipends to \nstudents studying cybersecurity and related fields, represent a vital \npipeline of cybersecurity professionals for the Federal Government. \nAgencies should leverage these options, along with partnerships and \ntraining such as the Carnegie Mellon University CISO Executive \nCertificate Program or incident handling courses, to maximum advantage \nin their workforce development strategies.\n---------------------------------------------------------------------------\n    \\6\\ https://iamcybersafe.org/gisws/.\n    \\7\\ https://www.sfs.opm.gov/--CMU-SEI is a participating \ninstitution.\n---------------------------------------------------------------------------\n    Additionally, we need to make cybersecurity an integrated part of \nour educational curricula starting with our youngest students. \nFollowing the 2007 cyber attacks that crippled dozens of its government \nand corporate sites, Estonia evolved its approach to cybersecurity to \ninclude robust educational programs at all age levels and is now \nrecognized as having the best cybersecurity in Europe. In 1961 our \nNation committed to a dramatic expansion of our space program with a \ngoal of being the first nation to land a human on the moon. 
Similarly, \naddressing our cyber risks with the goal of a Federal Government that \nis resilient against current and future cyber disruptions requires a \nNational initiative to prepare our workforce. It is essential that we \ncommit to research in emerging areas like artificial intelligence, \nautonomy, and data analytics methods, and the corresponding training, \nthat will advance our cyber risk management practices in the future.\n                               conclusion\n    Cyber risks are not unlike other risks that organizations face. \nConstrained by limited resources, we must mitigate cyber risks by \naddressing both threats and consequences in a balanced way. The goal is \nto ensure that we are operationally resilient, preserving the ability \nto achieve our mission, despite any disruptions, such as cyber attacks. \nTo be resilient requires us to understand and prioritize our assets, \nincluding technology, data, facilities, as well as people and \nprocesses, so that we can invest in the protection and continuity of \nthe assets most critical to our mission. This is a fundamental concept \nin operational resilience practices that will enhance Federal cyber \nrisk management capabilities.\n    Addressing these challenges and the actions listed in the report is \neven more necessary as we address the integration and risks of cyber \nphysical systems (CPS) in the Federal landscape. Cyber physical systems \nalready exist in manufacturing, health care, automotive systems, and \nfinancial services to name a few. These CPS systems were often built \nwith functionality as a goal and cybersecurity as a secondary or \ntertiary consideration at best. The U.S. military and Federal \nGovernment are also integrating CPS in areas like medical devices in VA \nhospitals, internet of things capabilities in the U.S. Mint, or census \ncollection activities. 
These capabilities present new attack surfaces \nfor our adversaries and require that we advance our cybersecurity risk \nmanagement practices with a focus on operational resilience.\n    Thank you again for the opportunity to participate in this hearing \nand to discuss how we can better address cyber risks through \noperational resilience practices.\n\n    Mr. Ratcliffe. Thank you, Ms. Fowler.\n    The Chair now recognizes Mr. Schwartz for 5 minutes for his \nopening statement.\n\n STATEMENT OF ARI SCHWARTZ, MANAGING DIRECTOR OF CYBERSECURITY \n  SERVICES, CYBERSECURITY RISK MANAGEMENT GROUP, VENABLE LLP, \nTESTIFYING ON BEHALF OF THE CYBERSECURITY COALITION AND CENTER \n                FOR CYBERSECURITY POLICY AND LAW\n\n    Mr. Schwartz. Chairman Ratcliffe, Ranking Member Richmond, \nand Members of the committee, thank you for the opportunity to \nappear before you today to discuss our views on the Federal \nCybersecurity Risk Management.\n    I do so in my role as coordinator of the Cybersecurity \nCoalition, the leading policy coalition of companies that \ndevelop cybersecurity products and services.\n    These issues before us today are not new. Twelve years ago, \nI was on an advisory board, the Information Security Privacy \nAdvisory Board that NIST hosts, and at that time the chairman \nof the Government Reform Committee was Tom Davis at the time, \nwould give grades to Cabinet agencies on how they were doing on \ncybersecurity.\n    We had before our advisory board the deputy CIO of one \nagency that had consistently failed for the past 8 years and so \nI took this time, and this deputy CIO was actually retiring \nfrom Government service at that time, so I thought that this \nwas a good opportunity to hear from him directly as to why \nGovernment agencies continued to fail. I asked the question you \nknow, what would it take for you to do to succeed?\n    He said, ``Well you know, one time many years ago I got a \nD, right? 
We got a D and no one paid attention to that at all, \nso we are better off failing, right? We can get resources if we \nfail. If we use the resources that we are given, the best we \nare going to do is a D or a D-minus. So what good is it for us \nto try and play to the tests and try and pass these tests as \nopposed to fail, right?\'\'\n    This was a security expert that knew what he was talking \nabout in the security space but had no incentive to do what \nGovernment was pushing him to do. I think those incentives have \nchanged in terms of the policy space but not in terms of the \nleadership space and not in terms of getting the attention and \ngetting the resources needed to actually fix the problems.\n    We have seen that the move to risk management I think helps \nagencies to tailor the test themselves so that it is based more \non risk to the particular agency as opposed to the basic \ncheckbox that we used to have, much more so and under the old \nFISMA guidance before the reform FISMA of 2014 came forward.\n    OMB suggests in their report that came out in May that the \ngoal should be to empower the CIO. This has been done for years \nand years and has not succeeded. Instead we should do exactly \nwhat Mr. 
Chairman, you suggested in your opening statement, \nwhich is to make sure that we hold the leadership accountable.\n    The Trump administration in their Executive Order says that \nthat is their goal to hold Secretaries and deputy secretaries \ndirectly responsible for what happens at the agency in terms of \ncybersecurity but the CIOs themselves have many, many jobs to \ndo and security is only a small part of what they do.\n    Instead we should move to do what has been happening in the \nprivate sector which is to have the CISOs report to the \nleadership directly themselves and make sure that the CISOs \nhave some ability to influence the policy and make sure that \nthen the leadership when they are asked questions from above \nthat they have the ability to go to the CISO and hear things \ndirectly from them.\n    The question is now, how do we hold that agency leadership \naccountable and we make it so that there is a reason to pass \nand to do the right thing in this space? From my experience I \nwould suggest that having the director of OMB responsible for \nmaking sure that agency heads are paying attention to this issue \nas a central mission issue, right? When people don\'t become the \nSecretary of the Interior or the Secretary of Agriculture or \nothers, in order to do cybersecurity but you still have to make \nit part of their mission to do so.\n    That is going to take OMB, that is going to take the White \nHouse chief of staff, making these calls and making sure that \nit is not just an incident that gets the attention of the \nSecretary but that it is on the radar all the time. 
You can \nalso do this at the deputy director level with a deputy \ndirector of management and making sure that they are the ones \nmaking the calls.\n    Of course, Congress in your regular oversight of agencies, \nwhen you have those Secretaries and deputy secretaries in front \nof you, you can ask these questions, at other hearings as well \nand make sure that they are being held responsible for what is \nhappening at the agencies.\n    Now is the time to make sure that the agencies are being \nheld responsible for their failures and rapidly addressing \nthese known risks.\n    I thank you again for having me today. I look forward \nto your questions.\n    [The prepared statement of Mr. Schwartz follows:]\n                       Statement of Ari Schwartz\n                             July 25, 2018\n    Chairman Ratcliffe, Ranking Member Richmond, and Members of the \ncommittee, I am Ari Schwartz. Thank you for the opportunity to appear \nbefore you today to discuss our views on the Federal Cybersecurity Risk \nDetermination Report and Action Plan. I do so in my role as coordinator \nof the Cybersecurity Coalition, the leading policy coalition of \ncompanies that develop cybersecurity products and services.\\1\\\n---------------------------------------------------------------------------\n    \\1\\ About the Center for Cybersecurity Policy and Law and the \nCybersecurity Coalition: The Center for Cybersecurity Policy and Law is \na nonprofit (501(c)(6)) organization that develops, advances, and \npromotes best practices and educational opportunities among \ncybersecurity professionals. The Center provides a forum for thought \nleadership for the benefit of those in the industry including members \nof civil society and Government entities in the area of cybersecurity \nand related technology policy. 
The Center seeks to leverage the \nexperience of leaders in the field to ensure a robust marketplace for \ncybersecurity technologies that will encourage professionals, \ncompanies, and groups of all sizes to take steps to improve their \ncybersecurity practices. The Center hosts several initiatives focusing \non a range of critical cybersecurity issues, including the \nCybersecurity Coalition, Better Identity Coalition, and the Hardware \nComponent Vulnerability Disclosure Project. The Cybersecurity Coalition \nbrings together industry-leading companies to share their expertise and \nunique perspective on critical policy issues, both in the United States \nand internationally. The Coalition is focused on several active and \ncritical policy issues that require close alignment and coordination to \nprotect the vital interests of the cybersecurity products industry, \nincluding: Promoting responsible vulnerability research and disclosure; \npromoting effective privacy processes within cybersecurity policy; \nestablishing Government requirements for agency systems; increasing \ninformation sharing and threat intelligence; and promoting sound \ncybersecurity practices in government at all levels. Coalition members \ninclude Arbor Networks, AT&T, CA Technologies, Cisco, Citrix, \nCybereason, Intel, McAfee, Mozilla, Palo Alto Networks, Rapid7, Red \nHat, and Symantec.\n---------------------------------------------------------------------------\n    Over the past decade, the Federal Government has steadily moved \naway from ``check box compliance\'\' mandates to a risk management \napproach to address cybersecurity issues. Major steps in this move have \nincluded:\n  <bullet> The Cybersecurity Cross Agency Priority (CAP) goals,\\2\\ \n        which ensured that agencies would receive individualized review \n        of their risk management plans;\n---------------------------------------------------------------------------\n    \\2\\ See Obama Admin. 
Archives, Cross-Agency Priority Goal \nCybersecurity, available at https://\nobamaadministration.archives.performance.gov/content/\ncybersecurity.html.\n---------------------------------------------------------------------------\n  <bullet> The Federal Information Security Modernization Act of \n        2014,\\3\\ which provided authorities to increase risk \n        assessments of agencies;\n---------------------------------------------------------------------------\n    \\3\\ Pub. L. 113-283.\n---------------------------------------------------------------------------\n  <bullet> The Cybersecurity National Action Plan, which created a \n        Federal chief information security officer (CISO) at the Office \n        of Management and Budget (OMB); and\n  <bullet> Perhaps most notably, the Presidential Executive Order on \n        Strengthening the Cybersecurity of Federal Networks and \n        Critical Infrastructure,\\4\\ which required Federal agencies to \n        utilize the NIST Cybersecurity Framework \\5\\ to establish a \n        process to manage risk and holds agency heads accountable for \n        doing so.\n---------------------------------------------------------------------------\n    \\4\\ Executive Order 13800.\n    \\5\\ Nat\'l Inst. of Standards and Tech., Framework for Improving \nCritical Infrastructure Cybersecurity, Version 1.0 (2014).\n---------------------------------------------------------------------------\n    A risk management approach offers each agency the ability to focus \non their specific needs and enables them to demonstrate growth in their \ncybersecurity efforts while taking steps to address the most critical \nthreats to their mission.\n    OMB\'s May 2018 Federal Cybersecurity Risk Determination Report and \nAction Plan shows that, despite some limited progress, agencies have a \nlot more to do to effectively manage cybersecurity risk.\n    This is not an unexpected result. 
Agencies are not adequately \nresourced to manage cybersecurity risk, and do not have proper cross-\ndepartmental coordination processes to identify and resolve any \nbarriers to achieving this goal. The Federal Government has not \nprioritized cybersecurity risk management and simply changing policies \nto help agencies measure risk will not change their policies on its \nown.\n    So what will change agencies\' approaches to cybersecurity risk \nmanagement and drive real improvement? The May 2017 Executive Order had \nthe right idea. It is up to OMB and the President to hold agency \nleadership accountable to improve.\n    The OMB Report suggests that chief information officers (CIOs) are \nnot empowered to make the necessary changes and suggests that \nleadership should empower them to do so. While that is one approach \nthat seems to have worked for some agencies, we would recommend that to \nreally make a change in agencies, senior leadership needs to oversee \ncybersecurity risk management. In other words, security officers should \nnot be reporting to the CIO, but to the deputy secretary or the \nSecretary. A similar move has started to take place in private \ncompanies where CISOs are no longer reporting to CIOs but to CEOs or \nCOOs or directly to the Board of Directors. This shift in thinking has \nhappened because CEOs and Boards of Directors have felt pressure to \nimprove cybersecurity at companies as the result of countless breaches \nand incidents that have created real and material risk that simply \ncannot be ignored or delegated to only the information technology \nteams.\n    For this to work in the U.S. Government, the director of OMB, the \nWhite House chief of staff, and the President must hold the Secretaries \ndirectly accountable for cybersecurity risk management at the agencies. \nSimilarly, the deputy director for management at OMB must hold the \ndeputy secretaries accountable. 
Congress must adequately resource \nagencies and hold the leadership at all levels accountable for managing \nrisk through public oversight. Without this accountability, other \nmeasures, however well-intended and necessary, will not be able to \nsucceed to the extent needed to secure our Government.\n    At this point, every agency\'s leadership has been told that they \nare responsible for the cybersecurity of their agencies. Agencies have \nnow been measured and have not fared well.\n    Now is the time to hold the agency leadership responsible for \nfailures and to rapidly address these known cybersecurity risks.\n\n    Mr. Ratcliffe. Thank you, Mr. Schwartz.\n    I now recognize the gentleman from New York, Mr. Donovan \nfor 5 minutes.\n    Mr. Donovan. Thank you, Mr. Chairman.\n    Thank you all for sharing your expertise with us but to \nshow you how I lack expertise I have a VCR back home it still \nflashes 12 and you cannot see because you are facing us but all \nthe young people behind you now, Googling, ``What is a VCR?\'\'.\n    So just so I can understand the problem properly, if we are \nprotecting our gold in Fort Knox and there is only one entrance \nin there, we have a good chance of making sure anybody who gets \nthrough there is a person that ought to get through unless they \nare disguising themselves as someone else and I guess in your \nfield you would call that just looking like a friendly user to \nget into a network when you are actually an infiltrator.\n    The difficulty is when you have more than one entrance I \nguess or if you have secured your entrance but there are other \npeople who have entrances and are not securing it as well as \nyou are, that causes vulnerabilities in Fort Knox and causes \nvulnerabilities in systems I suspect because it was hard for me \nto grasp before I joined this committee on like, why cannot we \njust protect this?\n    If we know, as much as the bad guy, do we anticipate what \nthey are going to do? 
I think Ms. Fowler you used the word \nresiliency and the Chairman used the word resiliency.\n    Before we have a tragedy or an intruder so could you kind-\nof like frame the problem for me so I could understand it \nbecause I think I have to understand the problem before we \ncould actually come up with or understanding what your \nsuggested solutions are?\n    Mr. Durbin. OK. Thank you for the question. It is a complex \nsituation, a lot of it has to do with the diversity of the \nFederal Government, the diversity of the agencies, how they are \norganized, some are more flat, some are federated, some have \nmore resources than others do so it is coming up with a common \nbaseline of what is it that we have and what is it that we are \ntrying to protect.\n    I believe that the CDM program in their Phase 1 certainly \nis trying to fix that situation by doing that definition. Phase \n1 the goal is to go out and identify all hardware and software \nassets because some have made the comment and it is very true, \nyou cannot defend what you cannot see.\n    So now that we are closing in on the end of Phase 1, we \nwill have a much better look at what it is we are trying to \ndefend so that we know, what all those different entry points \nare that you referred to and then we can work on providing \nprotections against all of those different attack vectors.\n    The other issues are legacy systems that we have talked \nabout. You have a disparity between different people\'s products \nand solutions that they are using for access management or for \ndetermining who is qualified, who has privileges to access a \ncertain system and should they have those accesses so a lot of \nthis needs to be discovered and baselined so that we have an \nunderstanding of what the problems are and then we can come up \nwith solutions to solve them.\n    Mr. Donovan. Thank you.\n    Ms. Fowler.\n    Ms. Fowler. Yes. 
I am excited to hear you use the word \nresilience because it really is about resilience. When you use \nthe example of gold that needs to be protected, it is not even \njust against someone who is trying to steal that gold but when we \nthink about the fact that the gold is housed somewhere, it is \nin a container could it be impacted by a natural disaster, \ncould someone who is working there make a mistake, and that \nwould also cause us to lose our ability to access or use that \ngold.\n    So we really want to look at this from a holistic \nstandpoint of not just trying to figure out what it is that an \nadversary is trying to do but to understand what it is that is \nmost important to us and how we can ensure that it will not be \nimpacted in any negative way, right? From any sort of \ndisruption.\n    That really even starts before understanding what our \nassets are and that is related to what we talked about with \nhaving leadership have a real skin in this game. It is being \nable to articulate and communicate what it is that we are \ntrying to achieve from a mission standpoint so you know, \norganizations like Health and Human Services and Department of \nEnergy have different missions that they need to achieve, they \nhave different services that they are going to provide to \nachieve those missions, and then the assets that support those \nservices are what we really need to protect. So it is the \nidentification of the assets that are important to each \nmission.\n    The way we can use the limited resources that we have best \nis to be able to articulate our risk appetite against those \nassets that are in our organizations and make sure that \nprograms like CDM are focused on those.\n    So you know, my way of explaining this to you would be, let \nus not just look at this in terms of a threat from a cyber \nattack but a holistic, how do we protect against the impact of \nany negative consequence?\n    Mr. Donovan. Ms. Fowler, thank you.\n    Mr. Schwartz.\n    Mr. 
Schwartz. You talked about protecting the gold in Fort \nKnox but that reminds me of a saying that they use in the \nmilitary about ``protecting diamonds and toothbrushes\'\' which \nis, if we were to protect diamonds the same way as we protect \nour toothbrushes, we would have a lot of toothbrushes and not \nvery many diamonds.\n    That is part of what both Mr. Durbin or Ms. Fowler are \ndiscussing here, which is how do we do risk management in this \nspace, in a way where we can identify the assets and then do \nthe risk profile in a way that makes sure that we are \nprotecting that information in the right way that it needs to \nbe protected?\n    Prior to the NIST framework, the NIST Cybersecurity \nFramework, which Mr. Durbin mentioned, the Federal Government \nactually pretty much just had a list of the things you need \nfor every system and did not really take the less important \nsystems or more important systems and kind-of do that balancing \ntest of how should we be protecting this particular system.\n    Now we are moving toward a time when we are doing that \nkind-of risk management and that is what this OMB report\'s \nreally about, is how agencies are looking at risk in this \nspace; how are they identifying it, how do they do these \ndifferent pieces, right?\n    I break the NIST profile into identify, protect, detect, \nrespond, recover, which I break up into two pieces, one is the \ndefense side so the identify and protect, and then the other \nside detect, respond, recover I think of as a resilience side, \nas Ms. 
Fowler has been saying right?\n    So that is the how do you get to do both sides of that and \nmake sure you are doing it the right way for each system and \nthat is the kind of approach that now agencies are taking for \nthe most part but they still have problems in terms of actually \nputting the protections in place, actually making sure that \nthey are resilient in the way that they need to be even for the \nmost critical systems.\n    Mr. Donovan. I thank you all again for your expertise.\n    Mr. Chairman, I yield back, which time I don\'t have any \nmore.\n    Mr. Ratcliffe. Well, thank the gentleman.\n    The Chair recognizes the Ranking Member, Mr. Richmond--the \nChair recognizes my friend and colleague from Rhode Island, Mr. \nLangevin.\n    Mr. Langevin. Thank you, Mr. Chairman. I thank the Ranking \nMember.\n    Thank the panel also for their testimony today, the \nexpertise, the insights that you bring to these challenging \ntopics.\n    Let me begin if I could with Mr. Schwartz, you spoke of the \nneed to hold Secretaries, not CISOs accountable for the \nsecurity of their agencies\' networks and I certainly would \nagree.\n    I remember what happened when a Secretary of Defense Ash \nCarter started taking a deeper interest in this topic and doing \na deep-dive requiring weekly reports being given to him and \neven on the issue of establishing a Bug Bounty Program when he \nsaid, ``We are going to make this happen,\'\' he started telling \npeople and programs to get out of their way and make it happen, \nit did.\n    So I can see why it is so important to have Secretary \nbuy-in but you know, it seems that for years poor results on \nFISMA scores have not been enough in other agencies though to \nmotivate action.\n    So my question is what could the administration do to \nencourage real action to address these continued deficiencies \nand ensure cybersecurity leadership at the highest levels and \nagain from your perspective why is it so 
important to have \nSecretarial buy-in?\n    Mr. Schwartz. Thank you, Mr. Langevin. Thank you for your \ncontinued leadership on these issues too.\n    I think there is a lot in that question in terms of, how do \nwe get leadership to actually focus on this?\n    I do think that the executive--or the Trump Executive Order \nthat came out in May 2017 actually put us in the right place, \nwhich is before the Secretaries had all of their goals in place \nthey were told that cybersecurity was a major issue.\n    But it takes staying on top of that to do that. That means \nholding Cabinet meetings around cybersecurity and the President \ngoing around and asking each agency what they are doing, \nholding up the report card from OMB and asking them, ``What are \nyou doing to do more,\'\' right? That is what really taking the \nExecutive Order and actually implementing it means in this \nspace.\n    I realize that there are a lot of other things going on but \nthat is what is going to make a difference in this area, is \nmaking sure that the Secretary knows that they are going to be \ngoing into a meeting and that they have to prepare for it and \nthe 50 people that follow them around and do every day and do \nthat thing for that day, this is going to be the thing that we \nare doing today, right?\n    Therefore, everything needs to be in line and we need to \nget the CISO in front of us so he can give us the answers of \nwhat we need----\n    Mr. Langevin. Yes.\n    Mr. Schwartz. Right? That is the only way that it is going \nto change.\n    This is the same thing that is happening in the private \nsector too, not every company is doing this, those that are, \nare more successful.\n    Mr. Langevin. Yes. Yes, I would agree. 
I mean, if the top \npeople are not paying attention to this then clearly it becomes \na secondary priority but the President or the Cabinet \nSecretaries are the ones that are driving this then clearly \neveryone\'s going to stand up, shine the shoes, and get this \ndone the right way.\n    So, Mr. Schwartz, on another issue with small- and medium-\nsized businesses have largely resorted to outsourcing not just \ntheir IT but also the security of their IT given their limited \nbudgets. In a similar vein the OMB report suggests that shared \nservices are key to addressing risk management issues, yet we \nhave made little progress to that end.\n    So Mr. Schwartz, if you could, what barriers do agencies \nface in getting to shared or outsourced services and how do we \novercome them?\n    Mr. Schwartz. Yes. The shared services one is a tricky \nproblem for a lot of agencies. Part of it is just the culture \nof the fact that they have been doing internal security for \nyears and years and they have to move away from that and spend \nthe money on the cloud company doing the protections for them \nrather than keeping that same security in-house.\n    The small agencies in particular, those that don\'t even \nhave a large IT department are never going to be able to have \nenough security professionals and technology to protect \nthemselves, whereas the cloud companies specialize in that, the \nmanaged security services specialize in that so there is a need \nto move in that way.\n    I think the main challenges that they face are really \nprocurement challenges though because you know, you want to do \noversight of the agencies that you are in charge of doing \noversight over. 
If they are turning over a lot of their budget \nto other agencies in order to run their services, you lose \noversight over their IT, right?\n    I understand that from a Congressional point of view but \nthat is how we are going to improve with the small- and medium-\nsize agencies, is by Members of Congress understanding that and \nbeing willing to take the risk of saying, ``OK, we understand \nthat you are going in someone else\'s purview, we are losing \nsome control here.\'\'\n    But we know, that that agency has security in place and \nthat they have oversight over what they are doing as well, and \nour information being held by that agency and being overseen by \ncompanies in that space that run the managed services in that \nspace is going to be acceptable.\n    Mr. Langevin. Very good.\n    Thank you for those answers. As you can imagine I have \nseveral more but time is expired.\n    So I will yield back. I will have some questions to submit \nfor the record unless we go to a second round.\n    Thank you. Thank you all.\n    Mr. Ratcliffe. I thank the gentleman.\n    The Chair now recognizes the gentleman from Nebraska, Mr. \nBacon for 5 minutes.\n    Mr. Bacon. Thank you, Mr. Chairman. I appreciate it. Thank \nyou for coming in here and sharing your expertise.\n    I used to work in the cyber offensive side a little bit, \ncyber intelligence side, and we have some of the best \ncapabilities in the world there but we were also the most \nvulnerable when it comes to defense and other people\'s cyber \nattack. 
I heard a cyber leader once describe us as living in a \nbig glass house and we had the biggest rocks, not very \ncomforting at times.\n    One of the things that the OMB and DHS report calls for is \nthe consolidation of the Security Operations Center and \ninstead of each one having their own by consolidating it to one \nbig one, do you see that as a significant advantage or does \nhaving this does it make everybody equally vulnerable if you \nget into one, you get in everybody?\n    So I would like to have your thoughts on that. Thank you.\n    Mr. Durbin. Yes. Thanks for the question. So having a SOC \nfor the sake of having a SOC may not be the best strategy. It \ncomes down to your ability to stand up a SOC that has the right \ntools and capabilities to accomplish what it is you are trying \nto do.\n    So if you are in a position where it would be better for \nyou to merge with somebody else\'s SOC that has proven \ntechnologies and has the access capability that might be the \nbetter way to go so I agree with the recommendation of the \nreport, the consolidation of SOCs will improve some \nefficiencies.\n    Mr. Bacon. So it gives the best capabilities available for \neverybody----\n    Mr. Durbin. Exactly. Yes. Now----\n    Mr. Bacon. It standardizes the best----\n    Mr. Durbin. Yes.\n    Mr. Bacon. OK.\n    Mr. Durbin. Yes and of course you need to make sure that \nyou consolidate to a SOC that does have the excess capacity and \nthat does have the tools in place----\n    Mr. Bacon. Right.\n    Mr. Durbin. That are going to accomplish the mission.\n    This recommendation was also made around the idea of \nimproving the ability to detect data ex-filtration and simply \nconsolidating SOCs may not accomplish that. You know, the SOC \nhas to have the right tools and to be able to discover where \nthe data lives and tag that data as sensitive so that you can \nthen monitor----\n    Mr. Bacon. 
But by consolidating we can invest in that one \nand make sure that we have the best capabilities----\n    Mr. Durbin. Exactly.\n    Mr. Bacon. I would say, but would you all just agree?\n    Mr. Schwartz. Agreed.\n    Mr. Bacon. OK.\n    Ms. Fowler. Yes.\n    Mr. Bacon. Are we doing better Mr. Schwartz, when it comes \nto sharing intel data because we don\'t have a lot of silos. I \nmean, you touch on this with Mr. Langevin a little bit but are \nwe doing better making progress?\n    Mr. Schwartz. There is some progress there. I think a lot \nof the private sector is still really frustrated. A lot of it \ncomes down to getting security clearances and the right people \ngetting the information so I still hear a lot of frustration.\n    I think internally inside the Government it has gotten a \nlot better though----\n    Mr. Bacon. It seems to be having a combined security \noperation center allows you to share that data faster because \nyou can see where there is infiltration or ex-filtration.\n    I had just a question Mr. Durbin because this fascinates \nme. Evidently, you have talked about a group, well, let me just \nread it here, ``Symantec has engaged regarding a new attack \ngroup known as `Thrip\',\'\' and the ways in which they are living \noff the land in order to get info systems,\'\' can you talk about \nthis new threat and living off the land, what does that mean \nand what kind of a cyber threat is this?\n    Mr. Durbin. 
So living off the land is how we are describing \na technique where if an attack group creates a complex \nsophisticated piece of malware that they use to infiltrate a \nsystem, it is going to be relatively easier to detect that \nbecause we haven\'t seen it before, it doesn\'t look right, it \nraises a flag so if an attack group can utilize a network \nadministration tool that administrators commonly use to scan \nnetworks to see what they have and somebody sees that activity \ninside the network it is not going to raise a flag----\n    Mr. Bacon. It\'s camouflaged?\n    Mr. Durbin. Yes, they could say, OK, well somebody\'s just \nscanning the network because that is part of what they do----\n    Mr. Bacon. Right.\n    Mr. Durbin. So that--and that is just one example using \nPowerShell scripts and things, is just ways to mask their \nabilities so it is not as easy to detect.\n    Mr. Bacon. It makes sense.\n    One last question, I know, the Russians use a lot of \nphishing techniques, that is how they entered the DNC server. \nIt seems to me that makes us the most vulnerable, is that \ntechnique. What can we do to better defend against these \nphishing techniques that are going on?\n    I will just open up to whoever feels like they have the \nbest answer.\n    Ms. Fowler. Go ahead.\n    Mr. Schwartz. I would say getting better identity \nmanagement is really the key to the phishing techniques. I \nmean, right now, a lot of times we still rely on username, \npasswords, and moving toward techniques that move beyond that.\n    They talk about that a bit in the report that there has \nbeen a move toward use of cards sort-of which I think does help \nto some degree inside the Government but it is really about the \ncredential and whether you can secure that credential.\n    Ms. Fowler. We absolutely do see phishing as one of the \nmost common vectors for having attacks occur. 
A couple of \nthings that we need to do.\n    One is training although we know, that no matter how much \nwe train people over and over it takes just one person to hit \nthe link and cause the issue to occur so thinking about \nadvances in terms of automation and analytics and the things \nthat we are doing in the areas of Machine Learning.\n    So this is going to take us advancing past our adversaries\' \ncapabilities and investing in the research that will get us \nthere.\n    Mr. Bacon. Thank you, Mr. Chairman.\n    Mr. Ratcliffe. The Chair now recognizes my friend from \nLouisiana, Mr. Richmond.\n    Mr. Richmond. Thank you, Mr. Chairman. I think you touched \non it a little bit but from my perspective, when it comes to \nFederal network security I see at least two systematic problems \nbut they stem directly from the White House, one of which is \nthe tendency to undercut or diminish the role of authority \nfigures, eliminating the cybersecurity coordinator is a good \nexample.\n    Second, it is taking far too long to fill senior positions \nlike chief information officers and at the end of last year \nnearly one-third of the agencies were still operating without a \npermanent CIO and the Federal CIO was not named until January \nand the Federal CISO was selected just last week.\n    How important is strong, clear leadership structures when \nit comes to cybersecurity particularly for an agency trying to \ninstill a culture of risk awareness? I know, Mr. Schwartz you \nmentioned having a chief executive that will hold people\'s feet \nto the fire, the question becomes can that be delegated and \nwithout a cybersecurity coordinator, where do we find \nourselves?\n    So anyone can answer that, let us start with Mr. Schwartz.\n    Mr. Schwartz. Yes. 
I have always felt that the \ncybersecurity coordinator should be I mean, it should be \nbrought up to be a deputy level.\n    There was a commission, the Obama Commission that was \npreparing for the next President, suggested that it be raised \nto an assistant to the President but I actually think it makes \nsense to have it at the deputy level particularly for the \nreason of being able to call out deputy secretaries on these \nkinds of issues and make sure that they are held accountable.\n    Getting rid of that position totally I think is a step \nbackward from being able to do that. I mean, you can have a \ndeputy play that role but they are going to have 90 other jobs, \nright? So how much time can they actually spend calling up \ndeputies and asking them how they are doing on cybersecurity or \nif you are supposed to be having someone dedicated toward just \ndoing, offensive capabilities, defensive capabilities inside \nthe Government as well as critical infrastructure protection \ntoo but having this one piece be part of their job as a deputy \nat the level of deputies I think makes a lot of sense.\n    So again, I think that they took a major step backward by \ngetting rid of the position totally rather than elevating it \nthe way they should have.\n    Ms. Fowler. I agree that governance and leadership are the \nmost critical first step in establishing good cyber risk \nmanagement practices. 
It is also a matter of making sure that \nthe work force itself who is in those positions are trained in \nthese areas and understand how to manage cyber risk like other \nrisks are managed.\n    We often look at cybersecurity as something that is special \nor not understood and really, we need to manage cyber risk like \nwe manage other risks inside of the organization and that is a \nmatter of using those limited resources in the best way \npossible.\n    So the leaders that we do put in place it is incumbent that \nthey set that risk appetite and understand what the tolerance \nranges are for that organization and communicate those to the \nwork force.\n    The work force is doing the absolute best that they can to \ndo all of the right technical things, it is just ensuring that \nthey are provided the guidance that it is going in the right \nstep so the governance aspect of this is that most important \nfirst step.\n    Mr. Durbin. I would just simply add that no matter what \ncybersecurity program you are trying to set up, it is key to \nget buy-in from all levels of the organization and that is no \ndifferent with the Federal Government.\n    Mr. Richmond. Let me ask this because I think that it also \ncame up but the Federal Government\'s always lagging behind the \ntimes and we are about 10 years back from where we should be in \nterms of our cybersecurity.\n    How can Congress empower or provide the resources for our \nFederal agencies to actually be proactive and better prepared \nfor the future and then anticipate the risk as opposed to \nalways being on the back end?\n    Ms. Fowler. 
So I will speak to that in terms of what I \nthink is required for us as a Nation to move forward and you \nwill see in the written testimony, I think this requires a \nNational initiative to address cybersecurity as a need across \nall sectors.\n    You know, in 1961 we made this goal to put a human being on \nthe Moon and that sparked interest in a whole lot of different \nscience and technology that was developed. We need to have a \nsimilar initiative which goes down into our education levels at \nall levels starting very early which makes this a part of every \nlevel of education so that the work force in the future is \nprepared for this.\n    We saw this with Estonia when Estonia experienced their \ncrippling attacks, that Government decided to really put the \ninitiative forward to educate across all levels of their \ncitizenship and now, they are recognized maybe arguably but as \nthe No. 1 in cybersecurity in all of Europe.\n    I see that we need to put forth an educational initiative \nthat will prepare our work force for this in the future.\n    Mr. Richmond. Thank you. Thank you. I see that my time has \nexpired so I will just yield back.\n    Mr. Ratcliffe. Yes. Let me give you all--first of all, the \nChair recognizes himself for questions.\n    Ms. Fowler, I very much appreciated your remarks there and \nI agree. I have talked about a cyber moonshot and identifying \nan approach that will address some of the concerns that you \nrelated and if you believe as I do that cybersecurity risks \npresent perhaps our greatest National security threat right now \nand going forward then we need to have some sort of a cyber \nmoonshot to address those threats.\n    But I want to give each of the witnesses a chance to weigh \nin on the Ranking Member\'s very good question, one that I had \nas well.\n    So Mr. Durbin.\n    Mr. Durbin. 
If you were to take a look at the original CDM \ndocuments 5 years ago and look at the projections of where they \nthought they would be by now, we would be in much better shape.\n    There are reasons why we are not there yet. Phase 1 is a \ncritical phase, it builds the foundation. We basically had told \nthe agencies let us know, give us an inventory of all of your \nassets so that we can then turn around and provide you with a \ntool that is going to give you an accurate inventory count.\n    So there was no shock when after Phase 1 was deployed and \nthat tool was turned on, the number of assets in the agencies \nwas found to be severely under-reported.\n    That is a good thing. It is a good thing that we now have \nvisibility into what it is we are trying to protect so that \ntook more time than they originally thought.\n    So if we were to accelerate the other phases and let us get \nto the point where we can automate the authority to operate \nprocess, every 72 hours we are doing a scan, so an organization \nknows you know, am I able to operate, do I have some \ndeficiencies that need to be repaired in kind-of real-time, I \nthink that would put us in a much better position.\n    They did add Data Protection as a Phase 4. I applaud them \nfor that but that is what the bad guys are after. They are \nafter the data so while we are trying to figure everything else \nout, let us protect the data, let us lock that down.\n    Mr. Ratcliffe. Perfect. Thank you.\n    Mr. Schwartz.\n    Mr. Schwartz. Thank you, Mr. Chairman. This you know, \nresponding directly to your comments on this issue about the \ncyber moonshot and the threat that comes from cyber and the \nspace compared to other threats. 
I mean, look at what we have \ndone on terrorism, right?\n    We have done a pretty good job in terms of trying to \nresource-out how we protect this country from terrorism but we \nhave been told for the past 7 years that cyber is overtaking \nterrorism as the most major threat to this country and we are \nnot getting the resources to cyber that we have for terrorism.\n    So I am not sure that that is a moonshot or what you call \nit but there is this question of paying as much attention to \nthis problem as to address it in the way that we think of it as \nthe size problem that it actually is.\n    That is why I focus on you have to have Cabinet-level \nmeetings in order to do that, you have to put the resources \ntoward it that are commensurate with it and we are not doing \nthat now, so we cannot expect to get the results particularly \nat small agencies in order to protect themselves when we are \nnot helping them out to do that.\n    Mr. Ratcliffe. Terrific. Thank you.\n    As I mentioned in my opening, the OMB and DHS report that I \nthink the specific number was 71 of 96 Federal agencies have \ncybersecurity programs that are either at risk or at high risk \nand a statistic that really jumped out at me as being \nparticularly disturbing and I am wondering if the number \nsurprised you as you read that and whether it does or not.\n    When we talk about reversing the trend there, I mean, I \nmentioned CDM as a solution there but I want to make sure that \nwe are talking about all the potential solutions to \nreversing that trend and give you all the chance to weigh in on \nmaking those points.\n    Mr. Durbin. 
So I guess the percentage did not surprise me \nall that much given the fact that CDM is behind and that some \nof the recommendations made in last year\'s Executive Order are \njust now starting to take hold so again it did not surprise me.\n    I do see CDM as a way to fix a lot of what is in that \nreport instead of creating a new program, let us utilize what \nis already there and let us improve it, let us empower it so \nthat we can target those specific issues and bring that \npercentage down as quickly as possible.\n    Mr. Ratcliffe. Terrific. Thank you.\n    Ms. Fowler. I would agree that the 71 is not surprising. It \nis also consistent with what we have seen through our work with \nDHS, what the SEI has done with DHS in looking at the private \nsector with the owners and operators of critical \ninfrastructure.\n    I would say that CDM in accelerating that program will \nhelp in terms of giving us visibility into what our \ncapabilities are.\n    Again, I do want to see us move toward an operational \nresilience approach where even before we start thinking about \nwhat it is in terms of a threat actor that we need to worry \nabout that we think about the most critical assets inside of \neach organization.\n    Mr. Ratcliffe. So can I stop you there Ms.----\n    Ms. Fowler. Sure.\n    Mr. Ratcliffe [continuing]. Fowler because you talk about \nthat in terms of the resilience factor. Are there key metrics \nthat we can be looking at to determine how effective we are \nbeing in terms of making progress on resilience?\n    Ms. Fowler. Absolutely. 
We do have something called the \n``Cyber Resilience Review\'\' which is a set of questions that \nlook across 10 domains of cybersecurity and that can help give \na maturity measure of how you are doing in terms of the \ncompleteness of the practices and also the institutionalization \nor sophistication of the practices that you have in place.\n    The third element of that is something that you yourself \nmentioned sir, which is efficacy of practice and that is \nsomething that has been a concern and continues to be a concern \nback at the SEI because we can be doing a lot of things very \nwell and they might not be the right things to do.\n    Much like we do in the medical industry, we set up very \nscientifically rigorous tests and we do a lot of data analysis \nbehind whether or not those tests work in very specific ways.\n    We don\'t have a lot of those practices occurring in \ncybersecurity to say, ``Does this control actually do what we \nwant it to do in the face of this threat?\'\' That is something \nthat I think that the Government could invest research in to \nmake sure that the efficacy of the practices is as good as the \ncompleteness of the practices.\n    Mr. Ratcliffe. Great point. Thank you.\n    Mr. Schwartz I will give you the last word.\n    Mr. Schwartz. Sure. So I mean, I addressed this in my oral \ntestimony but just to take it a little bit further. I mean, \nwhat do we do with agencies that are a high risk? Do we spend \nmore money there? Do you give them more money to continue to \nfail? Do you fire people? 
So they have less people there to do \nthe job that they need to do.\n    I think each agency is a sort-of its own case and what we \nneed to do is give people a reason to succeed and make sure \nthat the leadership understands what they need to do to \nsucceed.\n    Sometimes there are a lot of barriers in the way to \nsuccess, OK, then you have got to tackle this one at a time and \nget the right people from the entire agency in order to do that \nand to address those one at a time but it involves digging in, \nin each of those agencies and figuring out what the right path \nto success is.\n    It is part of what risk management is but it is also just \nmanagement at an agency at this point.\n    Mr. Ratcliffe. Well I want to thank all of our witnesses.\n    This has been incredibly insightful and valuable for all of \nus. Thank you all for being here today.\n    I also want to thank the Members of the committee for their \nquestions and remind them that they can submit additional \nquestions for the witnesses and it sounds like at least one of \nthe Members will and we will ask the witnesses to respond to \nthose in writing.\n    Pursuant to Committee Rule VII(D), the hearing record will \nbe held open for a period of 10 days.\n    Without objection, the subcommittee stands adjourned.\n    [Whereupon, at 11:40 a.m., the subcommittee was adjourned.]\n\n\n\n                            A P P E N D I X\n\n                              ----------                              \n\n        Questions From Honorable Jim Langevin for Summer Fowler\n    Question 1. You spoke in your testimony about the importance of \nunderstanding the potential effect of realized cyber threats. 
The 2015 \nOPM breach exposed a gap in OPM\'s understanding of the damage that \ncould result from the loss of security clearance records--a risk more \nconsequential to other Federal agencies.\n    What can the administration do to address cyber risk management \nholistically, rather than agency by agency?\n    Answer. The Federal Government is an enterprise comprising \ndepartments and agencies with specific objectives and missions that \nsupport the larger Federal objective of serving the public. Addressing \ncyber risks at this level requires an enterprise risk management (ERM) \napproach. Carnegie Mellon University\'s Software Engineering Institute \ndeveloped an ERM process that is targeted at not only managing risks \nbut at ensuring organizational and mission resilience. Organizational \nresilience is the ability for a department or agency to achieve its \nmission before, during, and after a disruptive event (such as a cyber \nattack) and to return to normal operations as soon as possible. Our 10-\nstep ERM process is shown in Figure 1.\n          figure 1: ensuring organizational resilience via erm\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    The process must begin by establishing governance, risk appetite, \nand risk tolerance ranges. This should be done at the top levels of the \nFederal Government and communicated down to all departments and \nagencies so that they have an understanding of targets/goals for their \ncybersecurity programs. This can be daunting at the enterprise level, \nbut it is a best practice that large private companies use to ensure \nalignment of cybersecurity activities to overall business objectives. 
\nWhile the cyber risks will still be owned and managed at the \ndepartment/agency level, this also provides a standardized way for \ncross-agency dependencies and risks (e.g., risk of OPM data breach to \nother agencies) to be communicated and managed.\n    Enterprise risk management addresses cyber risks holistically by \nfirst focusing on mission objectives, critical assets, and requirements \nbefore leaping to technical solutions. This process also provides a \nstructured way to develop measures and metrics to monitor performance \nof cybersecurity and cyber risk management practices at an enterprise \nlevel.\n    Unfortunately, if we were to comprehensively answer the question of \ncyber risk management, detailing each step, our response would likely \nbe too long to be appropriate for this forum. However, both the CERT \nResilience Management Model (CERT-RMM) handbook \\1\\ and ``The 3 Pillars \nof Enterprise Cyber Risk Management,\'\'\\2\\ from the Insider Threat Blog, \nare readily available on-line. Additionally, the SEI is more than happy \nto schedule discussions with Rep. Langevin and his staff. This \ninvitation is of course extended to any Member and his/her staff.\n---------------------------------------------------------------------------\n    \\1\\ https://resources.sei.cmu.edu/asset_files/Handbook/\n2016_002_001_514462.pdf.\n    \\2\\ https://insights.sei.cmu.edu/insider-threat/2017/11/the-3-\npillars-of-enterprise-cyber-risk-management.html.\n---------------------------------------------------------------------------\n    Question 2. One continuing challenge with prioritizing Federal \nexpenditures on cybersecurity controls is the lack of viable metrics \nfor assessing the effectiveness of those controls in reducing \ncybersecurity risks.\n    What are the obstacles to closing that gap so that we can measure \nthe relative value of various cybersecurity controls? How is SEI \nworking to overcome those obstacles?\n    Answer. 
Thank you for recognizing and articulating this challenge. \nAlthough cybersecurity is viewed as a technically advanced field of \nstudy, we are still in our infancy when it comes to measuring efficacy \nof capabilities. Other scientific fields such as medicine perform \nrigorous studies following the scientific method with a hypothesis and \ncontrol groups to determine the efficacy of capabilities. In \ncybersecurity, we are still relying on subject-matter expertise and \ncompliance as our primary tools for ``measuring\'\' capabilities.\n    The challenge in applying the scientific method is that in any \ngiven instance of measuring a cybersecurity capability, there are \nseveral factors to consider:\n    1. The operating environment and its configuration (e.g., a \n        computer server).\n    2. The cybersecurity control being applied and its configuration \n        (e.g., a firewall).\n    3. Potential threat(s) and/or threat actor(s) (e.g., criminal \n        hacker).\n    Each of these factors has multiple possible states that must be \ntested. This means that testing the NIST 800-53 controls, for example, \nwould require tens of thousands of test cases to account for the \nvarious operating environments, control configurations, and potential \nthreats. I have written more about measuring cybersecurity performance \nin the CERT blog ``Cybersecurity Performance: 8 Indicators.\'\'\\3\\\n---------------------------------------------------------------------------\n    \\3\\ https://insights.sei.cmu.edu/insider-threat/2018/03/\ncybersecurity-performance-8-indicators.html.\n---------------------------------------------------------------------------\n    Carnegie Mellon University\'s Software Engineering Institute is \ninvesting a portion of its Congressional Line Item research funding to \ndevelop and validate a methodology for measuring the efficacy of a \ncybersecurity practice. 
If successful, the community will have a new \nmethodology for measuring the cybersecurity of a system and be able to \nrank order the importance of the controls needed to protect it. This is \na nascent concept and will require additional investment into research \nand transition into practice, but it is an important step in making \nscientifically valid improvements in cybersecurity. Future work will \nuse emerging artificial intelligence concepts to automate the \nmethodology and simplify the process.\n         Questions From Honorable Jim Langevin for Ari Schwartz\n    Question 1. Having served on the National Security Council, can you \nspeak to the cross-agency issues that are likely to emerge without a \nCybersecurity Coordinator at the White House?\n    Answer. In 2008, a Center for Strategic and International Studies \n(CSIS) bi-partisan Commission led by Chairman McCaul and Representative \nLangevin called for:\n\n``An assistant to the President for cyberspace, who directs and is \nsupported by a new office in the EOP--the National Office of \nCyberspace. This office would be small (10 to 20 people) and would \nprovide programmatic oversight for the many programs that involve \nmultiple agencies . . . \n``Because cybersecurity requires coordination of activities across \nagencies, the White House is the best place to locate this function. It \nalone has the authority to ensure coordination. The most appropriate \nplace in the White House is the NSC.\'\'\\4\\\n---------------------------------------------------------------------------\n    \\4\\ ``Securing Cyberspace for the 44th Presidency: A Report by the \nCSIS Commission on Cybersecurity for the 44th President\'\' December 2008 \nhttps://csis-prod.s3.amazonaws.com/s3fs-public/legacy_files/files/\nmedia/csis/pubs/081208_securingcyberspace_44.pdf. 
See page 36.\n\n    When the Obama administration took office, it created a cyber \npolicy office in the NSC and put a special assistant to the President \nin charge of this office with the title, White House Cybersecurity \nCoordinator, reporting to the assistant to the President for Homeland \nSecurity and Counterterrorism.\\5\\ At the time, several commentators \nsuggested that this role was ranked too low in the NSC structure given \nthe current and anticipated importance of cybersecurity for the Nation. \nNevertheless, this office grew to 10 to 15 people and became an \neffective structure to coordinate and provide oversight and direction \nfor a wide range of programs and initiatives involving multiple \nagencies. The office also became a focal point for interaction with the \nprivate sector on high-level issues of policy and National security.\n---------------------------------------------------------------------------\n    \\5\\ In my time at the White House, it was explained to me that for \nthe NSC: An assistant to the President is the Presidential Commissioned \nOfficer that could run meetings at the level of an agency head or \nSecretary; a deputy assistant to the President could run coordination \nmeetings at deputy secretary; and a special assistant to the President \ncould run meetings at under secretary or assistant secretary. 
There \nwere exceptions to this rule but it gives a sense of overall hierarchy \nin relation to the rest of the Executive branch.\n---------------------------------------------------------------------------\n    Listing all of the successes of the cyber office since its \ninception would be a considerable effort, but during my 2\\1/2\\ years at \nNSC Cyber under the leadership of then-Cybersecurity Coordinator \nMichael Daniel, we coordinated a number of important policies and \nactions:\n  <bullet> Creation and promotion of the NIST Cybersecurity Framework;\n  <bullet> Creation of the Cyber Threat Intelligence Integration \n        Center;\n  <bullet> The Executive Order on Cyber Sanctions;\n  <bullet> Development of a working Vulnerabilities Equities Process;\n  <bullet> Creation of a standards body for Information Sharing and \n        Analysis Organizations;\n  <bullet> The remediation of the Heartbleed vulnerability and greatly \n        increased speed in patching critical vulnerabilities in \n        Government agencies;\n  <bullet> Agreement with the Chinese government on norms related to \n        corporate espionage through cyber means;\n  <bullet> Agreement among agencies on roles in cyber incident \n        response;\n  <bullet> Implementation of U.S. Cyber Operations Plan (PPD-20), which \n        was drafted by NSC Cyber prior to my arrival;\n  <bullet> Reconstituting the interagency Cyber Response Group (CRG);\n  <bullet> Working with Congress to draft the Cybersecurity Information \n        Sharing Act (CISA), which passed and had implementation \n        coordinated by NSC Cyber after my departure; and\n  <bullet> Sponsoring the successful White House Cybersecurity Summit \n        at Stanford University in February 2015, where companies \n        pledged to move forward on several important joint \n        cybersecurity projects with Government.\n    While the cybersecurity policy coordination in the U.S. 
Government \nis by no means perfect, it improved demonstrably from where it was when \nthe CSIS Commission first made its recommendation.\n    In fact, in 2016 the bi-partisan President\'s Commission on \nEnhancing National Cybersecurity \\6\\ again recommended that the \nPresident elevate the current position of Cybersecurity Coordinator to \nan assistant to the President. The report explains that the position \nshould have responsibility for bringing together the Federal \nGovernment\'s efforts to protect its own systems and data and to secure \nthe larger digital economy, and as well as for informing and \ncoordinating with the director of the Office of Management and Budget \non efforts by the Federal chief information officer and chief \ninformation security officer in order to secure Federal agencies.\n---------------------------------------------------------------------------\n    \\6\\ https://www.nist.gov/sites/default/files/documents/2016/12/02/\ncybersecurity-commission-report-final-post.pdf.\n---------------------------------------------------------------------------\n    In general, I agree with both commissions that the special \nassistant role was too low level to be as effective as possible. \nHowever, instead of raising the level to an assistant to the President. \nI would split the difference and suggest that the cyber coordinator be \na deputy assistant to the President. This would allow the NSC to work \nclosely with the deputy secretaries to make cybersecurity a lead issue \nfor every Cabinet agency and better create areas of consensus around \nimportant new cyber policy, while still providing the ability to raise \nmajor policy issues to a higher level when disagreement occurs.\n    The current administration has decided against all of these \napproaches. It has demoted the role of NSC Cyber by not replacing the \ncybersecurity coordinator and removed the related commissioned officer \nposition entirely. 
It also has demoted the Homeland Security and \nCounterterrorism advisor to a deputy. While this may still provide a \ntenuous hold onto the increased coordination among agencies that was so \nhard-earned over the last decade, I am concerned that eventually this \ncoordination will decline and the result will be a de-prioritization of \ncybersecurity as a National security issue. Either there will be a \ncybersecurity incident that causes confusion among agencies, or the old \nrivalries and petty squabbles among agencies will return at a time when \nthe White House leadership is not able to organize and offer a \nconsensus path forward.\n    I find the decision to demote the NSC Cyber particularly \nfrustrating because at the beginning of this administration there \nseemed to be the possibility that greater progress could be made toward \nincreased coordination.\n    Question 2. Having been intimately involved with a very successful \ncybersecurity Executive Order, EO 13636, and the NIST Cybersecurity \nFramework that came out of it, what is your impression of how agencies \nare making use of the CSF now that they are mandated to?\n    Answer. The NIST Cybersecurity Framework (``CSF\'\') was designed to \nprovide standards, guidelines, and best practices to help entities \nmanage cybersecurity-related risk. Conversely, the CSF was not designed \nto provide a prescriptive set of requirements that must be satisfied in \norder to achieve a desired outcome. This risk-management approach can \nbe distinguished from the checklist-oriented compliance style that many \nagencies have historically relied upon. Following the implementation of \nEO 13636, which created the CSF with a focus on critical infrastructure \norganizations, it has been encouraging to see that the current \nadministration required agency use of the CSF with EO 13800.\n    Agencies are clearly adapting to the risk-management approach and \nincorporating it into agency practices. 
However, risk management as an \napproach must permeate beyond the IT departments and must have buy-in \nmore broadly among other parts of Government in order for the CSF to \nhave the desired impact.\n    In particular, the inspector generals (IGs) must begin to \nunderstand how to audit properly to a risk-based approach. Too often \nthe IGs seem to want to return to the checklist of cybersecurity \ncontrols. Under a risk-based approach like those encouraged under the \nCSF, an auditor must not only make a determination if the organization \nis implementing controls, but if the organization is prioritizing the \nimplementation of controls properly.\n    To be fair, measuring a risk-based approach to cybersecurity \nmanagement is more challenging than simply running through a list of \nthings to determine whether they are being done or not. However, we \nshould not allow that challenge to deter progress. Risk-based \nmanagement is a well-understood approach, and is used extensively by \nthe most sophisticated organizations in both the public and private \nsectors, with demonstrable results.\n\n                                 [all]\n</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body></html>\n'