[Senate Hearing 115-140]
[From the U.S. Government Publishing Office]
S. Hrg. 115-140
THE PROMISES AND PERILS OF EMERGING TECHNOLOGIES FOR CYBERSECURITY
=======================================================================
HEARING
before the
COMMITTEE ON COMMERCE,
SCIENCE, AND TRANSPORTATION
UNITED STATES SENATE
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
__________
MARCH 22, 2017
__________
Printed for the use of the Committee on Commerce, Science, and
Transportation
U.S. GOVERNMENT PUBLISHING OFFICE
28-382 PDF WASHINGTON : 2018
-----------------------------------------------------------------------
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
JOHN THUNE, South Dakota, Chairman
ROGER F. WICKER, Mississippi
ROY BLUNT, Missouri
TED CRUZ, Texas
DEB FISCHER, Nebraska
JERRY MORAN, Kansas
DAN SULLIVAN, Alaska
DEAN HELLER, Nevada
JAMES INHOFE, Oklahoma
MIKE LEE, Utah
RON JOHNSON, Wisconsin
SHELLEY MOORE CAPITO, West Virginia
CORY GARDNER, Colorado
TODD YOUNG, Indiana
BILL NELSON, Florida, Ranking
MARIA CANTWELL, Washington
AMY KLOBUCHAR, Minnesota
RICHARD BLUMENTHAL, Connecticut
BRIAN SCHATZ, Hawaii
EDWARD MARKEY, Massachusetts
CORY BOOKER, New Jersey
TOM UDALL, New Mexico
GARY PETERS, Michigan
TAMMY BALDWIN, Wisconsin
TAMMY DUCKWORTH, Illinois
MAGGIE HASSAN, New Hampshire
CATHERINE CORTEZ MASTO, Nevada
Nick Rossi, Staff Director
Adrian Arnakis, Deputy Staff Director
Jason Van Beek, General Counsel
Kim Lipsky, Democratic Staff Director
Chris Day, Democratic Deputy Staff Director
Renae Black, Senior Counsel
C O N T E N T S
----------
Hearing held on March 22, 2017
Statement of Senator Thune
    Prepared statement from Professors Scott Shackelford and Steve Myers, Indiana University
    Prepared statement from Larry Clinton, President and CEO, Internet Security Alliance
    Prepared statement from Theresa Payton, CEO, Fortalice Solutions LLC
Statement of Senator Nelson
Statement of Senator Wicker
Statement of Senator Cantwell
Statement of Senator Inhofe
Statement of Senator Schatz
Statement of Senator Markey
Statement of Senator Peters
Statement of Senator Cortez Masto
Statement of Senator Udall
Statement of Senator Fischer
Statement of Senator Hassan
Statement of Senator Blumenthal
Statement of Senator Cruz
Witnesses
Caleb Barlow, Vice President, Threat Intelligence, IBM Security
    Prepared statement
Venky Ganesan, Managing Partner, Menlo Ventures; and Chair, National Venture Capital Association
    Prepared statement
Steve Grobman, Intel Fellow and Chief Technology Officer, Intel Security Group
    Prepared statement
Malcolm Harkins, Chief Security and Trust Officer, Cylance Inc.
    Prepared statement
Hon. Eric Rosenbach, Former DOD Chief of Staff and Former Assistant Secretary of Defense for Homeland Defense and Global Security
    Prepared statement
Appendix
Letter dated March 22, 2017 to Hon. John Thune and Hon. Bill Nelson from Marc Rotenberg, President, EPIC; and Caitriona Fitzgerald, Policy Director, EPIC
Response to written questions submitted to Caleb Barlow by:
    Hon. John Thune
    Hon. Todd Young
    Hon. Edward Markey
    Hon. Tammy Duckworth
Response to written questions submitted to Venky Ganesan by:
    Hon. John Thune
    Hon. Jerry Moran
    Hon. Edward Markey
    Hon. Tammy Duckworth
Response to written questions submitted to Steve Grobman by:
    Hon. John Thune
    Hon. Edward Markey
    Hon. Tammy Duckworth
Response to written questions submitted to Malcolm Harkins by:
    Hon. John Thune
    Hon. Edward Markey
    Hon. Tammy Duckworth
Response to written questions submitted to Hon. Eric Rosenbach by:
    Hon. John Thune
    Hon. Bill Nelson
    Hon. Edward Markey
    Hon. Tammy Duckworth
THE PROMISES AND PERILS OF EMERGING TECHNOLOGIES FOR CYBERSECURITY
----------
WEDNESDAY, MARCH 22, 2017
U.S. Senate,
Committee on Commerce, Science, and Transportation,
Washington, DC.
The Committee met, pursuant to notice, at 10:05 a.m. in
room SD-106, Dirksen Senate Office Building, Hon. John Thune,
Chairman of the Committee, presiding.
Present: Senators Thune [presiding], Wicker, Cruz, Fischer,
Moran, Sullivan, Heller, Inhofe, Capito, Gardner, Young,
Nelson, Cantwell, Klobuchar, Blumenthal, Schatz, Markey,
Booker, Udall, Peters, Hassan, and Cortez Masto.
OPENING STATEMENT OF HON. JOHN THUNE,
U.S. SENATOR FROM SOUTH DAKOTA
The Chairman. Good morning. As chairman, I've made it a
priority for this committee to focus on emerging technologies.
We've held some of the first hearings in Congress on artificial
intelligence, self-driving vehicles, Internet of Things, and
augmented reality. Today, we'll continue this practice, but
this time, we'll be focusing on the potential benefits and
sometimes risks that certain emerging technologies have on
cybersecurity.
As my fellow committee members know well, cybersecurity is
a topic that comes up at almost every hearing that we hold. The
cutting edge technologies we're exploring today are
fundamentally transforming how people and businesses connect as
well as the creation and transmission of information.
Emerging technologies such as artificial intelligence,
blockchain, and quantum computing, as well as the flourishing
Internet of Things offer innovative approaches for combating
future cyber threats, but also present new risks. As threats
continually evolve, flexible and innovative approaches will be
required to protect businesses, critical infrastructure, and
individual citizens.
This hearing will explore the enormous potential of these
fields to revolutionize the cybersecurity arena and grow our
economy. For example, by 2020, the estimated number of
connected devices making up the Internet of Things may exceed
50 billion. Furthermore, a World Economic Forum report predicts
that 10 percent of global gross domestic product will be stored
on blockchain technology by 2027.
Artificial intelligence, or AI, will increasingly allow
computers to mimic cognitive functions associated with humans.
And, as described in a recent cover story in The Economist,
quantum computing's untapped potential will be capable of
handling complex problems that today's computers cannot solve.
Even with all of their promise, these technologies also
have the potential to create new security risks. For example,
nefarious hackers can use AI to identify cyber vulnerabilities
and victims faster. Future quantum computers could break our
current encryption standards with ease.
Federal agencies under the Committee's jurisdiction, such
as the Department of Commerce, the National Science Foundation,
the White House Office of Science and Technology Policy, and
NASA, in partnership with academia and industry, are focused on
research and the development of standards to ensure the U.S.
remains the leader in these fields. Our committee has been
supportive of prioritizing such work due to its national and
economic security benefits.
The recently enacted bipartisan American Innovation and
Competitiveness Act, sponsored by Senators Gardner, Peters,
Nelson, and myself, charged our science agencies to research
future cybersecurity needs. In particular, the law directed the
Commerce Department's National Institute of Standards and
Technology to work with stakeholders to identify cryptography
standards that future computers will not be able to break, and
directed NSF to focus research on cybersecurity and human-
computer interactions.
In addition, the bipartisan Cybersecurity Enhancement Act
of 2014, which I co-sponsored with then Chairman Rockefeller,
included important provisions for cybersecurity research,
workforce development, and standards. It authorized NIST's
continued efforts to develop the voluntary Framework for
Critical Infrastructure Cybersecurity and the National
Initiative on Cybersecurity Education, as well as the NSF's
successful CyberCorps scholarship program. In fact, Dakota
State University, which is located in my home state of South
Dakota, is an active participant in this program.
Our nation faces an array of evolving cyber threats to our
personal data, access to online services, and critical
infrastructure. To be clear, cybersecurity is not solely a
technology issue. Also, while there is no silver bullet
solution to cybersecurity risks, I believe promoting public-
private partnerships on risk management, foundational research,
and a robust cyber workforce are essential to combating these
challenges. That is why I am excited to continue our
Committee's discussion on cybersecurity by looking toward the
future.
The companies represented at today's hearing are driving
innovation. They have employed machine learning to identify new
threats, conducted research that may soon unlock the commercial
potential of private blockchains and quantum computing, and
launched new tech startups that create jobs and grow the
economy.
And, Mr. Rosenbach, thank you for your dedicated service at
the Defense Department.
Cybersecurity will continue to be a priority for this
committee. In fact, Senator Gardner and I will be sending
letters to newly confirmed Commerce Secretary Ross and
Transportation Secretary Chao urging them to prioritize the
cybersecurity of Federal systems. As the heads of their
respective departments, they have an opportunity to improve the
effectiveness of cybersecurity programs. In addition, I look
forward to working with Senators Schatz, Risch, and Cantwell on
potential legislation to ensure that small businesses fully
benefit from the NIST Cybersecurity Framework.
I want to thank all of our witnesses for being here today.
I look forward to hearing your testimony. I will now turn it
over to Senator Nelson for his opening remarks.
STATEMENT OF HON. BILL NELSON,
U.S. SENATOR FROM FLORIDA
Senator Nelson. Thank you, Mr. Chairman, and in order to
condense so we can get on with our witnesses and not to be
repetitive, let me just point out a couple of things.
Of course, this committee has a lot of things that involve
cybersecurity, everything from commercial aviation to the
driverless cars, and we are in this era in which cyber attacks
keep coming, and the advent of technology, one of which we were
dealing with in a classified session this morning, is going to
almost be like whack-a-mole. You hit them here and they pop up
over here, because technology is going to advance.
And then with the rapid commercialization of the Internet
of Things, it provides consumers with many, many benefits, but
also provides hackers with a multitude of opportunities. You
mentioned, Mr. Chairman, artificial intelligence and quantum
computing. That could greatly enhance our cyber defense
capabilities, but put it in the bad guy's hands and it makes it
much more difficult for us, much more difficult to detect
threats and risks to things like economic and physical well-
being.
Blockchain technology, which has proven successful in
securing financial transactions, could be used to secure all
kinds of sensitive data and information. I hope that we can
learn more from you all today about this.
Obviously, we are all concerned about cybersecurity, I
hope. Or is it, with regard to a lot of Americans, out of
sight, out of mind, until they get hit, such as the privacy of
their own information, the hack of their bank account? What
about their insurance company, and what about power grids?
According to the intelligence community's assessment
recently, we know that the Russian hackers at the president of
Russia's direction used a series of relatively simple cyber
attacks to try to influence our last Presidential election,
striking at the very core of how we operate this democracy. So
because what we're going to discuss today, that some of these
technologies can be used against us in a cyber attack, I'd like
to know how Russia, China, and the other adversaries might use
these technologies to disrupt our economy, if you all can say
this in this open session.
How might the Russian hackers, which seem to be the most
technically proficient--how might they use the Internet of
Things to hack our most vulnerable systems? How might
blockchain technology be used to secure sensitive data or
disguise illicit activity? How might quantum computing and
artificial intelligence improve or undermine the security of
everyday Americans? These are questions I'd like you to
address.
Thank you, Mr. Chairman.
The Chairman. Thank you, Senator Nelson.
As I said, we've got a great panel today, and we look
forward to hearing from each of you. I'm going to start by
introducing the folks on my left and your right: Mr. Caleb
Barlow, who is Vice President of Threat Intelligence for IBM
Security; Mr. Venky Ganesan, Chair, National Venture Capital
Association and a Partner at Menlo Ventures; Mr. Steve Grobman,
who is the Chief Technology Officer and Intel Fellow at Intel
Security; Mr. Malcolm Harkins, the Chief Security and Trust
Officer at Cylance Corporation; and the Honorable, as I said
earlier, Eric Rosenbach, Former Chief of Staff, Office of the
Secretary of Defense, and former Assistant Secretary of Defense
for Homeland Defense and Global Security.
It's great to have you all here. Thanks so much for making
yourselves available to share with us your thoughts. And if you
could, as you share your opening statements, confine them
orally as close to 5 minutes as possible. Any additional
information or material you want, we can get it into the
record. But that will maximize the opportunity for members to
ask questions.
So we'll start with Mr. Barlow.
Please proceed.
STATEMENT OF CALEB BARLOW, VICE PRESIDENT,
THREAT INTELLIGENCE, IBM SECURITY
Mr. Barlow. Chairman Thune, Ranking Member Nelson,
distinguished members of the Committee, thank you for the
opportunity to appear here today before the Committee to
discuss this important topic.
I am here representing IBM Security, where I lead the
company's global threat intelligence business, which helps
clients around the world find, manage, and remediate cyber
attacks. We also help clients in responding to cybersecurity
incidents, from guidance on how to manage regulatory and
compliance requirements to incident response services. Last
year, we significantly expanded IBM's incident response
capabilities with a $200 million investment, which included us
opening the IBM X-Force Command Center in Boston,
Massachusetts, which is the world's first at-scale cyber
simulation range for the private sector.
Now, from my vantage point, working in one of the largest
security intelligence operations in the world, IBM manages 35
billion security events every day on behalf of our clients. I
see a change in the threat landscape unfolding before me.
Until now, just about everything we've heard about involves
the exfiltration of data. A bad guy breaks into a system, gets
access to information, downloads it, and then extorts that for
profit or influence. But what if rather than stealing the data
or holding it hostage with ransomware, what would happen if the
cyber criminal changed it? Think about how much we rely on data
from computers and just trust that it's accurate. Now, if trust
is broken, even the smallest of actions can have tectonic
implications, because the natural human tendency is to run from
areas of risk to areas of safety.
Today, I would like to discuss greater collaboration in
sharing cyber threat data between the public and the private
sector. We're seeing security attacks and techniques continue
to evolve, and while there's a lot of focus on nation-state
activity, a United Nations report estimated that 80 percent of
attacks are actually driven by highly organized and ultra
sophisticated criminal gangs.
The most sophisticated thieves operate like well-oiled
businesses. They collaborate and share expertise on a global
scale. They operate with anonymity and seemingly outside the
reach of the law. Cyber crime has grown rapidly due to its
organization and collaboration to become a significant societal
issue. Cyber crime is now estimated to be one of the largest
illegal economies in the world, costing the global economy--now
get this--more than $445 billion annually. Now, to put this
into perspective, $445 billion is greater than the GDP of more
than 160 nations, including Ireland, Finland, Denmark, and
Portugal, among many others.
What we need to do if we are truly going to stop this is
change the economics for the bad guys. You see, we've reached a
point where new actions and strategies are required. The scale
and pace of threat information sharing needs to be accelerated
between the public and the private sector. Threat sharing is
only actionable when it happens with speed.
Security vendors, governments, and other organizations need
to open up their arsenal of information on threats, the types
of threats, where they're coming from, and how they work, and
share them openly and at scale. Simply put, we must democratize
threat intelligence data. Governments need to support threat
sharing by declassifying their own data at default and with
speed, not measured in months or even years like it is today,
but measured in hours and minutes.
You see, by uncovering criminals' devices closer to real
time, we foil their schemes. By consistently keeping pace with
threat intelligence and using it to outmaneuver the criminals,
we gradually make cyber crime not pay. We change the economics
for the bad guys.
Now, new technologies such as cognitive have enormous
potential to radically reduce cyber crime while also helping to
close a cybersecurity skills gap and create new collar jobs.
Now, this cybersecurity skills gap is likely to exceed 1.5
million open and unfilled cybersecurity jobs by 2020.
IBM is bringing cognitive computing to the war on cyber
crime. Watson for Cyber Security sorts through, analyzes, and
understands massive amounts of structured data and unstructured
data that can overwhelm security professionals.
Now, true cognitive systems and technologies, like IBM
Watson, understand the nuances of language and threat data, and
they offer remediation actions and strategies, all with the
necessary speed to stay ahead of advanced threats. Cognitive
systems are those that can reason and learn, as compared to
traditional systems that are programmed. In security terms,
cognitive systems can understand that a bug is a software
defect and not an insect.
While intelligent cybersecurity systems are fast advancing,
as demonstrated in cognitive computing, private and public
organizations need a new mindset, one that democratizes,
declassifies, and shares threat data by default and with speed.
Thank you for the opportunity to appear here before the
Committee today. I look forward to your questions.
[The prepared statement of Mr. Barlow follows:]
Prepared Statement of Caleb Barlow, Vice President, Threat
Intelligence, IBM Security
Chairman Thune, Ranking Member Nelson, and distinguished Members of
the Committee, I am pleased to appear before you today to discuss how
emerging technologies can help American companies more effectively
defend themselves against cyberattacks. In my testimony, I will focus
on the state of cybercrime, the importance of sharing data on cyber
threats, and how emerging technologies, such as blockchain and
cognitive systems that learn and reason, help dramatically reduce
cybercrime while also closing the looming cybersecurity skills gap.
The State of Cybercrime
Before discussing emerging security technologies, it's important to
describe the current state of cybercrime. Today, just about everything
we hear about involves the exfiltration of data. A cybercriminal breaks
into a system, gets access to information, downloads that data and
extorts it for profit or influence. Over 2 billion records were stolen
last year alone. And in 2015, over 100 million people--most of whom
were Americans--had their healthcare records stolen.\1\
---------------------------------------------------------------------------
\1\ See: IBM Security Intelligence by Caleb Barlow, Attackers Shift
Sights from Retail to Health Care in 2015 http://ibm.co/1Vpruus
---------------------------------------------------------------------------
From my vantage point working in one of the largest security
intelligence operations in the world--IBM manages 35 billion security
events per day for our clients--I see not only how many records are
being stolen, but other changes that are unfolding. For example, it's
not just the amount of records being stolen, but what cybercriminals
are doing with the information. Rather than just stealing the data to
profit from it, what would happen if a cybercriminal changed it? What
would happen if they manipulated a financial record or rerouted a
supply chain?
These types of attacks are emerging. Before the 2016 Summer Olympic
games, a group of hackers who call themselves ``Fancy Bear'' accessed
athletes' data in the World Anti-Doping Agency's database. They then
released sensitive data; for example, they listed athletes who were
given permission to use otherwise banned substances such as certain
types of asthma medication.
But what is particularly alarming is that this hacker group
allegedly did more than just steal and release data. According to the
World Anti-Doping Agency, the hackers also made changes to the data
prior to releasing it, in an attempt to swing public opinion.
By breaking trust, even the smallest of actions can have tectonic
implications. For example, if cybercriminals manipulate the data
consumers have come to inherently trust--from the financial reporting
of the companies they invest in to their healthcare records--we move
beyond stolen information and money to an even more damaging issue: a
loss of trust. This, of course, could have many damaging ramifications.
Imagine the uncertainty you would face regarding the soundness of your
investments if you read that a cybercrime gang had manipulated the
financial records of companies in your portfolio.
We are seeing security attacks and techniques continue to evolve,
and it's important to understand where they are originating from, not
necessarily geographically but from an economic and sociologic
perspective. The United Nations estimates that 80 percent of cybercrime
is from highly organized and ultra-sophisticated criminal gangs.\2\ It
is now estimated to be one of the largest illegal economies in the
world, costing the global economy more than $445 billion a year.\3\ To
put this in perspective, $445B is greater than the GDP of more than 160
different countries, including Ireland, Malaysia, Finland, Denmark, and
Portugal, among many others.\4\
---------------------------------------------------------------------------
\2\ United Nations Office on Drugs and Crime, Comprehensive Study
on Cybercrime, February 2013
\3\ Net Losses: Estimating the Global Cost of Cyber Crime, Center
for Strategic and International Studies, June 2014
\4\ See: http://statisticstimes.com/economy/countries-by-projected-gdp.php
---------------------------------------------------------------------------
The most sophisticated thieves operate like a well-oiled global
business. They build development tools and collaborate on software.
They share knowledge about targets and vulnerabilities. In fact, each
successful attack proliferates the skills, tools and ecosystem because
hackers often reuse malware and other vulnerabilities that they know
are proven to work. Think of it as on-the-job training.
They operate on a regimented schedule like many legitimate
companies; their employees work Monday through Friday and take the
weekends off. We know this because our security researchers see
repeated spikes of malware launched on Fridays as hackers head home for
the weekend. On Monday, the criminals regroup to see how well things
went.
They collaborate and share expertise on a global scale via the
``Dark Web''--a term used to describe the anonymous Internet where
identity-masking tools enable criminals to operate without detection.
Networks of thieves steeped in both IT and business skills work
together to steal intellectual capital to damage businesses, and take
your money.
The Dark Web is where these criminals build and peddle attack
software to steal data from businesses and other institutions. Their
cohorts can purchase everything online from base-level attack platforms
to premium versions, which might offer a gold, silver and bronze-level
of service--and even a money-back guarantee if they don't get a
successful hack. There are different products and prices, along with
ratings and reviews of the ``merchants.'' If you buy a hack from a
``reputable criminal'' with good ratings, you are far more likely to
purchase a hack that is going to work.
Another major trend in cybercrime involves the Internet of Things.
In our increasingly interconnected world, the devices, the data they
produce and use, and the systems and applications that support them,
are all potential attack points for malicious actors. Unlike a
traditional computer, these IoT devices often operate without human
supervision. They can be deployed for an extended lifetime and often
lack simple methods to update and patch their software, which leads to
poor security. Worse yet, to ease the deployment of these IoT devices,
many often ship with minimal security controls, default user IDs and
passwords that are never updated by the end user, making them easy
targets for an attacker.
IoT devices are accumulating massive amounts of personal and
sensitive data, like voice searches, GPS locations, and heart rate
readings. If the data isn't managed and secured, its exposure can lead
to a loss of privacy and data ownership. This makes the security of the
data, how it's created, used and deleted extremely important.
Simply put, if a device connects to the internet, consumers need to
understand not only what data it collects and how it is used, they must
also have a way to maintain and update its security for the usable
lifetime of the device.
Battling Cyber Crime via Threat Sharing
So how do we stop this? Cybercrime rings operate with anonymity and
often seemingly outside the reach of the law. What we need to do is
change the economics for the bad guys.
Our response to cybercrime needs to be similar to how we manage a
healthcare pandemic. SARS, Ebola, Bird Flu, Zika--what is the top
priority when handling an outbreak? It is knowing where infections are
occurring and how they are being transmitted. First responders,
physicians, hospitals, governments and the private sector all share
information rapidly and openly. This is a collective and altruistic
effort to stop the spread of sickness in its tracks, and then rapidly
get the word out on transmission modality so that anyone not infected
can protect themselves.
Unfortunately, this is not what we see today in the event of a
cyberattack. Organizations are much more likely to keep the attack to
themselves because of a perceived risk to their reputation. When a
major breach is publicly revealed, typically all that is reported (by
the media) is how many records were stolen. Even if a company makes a
disclosure, rarely do organizations talk about how they were infected
because they are worried about the risk of litigation or regulation.
Adding to the problem, many security vendors see threat data as an
opportunity for profit--something of value to be shared only with high-
paying customers and used for competitive advantage. And many
government agencies continue to operate with Cold War-era strategies,
when keeping critical information hidden from a major adversary was
paramount. But in today's world, with an asymmetric enemy that operates
anywhere and with impunity, keeping government information secret can
work against us. Governments, too, need to disclose cyber threat
indicators, vulnerabilities, breaches and hacking schemes, when
appropriate, much faster. We call this concept the ``default
declassification of threat data at speed.''
The good news is that we are seeing signs of progress in this area.
The enactment of the Cybersecurity Information Sharing Act of 2015
(CISA), for example, was an important and helpful step forward, and we
have seen progress in our discussions and work with various government
agencies on sharing cyber threat data. But the scale and pace of
information sharing needs to be accelerated.
Cyber threat sharing is only actionable when it happens with speed,
but most governments are still keeping that data confidential for
extended periods of time.
As a result, we've reached a point where new actions and strategies
are required. Security vendors, governments and other organizations
need to open their arsenal of information on threats--the types of
threats, where they are coming from, how they work--and share them
openly, at scale and without significant financial remuneration. Simply
put, we must democratize threat intelligence data to compete with
cybercriminals at their own game.
By uncovering criminals' devices closer to real time, we foil their
schemes. We analyze and break their plans, and share their methods with
the potential victims and general public a lot sooner than the
adversaries expect. By consistently keeping pace with threat
intelligence and using it to out-maneuver the criminals, we gradually
make cybercrime not pay. We change the economics for the bad guys.
And if it does not pay, what's the motivation to do it in the first
place?
To begin addressing some of the barriers to real time threat
sharing and improve the sharing ecosystem, IBM supported the enactment
of CISA. However, even before CISA became law, IBM took the initiative
to practice what we are preaching, to share our data on cyberthreats.
In 2015, IBM opened one of the largest treasure troves of threat data
in the world and created the IBM X-Force Exchange. We put it all on the
Internet for free. IBM published nearly 700 terabytes of actionable
threat data from around the globe, including real-time indicators of
live attacks, which can be used to defend against cybercrimes. We keep
publishing, every day, every hour.
Battling Cybercrime with Cognitive and Blockchain Technology
So how can we democratize threat data while reducing attribution
risk to governments and private institutions?
This is where emerging technologies can play a big role in
cybersecurity. Cognitive security technologies, for example, have
enormous potential.
The number of risks and events is growing exponentially, and
security operations teams are struggling to keep up with the volume.
The threat landscape is changing rapidly, with the sophistication and
numbers of threat variants becoming too great to keep pace with or stay
ahead of using traditional approaches. The repercussions of incidents
and breaches are increasing, with the financial costs and risks growing
rapidly.
At the same time, many organizations are faced with a dearth of
security experts with the right skills. These different factors make it
difficult for organizations to maintain the healthy digital immune
systems they need to protect themselves and are driving the need for
new cognitive security technologies.
Specifically, we need new technologies that can serve as a
cognitive security assistant to analyze massive amounts of data to make
recommendations on remediation actions with much greater speed and
precision.
To highlight the amount of security information available today,
there are about 60,000 security blogs per month and 10,000 security
reports per year.\5\ We estimate that organizations are spending $1.3
million a year dealing with false positives alone, wasting nearly
21,000 hours.\6\ Cognitive security technologies can make a huge
difference by helping security professionals keep up with all this
information and extract value from it with greater speed and accuracy.
---------------------------------------------------------------------------
\5\ See: Watson for Cyber Security: Shining a light on human
generated data, August 2016--http://ibm.co/2mXuZj7
\6\ The Cost of Malware Containment, by Ponemon Institute, January
2015
---------------------------------------------------------------------------
Last month, IBM launched a cognitive security technology called
Watson for Cyber Security. About 50 organizations--Fortune 500
companies across all major industries--are now using Watson to fight
cybercrime.
The scale of what Watson is doing is enormous. In less than a year,
Watson for Cyber Security has analyzed more than 1 million security
documents on the Internet. It is now analyzing 15,000 security
documents per day--amounts that no army of people alone could ever
process.
What is even more significant than the scale of the data being
analyzed is what cognitive security technologies, such as Watson, can
do with this sea of information. Specifically, true cognitive security
technologies are systems that learn versus systems that are programmed.
They can scour unstructured data across the Internet--the blogs and
reports, media articles, social media, and many other sources--that
were previously inaccessible by traditional security tools.
Cognitive systems can be trained to understand imprecise human
language in those documents--for example, understanding that in
security terms a ``bug'' is a software defect and not an insect.
Watson for Cyber Security is the first cognitive technology that is
doing all of this. Our early findings are that Watson's capabilities
are 60-times faster than complex manual analysis, with 10-times more
actionable indicators to uncover new threats.\7\
---------------------------------------------------------------------------
\7\ IBM Watson for Cyber Security Beta Testing Results
---------------------------------------------------------------------------
It is also important to underscore that cognitive technologies like
Watson do not replace people, but help them to be more productive,
precise and efficient in defending their organizations from
cyberattacks.
At the same time, they will help bridge a looming skills gap--an
estimated 1.5 million unfilled security jobs by the end of this
decade--by making the existing security workforce more effective and
efficient.
Cognitive technologies also can help create new jobs. At IBM, for
example, we're now tapping professionals who may not have a traditional
college degree, but who have the needed skills and aptitude to help us
in a variety of disciplines, including cybersecurity. We refer to these
new professionals as ``new collar'' workers, who may join an
organization, for example, with base-level security skills from a P-
Tech school or with an Associate's Degree.
Cognitive security technologies like Watson can help these ``new
collar'' workers by providing them with much greater levels of security
analysis and insights. Essentially, with cognitive security products,
new collar employees can be paired with technology that is like the
equivalent of a highly seasoned and experienced human security analyst,
but one who can examine massive amounts of data at incredible speeds.
New collar jobs are one way to help reduce the security skills gap,
but we also need institutions of higher education to expand their
cybersecurity curricula. We need more choices for earning cybersecurity
degrees and more students in the pipeline. We also need to focus on
ways to develop more female experts in this field, as women represent
only about 10 percent of today's cybersecurity workforce.\8\
---------------------------------------------------------------------------
\8\ 2015 report by (ISC)2
---------------------------------------------------------------------------
At IBM, we're also looking at other ways to help our new collar and
traditional security employees alike to benefit from cognitive
security. One example is our new research project, code named Havyn,
which brings a voice to cognitive security.
Havyn is a voice-powered security assistant that can interact
verbally with security analysts in real-time on a variety of topics,
from information on new threats, to data on an organization's security
posture.
Havyn creates a ``second-screen experience'' for security analysts.
It works in the background on command, pulling data from different
security tools and sources, and brings the relevant information to the
surface for further investigation by human analysts.
Voice-powered tools like Havyn can greatly expand the value of
cognitive security intelligence sources like Watson. Just think of
Watson for Cyber Security as the brain of the Security Operations
Center, and think of Havyn as bringing a voice to the brain, making
Watson's expertise even more valuable.
Blockchain is another important example of emerging technology.
Blockchain is a technology for a new generation of transactional
applications that helps establish security, trust, accountability and
transparency. One of the key capabilities of blockchain is the ability
to maintain a record of the history of all transactions in a way that
cannot be manipulated.
Not only is it inherently more secure than other protocols, but
blockchain has the potential to be used by multiple parties to share
cyber-threat intelligence in a way that maintains the reputation of the
source of the data without revealing the identity of the source.
Governments and private institutions can combine data into threat feeds
that ensure transactional integrity and maintain reputation, but
without identifying the contributor.
Blockchain also has potential security benefits for IoT where
supply chain integrity is critical. Although there may be dozens of
parties involved in an IoT supply chain, a Blockchain can ensure
transactional integrity and visibility of logistical and quality
metrics from manufacturer to point of use.
Blockchain has inherent qualities that provide trust and security,
but, to fulfill its promise, the core technology must be further
developed using an open source governance model to make it deployable
on a grand scale. The Federal Government must invest in scientific
research to accelerate progress. The National Institute of Standards
and Technology can help shape standards for interoperability, privacy
and security. And government agencies can become early adopters of
blockchain applications. In addition, government has a key role to play
in certifying the identities of participants in blockchain-based
systems.
Conclusion
Cybercrime is one of this generation's most vexing societal
problems. As with all historic societal challenges, it requires radical
change at great speed.
The public and private sector need to collaborate on a much deeper
level to make the sharing of cyberthreat data a standard practice. This
level of interaction and sharing will result in highly organized
cybercrime fighting to thwart the massive collaboration of
cybercriminals today.
We need the partnership to incubate, develop, and institute
emerging security technologies such as cognitive systems and
blockchain. We need higher education institutions to also step up in
cultivating a new generation of security experts for our workforce.
In the process, we will not only chip away at cybercrime, but
radically reduce it by changing the economics of this significant
illegal economy. In doing so, we will experience many benefits,
including instilling trust in global interconnected systems, creating
new jobs while reducing a skills shortage, and increasing the diversity
of the workforce.
Thank you Chairman Thune, Ranking Member Nelson and distinguished
Members of the Committee for the opportunity to provide IBM Security's
perspective on this important topic.
The Chairman. Thank you, Mr. Barlow.
Mr. Ganesan?
STATEMENT OF VENKY GANESAN, MANAGING PARTNER,
MENLO VENTURES; AND CHAIR, NATIONAL VENTURE
CAPITAL ASSOCIATION
Mr. Ganesan. Thank you. Chairman Thune, Ranking Member
Nelson, thank you for the opportunity to testify before the
Committee this morning. My name is Venky Ganesan, and I serve
as one of the managing partners of Menlo Ventures. We are one
of the oldest and most successful venture capital firms in
Silicon Valley.
We have been fortunate to be early investors in many iconic
companies, including Gilead Sciences, Siri, and Uber. In the
cybersecurity space, we were the lead investors in Q1 Labs,
which is now a major part of IBM Security, and IronPort, which
is a critical part of Cisco Security. I was one of the lead
investors and on the Board of Palo Alto Networks, which today
has a market capitalization of over $10 billion. I am
testifying today in my capacity as Chair of the National
Venture Capital Association.
To understand the role that young high-growth startups play
in emerging cybersecurity technology, it is important first to
understand the role of venture capital in American
entrepreneurship. Venture capitalists like myself invest in
early stage companies with big potential and work shoulder-to-
shoulder with entrepreneurs to build the company. If you think
of a baseball team, the venture capitalist is a coach or
manager, and the entrepreneurs are the players on the field. We
are all working together to deliver value to the American
public.
American entrepreneurship is the envy of the world, in
significant part because of the right blend of public policy
priorities, such as the tax code, that rewards long-term,
patient investment of capital and Federal investment into basic
research, which often forms the building blocks for new
companies or industries.
Cybersecurity innovation and venture capital have been
intertwined right from the beginning, as almost all of the
major independent cybersecurity companies in the public market
were funded by venture capitalists. I have great respect for
all the companies and panelists here, but I'll tell you, most
of the innovation in cybersecurity today happens at the early
stage with startups.
Venture investors have deployed almost $15 billion in more
than 740 cybersecurity companies since 2010. These companies
are pushing the outer boundaries of what is possible in
cybersecurity. We have the advent of many exciting new
technologies that present incredible opportunities but also
many challenges.
For example, artificial intelligence continues to be an
area of considerable excitement among venture capital
investors. It is undeniable that we have made significant
progress in AI, even if a general purpose AI solution is not
estimated to be available until 2045 or beyond. I encourage the
Committee to think of AI applications not as man versus
machine, but rather as man plus machine.
One of the biggest challenges in cybersecurity today is the
avalanche of security alerts every enterprise gets. There's
simply not enough security professionals in the world to
resolve all of them. AI is a potential solution for this
problem, because it can automate some mundane activities, thus
freeing the experienced security professionals to focus their
energies on the high-value alerts.
In my written testimony, I discuss other new cybersecurity
technologies, such as blockchain, the Internet of Things, and
quantum computing that offer further opportunities and risks. I
believe this Committee can help spur cybersecurity innovation
and protect Americans from future threats with policy action in
a few areas, and I have a few recommendations.
First, we must modernize our procurement system so our
government has access to world-class cybersecurity technology,
much of which comes from startups. The unfortunate reality is
our procurement practices act as a deterrent to many startups.
If you look at the cybersecurity threats we face today, a lot
of them were technologies that were created after 2014. So you
need modern software technologies, and our procurement
practices do not allow you to have access to that.
Second, the government can drive market solutions by
establishing best practices. I commend Chairman Thune's efforts
on the NIST Framework and recommend NIST develop a way to
update the Framework periodically and establish test guidelines
that all security products can be objectively compared against.
Third, we need a better legal framework that allows data
sharing so that companies can team up against external threats,
learn from each other, and benefit from each other's solutions.
Fourth, we should create a generation of cyber warriors, as
attempts to weaponize technology will not recede in our
lifetime. We have countries, like Israel, China, Russia, who
all create a generation of cyber warriors that we've got to
compete against. Our idea would be to set up a cyber academy
where we can recruit, train, and develop the best young cyber
talent in our country.
Fifth and finally, more must be done to facilitate cyber
insurance to minimize existential risk, as the cost of breaches
can be astronomical and beyond any single company's ability to
handle. We need a market-based system to allow us to get
feedback, and cyber insurance is a market-based system to do
that.
To conclude, the cybersecurity challenges we face are
daunting, but I'm an optimist. For 241 years, it has never made
sense to bet against America, and that's not going to change.
My personal investing experience gives me great confidence that
there are many amazing companies out there who have needed
solutions to our cybersecurity challenges. This Committee can
support those dynamic young companies by enacting pro-
entrepreneurship policies that will facilitate creation of a
new wave of cybersecurity innovation.
I look forward to your questions.
[The prepared statement of Mr. Ganesan follows:]
Prepared Statement of Venky Ganesan, Managing Partner, Menlo Ventures
and Chair, National Venture Capital Association
Chairman Thune, Ranking Member Nelson, thank you for the
opportunity to testify before the Senate Committee on Commerce,
Science, and Transportation today. My name is Venky Ganesan and I serve
as one of the Managing Partners of Menlo Ventures. Menlo Ventures is
one of the oldest (41 years) venture capital firms in Silicon Valley.
We manage approximately $4.5 billion in assets and have invested in
over 400 portfolio companies whose aggregate value if held post going
public would be over $200 billion. We have been fortunate to be early
investors in many iconic companies, including F5 Networks (``FFIV''),
Gilead Sciences (``GILD''), Hotmail (acquired by Microsoft), Siri
(acquired by Apple), and Uber. We also have a long and successful
history investing in cybersecurity. Menlo Ventures was the lead
investor in Q1 Labs, which was acquired by IBM and has now become a
major part of IBM Security. Additionally, Menlo was also the lead
investor in IronPort, which was acquired by Cisco for $830 million and
is a critical part of Cisco Security. I was one of the lead investors
and was on the board of Palo Alto Networks (``PANW'') which today has a
market capitalization of over $10 billion. I am here today in my
capacity as Chair of the National Venture Capital Association (NVCA),
which advocates for pro-entrepreneurship policies that create jobs and
grow the U.S. economy.
Venture Capital and Entrepreneurship
Venture capital and entrepreneurship go hand in hand. Some people
mistake venture capital as a passive investing function in which
venture capitalists pick companies, write checks, and then wait for the
returns to roll in. While that would be nice, the reality is much
different. A better analogy to understand the relationship between
venture capitalists and entrepreneurs is to think about startups like a
baseball team. The entrepreneurs are the players on the field. The
venture capitalists are the coach and the managers. Ultimately, the
players need to deliver on the field and that is what entrepreneurs do.
However, as the coach/manager, venture capitalists help recruit
players, negotiate contracts, run training sessions, make real-time
tactical decisions during the game, and decide on the playing roster.
To give you additional context, in the last three weeks I have
personally done the following:
Evaluated over 5 new investments;
Negotiated compensation agreements with a CEO;
Identified and sourced potential executives for one of our
companies;
Interviewed and convinced a young marketing executive to
join one of our companies;
Done reference calls with prospective customers and
encouraged them to buy from one of our early stage companies;
and
Held strategy sessions with salespeople from our portfolio
companies.
Venture capital is hard and unfortunately not always successful.
According to research by Professor Shikhar Ghosh of Harvard Business
School, 75 percent of venture backed startups do not return investors'
capital. Correlation Ventures, which evaluated over 21,000 financings
spanning the years 2004-2013, showed that 64.8 percent of financings
resulted in less than 1x return of capital.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Even when venture capitalists are successful, it takes a long time.
The average time to exit for venture-backed startups according to the
NVCA 2017 Yearbook is more than 5 years for an acquisition and more
than 7 years for an initial public offering (IPO). In life science,
those time periods are often even longer.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Source: NVCA 2017 Yearbook, Data Provided by PitchBook
However, when venture capital works, it really works. Some of the
most prominent technology companies in the world, e.g., Facebook,
Twitter, Snapchat, Google, Amazon, Microsoft, etc., were all venture
backed. At one point in 2016, the five largest companies by market
capitalization in America were technology companies (Apple, Microsoft,
Alphabet, Amazon, and Facebook) all of whom were venture-backed. Three
of these companies were built with venture capital within the last 22
years. According to a 2015 study by Ilya Strebulaev of Stanford
University and Will Gornall of the University of British Columbia, 42
percent of all U.S. company IPOs since 1974 were venture-backed.\1\
Collectively, those venture-backed companies have invested $115 billion
in research and development (R&D), and created $4.3 trillion in market
capitalization, accounting for 85 percent of all R&D spending and 63
percent of the total market capitalization of public companies formed
since 1974. Specific to the impact on the American workforce, a 2010
study from the Kauffman Foundation found that young startups, many of
them venture-backed, were responsible for almost all the 25 million net
jobs created since 1977.\2\
---------------------------------------------------------------------------
\1\ ``The Economic Impact of Venture Capital: Evidence from Public
Companies,'' Stanford University Graduate School of Business Research
Paper No. 15-55, available at http://papers.ssrn.com/sol3/
papers.cfm?abstract_id=2681841.
\2\ ``The Importance of Startups in Job Creation and Job
Destruction,'' Kauffman Foundation Research Series: Firm Foundation and
Economic Growth,'' (July 2010), available at http://www.kauffman.org//
media/kauffman_org/research%20reports%20and%20covers/2010/07/
firm_formation_importance_of_startups.pdf.
---------------------------------------------------------------------------
These incredible contributions to the U.S. economy are due, in
significant part, to the right blend of public policy priorities. For
example, our tax code rewards long-term, patient investment of capital
that enables venture capitalists to work alongside entrepreneurs for
many years before they see any return on investment. I encourage all
Members of Congress to make new company formation a priority in tax
reform. In addition, the Federal Government has prioritized investment
into basic research, which often forms the building blocks for new
companies and even whole industries that fuel economic growth with
rapid advancements that improve our well-being and extend our lives.
Venture Capital's Impact on Cybersecurity
Cybersecurity innovation and venture capital have been inextricably
intertwined right from the beginning. Some of the biggest innovations
in cybersecurity have been introduced by venture capital backed
startups. For example:
The stateful inspection firewall which is a critical
component of almost all perimeter security products was
invented by Checkpoint;
SSL encryption was invented by Netscape; and
Next generation firewall based on a ``single pass''
architecture was pioneered by Palo Alto Networks.
In addition, almost all of the major independent cybersecurity
companies in the public market were funded by venture capitalists,
including Symantec, Palo Alto Networks, FireEye, Proofpoint, Imperva,
Fortinet, Qualys, and Cyberark, to name a few.
Venture capitalists are also incredibly active in the private
markets. Since 2010, they have invested over $14.6 billion in more than
740 cybersecurity companies including $3.52 billion in 2015 and $2.75
billion in 2016.\3\
---------------------------------------------------------------------------
\3\ Pitchbook-NVCA data (Note: Some companies raised a round of
venture funding in more than one year, in which case they are counted
separately in each year.)
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
---------------------------------------------------------------------------
Source: PitchBook-NVCA data
America's leadership in cybersecurity is directly attributable to
the strong expertise and significant patient investment capital
provided by U.S. venture capitalists.
Cybersecurity Threat Landscape
Cyber threats at a consumer level really started to emerge in the
1990s with the commercialization of the Internet. Until the advent of
the Internet, viruses could only pass to other computers through floppy
disks or other storage media. Once consumers and businesses started
connecting their computers to the Internet, viruses with names like
Melissa and ILOVEYOU could propagate massively across the Internet and
infect millions of users. The first generation of protection against
these viruses were anti-virus companies such as Symantec and McAfee
that used signature based techniques to create anti-virus software. In
order to protect themselves from hackers, corporations started
implementing perimeter security solutions. Prominent among these
solutions were firewalls, Intrusion Prevention Systems (IPS), and
Intrusion Detection Systems (IDS). While there was a cat-and-mouse
element to this fight, for the most part people felt that the
cybersecurity problem was in check until the advent of two major
developments.
The first major development was a discovery by researchers
in 2010 of a malicious computer worm known as Stuxnet that
targeted industrial computer systems. What made Stuxnet
different from other viruses was that it targeted programmable
logic controllers (PLC) which were not connected to the
Internet and were previously thought to be unhackable. Stuxnet
showed that many elements of our critical infrastructure, such
as dams, electric grids, water treatment facilities, hospital
systems, factory assembly lines, and power plants, which use
supervisory control and data acquisition (SCADA) and PLC
systems, are now under threat, even when they are not connected
to the Internet.
The second major development was the advent of highly
sophisticated malware called Advanced Persistent Threats (APT)
in 2013. These malwares function quite differently from the
viruses of the past. The hackers' goal is espionage and data
theft. Once they infect a target, they use sophisticated root
kit techniques to disguise themselves. They then connect to
command and control servers on the Internet and both exfiltrate
data and take new instructions. These sophisticated malwares
can remain undetected for months or even years while slowly
traversing across the entire network of the victim and grabbing
valuable data. All the big breaches you have heard about
recently--Anthem, Office of Personnel Management (OPM), Target,
Sony--were victims of this technique. Legacy security vendors
never architected their solutions to handle threats like this,
and unless governments, enterprises, and consumers upgrade
their security infrastructure to a modern architecture they are
all exposed to this threat.
In addition to these new threats, there are some major developments
in other technical areas such as artificial intelligence, Blockchain,
Internet of Things and quantum computing which have the potential to
impact cybersecurity. Below is a brief overview of each of these
emerging areas of technology and how they might impact cybersecurity.
Artificial Intelligence/Machine Learning
Artificial intelligence (AI) in a computer science context is
defined as the study of intelligent agents. It is the idea that
computers mimic cognitive functions such as ``learning'' and ``problem
solving'' that is normally associated only with humans. Prominent
milestones in AI include IBM's Deep Blue becoming the first computer
chess-playing system to beat a reigning world champion, IBM's Watson
defeating two Jeopardy champions, and Google's AlphaGo beating a
professional Go champion. In popular culture, AI is usually captured as
the evil machines taking over the world a la ``Hal'' in the movie
``2001: A Space Odyssey'' or ``The Matrix.''
Artificial intelligence and machine learning have been areas of
considerable excitement among venture capital investors. As a subset of
U.S. cybersecurity venture investment, 15 artificial intelligence and
machine learning companies raised $203 million in 2016. In 2015 and
2016, 21 companies raised a combined $417 million in venture funding.
To put this into context, only 13 companies raised a total of $191
million from 2006 to 2014.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Source: PitchBook-NVCA data (Note: Some companies raised a round of
venture funding in more than one year, in which case they are counted
separately in each year).
It is undeniable that we have made significant progress in AI. The
factors that have enabled this progress include the availability of
inexpensive computing through the cloud through such innovation as
Amazon Web Service (AWS), sophisticated machine learning techniques and
algorithms, and availability of huge data sets to be used as training
data. Some of the progress we have made towards a self-driving car is
directly attributable to machine learning techniques like ``Deep
Reinforcement Learning.'' To date, artificial intelligence and machine
learning seem to show strong results when we apply them to a narrow
problem or constrain the solution space, i.e., Chess, Go. However, we
are not close to a general-purpose AI solution any time soon. While
estimates vary considerably, no credible expert estimates that we will
have general purpose AI sooner than 2045.
Rather than thinking in the context of Man vs. Machine, a better
exercise would be to think in the context of Man plus Machine. But, as
we come to rely on this technology to bolster our capabilities, could
hackers and nation state actors use artificial intelligence to hack
into our cyber infrastructure? Here again the answer is mixed. We are
far from an AI machine that can hack any infrastructure in a general-
purpose way. However, people could use machine learning techniques to
make progress. Still, most experts believe that the existing techniques
of capitalizing on human error (e.g., clicking on malware links,
opening attachments) are so effective that there currently is little
incentive to invest in expensive AI research for cyber hacking. On the
positive side, there are a variety of startups trying to use AI/machine
learning to help automate security operations. One of the biggest
challenges in cybersecurity today is the avalanche of security alerts
every enterprise gets. There are not enough security professionals in
the world to chase down and resolve every security alert. There have
been some promising advances in using artificial intelligence to
automate some of these mundane activities thus freeing the experienced
security professionals to focus their energies on the high value
alerts.
Internet of Things (IoT)
The Internet of Things refers to the inter-networking of physical
devices, vehicles, connected devices, and buildings whereby physical
objects can collect and exchange data with each other. Canonical
examples of IoT are smart TVs, which are connected to the Internet and
allow you to watch over-the-top content not available through your
cable or satellite feed. Another example would be a connected car, such
as a Tesla, which can be upgraded or modified with an over-the-air
software update.
IoT interfaces with cybersecurity in two major ways. First, as more
and more appliances get ``connected'' and join the Internet they are
now vulnerable to hacking. Recent reports have shown that state actors
and sophisticated hackers can take over connected devices such as TVs,
refrigerators, vehicles, and yes, even microwaves. Once taken over,
these devices can then be used to spy and gather confidential
information. A good example of this would be voice assistants like
Amazon Echo and Google Home. These devices are connected to the
Internet and are always listening for voice commands. A hacker could
take over one of these devices and listen and record all voice
conversations happening around the device.
Second, and even more worrying, is that these devices once taken
over can be used as a weapon in a broader attack. There was a major
denial of service attack (DDOS) in October 2016 targeting a domain name
service (DNS) provider called Dyn. This attack brought down Dyn, which
in turn affected major parts of the Internet, including major websites
such as Amazon, Airbnb, Comcast, and The New York Times. It was
discovered that the attack was orchestrated through a botnet consisting
of millions of IoT-enabled devices, such as webcams and cameras. An
additional concern would be the ability of hackers to take over the
controls of a connected car and use it as a weapon for terrorism
purposes. The structure of the consumer electronics industry
perpetuates and exacerbates these security threats. Consumers are not
well informed about the inherent security risks in these products to
demand strong security solutions and there are not well-established
security certifications for consumer devices. As a result, vendors
often have not made the necessary investments in product security, and
have not implemented even basic capabilities such as password
management or the ability to perform over-the-air security upgrades.
In 2016, 12 cybersecurity IoT companies raised $92 million in
venture funding, the second highest annual total for both metrics in
the past decade.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Source: PitchBook-NVCA data (note: some companies raised a round of
venture funding in more than one year, in which case they are counted
separately in each year).
Blockchain
Blockchain refers to a digital ledger in which transactions made in
Bitcoin or any other cryptocurrency are recorded chronologically and
publicly. Blockchains are critical for the functioning of
cryptocurrency since they act as the ledger of record to show who owns
what and how ownership changes from one person to the other. Regardless
of your views on cryptocurrencies, experts are excited about Blockchain
because it is a distributed database with built in validation.
Blockchain is effectively an independent, transparent, and permanent
database existing in multiple locations and shared by a community. No
person controls it, nor can anyone manipulate it so it can serve as the
single source of truth for transactions. Blockchain can be used to
document anything, including record titles of digital goods.
Blockchains are exciting from a cybersecurity perspective since
they are currently perceived as much safer than traditional databases
and less impervious to manipulation and fraud. The drawback of
Blockchain, however, is that as they scale and get big, they need
massive computational power, which in turn needs significant electrical
power. Recently, a financial institution estimated that if 400
different virtual currencies were created, they would need 200 times
the amount of electrical power Ireland consumes. Governments who have
access to unlimited computational and power resources should however
consider Blockchain as a promising way to store their critical data.
High-profile hacks of databases like with OPM demonstrate the
vulnerability of information held by the government. Blockchain could
play an important role in data authentication and transparency in the
healthcare and financial sectors. There are numerous use cases through
which Blockchain could be used for identity and key management, domain
name system (DNS) authentication, and patient record management.
Quantum Computing
Traditional computers encode their data in binary form, i.e., data
is stored either as a 0 or a 1. There are only two states and
traditional machines read these binary files, which are just sequences
of 0s and 1s and make sense of them. Quantum computers, on the other
hand, store their data in something called ``qubits''. A quantum
computer with n qubits can store a complex combination of up to
2^n states. The technical details are quite complex and
complicated to explain, but a simplistic way of thinking about it is
that a quantum computer will allow you to solve certain computer
problems that are intractable on conventional computers.
The way quantum computing intersects with cybersecurity is that all
of our current encryption standards are based on traditional computing
standards. If a large-scale quantum computer can be built, then our
current public key cryptography standards (e.g., RSA, ECDSA, DSA) could
all be broken, allowing anyone to decrypt the data. The best estimates
for what it takes to build such a quantum computer, according to
National Institute of Standards and Technology (NIST), are 15 years,
$1 billion in spend, and electrical power tantamount to a small nuclear
power plant. This is beyond any private actor, but possible for a state
actor like China or Russia, which do have the resources to invest in
quantum computing. This is a possibility that should greatly concern
policymakers because if we are beaten in this race the country could be
at a severe strategic disadvantage. Fortunately, we do have a number of
academics developing post-quantum cryptography. There is reasonable
confidence that we can find acceptable cryptographic techniques capable
of withstanding quantum computing attacks in the future. My view is
that quantum computing is still very nascent and not close to
commercialization. There are far more immediate acute problems in
cybersecurity that demand action before we need to focus on quantum
computing.
Recommendations
As an experienced investor in cybersecurity and a concerned citizen
of this great country, I have a few recommendations for the Committee
to consider on this topic:
1. Modernize government procurement systems so that the government
has access to the best technologies: The world's best
cybersecurity solutions are developed in America but
unfortunately our government's procurement laws are outdated
and make it hard for young startups to sell to the government.
As noted before, sophisticated malware threats like APT can
only be countered by modern security software. I do want to
acknowledge the efforts of entities such as In-Q-Tel \4\ and
DIUx \5\ that have made progress in helping startups interface
with government. However, these initiatives are focused on the
defense side of the government and do not help any of the
Federal agencies focused on civilian issues. Our procurement
practices are based on old frameworks that view software
solutions in a static, object-oriented way. The fact is, modern
software is cloud based and updated continuously and our
procurement practices need to evolve to accommodate that. As a
starting point, the Committee should collaborate with agencies
within its jurisdiction to improve their procurement practices
to better enable purchase of startup-generated technology.
Beyond that, I recommend a more comprehensive examination of
Federal procurement practices by the Trump Administration to
ensure the best technology is used to defend our government
against 21st century threats.
---------------------------------------------------------------------------
\4\ In-Q-Tel ``is the non-profit strategic investor that
accelerates the development and delivery of cutting-edge technologies
to U.S. Government agencies that keep our Nation safe.'' See https://
www.iqt.org/. In-Q-Tel is a member of NVCA.
\5\ With locations in Silicon Valley and Boston, ``Defense
Innovation Unit Experimental (DIUx) serves as a bridge between those in
the U.S. military executing on some of our Nation's toughest security
challenges and companies operating at the cutting edge of technology .
. . [DIUx] continuously iterate[s] on how best to identify, contract,
and prototype novel innovations through sources traditionally not
available to the Department of Defense, with the ultimate goal of
accelerating technology into the hands of the men and women in
uniform.'' See https://www.diux.mil/.
2. Setting standards around cyber-hygiene: One way the government
can help drive market solutions is by setting standards around
cyber hygiene and expectations. I do want to commend this
Committee's leadership and support, especially Chairman Thune's
efforts in regard to the Cybersecurity Framework proposed by
NIST. I recommend that NIST develop a systematic way to update
the Cybersecurity Framework periodically and also establish
test guidelines that all security products can be objectively
compared against. In cybersecurity, we are only as strong as
our weakest link so it is imperative that we create incentives
for industry participants to practice cyberhygiene. I would
caution, however, that whatever solutions that may be crafted
in this area be limited in scope and remind lawmakers to be
careful not to unduly interfere in business practices which can
lead to unintended consequences.
3. Enable legal frameworks for companies to share and exchange data:
There is limited information flow today between companies and
government. The CIA and NSA possess very sophisticated
techniques and detailed information about threats and malware,
but there is no systematic and safe way for that expertise to
be shared with the civilian sector. There is also minimal data
sharing between companies, as people are worried about legal
liabilities from disclosing data around breaches and malware.
We need a better legal framework that allows more data sharing
so that companies can team up against external threats, learn
from each other, and benefit from each other's solutions.
4. Create a generation of cyberwarriors: Countries like Israel have
sophisticated programs like Talpiot that identify talented high
schoolers in computer science and orient them to cybersecurity
careers. We need to create a generation of cyberwarriors and
should consider different strategies, including perhaps setting
up a cyber-academy like the U.S. Naval Academy where we can
recruit, train, and develop the best young cyber talent in our
country. Attempts to weaponize technology will not recede in
our lifetime; it is time for us to build our institutions to
recognize this fact.
5. Use cyberinsurance to pool and minimize existential risk:
Regardless of how much precaution companies take, there is
always a risk of security and data breaches. The cost of these
breaches can be astronomical and beyond any single company's
ability to handle. Similar to earthquakes and hurricanes, we
need to develop a deep cyberinsurance industry so that
companies have a way to pool and minimize existential risk.
Conclusion
The challenges we face in cybersecurity are daunting, but I am an
optimist. The pilgrims on the Mayflower faced insurmountable odds but
found a way to build a home and a country that is the leader of the
free world. My own personal investing experience gives me confidence
that there are market-based approaches that can be used to battle the
cybersecurity conundrum.
In 2011, two MIT graduate students applied for a small grant from
the National Science Foundation (NSF) with an idea to create a
cybersecurity ratings organization. In 2013, Menlo Ventures, along with
other venture firms, funded them. Six years later, their company--
BitSight Technologies--employs 225 people, counts more than 700
customers across 25 different sectors, and has raised $95 million in
venture funding. The company was recently named a Forbes ``Next Billion
Dollar Startup.''
As a cybersecurity ratings company, BitSight measures the security
performance of organizations on a scale of 250-900. A higher rating
indicates better security performance. It is a simple concept--very
similar to the credit ratings model companies such as Moody's and
Standard & Poor's have championed for credit and debt.
BitSight is an example of a venture-backed cybersecurity company
providing market-based solutions through its ratings system. It is a
system that can be used by market participants that can quantitatively
improve the global state of cybersecurity. BitSight is also an
outstanding example of how government and the private sector can work
together to solve our cybersecurity challenges. What started as an NSF
grant turned into a successful company that was backed by private, risk
capital. Our firm's long-term investment is rewarded because
policymakers understand the value of that investment to our national
economy. Due to this collaboration, American jobs were created and
cybersecurity challenges are being addressed. If we all continue to
work together, we can achieve a tremendous amount.
Finally, my greatest recommendation is to use all policy tools
available, including tax and regulatory policy, immigration, patent,
and Federal investment in basic research, to encourage new company
formation. It is through the innovation created by entrepreneurs
partnering with venture capitalists that we will have the greatest
chance to defeat this challenge.
The Chairman. Thank you, Mr. Ganesan.
Mr. Grobman?
STATEMENT OF STEVE GROBMAN, INTEL FELLOW AND CHIEF TECHNOLOGY
OFFICER, INTEL SECURITY GROUP
Mr. Grobman. Good morning, Chairman Thune, Ranking Member
Nelson, and members of the Committee. Thank you for the
opportunity to testify today. I'm Steve Grobman, Intel Fellow
and Chief Technology Officer for the Intel Security Group.
I've been focused on cybersecurity technology for the good
part of over two decades. With every advancement in technology,
it introduces new challenges. When we introduced automotive and
commercial air transport in the 20th century, it radically
changed every element of American life. But it also introduced
new challenges we needed to think about related to safety and
security.
The technologies we're going to speak about today are quite
similar. We're going to focus on IoT. With Moore's Law and
enhanced connectivity, 50 billion connected devices will be in
the marketplace by 2020, according to IDC. This drives new
risk, not only in manufacturing and critical infrastructure,
but also in connected consumer devices.
Last October, we saw the weaponization of consumer devices
all over the world that were used not to attack the consumers
themselves, but rather to be turned into a weapon and targeted
against some of our tech providers, such as Twitter, Spotify,
and others. This is a large part of the challenge in securing
these consumer devices, in that market forces don't naturally
drive manufacturers to build secure architectures or maintain
those devices throughout their useful life.
We'll also have the opportunity to talk today about
artificial intelligence. Artificial intelligence powers
everything from our future self-driving cars to search engines.
The underlying technologies are powerful tools for both cyber
attackers as well as cyber defenders. Attackers are using these
technologies to do everything, such as optimize spear-phishing,
to better select the targets that they will go after, while
defenders are using this technology to better classify malware,
to identify the threats that are in their environment, and to
fundamentally process the massive quantities of data that exist
in their organization.
We must always be mindful that as new defensive
technologies are created to defend environments, bad actors
will work to create countermeasures and evasion tactics to make
these technologies less capable, and we must focus on that and
be realistic, not only about the capabilities of technology but
also the limits, as we look to benefit from them.
We'll be talking today about blockchain. Blockchain creates
algorithms which solve major problems associated with
transactions, identity, supply chain, and other fields, using a
highly-resilient ledger capability that prevents you from
having to rely on a trusted middleman. Unfortunately, this also
powers some of the tools that bad actors use to facilitate some
of the most challenging cyber crimes that we see today,
including things like ransomware, where the ability to have
anonymous transactions allows cyber criminals to get paid
directly from the victims. So we must recognize how these new
innovations will not only be used to add efficiencies and solve
large challenges, but how they will become valuable tools for
the attacking community.
We will have the opportunity to talk about quantum
computing. Quantum computing is an amazing innovation to solve
some of the most challenging research problems we're facing.
But quantum computing is also well suited to attack some of the
encryption protocols and algorithms that we rely on today.
Things like the RSA public key algorithm are subject to future
quantum attacks. There are other algorithms that are not
subject to quantum attacks. We call these quantum safe, things
like the AES algorithm that we use for bulk encryption. These
algorithms are used pervasively together to secure the way we
communicate and store data.
What we must recognize is that this is not a problem to
worry about only in the future, but today, because bad actors,
nation states can put data on the shelf today, and as these
encryption capabilities are broken in the future, they will be
able to access that data. So we must recognize how to identify
new algorithms that are quantum safe today as well as triage
the systems that rely on protecting data so we protect data in
its greatest form.
We'll be talking about making specific recommendations on
regulations. We will be talking about not wanting to rely on
hard regulations, in that cyber crime evolves very quickly,
meaning that what the threats are today will not be the threats
of tomorrow, and being overly prescriptive into what a
manufacturer or organization might do will create opportunity
costs that are better spent on protecting their environment.
We also need to be more transparent in our vulnerabilities
equities process, where we need to recognize government will
identify or have access to vulnerabilities, and we need greater
transparency in how we disposition those.
I thank you very much for the opportunity to talk today,
and I look forward to our discussion.
[The prepared statement of Mr. Grobman follows:]
Prepared Statement of Steven Grobman, Intel Fellow and Chief Technology
Officer, Intel Security Group
Good morning, Chairman Thune, Ranking Member Nelson, and members of
the Committee. Thank you for the opportunity to testify today. I am
Steve Grobman, Intel Fellow and Chief Technology Officer, Intel
Security Group, part of Intel Corporation.
I am pleased to address the Committee on how emerging fields like
Artificial Intelligence (AI), Internet of Things (IoT), quantum
computing, and Blockchain not only create tremendous value for American
citizens, but also present new opportunities for both attackers and
defenders in the field of cybersecurity. My testimony will address
Intel and Intel Security's commitment to cybersecurity and the state of
the above emerging technologies. I will conclude with some policy
recommendations.
First, I would like to provide some background on my experience and
Intel's commitment to cybersecurity. I am the Intel Security Group
Chief Technology Officer (CTO), responsible for leading technical
innovation and thought leadership related to cybersecurity at Intel. I
have been focused on the field of cybersecurity for over two decades in
a wide range of positions.
Intel Security's Commitment to Cybersecurity
Intel is a global leader in computing innovation, designing and
building the essential foundational technologies that support the
world's computing devices. Combining Intel's decades-long computing
design and manufacturing experience with Intel Security's market-
leading cybersecurity solutions, Intel Security brings a unique
understanding of the cybersecurity challenges threatening our Nation's
digital infrastructure and global e-commerce. Governments, businesses
and consumers face a cybersecurity threat landscape that is constantly
evolving with each new technology that is brought to market at a faster
pace than ever before. The sharp rise of internet-enabled devices
(known as ``Internet of Things'' or ``IoT'') in government, industry
and the home exacerbates this already difficult challenge. The
increasing advancement of artificial intelligence provides real promise
for society but at the same time provides a tool for malicious actors
as well. Emerging areas such as quantum computing have repercussions we
need to be addressing now, and blockchain is a strong technology that
can be used to solve fundamental problems in security such as trusting
a central authority. The challenges we face are too significant for one
company or entity to address on its own. Real change in cybersecurity
requires a true public-private partnership with industry.
Collaboration will be the driving force behind what soon will be
the new McAfee (currently known as Intel Security)--planned to be a
standalone company this year. It's also why we recently announced a
whole new ecosystem of integrated platforms, automated workflows and
orchestrated systems based on an open communications fabric that will
enable all of us in cybersecurity to work together in ways never before
thought possible.
Emerging Technological Areas of Value and Concern
With every advancement in technology, new challenges are
introduced. The mass adoption of automobiles and air travel
fundamentally transformed every element of life in the 20th century,
yet these innovations also caused us to look at new concerns and
challenges related to auto and air safety. The technologies we will
discuss today are very similar. Technologies related to the Internet of
Things, artificial intelligence, quantum computing and blockchain are
foundational technologies with the potential to improve health, cure
disease and add new levels of automation and efficiency to our economy
and everyday life. These same building blocks will be valuable tools to
both offensive and defensive participants in the cybersecurity domain.
This discussion will focus on how these capabilities are pivotal to
building new security defensive architectures, but also examine what we
need to recognize related to new threats and risks the technologies
facilitate.
Internet of Things (IoT)
The combination of Moore's law \1\ and pervasive connectivity has
lowered the barrier of entry in building and enabling ``smart and
connected'' devices in almost every aspect of business and consumer
life in America. Collectively we are referring to these devices as the
``Internet of Things,'' or IoT.
---------------------------------------------------------------------------
\1\ In 1965, Gordon Moore, one of Intel's co-founders, made a
prediction that would set the pace for our modern digital revolution.
From careful observation of an emerging trend, Moore extrapolated that
computing would dramatically increase in power, and decrease in
relative cost, at an exponential pace--from 50 Years of Moore's Law
Intel article--http://www.intel.com/content/www/us/en/silicon-
innovations/moores-law-technology.html
---------------------------------------------------------------------------
IoT is defined as endpoint devices such as cars, machinery or
household appliances that connect to the Internet and generate data
that can be analyzed to extract valuable information. There are three
sub-definitions emerging out of the IoT space; however, all three
definitions overlap. The ``Mobile IoT'' comprises devices like cars,
wearables, sensors and mobile phones, which all connect directly
through broadband wireless networks. The ``Industrial IoT'' connects
devices in industrial environments like factory equipment, security
cameras, medical devices and digital signs. These devices are able to
connect to the Internet and into the datacenter (cloud) through an
industrial ``gateway.'' \2\ Finally, the ``Home IoT'' connects devices
like game consoles, smart TVs, home security systems, household
appliances and thermostats through a gateway to the internet.
---------------------------------------------------------------------------
\2\ A gateway is a node on a network that serves as an entrance to
another network.
---------------------------------------------------------------------------
IoT presents staggering economic opportunities for the U.S. and the
world. Market research firm IDC estimates there will be 50 billion
connected devices in the marketplace by 2020 \3\, and Morgan Stanley
forecasts 75 billion in that same time period.\4\ These estimates would
equate to six to 10 connected devices for every person on earth.
Whether the exact number of devices is 50 billion, 75 billion or
something more, one thing is for certain: The number of connected
devices will explode in the next five years. In just the automotive
industry alone, it is projected that 250 million (or one in five) cars
worldwide will be connected to the Internet by 2020--via technologies
like LTE, satellite and 5G communications networks.\5\ To put this in
perspective, there were roughly 250 million cars on U.S. roads in
2013.\6\
---------------------------------------------------------------------------
\3\ Business Strategy: The Coming of Age of the ``Internet of
Things'' in Government, IDC (April 2013), http://www.idc.com/
getdoc.jsp?containerId=GIGM01V
\4\ Morgan Stanley: 75 Billion Devices Will Be Connected To The
Internet Of Things By 2020, Business Insider (Oct. 2 2013) http://
www.businessinsider.com/75-billion-devices-will-be-connected-to-the-
internet-by-2020-2013-10
\5\ Gartner Says By 2020, a Quarter Billion Connected Vehicles Will
Enable New In-Vehicle Services and Automated Driving Capabilities,
Gartner Inc. (Jan. 26, 2015), http://www.gartner.com/newsroom/id/
2970017.
\6\ Average Age of Vehicles on the Road Remains Steady at 11.4
years, According to IHS Automotive, IHS (June 2014) (253M cars on U.S.
roads in 2013), http://news.ihsmarkit.com/press-release/automotive/
average-age-vehicles-road-remains-steady-114-years-according-ihs-
automotive.
---------------------------------------------------------------------------
This explosion of devices and technological revolution that is IoT
is projected to have a staggering positive impact on the U.S. and
global economy. McKinsey projects IoT will have a $2.7 trillion to $6.2
trillion global economic impact by 2025.\7\ And what should most excite
U.S. policymakers is that the U.S. and other developed economies are
expected to capture a remarkable 70 percent of this economic impact, if
we develop a leadership position.
---------------------------------------------------------------------------
\7\ Disruptive Technologies: Advances that will transform life,
business, and the global economy, McKinsey Global Institute (May 2013),
http://www.mckinsey.com/insights/business_technology
/disruptive_technologies.
---------------------------------------------------------------------------
On the other hand, with the growth of IoT, we are rapidly
approaching 50 billion connected devices (with varying degrees of
security) that are becoming more and more valuable to attackers. We
have already seen the beginnings of this trend, as cyberattacks against
physical assets--from cars to electric power stations--move from
science fiction to reality.
It is critical to recognize why IoT devices are interesting targets
for a cyber attacker. Incentives may range from a cybercriminal
monetizing an attack by holding a manufacturing facility for ransom or
a terrorist or nation-state actor executing an attack on critical
infrastructure or business assets to harm the U.S. economy or cause
loss of life. As we will see, a key incentive for the bad actor may be
to expand the attack infrastructure and weaponry they have at their
disposal.
One of the major issues in consumer IoT is weak market incentives
to drive manufacturers to build strong architectures, as the consumer
buying the device currently places little value on security, especially
with tight margins in the consumer IoT industries. More worrisome is
that manufacturers generally don't maintain the security of a device
throughout its entire practical life. Although a smart TV or thermostat
may have a three-year warranty, the device will likely function for
many years beyond that. If security vulnerabilities are identified in
year five, is the manufacturer compelled to release a fix? What about
manufacturers that no longer exist? With the rate and pace of the
creation of smart and connected devices, it is inevitable there will be
millions of vulnerable orphaned devices that will be ripe for
exploitation.
One thing critical to understand is that this is not just a
consumer problem. One of the questions I'm often asked is why someone
should care if their light bulb is hacked. What data are they really
going to steal? And the thing is, they're not going to steal data.
That's not the concern. The concern is weaponizing that lightbulb to
become part of the larger attack scenario. And that attack scenario can
impact infrastructure, it can impact organizations and it can impact
companies. The impact of insecure consumer devices is an issue that
needs to be comprehended well beyond just the consumer who purchased
the device.
This is exactly what we saw in October 2016 with the Mirai attack.
You may also hear it called the Dyn attack because it was targeting the
Dyn DNS infrastructure. Mirai was a botnet that spread by finding
generally inexpensive internet-connected consumer devices. These
devices didn't have traditional vulnerabilities; they were vulnerable
because the manufacturers had left integrated privileged accounts with
weak passwords. The botnet grew by having compromised devices play two
roles. They would search for other vulnerable devices and ``recruit''
them to join the botnet as well as check in with a command and control
infrastructure to see if there were any attack actions they needed to
take. The attackers who launched this attack issued a set of commands
that flooded the Dyn infrastructure, resulting in major technology
sites falling off-line for the better part of a day. The attackers
could use this infrastructure to attack any organization, and we should
think of the October incident as merely the beginning of this type of
scenario.
To prove this out, my team ran a test in January, months after this
attack. The experiment consisted of placing a simulated vulnerable
device on an open network to see how long it would take a device to get
compromised by this botnet. Literally at the one minute, six second
mark, it was exploited. If this were a real device it would now be part
of the broader botnet infrastructure.
When we think about attack scenarios it comes down to understanding
one thing--risk. Security upgradability and patching are critical.
Vendors need to design these critical capabilities into the products
they offer to consumers. They also need a plan to deal with critical
security vulnerabilities discovered even after devices are out of
warranty. We also need to raise consumer awareness so that buying
decisions have people consider security the way they think about other
things today (e.g., is this device from a reputable manufacturer? How
long will it last? What is the warranty?).
There are a number of technologies and approaches to device
initiation and on-boarding that Intel, its partners and customers are
working on. We look forward to working with organizations like NIST to
standardize where appropriate. However, the issue of legacy devices is
more difficult to resolve, especially since it is likely in the hands
of consumers to address.
Artificial Intelligence
Artificial intelligence (AI) comprises a broad field of technology
that is enabling everything from our search engines to future self-
driving cars and everything in between. It is important to think of AI
as a set of technologies as opposed to one thing. Just as with every
other technology in computer science, the attacker and defender
communities analyze how AI can be used to enhance the capabilities of
their solutions.
Attackers are using capabilities in AI to perform a wide range of
tasks. AI can be used to automate capabilities that formerly required
human analysis for high levels of effectiveness. For example, in spear-
phishing the attacker's objective is to craft a message that the victim
will trust or interact with. AI also can be used to build customized
content automatically for a specific user based on content found within
their social media information or other feeds. This customized content
has a much higher success rate than a generic phishing interaction that
is not user specific. Additionally, in the past the attacker had to
choose between sending a high-volume of low-quality phishing
interactions or a low volume of high-quality interactions that were
crafted by a human. AI allows the attacker to have the best of both--a
high quality phishing interaction that can be sent to a large number of
users.
Another area where AI is an asset to cyber attackers is in victim
selection. One capability AI is very well suited for is classification
and scoring based on input data. One use case would be determining
which of a set of potential targets or environments would be viable to
breach. Attackers can train their data based on attributes about their
environments and the effectiveness of past attacks and then focus their
efforts where they will attain the highest return on their efforts and
investment.
By the same token, the characteristics of AI make it a powerful
tool in defensive tools and technologies for the cybersecurity
industry. A large portion of a defender's job is processing massive
quantities of data within an organization and identifying threats.
There are also many elements in cybersecurity that are ultimately
classification problems: Is a file malicious? Is behavior malicious? Is
a user acting differently than the tasks they normally perform? All of
these questions require data inputs, analysis and a predictive
conclusion. AI has numerous classification capabilities and algorithms
that make it a perfect tool for these sorts of tasks. For example,
Intel Security has recently launched products such as our RealProtect
technology \8\ that can analyze both the structure and behavior of an
application using AI techniques to classify it as malicious or benign.
---------------------------------------------------------------------------
\8\ https://www.mcafee.com/us/resources/white-papers/wp-real-protect-dynamic-application-containment.pdf
---------------------------------------------------------------------------
We do need to be mindful that our current state of the art in AI
and analytics capabilities has limits, both in the field of
cybersecurity as well as in other fields. Simply having massive
quantities of data does not necessarily mean there is an underlying
signal that can be teased out by an algorithm. We have radically
improved how we do analytics on hurricane forecasting. For example,
three days before a hurricane makes landfall we can predict where it
will land to roughly 100 miles of accuracy, whereas 25 years ago, we
could predict accuracy only to 350 miles.\9\ Yet, although we have
massive quantities of seismic data, we have not yet found a way to
reliably predict that a major earthquake is about to occur. The same
issue occurs in cybersecurity; sometimes there is not a way to detect a
threat based on the data available.
---------------------------------------------------------------------------
\9\ https://en.wikipedia.org/wiki/The_Signal_and_the_Noise
---------------------------------------------------------------------------
There is one element of AI in cybersecurity that separates it
significantly from AI in other fields. In cybersecurity, there is a
human bad actor who creates evasion tactics and countermeasures with
the intent to have the algorithm fail. We don't have this issue in
other forms of goal-based analytics (e.g., water doesn't choose to
change the way it evaporates as we get better at hurricane
forecasting).
In addition, in cybersecurity we see a trend where every new
defensive technology loses effectiveness once deployment in the market
drives adversaries to build countermeasures and evasion tactics. The
cycle looks like this:
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
As we are on the leading edge of the deployment curve with many of
the industry AI-based solutions, it is critical to give forethought to
how bad actors will work to circumvent AI-based capabilities. Examples
of techniques we are analyzing and tracking include machine learning
poisoning and forcing defenders to recalibrate models or raise the
noise floor. In the field of cybersecurity defense there is never a
silver bullet defense, but rather a constant pipeline of innovation for
both the attacker and defender.
Blockchain
Blockchains have gained a lot of attention as they provide key
benefits across a wide range of applications. Blockchains first emerged
as the technology behind the cryptocurrency Bitcoin. Blockchains,
however, have much broader use cases, including identity management,
marketplaces and supply chain management. The potential of the
technology is considered disruptive and has been described as
potentially impacting transactions in the same way the Internet
affected communications.
Blockchain makes use of a cryptographically supported immutable
ledger and distributed consensus protocols to facilitate the exchange
of assets between two untrusted parties, eliminating the need for
intermediaries. Any networked ecosystem with a central authority for
transaction authorization could potentially use a blockchain in the
future as a replacement. In more detail, blockchain ensures the
integrity of the ledger. It is an immutable series of transactions
shared by all participants in the ledger. Cryptographic signatures
ensure correctness and guarantee ``non-repudiation'' (that is, once a
transaction is committed to the blockchain, it cannot be un-committed).
Distributed consensus algorithms ensure all participants see the same
series of transactions even if bad actors try to compromise the system.
Blockchain technologies can provide a significant contribution to
the improvement of efficiency and integrity in transactions in a
variety of areas, including finance and healthcare. In addition,
elements of blockchain technologies have been tested in a variety of
use cases and contexts, including e-government and health data
protection, notary services, supply chain, secure contracting and
document delivery, identity, real estate systems, and many more. In
order to ensure successful incorporation of blockchain in various
technology ecosystems, it is necessary to improve reliability,
scalability, security and privacy.
These goals cannot be achieved without the support of the features
in hardware. Intel has been paying close attention to the developments
in blockchain. Intel is developing products for blockchain and
participating in blockchain ecosystem development via a number of
initiatives, including the Linux Foundation's Hyperledger \10\, the
Ethereum Enterprise Alliance and Intel's open source distributed
ledger \11\. Intel is testing its open source distributed ledger in
proof-of-concept (POC) environments in partnership with various
external companies to improve the integrity and applicability of the
technology. Intel's focus has been on developing hardware functionality
that will make it possible to operate blockchains on a commercial scale
with greater security and support for privacy, thus creating promise
for commercial deployment in several segments.
---------------------------------------------------------------------------
\10\ https://www.hyperledger.org/
\11\ http://intelledger.github.io/0.8/
---------------------------------------------------------------------------
While the core capabilities of blockchain add tremendous efficiency
and de-centralized authorization of transactions, these same
properties, like many other innovations, have also been used for
nefarious purposes. Blockchain-enabled cryptocurrencies, such as
Bitcoin, are the preferred financial instrument of cybercriminals
focused on executing ransomware. Ransomware is an efficient cybercrime
in which criminals are paid directly by the victim. From the
cybercriminal's perspective, there is no need to digitally fence stolen
data or worry about data becoming devalued (such as stolen credit card
numbers being canceled).
A typical ransomware scenario occurs when a cybercriminal gains
access to a victim's (individual or organization) system and encrypts
data that has value to the victim. The victim is then informed that
their data is being cryptographically held hostage, and if they want
their data back, they must pay a ransom. Ransom is typically paid in
cryptocurrency based on blockchain, such as bitcoin, as it is easy to
move the funds multiple times and difficult to map the underlying
holder of a bitcoin wallet to a true individual. Ironically, market
forces encourage cybercriminals to uphold their end of the bargain and
typically do provide keys after payment to uphold the reputation of the
ransomware model. Ransomware became practical when the usability of
cryptocurrencies reached a level that victims were technically
competent enough to use the system to make a payment.
We see an interesting phenomenon in ransomware in that
cybercriminals appear to be moving to harder targets as profit pools
dry up on soft targets. Ransomware started by targeting consumers, then
moved to soft target organizations such as hospitals, police stations
and universities. We now see ransomware impacting corporations and
organizations. This is a worrisome trend in that critical
infrastructure now presents incentives to not only be targeted by
terrorists and nation-states, but also by cybercriminals. Nation-states
are cautious about actively attacking critical infrastructure as an
attributed response could cause an undesirable reciprocal response. As
it becomes more difficult to monetize consumers and organizations,
cybercriminals could see a path to hold power, water or other critical
systems for ransom by demanding payment by the government. We should
understand these scenarios and work to understand potential policy
impacts and coordinated responses prior to these scenarios playing out.
Quantum Computing
Quantum computing is a form of computing that relies on the
principles of quantum physics to solve specialized classes of
mathematical problems that are not practical to solve on traditional
computers. Quantum computers use quantum bits (qubits), unlike digital
computers, which are based on transistors and require data to be
encoded into binary digits (bits). These qubits can exist in multiple
states simultaneously, offering the potential to compute a large number
of calculations in parallel, speeding time to resolution.
It should be noted that quantum computers will not replace
traditional computers, as they are only effective on certain classes of
problems, and in many cases perform worse than traditional computing.
However, quantum computing holds the promise of solving complex
problems that are practically insurmountable today, including intricate
simulations such as large-scale financial analysis and more effective
drug development. It is an area of research Intel has been exploring
because it has the potential to augment the capabilities of tomorrow's
high performance computers.
Another type of mathematical task that quantum computers are
uniquely qualified to focus on relates to being able to break certain
cryptographic algorithms. Today, data protection relies on a set of
algorithms that secures everything from web connections to critical
data stored or transferred in organizations or governments around the
world. Some of these algorithms are called ``quantum safe,'' meaning
the mathematics of the algorithm are not subject to attack by a quantum
architecture. An example of a quantum safe algorithm is the symmetric
AES algorithm used for bulk data encryption. Algorithms that are
``quantum unsafe'' have properties that would create high levels of
risk that a future quantum architecture could break the encryption. An
example of a quantum unsafe algorithm is the public key algorithm RSA.
Unfortunately, most encryption uses these algorithms in combination,
and being able to break either one places data at risk.
One might ask why we need to think about this now if the ability to
have a practical quantum computer is still years off. The reason is
that encrypted data today can be ``put on the shelf'' by enemy nations
and bad actors who will wait for the technology to mature. We must
start to ask, ``how long must data remain secure or secret?'' If the
answer is one or two years, we are fine using current algorithms. For
data that must be kept secret for decades or longer, now is the time to
start the transition to quantum safe algorithms.
No one company or organization will succeed alone in unlocking the
path to advanced quantum computing. Instead, partnerships--such as the
one between Intel and the QuTech institute in Delft, The Netherlands--
in addition to industry collaboration will help realize the promise of
such a technically complex issue.
Quantum computing is promising, but there are significant
challenges to overcome. It is a subatomic scenario that requires
suspending conventional wisdom around basic physics, where an electron
can actually be two places at once, spinning clockwise and
counterclockwise at the same time. This ambiguity is both promising and
enormously complex--and of course, an incredibly exciting challenge to
anyone who loves physics, as many at Intel do. How do we connect
thousands of quantum bits, or qubits, together? How can we control
them? How can we reliably fabricate, connect and control many more
qubits? Even measuring qubit signals is going to require an entirely
new class of low temperature electronics that don't exist today.
This research is on the cutting edge of silicon, architecture and
software. As Intel's entire history has been built on driving
innovations in the very leading edge of all three of these, we're
excited about the role that our and other great minds can play in
shaping this technology--which has the potential to shape the world for
the better and solve problems we cannot solve today.
Policy Recommendations
Be wary of hard regulations--In cybersecurity the threat landscape
changes very rapidly. The threat we deem the most serious today may not
be the most important tomorrow. If regulation were to force
manufacturers to guard against today's threats, tomorrow's might very
well slip through the cracks. Additionally, if the government were to
impose technology mandates, the result would likely be mere compliance
rather than true security. Regulating in an area like cybersecurity is
very tricky, and the unintended consequences could outweigh any
benefits of the regulation.
Encourage public-private collaborations--It is far better for
policymakers to collaborate with the private sector on a voluntary
basis to develop risk-based, flexible frameworks to enhance the
security of emerging technologies. A best-in-class example is the
Framework for Improving Critical Infrastructure Cybersecurity, known as
the NIST Cybersecurity Framework. It is widely acknowledged as a highly
successful model of public-private collaboration that is being adopted
by government agencies and critical infrastructure companies. The NIST
approach succeeded because policymakers and the private sector defined
a real need, improving the security of critical infrastructures; the
process was open, NIST listened to the private sector, built trust with
key stakeholders; and the final product, a flexible framework, was
based on voluntary collaboration, not rigid regulations. Policymakers
should keep in mind the recent successes of the NIST framework as a
positive way to get to their desired outcome.
Implement Security and Privacy By Design--In addition to partnering
with the private sector to develop and adopt flexible, voluntary
security frameworks, policymakers should likewise champion the
principle of security and privacy by design to help incent broad
adoption by the key parts of the IoT, AI and quantum computing
ecosystem. Proper protection of individual privacy in products does not
just happen. It needs to be designed and engineered in from the
beginning of the product development process. Security by design also
means designing security in right from the start. Adding or `bolting
on' security features to a system, network or device after it's already
up and running has inherent weaknesses and inefficiencies. IoT is a
great example where security and privacy protections need to be
designed in from the start. Attributes such as location, activities,
health monitoring, finance, etc. need protection from access and
disclosure unless granted by the owner. AI applications need an
architecture from the beginning that allows access to high valued data
while protecting the private information it may be based upon. The use
of AI for genetic medical research is an example where privacy
considerations are critical to both protecting patients' privacy and
allowing researchers access to valuable data for them to validate
hypotheses.
Cybersecurity and privacy must be built into the innovative
equipment, systems and networks at the very start of the design and
manufacturing process. Both privacy and security must be intrinsic to a
product development organization's thought processes, its business
processes, and its design, development, and manufacturing processes.
Both privacy and security must be embedded in a product or network
element so they become integral parts of the product's or element's
functioning. This approach is not only more effective; it is less
cumbersome and less expensive than trying to lock down systems that are
leaking personal information or are inherently insecure.
Revise Vulnerabilities Equities Process--As with all technologies
and more so with emerging technologies, vulnerabilities will arise that
need to be corrected to assure proper operation of the solution,
assuring its safety and security. The issue of vulnerability disclosure
has been a subject of debate for some time. Currently there are
concerns about how the U.S. Government deals with zero-day
vulnerabilities that its agencies, and those acting on its behalf,
discover. The government should revise its vulnerability equities
review and disclosure policies to allow greater transparency on how the
government is implementing the vulnerabilities equities process. A
revised policy would do much to enhance trust in the IT eco-system,
something particularly important in the context of the emerging
technologies we have been discussing today.
Conclusion
It has been an honor to testify before such a distinguished panel
of legislators. We face a cybersecurity threat landscape that is
constantly evolving with each new technology that is brought to market
at a faster pace than ever before. Rapid advances in hardware and
software are creating new categories of innovative technologies such as
the Internet of Things, artificial intelligence, quantum computing, and
blockchain algorithms.
All of these innovative technologies merit attention from
policymakers given their potential to solve complex problems, grow new
markets and create high wage jobs. At the same time, these innovations
can also create new security challenges and opportunities that need to
be addressed in a thoughtful, prudent manner. Toward that end, we
encourage policymakers to partner with the private sector to develop
flexible, voluntary and market-based solutions, rather than using regulatory
models to address the challenges of emerging, innovative technologies.
Policymakers are in a position to incent the ecosystem of emerging
technology providers to adhere to the principle of security by design.
By working together, policymakers and the private sector can harness
the benefits of innovation while also addressing its challenges.
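The Blockchain section of Mr. Grobman's prepared statement describes a ledger whose integrity rests on cryptographic signatures and on each entry being chained to the one before it. The following Python script is an added example, not code from the hearing record, from Intel, or from the projects cited in the footnotes. It builds such a ledger from the standard library alone: each transaction is signed with a Lamport one-time signature (a hash-based scheme chosen here for self-containment; the statement names no particular signature algorithm), and each block commits to the hash of its predecessor. The address scheme, participant keys and transaction amounts are constructed; distributed consensus is not modelled, every participant simply re-runs verify_chain over the same blocks.

```python
"""Hash-chained ledger with hash-based one-time signatures (constructed example)."""
import copy
import hashlib
import json
import os

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# ---- Lamport one-time signatures: security rests on SHA-256 alone ----
def lamport_keygen():
    """256 pairs of random secrets; the public key is their pairwise hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def _bits(msg: bytes):
    d = H(msg)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(256)]

def lamport_sign(sk, msg: bytes):
    # Reveal one secret per digest bit, so a key can safely sign only once.
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(msg))))

def pk_bytes(pk) -> bytes:
    return b"".join(a + b for a, b in pk)

def address(pk) -> str:
    """Sender identity is the hash of the public key (constructed scheme)."""
    return H(pk_bytes(pk)).hex()

# ---- the ledger: every block commits to its predecessor's hash ----
GENESIS = b"\x00" * 32

def canonical(tx: dict) -> bytes:
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()

def block_hash(prev: bytes, tx: dict, pk, sig) -> bytes:
    return H(prev + canonical(tx) + pk_bytes(pk) + b"".join(sig))

class Ledger:
    def __init__(self):
        self.blocks = []
        self.used_keys = set()

    def tip(self) -> bytes:
        return self.blocks[-1]["hash"] if self.blocks else GENESIS

    def append(self, tx: dict, sk, pk) -> dict:
        """Sign tx bound to the current tip, then chain it onto the ledger."""
        if tx["from"] != address(pk):
            raise ValueError("sender address does not match signing key")
        if address(pk) in self.used_keys:
            raise ValueError("one-time key already used")
        prev = self.tip()
        sig = lamport_sign(sk, prev + canonical(tx))
        block = {"prev": prev, "tx": tx, "pk": pk, "sig": sig,
                 "hash": block_hash(prev, tx, pk, sig)}
        self.blocks.append(block)
        self.used_keys.add(address(pk))
        return block

def verify_chain(blocks) -> bool:
    """Any participant can re-run this; an edit or a forgery returns False."""
    prev, seen = GENESIS, set()
    for b in blocks:
        sender = address(b["pk"])
        if b["prev"] != prev or b["tx"]["from"] != sender or sender in seen:
            return False
        if not lamport_verify(b["pk"], b["prev"] + canonical(b["tx"]), b["sig"]):
            return False
        if block_hash(b["prev"], b["tx"], b["pk"], b["sig"]) != b["hash"]:
            return False
        seen.add(sender)
        prev = b["hash"]
    return True

def relink(blocks):
    """Recompute hashes and prev pointers: all a forger without keys can do."""
    prev = GENESIS
    for b in blocks:
        b["prev"] = prev
        b["hash"] = prev = block_hash(prev, b["tx"], b["pk"], b["sig"])
    return blocks

def demo():
    """Returns (honest chain verifies, edited chain verifies, relinked forgery verifies)."""
    ledger = Ledger()
    sk_a, pk_a = lamport_keygen()
    sk_b, pk_b = lamport_keygen()
    ledger.append({"from": address(pk_a), "to": address(pk_b), "amount": 5}, sk_a, pk_a)
    ledger.append({"from": address(pk_b), "to": address(pk_a), "amount": 2}, sk_b, pk_b)
    honest = verify_chain(ledger.blocks)
    forged = copy.deepcopy(ledger.blocks)
    forged[0]["tx"]["amount"] = 500            # edit a committed transaction
    edited = verify_chain(forged)
    relinked = verify_chain(relink(forged))    # hashes repaired, signatures not
    return honest, edited, relinked

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Two failure modes are exercised. Editing a committed amount breaks both the block hash and the signature, so the chain fails to verify. A forger who then recomputes every hash and prev pointer still fails, because the signature over each block is bound to the transaction and to the previous hash and cannot be regenerated without the sender's secret key: that is the non-repudiation property the statement refers to. The ledger also refuses a second use of the same Lamport key, since each signature reveals half of the secrets and a reused key would let anyone forge further signatures; hash-based schemes of this family are generally counted among the quantum safe options mentioned in the Quantum Computing section, but the one-time restriction is the price of the simplest variant.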
The Chairman. Thank you, Mr. Grobman.
Mr. Harkins?
STATEMENT OF MALCOLM HARKINS, CHIEF SECURITY AND TRUST OFFICER,
CYLANCE INC.
Mr. Harkins. Thank you, Chairman Thune, Ranking Member
Nelson, and others of the Committee. I'm Malcolm Harkins, Chief
Security and Trust Officer with Cylance Corporation.
I'd like to start by telling you a story that I think will
add some perspective to the promise and the peril of emerging
technologies. The story starts in 2013 when the FDA approved an
experimental eye surgery: high-tech sunglasses with a camera,
video processing unit, a graphics processing unit, small
operating system, a retinal implant.
In June 2015, a 59-year-old gentleman in Ohio had that
surgery. The concept was that with computing and with
capabilities, we could perhaps transform this person's life,
change their outcome, get them to regain their sight. That's
the hope and the promise of technology. That's what computing
can do, to connect and enrich lives, to create social benefit,
to create economic benefit.
Now, what happened in June 2015 when he had that surgery--
several weeks, a couple of months later--and I'll quote from
him--``The other day, I asked my wife, Karen, to point me to
the Moon to see if I could see it. I couldn't. But I turned
around and I suddenly saw her face.'' That is what computing
can do for us if we do it right. But the one thing that's true
about computing is any device that computes can also execute
code, which means it has the potential to execute malicious
code.
Now, imagine that visor, those high-tech sunglasses, on
that gentleman. If it was poorly designed, developed, and
implemented, and it had the ability to execute malicious code,
and you hold a QR code in front of that person's face, you flip
bits, and they get held hostage to paying Bitcoin to get their
eyesight back. That's the peril.
You know, we have problems today in the world that we're
facing. We see them day in and day out across the headlines. I
believe we can't solve tomorrow's problems until we look at the
problems we have today. Otherwise, we'll carry forward the risk
issues that we're seeing today.
Having run risk and security in a large enterprise as well
as a small enterprise now for 16-plus years, I can tell you
there are two battlefields that the Chief Information Security
Officer or Chief Security Officer faces in an organization
today. There's the external battlefield that we see day in and
day out. We see in the press, the threat actors and the threat
agents that are coming after us.
But let's look at some of the data on that external
battlefield. A recent ISSA survey said that 45 percent of
cybersecurity professionals, the people that run security in
their organizations, said their organizations are significantly
vulnerable, and 47 percent said they're somewhat vulnerable.
Ninety-two percent of the cybersecurity professionals in
organizations think that their organizations are vulnerable.
Another recent survey: 61 percent of organizations today
have ransomware in their organization. Another survey from
Europol on the Internet Organized Crime Threat Assessment
Report--their look at all the investigations they've done over
the past couple of years--the majority of attacks are neither
sophisticated nor advanced. Techniques are re-used, re-cycled,
and re-introduced.
On the internal battlefield, again, some additional
surveys. Twenty-one percent of chief information security
officers say that executive management treats cyber risk as a
low priority. Sixty-one percent of the turnover for chief
information security officers, which happens about every 2 to 3
years, is predominantly because of the lack of a serious
cybersecurity culture in their organizations.
Now, I don't believe all is lost. I think there's hope. I
think there's promise. We can do better. Dr. Paul Sieving, the
Director of the National Eye Institute in the National
Institutes of Health, said in September of 2015 after the
surgeries to get people back their vision, ``When you know the
cause of something, you can begin to think about how to
ameliorate it.'' We know the cause. We know the cure. We can
put better security development, lifecycle and privacy by
design to lower the vulnerabilities in technology prior to its
implementation.
We also know the cure for today's problem. We can leverage
advances in artificial intelligence and machine learning.
Cylance is doing that today. We've already proven that we can
unlock the DNA, have an atomic level of malicious code, and
preempt prior to the execution of code its ability to do harm.
We can do it in milliseconds.
I think if we step back and look at all these things, and
we put ourselves in a better position to drive business
outcomes for the promise of technology, we'll be better apt to
avoid the peril. And I think if we do that, and do that right,
we can do three things. We can create a demonstrable and
sustainable bend in the curve of risk. We can lower the total
cost of controls in organizations that's growing unchecked and
unmitigated, just like the risks are. And we can reduce the
control friction that gets created because the security
solutions that are deployed today disrupt the ability to
compute, they disrupt the user experience, and they become a
drag coefficient on the business velocity of organizations.
Thank you.
[The prepared statement of Mr. Harkins follows:]
Prepared Statement of Malcolm Harkins, Chief Security and Trust
Officer, Cylance Inc.
Good morning Chairman Thune, Ranking Member Nelson, and other
members of the Committee. Thank you for the opportunity to testify
today. I am Malcolm Harkins, Chief Security and Trust Officer for
Cylance Inc. I am pleased to address the Committee on how emerging
technologies such as artificial intelligence, the Internet of things,
blockchain (the technology behind Bitcoin), and quantum computing will
drive a new generation of cyber vulnerabilities. Every evolution of
technology holds the promise of innovation and creates unique security
risks. However, with the proper design and forward looking
considerations these emerging technologies can also be used to combat
cyber threats more effectively.
My testimony will focus on the following areas:
The innovation cycle and how that is fueling emerging
technologies which are leading to digital transformations that
present tremendous opportunity for economic as well as societal
benefit.
The information risk and security implications for these
emerging technologies. The potential impacts and concerns to
individuals, business, and government agencies if the creators
do not provide proper security capabilities as they design,
develop, implement, and maintain these new innovations.
The cybersecurity opportunities these technologies offer to
enable better risk mitigation through prevention rather than
today's norm of react and response.
How we should be framing the digital opportunities in front
of us so that we can achieve digital transformation and digital
safety to ensure tomorrow is better than today.
First, I would like to provide some background on my experience and
Cylance's commitment to cybersecurity.
As Chief Security and Trust Officer for Cylance, I am responsible
for enabling business growth through trusted infrastructure, systems,
business processes and staff training. I have direct organizational
responsibility for information technology, information risk and
security, as well as security and privacy policy. I am also responsible
for peer outreach activities to drive improvements and understanding of
cyber risks. I work with business leaders, industry peers, security
experts and regulatory partners to develop best practices for managing
and mitigating those risks.
Prior to joining Cylance in 2015, I spent almost 24 years at Intel
Corporation. My last role at Intel, which I held for more than 2 years,
was Vice President and Chief Security and Privacy Officer (CSPO). In
that role, I was responsible for managing the risk, controls, privacy,
security, and other related compliance activities for all of Intel's
information assets, products, and services. Before becoming Intel's
first CSPO, I was the Chief Information Security Officer (CISO)
reporting into the Chief Information Officer. Over my years at Intel I
also held roles in Finance, Procurement, and other business operational
positions.
I have been fortunate to receive both peer and industry recognition
over the years including the RSA Excellence in the Field of Security
Practices Award, Computerworld Premier 100 Information Technology
Leaders, Top 10 Break-away Leaders at the Global CISO Executive Summit,
and the Security Advisor Alliance Excellence in Innovation Award. I
have authored many white papers, blogs, and articles. In December 2012
I published my first book, Managing Risk and Information Security:
Protect to Enable. I was also a contributing author to Introduction to
IT Privacy, published in 2014 by the International Association of
Privacy Professionals. The 2nd edition of my book, Managing Risk and
Information Security: Protect to Enable, was recently published in
August of 2016.
Cylance's Commitment to Cybersecurity
Cylance was founded in 2012 by Stuart McClure and Ryan Permeh with
the sole purpose of revolutionizing cybersecurity by replacing outdated
reactionary security models with proactive prevention based security
using artificial intelligence and machine learning to stop attacks
before they occur.
Stuart McClure previously served as the Global CTO of McAfee/Intel
Security business and is the founding/lead author of the international
best-selling book Hacking Exposed. Ryan Permeh previously served as
Chief Scientist at McAfee/Intel Security and is the brain behind
Cylance's mathematical architecture and new approach to security. In
building Cylance, Mr. McClure and Mr. Permeh brought together the best
data science, security and executive minds from the likes of Cisco,
Sourcefire, Google, Symantec, McAfee and several Federal intelligence
and law enforcement agencies to create a new security model that is
focused on prediction of attacks and preventing them from occurring.
Cylance is the first company to apply artificial intelligence,
algorithmic science, and machine learning to cybersecurity and improve
the way companies, governments, and end-users proactively solve the
world's most difficult security problems. Using a breakthrough
predictive analysis process, Cylance quickly and accurately identifies
what is safe and what is a threat, not just what is in a blacklist or
whitelist. By coupling sophisticated artificial intelligence and
machine learning with a unique understanding of an attacker's
mentality, Cylance provides the technology and services to be truly
predictive and preventive.
Leveraging cutting-edge artificial intelligence and machine
learning, our flagship product CylancePROTECT offers future-proof
prediction and prevention of the most advanced threats in the world
including advanced persistent threats, zero-days, and exotic
exploitation techniques never seen before. CylancePROTECT also guards
from everyday viruses, worms, ransomware, spyware/adware, Trojan horse
attacks and spam.
The problem with legacy security solutions is that adversaries can
continually evolve their techniques and tactics to bypass them, leaving
enterprises exposed to attacks. This means that traditional solutions
are reactive in nature and rely on a constant stream of ``signature
updates'' that tell these solutions what type of files to look for
after an attack was successful on some other system; these are called
``zero-day'' attacks. Traditional security solutions are built around a
basic set of rules and signature files that are costly and high risk
because they require a zero-day ``sacrificial lamb'' before they can
create the ability to block an attack, meaning it is not possible to
identify a new threat until after the damage is done. But
CylancePROTECT is different--it can identify and defuse even never-
before-seen attacks prior to execution. This means that we can stop new
variations of attacks without a zero-day sacrificial lamb. Our AI-based
solution is flexible and can support new generations of technologies
such as the Internet of things and many others.
Our commitment to cybersecurity was well demonstrated and
documented in the September 2016 House Oversight Committee report on the
OPM data breach. ``The committee obtained documents and testimony that
show internal bureaucracy and agency politics trumped security
decisions, and that swifter action by OPM to harden the defenses of its
enterprise architecture by deploying PROTECT would have prevented or
mitigated the damage that OPM's systems incurred.'' OPM IT Security
Officer Jeff Wagner said in an e-mail that Cylance was able to find
things that other tools could not ``because of the unique way that
Cylance functions and operates. It doesn't utilize a standard signature
or heuristics or indicators, like normal signatures in the past have
been done. It utilizes a unique proprietary method.'' The effectiveness
of Cylance at OPM meant that, upon our engagement, in less than 10 days
2,000+ pieces of malware were identified that had previously not been
stopped or detected across 10,000+ hosts that are now protected by
CylancePROTECT.
The Innovation Cycle Of Emerging Technologies
Understanding these innovations and the digital opportunities they
offer
The march of technology can be viewed as a succession of major
waves, each lasting roughly 100 years (Rifkin 2013). Each wave has
brought transformative benefits to society, but also significant
challenges. The first wave, starting in the 1760s, included steam
power, railways, and early factories as well as mass education and
printing. The second wave, starting roughly in the 1860s and continuing
well past the mid-1900s, included automobiles, electricity, mass
production, and had an even bigger effect on society.
    Version 1.0: 1760s      Version 2.0: 1860s      Version 3.0: 1990s
    Steam and coal          Electric lights         The Internet
    Railways                Communications          Molecular biology
    Factories               Oil & gas               Renewable energy
    Printing press          Mass production         ``Smart'' everything
    Mass education          Automobiles
The third wave began in the 1960s, with early computers, but only
really gained momentum in the 1990s. It includes the Internet and smart
``things'', molecular biology and genetic engineering, and renewable
energy. Arguably, this technology wave may have the broadest impact on
society of any to date. Each previous wave lasted about 100 years, so
history suggests that we are far from reaching the crest. To provide
some perspective--if we thought of this wave as a movie, we'd still be
watching the opening credits.
The Internet of Things (IoT) has come upon us at a fast and furious
pace. It gets discussed and hyped constantly, but sometimes without a
clear definition. And, as such, the phrase can mean different things to
different people. But a simple way to think about it is that any
powered device will compute, communicate, and have an IP address--
meaning it is connected to a network. The Internet of things allows
devices to be sensed or controlled remotely across the Internet. This
has created opportunities for more direct integration of the physical
world into computer systems. When IoT is augmented with various sensors
we have what is often defined as smart grids, smart homes, and smart
cities. Each IoT device has an embedded computing system and is able to
interoperate within the existing Internet infrastructure. Many estimates
indicate that the IoT will consist of more than 50 billion devices by
2020; some estimates top 70 billion devices.
IoT devices or objects can refer to a wide variety of applications
including everything from a heart monitoring implant or pacemaker to
biochip transponders on farm animals or children's toys such as an
Internet connected Barbie doll. Current market examples include home
automation, such as Google Nest, which can provide control and
automation of lighting, heating, ventilation, air conditioning (HVAC)
systems, and appliances such as washer/dryers, robotic vacuums, air
purifiers, ovens or refrigerators/freezers that use Wi-Fi for remote
monitoring.
In November of 2016, Louis Columbus from Forbes wrote, ``This
year's series of Internet of Things (IoT) and Industrial Internet of
Things (IIoT) forecasts reflect a growing focus on driving results
using sensor-based data and creating analytically rich data sets. What
emerges is a glimpse into where IoT and IIoT can deliver the most
value, and that's in solving complex logistics, manufacturing,
services, and supply chain problems.''
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Source: Forrester--The Internet Of Things Heat Map 2016, Where IoT
Will Have The Biggest Impact On Digital Business by Michele Pelino and
Frank E. Gillett January 14, 2016
Quantum Computing is also emerging quickly. In 2011 Microsoft
created a Quantum Architectures and Computation Group with a mission to
advance the understanding of quantum computing, its applications and
implementation models. In February 2017, Brian Krzanich, CEO of Intel
said he was ``investing heavily'' in quantum computing during a
question-and-answer session at the company's investor day. Earlier this
month in March 2017, IBM announced that it's planning to create the
first commercially-minded universal quantum computer.
Today's computers work by manipulating bits that exist in one of
two states: a 0 or a 1. Quantum computers aren't limited to two states.
By harnessing and exploiting the laws of quantum mechanics to process
information a quantum computer can encode bits which contain these
multiple states simultaneously and are referred to as Quantum bits or
``qubits''. Quantum computing has the potential to be millions of times
more powerful than today's most powerful supercomputers. Last year, a
team of Google and NASA scientists discovered a D-Wave quantum computer
was 100 million times faster than a conventional computer.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Source: Universe Review
This means that many computing challenges and difficult computation
tasks, long thought to be impossible (or ``intractable'') for classical
computers, will be achieved quickly and efficiently by quantum
computing. This type of leap forward in computing could allow not
only for faster analysis and computation across significantly larger
data sets; it would also reduce the time to discovery for many business,
intelligence and scientific challenges which include improving energy
grids, protecting and encrypting data, simulations of molecules,
research into new materials, development of new drugs, or understanding
economic catalysts. Quantum Computing can reduce time spent on physical
experiments and scientific dead ends, resulting in lower costs and faster
solutions that can provide economic and societal benefit.
Blockchain, as many people know it, is the technology behind Bitcoin.
A blockchain is a distributed database that maintains a continuously
growing list of ordered records called blocks. Each block contains a
timestamp and a link to a previous block. By design, blockchains are
inherently resistant to modification of the data. Once recorded, the
data in a block cannot be altered retroactively. Blockchains are an
open, distributed ledger that can record transactions between two
parties efficiently and in a verifiable and permanent way. The ledger
itself can also be programmed to trigger transactions automatically.
The technology can work for almost every type of transaction
involving value, including money, goods and property. Its potential
uses are wide ranging: from collecting taxes to more effectively
managing medical records to anything else that requires proving data
provenance.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Source: WEFORUM.ORG
Artificial Intelligence is progressing rapidly with everything from
SIRI to self-driving cars relying on it to automate specific tasks. While
there is a wide variety of definitions of AI, artificial intelligence
today is properly known as narrow AI (or weak AI), in that it is
designed to perform a narrow task (e.g., only facial recognition or
only Internet searches or only driving a car). However, the long-term
goal of many researchers is to create general AI (or strong AI). While
narrow AI may outperform humans at whatever its specific task is, like
playing chess or solving equations, general AI would outperform humans
at nearly every cognitive task.
Machine learning is a branch of artificial intelligence (AI).
Machine learning is also one of the most important technical approaches
to AI. It is the basis of many recent advances and commercial
applications of AI. Machine learning is a statistical process that
starts with a body of data and tries to derive a rule or procedure that
explains the data or can predict future data.
A simple way to describe how ML works is as follows: In traditional
programming, you give the computer an input--let's say 1+1. The
computer would run an algorithm created by a human to calculate the
answer and return the output. In this case, the output would be 2.
Here's the crucial difference. In machine learning, you would instead
provide the computer with the input AND the output (1+1=2). You'd then
let the computer create an algorithm by itself that would generate the
output from the input. In essence, you're giving the computer all the
information it needs to learn for itself how to extrapolate an output
from the input. In classrooms, it's often stated that the goal of
education is not so much to give a growing child all the answers, but
to teach them to think for themselves. This is precisely how machine
learning works.
AI has applications in everything from agriculture, for crop
monitoring and automated (GPS-enabled) irrigation/harvesting systems, to
the media and advertising industry, with facial recognition advertising.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Source: BofA Merrill Lynch Global Research
The Information Risk and Security Implications
The digital disasters that could be created if we don't manage the
risks ahead
These days, it's hard to read an online news source, pick up a
newspaper, or watch TV without seeing reports of new threats:
cybercrimes, data breaches, industrial espionage, and potential
destruction of national infrastructure. These reports inevitably leave
the impression that we are drowning in an inexorable tide of new and
terrifying threats. Reports such as: ``CloudPets' woes worsen: Webpages
can turn kids' stuffed toys into intrusive audio bugs'' read the
headline on March 1, 2017 posted on The Register by Richard Chirgwin.
``Fatal flaws in ten pacemakers make for Denial of Life attacks'' wrote
Darren Pauli on December 1, 2016. Whether it is these headlines or the
ones from June 2015 reporting ``that hackers show how to remotely
crash a Jeep from 10 miles away'' or the countless other headlines
communicating vulnerabilities found or the breaches that have occurred,
there is one common denominator that exists today and will exist
tomorrow. Any device that executes code has the ability to be
compromised and execute malicious code.
Emerging technology such as IoT, Blockchain, quantum computing, and
artificial intelligence offer tremendous promise for benefit, but if
poorly designed, developed, and implemented, and there is a likely
ability to execute malicious code, harm will occur. The variety of risks
and impacts to individuals, to our businesses, the economy, and
potentially to society could be wide ranging and financially significant.
When assessing risk, I think it is important to look at data. Here
is some data from recent surveys and studies:
2016 Europol Internet Organized Crime Threat Assessment Report
  - Increased acceleration of previous threat and vulnerability
    trends
  - APT and cybercrime boundaries blur
  - Majority of attacks are neither sophisticated nor advanced:
    techniques are reused, recycled, and re-introduced
  - Investing in prevention may be more effective than
    investigating
2016-2017 National Association of Corporate Directors Public Company
Governance Survey
  - Cybersecurity threats are expected to have the fifth
    greatest effect on a company in the next 12 months
  - 75 percent of respondents report short-term performance
    pressures compromise management's and the board's ability to
    focus on the long term
  - Directors continue to wrestle with effective oversight of
    cyber risk. Many of them lack confidence that their companies
    are properly secured and acknowledge that their boards do not
    possess sufficient knowledge on this growing risk
ISSA--Through the Eyes of Cyber Professionals--Part 2
  - 45 percent of cyber professionals think their organizations
    are significantly vulnerable to cyberattacks
  - 47 percent think their organizations are somewhat vulnerable
    to cyberattacks
  - 40 percent of cyber professionals want goals established for
    IT around cybersecurity
  - 44 percent of cyber professionals indicate they do not get
    enough time with the board
  - 21 percent say that business and executive management treat
    cybersecurity as a low priority
  - 61 percent of CISO turnover is due to a lack of a serious
    cybersecurity culture and a lack of active participation from
    executives
The conclusion that I can draw from this data, as well as all the
headlines we see daily on breaches, including the March 9th 2017
headline from Tara Seals at Information Security Magazine that read
``61 percent of Orgs Infected with Ransomware'' is this: We are not in
aggregate doing a good job today managing our risk. We need to do
better. We have to do better. Not only do we need to make immediate
improvements today, we also need to get in front of our future risks.
Otherwise, the potential we have in front of us with technological
advancements, which can benefit individuals, business, government and
our society will be called into question.
We Can Do Better at Controlling for Risk Today as Well as Tomorrow
Emerging technologies, coupled with the right risk profile and control
assessment frameworks enable better risk mitigation.
In the world of cybersecurity, the most frequently asked question
focuses on ``who'' is behind a particular attack or intrusion--and may
also delve into the ``why''. We want to know who the threat actor or
threat agent is, whether it is a nation state, organized crime, an
insider, or some organization to which we can ascribe blame for what
occurred and for the damage inflicted. Those less familiar with
cyberattacks may often ask, ``Why did they hack me?''
These questions are rarely helpful, providing only psychological
comfort, like a blanket for an anxious child, and quite often distract
us from asking the one question that can really make a difference:
``HOW did this happen?''
The current focus on the WHO and the WHY does the industry and
everyone else in general very little service. We need to rethink and
refocus the Security Risk Equation to examine how attacks occur so we
can prevent them in the future.
Let's start by looking at the popular ``risk equation'' commonly
used when assessing the possibility of a breach or cyberattack:
    Risk = Threat x Vulnerability x Asset Value or Consequence/Impact
As someone who has been responsible for managing information risk
and security in the enterprise for 15-plus years, I have thought
through this equation countless times strategically, as well as
tactically, during an incident. The conclusion I have arrived at over
and over and over again is that I have little control or influence over
threat actors and threat agents--the ``threat'' part of the above
equation. The primary variable I do have control over is how vulnerable
I am--meaning the strength of my present as well as my future control.
From a consequence and impact perspective there are only three
primary consequences we need to focus on: Confidentiality, Integrity,
and Availability. Each of these has different potential impacts to an
individual, to an organization, or more broadly to society depending on
the technology or data attacked. When we examine ``how'' attacks are
accomplished we see three core targets for attacks:
  - Attacks on identity credentials
  - Attacks focused on the execution of malware
  - Attacks that create a Denial of Service
So what must always be analyzed and reported on is HOW an intrusion
or attack was successful, so we can give attribution to the control(s)
that failed or the lack of control(s), and to those responsible for
maintaining proper control.
A great example of this sort of investigation and analysis is the
House Committee on Oversight and Government Reform OPM breach report
from September of 2016, and the subsequent report
published in January 2017 by the Office of the Director of National
Intelligence on Background to ``Assessing Russian Activities and
Intentions in Recent U.S. Elections: The Analytic Process and Cyber
Incident Attribution.'' There are a few important items to note from
the upfront background section:
1) ``Intelligence Community judgments often include two important
elements: judgments of how likely it is that something has
happened or will happen (using terms such as ``likely'' or
``unlikely'') and confidence levels in those judgments (low,
moderate, and high) that refer to the evidentiary basis, logic
and reasoning, and precedents that underpin the judgments.''
2) The nature of cyberspace makes the attribution of cyber
operations difficult, but not impossible. Every kind of cyber
operation--malicious or not--leaves a trail. U.S. Intelligence
Community analysts use this information, their constantly
growing knowledge base of previous events and known malicious
actors, and their understanding of how these malicious actors
work and the tools that they use, to attempt to trace these
operations back to their source.
The government--which has badges, guns, jails and laws to enforce--
should continue to focus law enforcement and other government agencies
on attribution related to the source(s) of attacks, so they can take
action to deter (via conviction and jail time) the threat actors who
wish to do harm. They can also, post-incident, if enough evidence
exists, attempt to detain and prosecute those responsible. However,
this alone is a completely insufficient form of attribution and, per
the report itself, has a degree of judgment.
Learning from the History of Attribution
One thing that can be done with complete certainty is to look
closely at HOW the threat actors were successful, and hold those people
and organizations accountable. We can also look back in history and
learn how every other reported intrusion occurred in the past decade,
including the now-infamous attacks on Sony, Home Depot, OPM, Yahoo,
Target, Anthem, and JPMC. This attribution is irrefutable, and the only
question we now have left to answer is why the same story has presented
itself over and over again, and why we (as an industry) are failing to
pay attention to it.
All of these intrusions have been successful due to one or both of
the following incidences occurring:
1) Control(s) that failed, and/or
2) Incomplete or lack of control(s)
We can attribute the source of these items very simply and with
certainty by answering two basic questions:
1) Who is accountable for the control environment?
2) Who created the control(s) that failed?
So, whom should we really hold accountable for the success of all
these intrusions? The none-too-flattering answer is that while the
breached organizations or the creator of the technology that was
vulnerable may shoulder some of the blame, we can attribute the success
of these attacks in many cases to the cybersecurity industry itself.
Here is the simple reason: the security industry sells controls
that fail, and do so repeatedly. And here's the rub. These products and
services don't just fail in extreme conditions or due to highly unusual
or sophisticated attacks. Every one of the organizations that suffered
a breach was relying on the capabilities of a security provider that
failed to prevent the attack.
Why are these vectors so easy? The simple reason is that in many
cases, the security solutions deployed don't work with a high enough
success rate to make an attack difficult or even challenging.
Disengaging from the Blame Game
In order to move forward and refocus our industry's energies on
making attacks more difficult for malicious actors, we need to break
free from our own obsessive infatuation with attribution. By investing
all of our resources into finding out ``whodunnit,'' we get to play the
victim card to minimize our own responsibilities and limit our
liabilities. None of that helps the organizations that have been
breached or the customers and clients who trusted those companies with
their private information.
Instead, we need to focus on WHY those intrusions were successful,
so we can give attribution to the real source of the intrusion--the
controls that failed or lack of control.
This form of attribution will bring real accountability, and
recalibrate our collective sights to take aim at the one variable in
the risk equation that we have real influence over--our strength of
control. Then, and only then, can we start to make a difference and put
a bend in the curve of risk we have been witnessing, versus continuing
to let it grow unchecked.
Control frameworks that add value
I have said for years that the core of business-driven security and
the mission of the information risk and security team is ``Protect to
Enable.'' When you are protecting to enable people, data, and the
business, you are proactively engaged upfront and aligned with the
business on the evaluation of how to achieve the business objective,
while best optimizing your controls.
I achieve that through my ``9 Box of Controls'' approach that was
published in September of 2016 in the second edition of my book--
Managing Risk and Information Security: Protect to Enable. Let me
explain my perspective on controls. My perspective is rooted in my
experiences as a business leader and in my many years in Finance,
including my role as a profit and loss manager for a billion dollar
business unit in the late 90s. It is a control philosophy that I have
carried forward in my roles in security, but one that I believe is
lacking in the industry.
An important aspect of this perspective is the concept of control
friction. I've developed a simple framework called the 9 Box of
Controls, which takes the issue of control friction into account when
assessing the value as well as the impact of any control, including
information security.
I believe that the 9 Box of Controls includes some actionable
perspective that may be valuable to many organizations facing these
universal risk challenges. My conversations with peers at other
companies have validated this view. Many of them are now using the 9
Box to drive not only tactical, but also strategic discussions in their
organizations around where they are spending their resources today, and
where they should be headed long term.
Types of Security Controls
There are three primary types of security controls: prevention,
detection and response:
  - Prevention occurs when an action or control prevents a
    vulnerability up front in the design and development, or
    prevents an infection or cyberattack in its tracks before it
    affects users or the environment
  - Detection means identifying the presence of a vulnerability
    or detecting something malicious that has already entered the
    environment
  - Response is a reaction to the discovery of a piece of
    malicious code, attempting to remove it after it has already
    affected the user or the organization
From a risk perspective, prevention focuses on minimizing
vulnerability and the potential for harm, while detection and response
focus on minimizing damage. When you are focused on minimizing damage,
the main variables to turn the reactive risk dials are (a) time to
detect and (b) time to contain.
There are also three primary approaches one can take to implement a
control: automated, semi-automated, and manual.
  - Automated control occurs entirely through machines
  - Semi-automated control involves some level of human
    intervention
  - Manual controls are managed entirely by hand
The combinations of these control types and automation levels
comprise the cells of the 9 Box, as shown in the figure below. Risk
increases as we move from prevention, to detection, to response. Cost
increases as we move from automated to semi-automated to manual
controls.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
A Note on Control Friction
However, there is a third dimension to the 9 Box: control friction.
As we know, friction is the force that causes a moving object to slow
down when it comes into contact with another object. Similarly,
controls can impose a ``drag coefficient'' on business velocity--they
can slow the user or a business process. Just think of the groan issued
by PC users when they switch on their machine to complete an urgent
task, only to find it indisposed for the next half hour due to a patch
or virus scan. Or think of the impact on time to market if your design
or development practices are bogged down with slow and cumbersome
security development lifecycle or privacy by design efforts.
However, friction is not a fundamental, immutable force like
gravity or electromagnetism. Instead, we have the ability to determine
exactly how much control friction we apply. Apply too much control
friction, and business users may choose to circumvent IT security
controls or the product security controls in the upfront design of
technology. This adds not only cost but also risk, because the
security team lacks visibility into the technology being created or
used. So it cannot prevent vulnerabilities or compromises, detection
becomes difficult due to lack of visibility, and in many cases,
response after the fact becomes the only option.
If a business adheres to high-friction controls, the long-term
effect can be the generation of systemic business risk. High-friction
controls can hinder business velocity; the organization can lose time
to market and the ability to innovate, and over the long term it may
even lose market leadership.
Implementing the NIST (National Institute of Standards and
Technology) Cybersecurity Framework and continuously walking through
the macro steps that it outlines is also another approach we should all
continue to adopt and promote.
Prevention Steps: Identify and Protect.
Reaction Steps: Detect, Respond, and Recover.
If implemented properly, the NIST framework can set the stage for
having the right discussion within an organization on information risk.
It can also, when viewed in the context of the 9 Box of Controls, drive
a ``shift left and shift down'' to better enablement, which results in
the lowest risk, lowest cost, least amount of liability, and lowest
control friction spot--so we can all ``Protect to Enable'' not only our
organizations for today and tomorrow but also our customers.
I also hope that with the right discussion we can all focus on
``not'' positioning the work of managing risk as an ``either this or
that'' function. We need to recognize and remember compliance does not
equal security. We need to avoid positioning business velocity vs.
business control. We need to avoid positioning privacy as a balancing
act against the need for security. If we start with a mindset of
trading these items off against each other, we will not be successful,
because we will design our digital transformation to be at odds with
the digital control needed to do this right. And then, we will be left
with throwing money at symptoms after the fact, reactively detecting
and responding to risk rather than fixing the problem from the ground
up.
How emerging technologies can help
Any future security architecture we implement must provide better
prevention, and it must also be more flexible, dynamic, and more
granular than traditional security models. A new architecture also
needs to greatly improve threat management. We need to do this in the
upfront design, development, and validation during the creation of
technology to reduce vulnerabilities well before the technology gets
deployed. And as new attacks appear, we need a security system that is
able to recognize good from bad in milliseconds, so that it can stop
the bad and allow the good. For any attack that gets past these
preventive controls, we need to be able to learn as much as we possibly
can without compromising the user's computing performance or privacy.
This information enables us to investigate exactly what occurred, so we
can take immediate action to mitigate the risk whilst also learning how
to prevent similar attacks in the future.
A control architecture should assume that attempts at compromise
are inevitable--but we should also understand that it is possible to
achieve real prevention for 99 percent or more of risks that could
occur, including that of malicious code and zero-day attacks caused by
mutated malware. Should a piece of malicious code attempt to execute,
we can then instantly apply artificial intelligence and machine
learning to analyze the features of files, executables, and binaries to
stop the code dead in its tracks before it has a chance to harm the
environment. For the remaining attacks--representing less than 1
percent of malware--we need to focus heavily on survivability.
Blockchain, as explained earlier, has significant value well beyond
the implications of a new form of money. By design,
blockchains are inherently resistant to modification of the data. Once
recorded, the data in a block cannot be altered retroactively. The
implications then to use blockchains as a method to overcome many of
the current weaknesses and vulnerabilities of the Internet and usher in
a new age of trusted secure transactions is significant.
Quantum computing also offers exciting possibilities to enhance
security. As mentioned earlier, this type of leap forward in
computing could allow not only for faster analysis and computation but
also for computation across more data sets. Reducing the time to
discovery in simulations can be used not only to aid research into
things like new materials, drugs, or industrial catalysts; the same
tactic can also reduce time spent on finding vulnerabilities in the
design and development cycle for technology. This will then lower
control friction on the developers of technology and increase the
probability that they can find and fix a vulnerability prior to
deployment. Doing so will not only lower secure design costs, it will
speed up an organization's time to market with
technology that is inherently less vulnerable to attack. The final
result will be a broad reduction of societal and individual risks.
Artificial intelligence and more specifically machine learning are
here today and Cylance is already demonstrating the impact it can have.
As I mentioned in the initial section of my testimony Cylance is the
first company to apply artificial intelligence, algorithmic science,
and machine learning to cybersecurity and improve the way companies,
governments, and end-users proactively solve the world's most difficult
security problems. Using a breakthrough predictive analysis process,
Cylance quickly and accurately identifies what is safe and what is a
threat, not just what is in a blacklist or whitelist. By coupling
sophisticated artificial intelligence and machine learning with a
unique understanding of an attacker's mentality, Cylance provides the
technology and services to be truly predictive and preventive.
In the future artificial intelligence and machine learning will
also be able to solve other vexing issues that we face today such as
passwords and identity management used to authenticate and authorize
users. We will also be able to mitigate distributed denial of service
attacks using the ability to predict and thus prevent in automated
fashion the flood of requests that can so easily disrupt an
organization today.
JFK once said, ``The problems of the world cannot be solved by
skeptics or cynics whose horizons are limited by the obvious realities.
We need men who can dream of things that never were and ask why not.''
When AI, quantum computing, and blockchain are combined with the right
approach and the right architecture, the reduction in risk, the
reduction in the cost of control, and the reduction in the control
friction experienced by users and business will be dramatic.
Making Sure Tomorrow Is Better Than Today
The Perils and the Promise of Emerging Technologies for Cybersecurity
I read an article by Forbes leadership advisor and author Mike
Myatt just a few weeks ago. I was reminded of something I was told a
long time ago; ``If there is a conversation you have been avoiding,
that's the one to have.''
I think there is a broader conversation that we as a security
industry, as well as a tech industry, have avoided, and in some cases
have intentionally distracted others away from having. In reality,
there are two discussions--one for the creators/users of technology and
one for the security industry. Both share a common conclusion that
results in harm to others. Beyond that, both problems have a path
forward that can address these failings.
What Every CEO Should Know
Myatt wrote a great piece last month titled Digital Transformation
or Digital Free Fall: What Every CEO Must Know.
In the article, he astutely explains, ``Innovation has always been
synonymous with business survival and that hasn't changed. What has
changed is the pace and scale at which businesses must innovate to
remain competitive in a digital world. The speed of technology advances
in the market are making the old paradigm of first mover versus fast
follower largely irrelevant--every business must now become some
version of a first mover.''
He also goes on to point out that ``Digital transformation is
really more of a leadership, culture, strategy, and talent issue than a
technology issue. Real digital transformation occurs when business
models and methods are reimagined by courageous leaders willing to
manage opportunity more than risk, focus on next practices more than
best practices and who are committed to beating their competition to
the future.''
In my second book, I published a set of 9 Irrefutable Laws of
Information Risk. Law #9 states: ``As our digital opportunities grow,
so does our obligation to do the right thing.'' I believe this is a
crucial point that was left out of Myatt's piece.
Courageous leaders in digital transformation realize that business
survival is also about managing risk, not just managing or chasing
opportunity. Too many organizations today are chasing digital
opportunities while risking their customers, and in some cases,
society. Richard Rushing, CISO at Motorola Mobility, posted in December
a picture from a presentation that read, ``We're building self-driving
cars and planning Mars missions--but we haven't even figured out how to
make sure people's vacuum cleaners won't join botnets.''
The Real Life Implications of Digital Transformation
Digital transformation as discussed throughout my testimony is
embedding technology into the fabric of our lives. Typically, these
technologies are meant to help or assist users, but one key element is
often overlooked: Exploits that take advantage of technological
vulnerabilities will increasingly impact the well-being of almost
everyone in our society. So, it is incumbent upon all of us to properly
shape the way we design, develop, and implement digital transformations
to best manage and mitigate the information security, privacy, and
other risks that are being generated, while still challenging ourselves
to create technology that helps people.
The World Economic Forum 2017 Global Risk Report had Cyber
Dependence in its top five risk trends, just below climate change and
polarization of societies. It also indicated that ``. . . technology is
a source of disruption and polarization.'' I also believe technology is
a tremendous opportunity for economic and societal benefit. I believe
that technology can connect and enrich people's lives--if done
correctly and for the right reasons.
The 2017 Edelman Trust report, published recently, agreed that ``we
have a trust collapse'', adding, ``We have moved beyond the point of
trust being simply a key factor in product purchase or selection of
employment opportunity; it is now the deciding factor in whether a
society can function . . . the onus is on business to prove that it is
possible to act in the interest of shareholders and society.''
A growing digital economy relies on trust. Breaking someone's trust
is like crumpling up a perfectly good piece of paper--you can work to
smooth it over, but it's never going to be the same. I have said it
before and I will say it again: Managing information risk isn't about
saying ``No,'' it's about protecting to enable people, data, and
business. We have to run towards risk to shape the path of the risk
curve. CISOs need to do this, ideally, in front of business and
technological opportunities or, at a minimum, in line with them. That
is the best way we have to understand the risk dynamics to our
organizations, shareholders, customers, and society. That is the best
way to prevent risk that is avoidable in a proactive fashion.
If we carelessly implement technology in order to chase
opportunities or simply prove that we can, we won't be successful in
realizing digital transformations that can change lives and protect our
people. Instead, we will be setting ourselves up for a digital
disaster. By focusing on the opportunities along with our obligations
to implement them the right way, we can achieve digital transformation and
digital safety to ensure tomorrow is better than today for everyone.
With this mindset, we can avoid not only the digital free fall that
Myatt discussed, but also the digital disaster that could lie ahead.
Conclusion
Thank you again for the opportunity to provide testimony. I will be
happy to answer any questions.
The Chairman. Thank you, Mr. Harkins.
Mr. Rosenbach?
STATEMENT OF HON. ERIC ROSENBACH, FORMER DOD CHIEF OF STAFF,
FORMER ASSISTANT SECRETARY OF DEFENSE FOR HOMELAND DEFENSE AND
GLOBAL SECURITY
Mr. Rosenbach. Good morning, Chairman Thune, Ranking Member
Nelson, distinguished members of the Committee. Thank you very
much for holding this important hearing, and thank you for the
invitation. You've heard up until now from a lot of experts on
the technology and the ecosystem in the United States, and I
thought it might benefit the members of the Committee to hear
the cyber perspective at a little bit of a more strategic
level, based on some of my impressions in cyber issues in the
last 7 years at the Department of Defense.
The rapid rise of emerging technologies and the Internet of
Things will result in essential economic growth for America.
This is important. The United States must continue to
outperform competitor nations like China in the development and
adoption of emerging technologies. These technologies must be a
true economic center of gravity.
But as the number of Internet-connected, artificial
intelligence-driven devices increases, policymakers and
legislators need to address the associated increase in the
nation's vulnerability to strategic cyber attacks. The
fragility of our national cybersecurity posture combined with
our adversaries' perception that Russia's recent successful
cyber attacks on the United States will increase the likelihood
that we will experience more serious attacks in the coming
years.
As we unlock new technological innovation, we will live in
a glass house that must be better protected, and without an
improved defensive posture, this vulnerability may impact the
calculus of U.S. national security policymakers down the road.
Thus, it's important to understand the strategic perspectives
of two competitors and sometimes adversaries in the cyber
domain: China and Russia.
Over the past decade, China has pursued a national strategy
to challenge the United States world leadership in emerging
technologies. The Chinese government has invested heavily in
research and development of technology that underpins
supercomputing, artificial intelligence, and blockchain. Those
investments have resulted in genuine achievements. Last year,
for example, China unveiled the world's fastest supercomputer
and announced that it owned more of the top 500 supercomputers
than any other nation in the world.
Chinese firms and research institutions, nearly always
supported by state funds, have made advances in artificial
intelligence that some corporate leaders believe will make
China the world leader in hardware-based AI within the next
several years. Over the past 3 years, China has also
strategically established itself as the world leader in the
research and deployment of blockchain technologies,
particularly in the area of financial technology, known as
Fintech.
China currently leads the world in the number of citizens
using Internet payment and Fintech applications, and the
government continues to facilitate the growth of this sector
with a permissive regulatory environment and strong investments
in Fintech firms. China recognizes that the Fintech Revolution
is about more than fancy payment apps and Bitcoin. It has the
potential to disrupt the American-dominated financial sector
and increase Chinese economic influence around the world.
Although the vast majority of Chinese investment and
research in these emerging technologies focuses on improving
the country's economic competitiveness, China also has programs
dedicated to integrating new technology into security-focused
cyber capabilities. For example, the Chinese have incorporated
AI and supercomputing technology into the Great Firewall of
China. These advances give China an upper hand not only in
defending their domestic critical infrastructure, but also in
taking offensive actions against key targets, including the
United States.
Moving on to Russia, investment and research in emerging
technologies are likely a decade behind the U.S. and China.
However, President Putin has taken a deep personal interest in
quickly closing this gap. In the meantime, Putin's recognition
that his military does not have the ability to go head-to-head
with U.S. next-generation military capability drives the
Russian strategy to develop cyber capabilities to disrupt new
technologies in both civilian and military environments.
In short, the Russians know that they can impact American
strategic calculus--and control the escalation ladder of
conflict--by attacking civilian targets in the Internet-of-
Things and the military networks that connect AI-enabled
weapons. Combined with the Russians' proven deep experience
with spreading strategic disinformation, this form of cyber
warfare should be a serious concern.
Russia's demonstrated willingness to conduct cyber attacks
against civilian targets is unprecedented and has serious
implications for a world that relies on the Internet-of-Things.
Recent Russian cyber attacks against Ukraine took down a
significant portion of that country's power grid and
represented one of the first known cyber attacks that resulted
in a physical effect. But these attacks barely drew criticism,
let alone action, from the international community.
Additionally, every American should be deeply concerned
that the United States democratic system of government was
attacked by Russia during an important Presidential election.
This is not a partisan matter. Our democratic system serves as
an example to the free world. We must overcome politics and
protect ourselves and allies from being undermined by
adversaries in the future.
Without clear action in the near term, the Russians'
inevitable perception will be that they can conduct strategic
cyber attacks with impunity. This will likely result in further
attacks in the future.
Mr. Chairman, in the interest of time, I'll submit the rest
of my statement for the record to allow you all to ask as many
questions as possible.
[The prepared statement of Mr. Rosenbach follows:]
Prepared Statement of Hon. Eric Rosenbach, Former DOD Chief of Staff
and former Assistant Secretary of Defense for Homeland Defense and
Global Security
Chairman Thune, Ranking Member Nelson, and distinguished members of
the Committee, thank you for calling this important hearing on ``The
Promises and Perils of Emerging Technologies for Cybersecurity'' and
for the invitation to testify today.
The rapid rise of emerging technologies and the internet-of-things
will result in essential economic growth for America. This is
important: the United States must continue to make the development and
adoption of emerging technologies an economic center of gravity. But as
the number of internet-connected, artificial intelligence (AI) driven
devices increases, policymakers and legislators need to address the
associated increase in the Nation's vulnerability to strategic
cyberattacks. The fragility of our national cybersecurity posture,
combined with our adversaries' perception that Russia's recent
cyberattacks achieved unprecedented success, increases the likelihood
that the United States will experience more serious attacks in the
coming years.
As we unlock new technological innovation, we will live in a glass
house that must be better protected. Without an improved defensive
posture, this vulnerability may impact the calculus of U.S. national
security policymakers. Thus, it's important to understand the strategic
perspectives of two competitors and adversaries in the cyber domain:
China and Russia.
Chinese and Russian Strategy for Emerging Technologies
Over the past decade, China has pursued a national strategy to
challenge the United States world leadership in emerging technologies.
The Chinese government has invested heavily in the research and
development of technology that underpins supercomputing, artificial
intelligence, and blockchain. Those investments have resulted in
genuine achievements. Last year, for example, China unveiled the
world's fastest supercomputer--and announced that it owned more of the
top 500 supercomputers than any other nation in the world. Chinese
firms and research institutions, nearly always supported with state
funds, have made advances in artificial intelligence that some
corporate leaders believe will make China the world leader in hardware-
based AI.
Over the past three years, China has also strategically established
itself as the world leader in the research and deployment of blockchain
technologies, particularly in the area of financial technology (known
as Fintech). China currently leads the world in the number of citizens
using Internet payment and fintech applications, and the government
continues to facilitate the growth of this sector with a permissive
regulatory environment and strong investments in fintech firms. China
recognizes that the ``Fintech Revolution'' is about more than fancy
payment apps and Bitcoin. It has the potential to disrupt the American-
dominated financial sector and increase Chinese economic influence
around the world.
Although the vast majority of China's investment and research in
these emerging technologies focuses on improving the country's economic
competitiveness, China also has programs dedicated to integrating new
technology into security-focused cyber capabilities. For example, the
Chinese have incorporated AI and supercomputing technology into the
massive ``Great Firewall of China'' used to isolate Chinese Internet
users from the outside world. These advances give China an upper hand
in not only defending their domestic critical infrastructure networks,
but also in taking offensive actions against key targets, including in
the United States.
In Russia, investment and research in emerging technologies are
likely a decade behind the U.S. and China; however, President Putin has
taken a deep personal interest in quickly closing this gap. In the
meantime, the clear recognition that Russia's military does not have
the ability to go head-to-head with next-generation U.S. military
capabilities has driven the Russian strategy to develop military cyber
capabilities to disrupt new technologies in both civilian and military
environments. In short, the Russians know that they can impact American
strategic calculus--and control the escalation ladder of conflict--by
attacking civilian targets in the internet-of-things and the military
networks that connect AI-enabled weapons. Combined with the Russians'
proven deep experience with spreading strategic disinformation, this
form of cyberwar should be a serious concern.
Russia's demonstrated willingness to conduct cyberattacks against
civilian targets is unprecedented and has serious implications for a
world that relies on the internet-of-things. Recent Russian
cyberattacks against Ukraine, which took down significant portions of
that country's power grid and represented one of the first known
cyberattacks that resulted in a physical effect, barely drew
criticism--let alone action--from the international community. The
Russians' inevitable perception that they can conduct strategic
cyberattacks with impunity is likely to encourage further attacks in
the future.
Every American should be deeply concerned that the United States'
democratic system of governance was attacked by a foreign nation during
an important presidential election. This is not a partisan matter. Our
democratic system serves as an example to the free world. We must
overcome politics to protect ourselves and our allies from being
undermined by our adversaries in the future.
Chinese and Russian strategies for dealing with emerging
technologies present the United States with two very different
challenges: In China, the U.S. faces a competitor who is focused
primarily on developing next-generation technologies more quickly than
the U.S. in order to displace us as the world's economic and military
leader. In Russia, the U.S. faces an adversary who seeks to use advanced
cyberattacks and information operations to undermine the strength of
our democracy and the efficacy of next-generation military
technologies.
Although the challenges posed by these nations differ, both cases
underscore the need for a new national cybersecurity strategy that
forces bold action and cooperation by the government and private
sector. To mitigate the risk of cyberattacks, one essential component
of this strategy should be for the government and private sector to
invest in and adopt new technologies that will aid cyber defense, such
as AI-enabled cybersecurity, cloud-based security-as-a-service
solutions, blockchain and super/quantum computing. Facilitating the
development of these technologies will not only improve our
cybersecurity, but also strengthen one of the few remaining American
economic centers of gravity.
Additionally, a new strategy for national cybersecurity
contains at least three other components: (1) the U.S. must immediately
bolster deterrence of cyberattacks that threaten vital national
interests; (2) Congress must clarify key regulatory issues that would
promote the growth of key technologies with large potential to
facilitate economic growth, such as blockchain and FinTech; and (3)
Congress must pass targeted legislation that provides the private
sector with a framework for improved cybersecurity standards and
incentives for information sharing.
The U.S. has enjoyed extraordinary economic success because of the
open Internet we created--it is imperative we lead the world in
securing it for decades to come.
The Chairman. Thank you, Mr. Rosenbach, and I'm going to
yield my time in the interest of giving as many people an
opportunity to ask questions to Senator Wicker.
STATEMENT OF HON. ROGER F. WICKER,
U.S. SENATOR FROM MISSISSIPPI
Senator Wicker. Well, let me just ask all of you to tell us
what needs to happen in the workforce and in our American
education system to meet these opportunities and challenges.
And we might as well just start with Mr. Barlow and go down the
line. Are we ready? Are we anywhere where we need to be?
Mr. Barlow. Thank you, Senator. Well, as I stated earlier,
we've got a 1.5 million person gap globally, and there are a
couple of things we need to do. One of the things we've got to
recognize is we need more women in this field. You know, the
number of women in the cybersecurity space and technology in
general is far too low. We also have to look at----
Senator Wicker. What is that figure here in the United
States?
Mr. Barlow. I don't know, but I could get it to you in our
comments. It's very low, sir, particularly in the technical
security ranks. When we look for things like security
operations professionals that would sit in an operation center,
the number is very, very low.
But in addition to that, when we look toward universities,
one of the things we really need to do is have universities
step up and start producing degrees at scale. You know, the
last time we saw an entrant in the C suite, it was the chief
information officer. Well, now we have a chief information
security officer. Where are the departments? Where are the
degree programs?
But I think the last and most important thing is we've also
got to look toward what we call at IBM new collar jobs, ways in
which we can bring people in that maybe don't have a
traditional 4-year degree in computer science and train them up
to work in a security operations watch floor. And we think that
that's absolutely possible when we augment those people with
technology that can help bring them up to speed quicker and
help them learn.
Senator Wicker. Where are we going to find these people?
What level of education do they need to have before we bring
them into training for new collar jobs?
Mr. Barlow. Well, I think that, you know, one of the things
we have to recognize is in the cybersecurity space, we need not
only traditional technologists, but we also need people like
linguists. So we're going to find them from all over. I think
the real question is: Do they have the willingness to learn the
forensics, learn the technological, and learn the science
behind it?
What I find that I think is so fascinating is that the kind
of mindset that you bring into a security operations center is
much more analogous to what you might find in a traditional law
enforcement career. You need people with an investigative
brain, and I think we can find those people well beyond where
we've traditionally looked for IT talent.
Senator Wicker. Others?
Mr. Ganesan. Thank you for the question, Senator. I
actually think this is a tremendous opportunity for us. Yes, we
have a shortage of cyber skills, but there's an opportunity to
create a million-plus, maybe 2 million jobs in this country
that are going to be high-paying, high-skilled, and cannot be
outsourced. Because of various reasons, you want people doing
cybersecurity to be based here.
I think the opportunity is: you don't need to go to
college. You can, but you don't need to. You don't need a four-
year degree. A two-year program, a one-year vocational program
can get people good enough to do a lot of the security
operations jobs we're talking about, and I think these can be
skilled jobs that are high-paying, resident here, and I think
if you put a collective focus on it, this will be both an
offensive move in making sure we have the right cybersecurity
infrastructure in this country and a move to re-energize our
economy and create jobs in America.
Mr. Grobman. I would agree with many of the statements made
that we do need to look to non-traditional methods to get
people into the cyber workforce. One thing that's unique about
cybersecurity as a profession is it rapidly changes, so the
skills that you need today are not going to be the skills that
you need tomorrow. The typical individual in cybersecurity
needs to be able to continuously learn and adapt to the ever-
changing threat landscape.
Unlike a civil engineer who may use the principles of
statistics and dynamics that will suit them well for their 40-
year career, what you know about today will need to be
completely retooled. So partnering with our government, looking
at things such as the potential for a cyber national guard as
well as really focusing on community colleges as well as
traditional educational institutions are key things.
Mr. Harkins. I would like to add some perspective to the
1.5 million job gap that we have. If you look at that--and,
again, from a perspective of somebody who has run this--the
reason why we have that gap is because we haven't prevented the
problems. Most of those job openings are reactive--to detect
and respond.
I think the bigger skill gap that we have is, again, how do
you design and develop technology with fewer vulnerabilities to
begin with? If you did that, we wouldn't have as big of a skill
gap. If we had better technology that actually prevented the
harm, we wouldn't have as big of a skill gap.
Now, I still think we're going to always need the fireman
and the responders, and we're going to need the investigators,
and I agree with the comments that we need people with a
diverse set of backgrounds. But I also think we need to go
earlier in the education cycle. We need to start at the grade
school and high school level and teach basic skill and acumen,
how to do coding and how to do it right, and then further that
education when people get into undergraduate and postgraduate
work.
Mr. Rosenbach. I'll be very quick. We struggled with this
problem at the Department of Defense when building Cyber
Command and trying to protect all our networks. So there are
two strategies, in brief. First, we decided to grow these
individuals internally, which meant that we put them through
high-end training. After a year and a half, they would have
pretty high-end skills, the equivalent of a Special Forces
operator in the cyber world.
Now, we want them to stay in the military, but if they
decide to get out, that's a great pipeline for that highly
skilled workforce that benefits the rest of the economy. You
see that model very pervasive in a lot of other countries,
Israel in particular.
Second, we've worked very closely with the National Guard
to have citizen soldiers that will go in and out of the
military, develop skills, but then also take those skills back
to the private sector. Building on those two models is
something that I think holds promise.
Senator Wicker. Thank you.
The Chairman. Thank you, Senator Wicker.
Senator Nelson?
Senator Nelson. Yesterday, the Director of the FBI outlined
what the Russians had done in this past election, and he opined
they may be planning to do it to us again in 2020 and possibly
2018. Just 4 days ago, four Russian citizens were indicted in a
scheme that took 500 million accounts from Yahoo. So they now
have the capability of spying on White House officials,
military officers, bank executives, and airlines. So the
actors, Russia and China--this, of course, is pretty serious
business.
So what, really, Mr. Rosenbach--if they can get access to
the personal, financial, and health information, then they
really have the keys to being able to manipulate citizens as
well as the government. So why is the country not alarmed?
Mr. Rosenbach. Senator, I don't know as much about why
there's not more alarm about this. To me, personally, this is
something that is very, very serious. And, as you heard from my
opening statement, I think deterrence is a very important
aspect of this. Deterrence is something that is an inherently
governmental role, and we need to think about how to bolster
our deterrence posture so that not only the Russians, but other
adversary states do not have the perception--because deterrence
is based in perception--that they can influence the American
democratic system either way, and I don't mean this in any
partisan manner, but that is a core national interest,
defending our democracy.
Senator Nelson. Do you think the structure that we have
now, which we passed, but it's voluntary--a cybersecurity
bill--it's voluntary. Do you think voluntary cybersecurity
efforts in the private sector are going to meet this challenge?
Mr. Rosenbach. Sir, I don't. I believe that the framework
that NIST put together, which uses public-private
collaboration, is very strong and is important and is something
that should be in legislation. I also believe that there should
be a system of incentives for increased threat information
sharing, as you heard one of the earlier witnesses talk about,
and that there's some liability protection put in place for
that. Otherwise, I don't think there's a mechanism that will
influence things to change.
Senator Nelson. So you don't think that these are just
private cyber intrusions? These are threats to national
security.
Mr. Rosenbach. Yes, sir, absolutely. As you saw from the
DOJ action, these were both FSB-affiliated individuals, FSB
agents, and then people affiliated with FSB, probably from some
criminal organization. The nexus between those two is tight.
That's the standard MO for the Russians.
Senator Nelson. And what they have been doing is changing
or manipulating data to influence public discourse, in this
case, in the election, and to create confusion. So, obviously,
Russia took advantage of this. Do you think that these
technologies can help us, our country, defend from future
election tampering?
Mr. Rosenbach. Yes, sir, I do, and you could ask some of
the folks who are deeper into the technology. But, for example,
the idea behind blockchain, that there would be a ledger in
which you cannot manipulate the outcome of things, is
attractive when it comes to election and perhaps electronic
voting. However, I would say that technology is very, very
important. There's a lot more to this than just the technology.
Senator Nelson. Any comment from--Mr. Grobman?
Mr. Grobman. Senator, the one thing I would add, which was
in your opening remarks, is one of the big shifts that we see
right now is cybersecurity is moving away from just being about
theft of data and data being used as a weapon itself. Using the
data to extort or cause harm is one of the things that we've
not only seen in the election cycle, but that is the same type
of damage that is done through the Yahoo attack. So it's
important when we think about cybersecurity that we're thinking
about it broadly in terms of many areas, especially in this
emerging field of using data as a weapon.
Senator Nelson. How would you defend if someone put child
pornography onto someone's data system, their laptop, and then
tipped the police that this person is a child pornographer? How
would you defend against that?
Mr. Grobman. I think one of the biggest risks that we have
today is the general public treating leaked data as having
integrity. One of the big challenges is especially around
intermixing legitimate data with fabricated data. You can
increase the confidence that data is real by having part of
that data be accurate, that can be independently verified, but
then overlaid with fabricated data. Whether that fabricated
data is included to cause political harm or to falsely indict
someone in a criminal case, it is critical that we treat any
leaked data with suspicion until every element of it is
independently validated.
Senator Nelson. Thank you.
The Chairman. Thank you, Senator Nelson.
Senator Cantwell and then Senator Inhofe.
STATEMENT OF HON. MARIA CANTWELL,
U.S. SENATOR FROM WASHINGTON
Senator Cantwell. Thank you, Mr. Chairman, and continuing
along this same line, I wanted to make a point that I'm glad to
hear this 2 million job number. The Energy Committee has
already been on this task, and we definitely passed a very good
bill out of the United States Senate that was all about the
various elements that we need to do on workforce; information
sharing; supply chain security, which we haven't spent a lot of
time talking about this morning thus far; and R&D.
Unfortunately, our House colleagues just did not get the
urgency of this. So if any of my colleagues here can help us
with our House colleagues--I mean, literally, in negotiations
and conference, they didn't even--I mean, they almost looked at
it as like some sort of political issue on our side or
something. I don't know. It was just very, very disappointing
that they did not see the urgency of this issue.
The reason I bring that up--and I do want to allude to the
earlier comments by Mr. Barlow and Mr. Ganesan--the University
of Washington Tacoma, which happens to be also the area of
Joint Base Lewis-McChord, our National Guard--so there's a lot
of defense and education overlap on security, so they're
working very well.
But they do have a master's of cybersecurity and
leadership. They have a bachelor's of engineering and
cybersecurity, and then a two-year certificate in cybersecurity
operations. So we've definitely heard--I would throw on an
education person, too, that we need the educators to educate
the people. So they've already identified at that school these
various workforce issues, and, as I said, DOE in our energy
bill was supposed to add to those workforce requirements.
But back to this issue of the grid and Russia, because what
we've identified, too, is we want DOE to be a lead role on
critical infrastructure because the issues that we all just
discussed here require DOE and the grid to be modernized and
continue to have that security discussion with various
providers.
So I don't know if we start with you, Mr. Rosenbach, but
the Ukrainian attacks, Kiev, are something that we could very
easily see here in the United States by a government actor, if
not Russia, others. Is that correct?
Mr. Rosenbach. Yes, ma'am, absolutely. The malware that was
used in the Ukraine attack was actually a variant of something
that we've seen on the networks of critical infrastructure
operators in the United States--so-called black energy--even in
power grids. So it's not just a theoretic case that it could
happen. It could happen, and in the case of the United States,
because the critical infrastructure networks are so much more
highly automated, the damage could be even more severe. In
Ukraine, they were able to manually bring things back up.
Senator Cantwell. Right. I've heard people discuss the
possibility of a cyber 9/11, which I'm assuming they're
referring to the context of a great-scale disruption and chaos.
But in some cases on this critical infrastructure, they've
talked about the disruption that such malware could do to an
actual natural gas or oil pipeline or other critical energy
infrastructure.
I always find it interesting when you see these movies,
like Black Hat or what-have-you, it's always connected to
energy. It's always connected to disrupting energy supply as a
way to also send a shockwave--I don't know if either of the
other witnesses want to comment on the security of that and how
important it is to have DOE play a role on the critical
infrastructure development.
Mr. Harkins. Senator, I think it is absolutely critical,
and I think you're right, and I think that critical
infrastructure, as it was mentioned, does have risks. But,
again, going back to the context of where we're thinking about
emerging technologies and Internet of Things, let's just say we
hardened the electrical grid and hardened the traditional
critical infrastructure. The same effect could occur if I
attacked my home that's fully automated, and take out my
heating, air conditioning, take out the smart meter on my house
that's connected to the Internet. And if you do that en masse
across a metropolitan area, you could keep the grid up, but if
you still affected, let's say, a million people in the greater
Phoenix area during a 120-degree heat wave because you're able
to shut off the refrigerator, shut off their air conditioning,
shut off the electricity in their house, you could have the
same effect.
Senator Cantwell. You're making my point for me.
Mr. Harkins. Yes.
Mr. Ganesan. If I could add, Senator?
Senator Cantwell. Thank you.
Mr. Ganesan. I think critical infrastructure is--I mean
that broadly, as in dams, power grids, electrical grids. That
is a big area of vulnerability for us, and I actually don't
think we are fully prepared. I think what Stuxnet showed--that
you could have access to these--what they call PLCs and static
control systems that are not connected to the Internet, and
once you're in, you could impact them. And I do think we need
to think about both standards and evolution there.
In addition to that, you mentioned something equally
important, supply chain security. If you think about it and
look at some of the major hacks, those hacks came in because
the vendors were compromised. So I think we need to have a
better way of knowing the supply chain, if people have access
to a network, and making sure the entire supply chain is secure
because in cybersecurity, you're only as strong as your weakest
link.
Senator Cantwell. Exactly. That's why we want this DOE
upgrade, and to make sure that we do that. And then to Mr.
Barlow's point, having this larger discussion, which is very
hard to have, you know, necessarily, with our utilities and
some of our other critical infrastructure with the R&D side.
People don't want to talk about their vulnerabilities, but yet
we need to get best practices out there based on the latest and
most significant risks.
Mr. Barlow. I think this raises a really key point, in that
part of what I would encourage you to go back and really think
about is speed. You know, whether we're talking about black
energy, whether we're talking about other forms of attacks--I
mean, you know, if we look right now at what's going on in
Saudi Arabia and the Gulf states as they respond to Shamoon and
Shamoon 2, which is affecting the petroleum and chemical
industries, you know, these are, in many cases, significant
attacks that have a kinetic outcome in terms of their impact on
business, or they may stop various manufacturing lines.
At the end of the day, what actually makes the difference
is the speed at which the private sector and the public sector,
across multiple governments in many cases, work together. And
by having that threat intelligence with speed--now, think about
what that requires. That requires not only the culture and the
ecosystem to move fast, having an on-mission culture across the
board, but it also requires having the security clearances in
place for people to have those dialogs at an operational level,
and it requires the clearinghouse in order to manage those
vulnerabilities.
The Chairman. Thank you, Senator Cantwell.
Senator Inhofe?
STATEMENT OF HON. JIM INHOFE,
U.S. SENATOR FROM OKLAHOMA
Senator Inhofe. Thank you, Mr. Chairman.
At the risk of sounding redundant, which I will, for the
benefit of the witnesses, there are two very significant
committees, the Commerce Committee and the Environment and
Public Works Committee. There are nine committee members on
both committees, and we always have our meetings at the same
time. So the disadvantage is you get--you miss all--I would
miss, in this case, all of the opening statements and what
questions have already been asked. So that's one of the
problems that we're going to try to get the leadership of both
committees together to try to rectify since we deal with very
similar subjects.
Let me go ahead and just cover some of the--it may have
been covered. Stop me if it has been.
Mr. Grobman, cybersecurity is enhanced when products are
built from the ground up protected from cyber attack instead of
trying to impose cybersecurity protections after the product
has been developed. I think we understand that. Unfortunately,
there are not always strong market incentives for companies to
build products from the ground up with a focus on
cybersecurity, which has encouraged sentiment for hard
regulations to force the integration of cybersecurity into the
development of consumer products.
So, first of all, do you agree that is a problem? And can
you speak to the harm that structured hard regulations would
have on cybersecurity innovation?
Mr. Grobman. Absolutely. To the first point, one of the big
challenges that we see is sometimes the attack on a device
isn't going to harm the individual that purchased the device.
In the case of the Mirai attack back in October, although a
consumer purchased a DVR, they weren't the ones harmed when
that DVR turned and attacked Dyn and then provided denial of
service against Spotify and Twitter. So there would be a
natural sentiment to look for ways to regulate the way you
build those devices.
One of the challenges that we see with hard regulation in
cybersecurity is, given that the threat landscape continuously
changes, being overly prescriptive on how to build a device can
make it so that companies are focused on being compliant and
removing opportunity costs they would otherwise apply to
addressing the most critical threats of the day, making their
device less secure.
Our recommendation is to focus more on a framework very
similar to what we've done with the NIST framework that can
provide a blueprint for manufacturers to ensure they're looking
at the key areas, but be flexible enough so that it's
constantly tracking the latest threats of the day, and that the
manufacturers and organizations always have the ability to
focus on the most profound threats versus specific elements
that are imposed in a regulation.
Senator Inhofe. So what you're pointing out is that, yes,
it is true that if you have to do this--but if you do it to
that detail, they'll forget what the real purpose is, whether
it's safety or other elements. Do the rest of you agree with
that kind of a----
Mr. Ganesan. If I could add, Senator, I completely agree
with Mr. Grobman. Because cybersecurity is so dynamic, if you
try to do hard regulations, it's sort of like closing the barn
door after the horse has bolted, because you're fighting the
last war instead of the next war. So I think it's much better
to have guidelines and visibility and flexibility and let the
market forces determine----
Senator Inhofe. That makes sense. That does. That's a good
comment.
Some of you talked about the value of the public and
private partnership. Usually, you're talking about government
and industry. However, as was brought up by Senator Cantwell,
the universities are getting involved now, and it happens to be
that the University of Tulsa--and I assume some of you are
aware of this--has won the Southwest Regional Collegiate Cyber
Defense Competition for the second year in a row. Any comments
you would make about the inclusion of programs like that one
that has been very successful in Tulsa University?
Yes, sir?
Mr. Barlow. Well, I was very disappointed to see their win
because they won against my alma mater, Rochester Institute of
Technology.
[Laughter.]
Mr. Barlow. But that aside, you know, all kidding aside, I
think it's really exciting to see these kinds of competitions,
and----
Senator Inhofe. I think so, too.
Mr. Barlow. Well, you know, because part of what we have to
all understand in this, right, is that in order to be good
defenders, we have to understand how offense works. We have to
understand both sides of the game, and this is a great way to
give students the opportunity to learn, to do something a
little bit different. And, interestingly enough, we're trying
now to take this, frankly, to adults as well, which is why IBM
has built the Cyber Range in Cambridge, Massachusetts, to give
people the opportunity to practice and rehearse not just the
technical side of this, but how to deal with regulators, how to
deal with unhappy customers, how to deal with the press and
media post-breach. I mean, I would argue that in many, if not
most, breaches we see, the response to the breach often causes
more damage than the breach did itself.
Senator Inhofe. And you would agree that you are actually,
in this program, leading some of these young people into that
career.
Mr. Barlow. Absolutely. This is actually one of the reasons
why we have been active sponsors of these types of university
competitions.
Senator Inhofe. Yes, and we appreciate it.
Thank you, Mr. Chairman.
The Chairman. Thank you, Senator Inhofe.
Senator Schatz?
STATEMENT OF HON. BRIAN SCHATZ,
U.S. SENATOR FROM HAWAII
Senator Schatz. Thank you, Mr. Chairman.
I want to follow up on the question asked and the sort of,
I think, consensus view of the panel that if we try to lock in
a regulation, either through rule or statute, that the
technology will just outrun it, and I'll stipulate to that.
But the question I have is if NIST is our framework, the
real challenge is we don't know what the adoption rate is in
the private sector. I'd like, if you wouldn't mind, just a
quick yes or no and maybe a few comments on whether or not each
of the panelists think it would be in the public interest for
NIST to collect data on adoption rates so we know whether or
not this NIST framework, private sector-driven, innovative,
nimble, is being adopted, because all of that makes theoretical
sense, but if it's not being adopted, or we don't even know the
adoption rates, then we're working in the dark.
It seems to me that all of you are data people, so you
might be amenable to the idea that we should know what private
sector actors are doing here.
Mr. Barlow, to start.
Mr. Barlow. Well, I think it's an excellent question,
Senator, and we've actually studied it, and we'd be happy to
provide you with the details of that study, where we didn't
look specifically at just the NIST framework. We looked at
frameworks overall, because I think one of the things that the
NIST framework excelled at was giving people a guideline and
allowing them to customize it.
Senator Schatz. But the question is do you think that we
should be collecting data on the percentage of companies in the
private sector that are adopting the NIST framework?
Mr. Barlow. I think you need to ask the question a little
differently, in my opinion, which is how many companies have a
framework that they're following? I think it's OK if they use
it as a guideline and tweak and tune it based on industry or
based on what their particular threats are. But what is
absolutely critical is that private sector companies and
governments have a framework that they're following so that
they have both breadth and depth across all----
Senator Schatz. Whether it's NIST or some other framework----
Mr. Barlow. Exactly. COBIT, whatever.
Senator Schatz. Fine. But we need to know where we're at,
and it seems to me that we're operating in the dark as
policymakers here. We'll just go down the line as quickly as
possible.
Mr. Harkins. Senator, I totally agree with you. I think the
collection of that data is useful, and I also agree with Mr.
Barlow that there are multiple frameworks. We need to think
about which ones. And just having a framework by and of itself
doesn't mean that you're actually applying the framework
appropriately. So it would be like giving somebody a calculator
and saying, ``Are you using the calculator?'' It doesn't mean
they're doing the calculation correctly.
Senator Schatz. No, but we know they're not doing the
calculation correctly if they don't possess a calculator.
Right?
Mr. Harkins. I absolutely agree, yes.
Mr. Ganesan. I like market forces, Senator, and so one of
the reasons why I've been pushing cyber insurance is now you
have a market force for people to get cyber insurance. The
insurance companies will need to underwrite, and one of the
questions they will ask when they're underwriting is, ``Are you
following the NIST framework?'' And your premiums will be based
on how well you follow this.
So market forces which actually have money at risk will
drive people's behavior than regulatory purposes, because what
that becomes is compliance, as opposed to having a market
dynamic that feeds into what you do.
Senator Schatz. As quickly as possible, please. Thank you.
Mr. Grobman. I agree with Mr. Barlow. I think the challenge
with assuming NIST is the only framework is NIST is a great
solution when customers are looking to improve their
cybersecurity posture. It's something that, very often, if I go
to a customer, and they ask, ``Do you recommend a framework?,''
I will point them to NIST. But for other organizations that
have been operating for many years using another methodology, I
would not hold them at fault for that. So I think studying it
is good, but I don't think one size fits all.
Senator Schatz. Right. But we should be collecting data.
Mr. Rosenbach, I want to ask you a different question. One
of the policy recommendations from the panel has been to revise
the process that the administration uses to determine whether
to disclose a vulnerability to a vendor or to retain it for
national security purposes. Senator Johnson and I are working
on a bill that would improve and codify the process. Can you
tell us why you think this process is important to codify and
why it's useful to business?
Mr. Rosenbach. Yes, sir. I do think the process is
important. So I'll state up front there are cases in which the
government needs to keep zero-day vulnerabilities to ourselves
for national security reasons. I'll caveat that by saying if we
can't keep those secret, and there are going to be a lot of
insider disclosures as there have been, then we undermine our
credibility for saying that we can't disclose vulnerabilities.
Second of all, in the Department of Defense, Secretary
Carter took very, very seriously the need to rebuild bridges
with Silicon Valley after the Snowden disclosures, and part of
that is transparency. And if we know that the greater good is
disclosing some vulnerabilities to vendors and firms that are
U.S. firms, that's good for the country, because we want it to
be the center of gravity for the economy, and if we don't do
that, we're kind of shooting ourselves in the foot.
Senator Schatz. Mr. Grobman?
Mr. Grobman. I think the key thing is transparency, because
what we do need to recognize is some vulnerabilities the
government is aware of will make sense to keep private, and
others will be in the greater good to use responsible
disclosure and get addressed. We need to look at things such as
what is the probability it will be independently found by other
adversaries. There are many elements that need to go into that
decision, and being transparent on the criteria is a great way
to be open about what it is we're doing while keeping the
classified information classified.
Senator Schatz. Thank you.
The Chairman. Thank you, Senator Schatz.
Senator Markey?
STATEMENT OF HON. EDWARD MARKEY,
U.S. SENATOR FROM MASSACHUSETTS
Senator Markey. Thank you, Mr. Chairman.
Mr. Rosenbach, I'm working on a piece of legislation right
now that I'm going to call Cyber Shield, and it's with this
idea--because of the spread of the Internet of Things, whether
it be an automobile, a toaster, you name it, they're all going
to be vulnerable to hacking. Right now, the American public
doesn't know how vulnerable they may be.
So on cars, we've got--here's your fuel economy sticker,
here's the safety of the car sticker, and so people can make a
judgment. So what would you think about that idea, that on a
voluntary basis, but here it is, like kind of Energy Star--it's
on the car, it's on the toaster, and it gives you kind of a
one-star through five-star rating as to the level of
cybersecurity that has been built into that device? That would
incentivize companies to kind of meet the higher standard as
people get more concerned about it.
What would you think about that as an idea?
Mr. Rosenbach. Yes, sir. I'm a huge fan of creative ideas
that allow people to understand the problem and facilitate the
flow of information about cybersecurity, so I think that sounds
good. In particular, if it's worked in conjunction with the
private sector so that everyone understands how the evaluation
would work, it seems like a good idea.
Senator Markey. What do you think about that, Mr. Harkins?
Mr. Harkins. You know, I think it's a great idea, and I was
smiling when you were saying that, because a few years ago when
I was at Intel as Chief Security and Privacy Officer, we had
floated the idea of creating a security star rating. It's an
interesting concept and I think one that has merit.
I think it can be practically hard to implement, though,
because it would be like the miles per gallon. Because the
technology is evolving, there might be a deterioration of the
rating, and so how do you keep that up to date.
Senator Markey. I appreciate that. We'd have to figure it
out, but----
Mr. Harkins. Yes, we would.
Senator Markey.--the public has a right to know as well.
Mr. Harkins. Absolutely.
Senator Markey. Do you agree with that, Mr. Grobman?
Mr. Grobman. Senator, I would note a tone of caution. I
think that there is a risk in that sort of approach, in that
even devices that were built with high levels of quality in
their security architecture are still subject to having
vulnerabilities in the future, and if having the five-star
rating on a device at the time of manufacture gives the user of
that device the thought that it is going to be good, I think it
can lead to issues----
Senator Markey. Assuming that we could do it with that
caveat, that, you know, over time it could erode, but just so--
it's a 2014, here's the standard for that.
Mr. Grobman. I just don't know if the general public is
able to comprehend that level of intellect that even if they
had a five-star rating when they bought the device, it still
may become vulnerable in the future.
Senator Markey. One of the criteria would be whether or not
the technology has an ability to alter to changing threats,
too. That could also be up there, so that the public could
understand that.
Let me go to you, Mr. Ganesan.
Mr. Ganesan. Senator, I find this nuance because I always
think of the perspective of the small entrepreneur. That's the
companies we back, and a lot of well-intentioned government
regulations end up putting a lot more burden on small companies
and their ability to innovate, because those companies don't
have expensive lawyers and they don't have----
Senator Markey. This would just be voluntary.
Mr. Ganesan. So I understand, Senator, and I would say that
I find that market-driven initiatives are better than
government regulations.
Senator Markey. Right. But if there is no--right now,
there's nothing, so the market's had years to do something and
they don't do anything. So in the substitution for that, you
introduce something that's voluntary, so that would be my
point.
Mr. Barlow, quickly, please?
Mr. Barlow. So I think at the end of the day, what you need
to do is hold manufacturers responsible for a few key things.
When products ship, they need to ship not with default user IDs
and passwords. We need to understand how the data that these
devices collect--how it's being used, where it's being stored,
what the security posture is around it.
And we also have to recognize that these devices--I mean,
how old is your computer, sir? It's probably only a year or two
old, right? I mean, I've got a 10-year-old car. We've got to
have the ability to update things. The thermostat that goes in
your house might be there for 20 years.
Senator Markey. I got it. I just have one more question. I
just will say this is actually going to give small companies a
chance to stand out and say, you know, we've got this new
device so you can--not only--we're selling it, and the small
companies could kind of just move it. So that would be a great
venture capital entrepreneurial opportunity.
Finally, on the question of cybersecurity vulnerabilities
directed to the--you know, in the airlines. It's a huge issue
now. We're reading more and more about it.
Mr. Rosenbach, do you agree that the airline industry
should share information about cybersecurity threats, attacks,
and protections to the FAA and to other airlines when they're
identified?
Mr. Rosenbach. Yes, sir. In principle, more information
sharing is better. Whether you want the FAA to be the nexus, I
think you should work with the private sector to make sure that
they're up and able to do all that. But there are threats to
the airlines, and it's very important to try to find some way
to address those.
Senator Markey. And do you also agree that the FAA should
establish cybersecurity framework for aircraft and ground
support equipment?
Mr. Rosenbach. They should, as long as they do that with
the private sector, too, so that it's within the technology
that they work with.
Senator Markey. And that's the Cyber Air Act that Senator
Blumenthal and I have introduced so that we can figure out what
that framework should be so that information gets shared. If
there's a cyberattack on United, American should learn about
it, the FAA should learn about it, so all the vulnerabilities
that might be identical would be shut down.
Thank you, Mr. Chairman.
The Chairman. Thank you, Senator Markey.
Next up is Senator Peters.
STATEMENT OF HON. GARY PETERS,
U.S. SENATOR FROM MICHIGAN
Senator Peters. Thank you, Mr. Chairman, and thank you to
each of the panelists. This is a fascinating discussion.
I want to focus on an area that I have been doing a great
deal of work on, and actually working with Chairman Thune on,
and that is automated vehicles. We've talked about, generally,
some frameworks in looking at these kinds of products.
But, obviously, this is a piece of critical infrastructure.
These vehicles will be highly connected. They'll not only be
talking to each other. They're going to be talking to the
roadbed and will be in complete control, and it's much
different if there's a cyberattack on an automobile than your
bank account. We're all mad when our bank account is attacked
and some money is stolen, but this could be existential if they
take over your automobile.
I know the auto companies are focused on this a great deal.
But I want to kind of get your assessment as to what you are
seeing, if you've been working with them, and what you are
seeing in terms of the work that they are doing. I know that 2
years ago, the auto industry and NHTSA developed an Auto ISAC,
which, from my understanding, is working well. It's successful.
It has now been expanded to suppliers as well, understanding
that in order to get consumer acceptance for this product,
you're also going to have to make sure that they are fully
protected.
Mr. Ganesan, I believe you have some familiarity with this
area. Do you think the auto industry is taking the right steps
with that ISAC, and what role do you see in data sharing in
connected vehicles among a variety of companies?
Mr. Ganesan. That's a very important question, Senator. I
do wish to state for the record that we're investors in Uber
which is developing self-driving cars, and so we do have an
interest in this.
But I think that, yes, some progress has been made. I would
actually say more progress needs to be made because, in
essence, cars actually end up having a much longer timeframe.
You keep them for longer and so, in essence, you need to have a
way of updating them post facto. And the very fact that you
need to update them also means there's a security risk, because
if you can update them, so can the bad folks. I think that
while progress has been made in terms of getting together, I
think more needs to be done, and I do agree that having someone
taking over an unmanned vehicle poses a much bigger risk, and I
would say that more work needs to be done.
Senator Peters. Although updating, as you said, is
problematic, and the fact that you should try to design these
right from the get-go to be secure--obviously, you need some
updates--but it is a problem, as was mentioned by Mr. Barlow
and others, when you have older vehicles out there as well that
may have some interfaces with vehicles. So that's a challenge
we've still got to deal with.
Mr. Barlow?
Mr. Barlow. Well, you know, I think one of the fascinating
things about the auto industry is this is a good proxy as we
look across many other industries, whether we're talking about
airlines or vessels at sea, of the types of things we need to
consider. But we also have to consider not just the vehicle and
the kind of kinetic actions that may occur, but what's
happening to that data that's coming off those cars. Where is
it being stored in the cloud?
You know, our X-Force threat researchers recently disclosed
that we were able to identify multiple vehicles that once you
sold them, you were still connected to them. So someone buys a
used car, and the old owner is still connected to the vehicle.
They can find out where it is. They can unlock it and in some
cases could even drive off with the vehicle. You know, there's
a good example of working with industry to obviously get this
fixed, but it's a good example of new challenges and new
thoughts that we have to take into account.
What I would encourage you to think about is this isn't
limited to what happens in the vehicle. It's just as important
to think about what's happening in the cloud. A good proxy for
this that gets even more interesting is when you start looking
at vessels at sea. A cruise ship is a floating data center with
all kinds of information and IoT devices on it, and we've
really got to think about all the aspects of how that is
managed.
Senator Peters. Mr. Grobman?
Mr. Grobman. So the one thing that I would like to add is
we really do need to think about autonomous vehicles as being
new platforms. It's not that we're taking the cars of today and
making them self-driving. It's one of the reasons that we are
sponsoring a new organization, the Future of Automotive
Security Research, to partner with the industry to figure out
what are the new building blocks that are needed, everything
from what is the right architecture for field upgrade ability,
because we recognize if you're going to have a car in field for
10 years, you're going to need ways to remotely update it as
well as have secure communications across the board.
The one other point that I think is critical is to
recognize that the general public looks in aggregate at the
risk that autonomous driving can lower as it relates to death
in automotive cases, where we see autonomous driving as being
much safer than human driving in the long run, and based on
studies, we see things such as 95 percent of accidents are
caused by human failure, not machine failure. So we need to
look at that element as much as the new risk related to the
cyber elements.
Senator Peters. My time has expired. Thank you.
The Chairman. Thank you, Senator Peters.
Next up is Senator Cortez Masto.
STATEMENT OF HON. CATHERINE CORTEZ MASTO,
U.S. SENATOR FROM NEVADA
Senator Cortez Masto. Thank you, Mr. Chair.
Thank you, gentlemen, for being here. I appreciate the
conversation. I was the Attorney General of Nevada for years.
This was an important issue for me to address and I still look
forward to working with all of you in this space. One of the
things--there are a number of topics. I'm going to try to get
through them very quickly with your help.
Small businesses, in general. I was just home in Nevada,
and one of the questions I repeatedly get from our small
businesses is this is a space that they want to address and try
to protect against, but, as you can imagine, there are concerns
about resources, the ability, and then just understanding
cybersecurity, in general, and being able to implement it.
Can you address a way that we can help to work with our
small businesses to give them the opportunities that they need
to protect against cyberattacks? And I'll open it up to anyone
who would like to comment.
Mr. Harkins. Senator, I think you're right, and I think
small business has a challenge just like consumers have a
challenge. I've long thought that there's a security poverty
line that exists, like a societal poverty line, and those that
have the resources, the skills, the technical competencies to
deal with these issues and those that don't. And I think in
many cases small business is well below that poverty line, just
like we see a lot of large businesses below that poverty line.
I think the only way we can get them to essentially punch
above their weight limit and do better is to get them better
technology that preempts the execution of malicious code and
stops the bad things from occurring that can harm their
business and harm their customers.
Senator Cortez Masto. So that goes back to your security in
the design and architecture, correct?
Mr. Harkins. Not only in the design, development, and the
implementation, but post-implementation. Any device that
executes code has the potential to execute malicious code. We
have to look at that code execution prior to it happening and
determine good from bad. We've proven it can happen in
milliseconds, and we've proven we can preempt the execution of
malicious code.
Senator Cortez Masto. OK. Mr. Grobman?
Mr. Grobman. One of the big advances that we're focused on
along with the rest of the industry right now is shifting the
way that we build cybersecurity defense solutions for cloud-
based offerings, and one of the reasons that that is key to
small business is what the cloud does is it abstracts the
complexity to the organizations that are running the cloud
implementation, whereas you don't need the same level of
expertise within the small business that you traditionally did.
So one of the things that I would strongly advocate for the
industry is to continue to move down that trajectory, but make
sure that we're designing our systems with a wide enough
dynamic range that they scale not only to large businesses and
organizations, but also to the very small businesses as well.
Senator Cortez Masto. Thank you.
Mr. Ganesan. I'll be brief, Senator. I think the easiest
way is to make sure that capital formation and the ease of
capital is easily available for entrepreneurs, because I think
the way you bring down the cost for small businesses in terms
of cybersecurity is by having more innovators focus on the
market and making capital formation easier is a key to that.
Senator Cortez Masto. Thank you. And then the topic on the
skills gap, which clearly is an issue for the future. We are in
the age of technology. It's going to continue to evolve, and we
need to do a better job really training and preparing the
workforce for the future.
I am proud that in Nevada, for the first time, our
Governor's Economic Development Agency partnered with the
private sector and our system of higher education, so we're
working together. Let me give you an example. We went out and
were able to incentivize Tesla to come to Nevada. Part of that
arrangement was also partnering with the private sector as well
as our system of higher education to develop the curriculum
that Tesla will need for that skilled workforce. So we put them
all in a room and work together. I think that's how it should
happen all the time. But that's not necessarily the case in
every community.
I'm curious--and I'll open this up again--how we here at
the Federal level can incentivize that type of coordination to
ensure we are focusing on that skills gap and the curriculum
that's necessary.
Mr. Barlow. So I think there are a couple of key things
that we can do, Senator. And, by the way, just to answer an
earlier question on the percentage of women in the
cybersecurity workforce--I was able to find that while we were
talking--it's 10 percent today. There's a great example of a
real opportunity, right?
But if we look at the things government can do, certainly
incentives for universities to start to develop programs, and I
don't just mean kind of a couple of classes--full-on
cybersecurity programs. In addition to that, really looking at
the transition from veterans into the security workforce. Not
that any of us want to steal people out of the government, but
when people are ready to retire from their time in government,
there's an excellent opportunity for that transition. So I
think those are two really simple things we can do.
But the other thing we can really look at is how can
government, working with the private sector, help to influence
these new collar job opportunities, where we're finding people
above and beyond just people that pursued a traditional
computer science degree, to bring them into this space and help
solve the problem.
Senator Cortez Masto. Thank you. I know my time is up. And
one final thing I'm just going to throw out there, and we'll
follow up on--I'm also concerned about patchwork regulation and
legislation. We see the states--Nevada has done it. We had
concerns, and so we developed legislation at the state level,
then the Federal level coming in. There needs to be the
ability, I think, to coordinate so we aren't stifling
entrepreneurship, so we are working together to share
information when it comes to that, the cybersecurity threat. So
I'm just throwing that out there and would love to follow up
with you to get your thoughts on that as well.
Thank you, Mr. Chair. I appreciate the opportunity.
The Chairman. Thank you, Senator Cortez Masto.
Senator Udall?
STATEMENT OF HON. TOM UDALL,
U.S. SENATOR FROM NEW MEXICO
Senator Udall. Thank you very much, Chairman Thune.
This has been an excellent panel here today. Thank you for
all your testimony.
In this committee, we have a bipartisan track record of
promoting innovations and new technologies, but we cannot
ignore that our new reliance on Internet-connected technologies
can make us more vulnerable to cyber-attacks. So it's important
that we explore ways to ensure basic consumer protections and
cyber hygiene for new technologies.
Cyber threats are more than individual identity theft,
stolen credit card information, or other cybercrimes. We also
face cyber terrorism threats to our electric grid, to
pipelines, and other critical infrastructure, and, most
dramatically, the U.S. intelligence community is stating in no
uncertain terms that we face threats from state-directed actors
seeking to influence and undermine our election process by
manipulating social and online media. In our modern
capitalistic economy, all of the important private sector firms
in front of us today, play a role in defending America and our
freedom, not just from cybercrime, but from cyber war.
Mr. Rosenbach, your testimony discusses how Russia has
become increasingly emboldened in its use of cyber-attacks. You
cite a lack of forceful response following cyber-attacks
against Ukraine that took down portions of the power grid.
Could you share more about the relationship between Russian
cybercrime organizations and Russian intelligence operations?
Mr. Rosenbach. Yes, sir. There's a long history of the
Russian intelligence services cooperating with Russian
organized crime in order to carry out things that are within
the Russian national interest. So you saw that clearly in the
evidence behind the DOJ Yahoo case, but you see that in many
other ways, too, but in cyber, in particular, because there
will be members of the FSB or the GRU that also make money on
the side or are part of those criminal organizations. So it
makes it complicated, but it also makes it very important that
the government understands that and have some type of response
to it.
Senator Udall. Thank you. The Federal Government spends--
and I'm changing over to a new topic here, on legacy IT. The
Federal Government spends $80 billion annually on major IT
systems. The bulk of that money goes to maintaining and
operating legacy IT. GAO has noted that legacy IT systems
result in higher costs and create security vulnerabilities.
Some tech companies have sold IT that is still being used by
Federal customers, even though the product is no longer
supported. That means no customer support, no automatic
software updates with security patches, for example.
Mr. Grobman and Mr. Barlow, is it a good idea for Federal
agencies to use vulnerable IT products that are no longer
supported by the manufacturer? And do you agree that it makes
sense to replace outdated IT systems when they create cyber
risks and when a new technology is more cost effective?
Mr. Grobman. It's absolutely critical to rapidly move to
new, modern technologies, not only for the reason you cite,
that older technologies have vulnerabilities that could be
exploited by bad actors, but also the technology itself. The
new, modern systems they are built on are inherently more
secure than being able to retrofit or try to defend those
legacy systems.
So think of it in terms of our physical infrastructure.
Occasionally, we'll have an old bridge. We can do a retrofit to
it in order to make it seismically stable. But sometimes
there's no alternative but to build a new bridge, and that's
the same mindset that we need to think about as we triage the
systems in our Federal Government and focus on replacing the
ones at most critical risk.
Senator Udall. Mr. Barlow, please?
Mr. Barlow. I think the biggest challenge is really
understanding the vulnerability of any system. There are plenty
of brand new systems that come out that are chock full of
vulnerabilities. Now, obviously, the older things get, the more
likely they are to degrade. One of the things, though, I think
we've been talking about as a group today is the importance of
making sure that systems can, for their useful lifetime, be
updated.
Now, whether that useful lifetime has exceeded itself in
the commercial sector or not is really immaterial. It's about
making sure that we have the security posture; the
vulnerability assessments in place; we understand the risk;
we're using a security framework so we've got breadth and depth
in our security posture; and, last and probably the most
important thing that people often forget about, that you've got
a relationship with incident response forces, whether that's in
the government or private sector, that can monitor that
environment continuously and respond when there is a problem.
Senator Udall. Thank you very much.
Thanks, Mr. Chairman.
The Chairman. Thank you, Senator Udall.
Senator Fischer?
STATEMENT OF HON. DEB FISCHER,
U.S. SENATOR FROM NEBRASKA
Senator Fischer. Thank you, Mr. Chairman.
Mr. Grobman, in your written testimony, you state that
manufacturers of connected devices need to think about security
by design--we've heard some comments here today--so that these
protocols will be in the devices from the beginning rather than
adding them later on. How can companies that are innovating in
the Internet of Things space mitigate the burdens of security
by design? For example, when is the use of patches or other
security upgrades sufficient to combat those new threats that
we face really every single day, as opposed to redesigning the
devices wholesale in the future?
Mr. Grobman. So, very much like the NIST framework coming
up with a specific list of areas that an organization must pay
attention to, that is the same sort of process that we need to
instill in our embedded Internet of Things devices. There's a
set of requirements that almost any IoT device will have, even
though those requirements and what makes up those requirements
will evolve over time, so, just as an example, the general
category of field repairability, making sure that when a
device is installed in the field that it is possible to get the
updates to it in a secure manner.
One of the large problems that we do recognize, though, is
what is reasonable for a manufacturer to take care of a device.
If a manufacturer sells a device for $30 with a 3-year
warranty, if a vulnerability is discovered in year seven, are
they still subject to being required to deploy fixes? What
about in the case where manufacturers no longer exist, and we
are still left with millions of vulnerable devices? Very
challenging problems.
Senator Fischer. Do you have suggestions on how we're
supposed to handle that, especially in the future, when
companies come and go, when we see technology being developed
so quickly and the innovation taking place? How are we going to
address that? Because those devices will still be out there.
Mr. Grobman. I think one of the most important things that
we can do in the near term is have consumers think about
security in much of the same way that they think about
reliability or safety in other products. We really need to
raise awareness that security in all devices is key. I do think
there are some real practical challenges, though, especially
given the global nature of product development, that products
developed in other countries will not have the same
forethought.
Senator Fischer. That leads me to my next question, Mr.
Ganesan. I expect that many companies that you work with are
investing in the Internet of Things and you're developing all
these great innovative products in the area, and we're looking
to make sure that these devices are secure and they're not
going to be vulnerable to cyber threats.
We've heard about the importance of the security of the
supply chain. We've heard about making sure that the systems
can be updated during their useful lifetimes. That said, I'm
concerned that innovation is going to be hindered because
consumers aren't going to buy these devices because they're
going to be very concerned about security.
So how do you believe the investment into the Internet of
Things has been deterred because of those security concerns,
and what can the private sector do to make sure that we ensure
that the investment that we're seeing in the Internet of Things
is going to continue?
Mr. Ganesan. Excellent question, Senator Fischer, and I
agree with you that making sure that we have a secure
infrastructure, a secure framework for IoT is going to be
critical for adoption. One of the market-based approaches we
have taken at Menlo is we have funded a company called BitSight
that does security ratings, and one of the things that BitSight
does is actually like Moody's and Standard & Poor's. It gives
you a security score at a company level and at individual
product levels so that people can get a sense.
I like market-based approaches like that where people can
have a feedback loop, where you can get a score, you can
improve it, and consumers have visibility to that so that they
can decide whether they want to work with a certain company or
not, if they want to work with certain products or not.
Senator Fischer. So as long as we can see the private
sector stepping up and providing those security options for
consumers, you believe that that development in the Internet of
Things and the reliability that consumers would feel in that
development would be sufficient?
Mr. Ganesan. I do, Senator.
Senator Fischer. Thank you.
Thank you, Mr. Chairman.
The Chairman. Thank you, Senator Fischer.
Senator Hassan?
STATEMENT OF HON. MAGGIE HASSAN,
U.S. SENATOR FROM NEW HAMPSHIRE
Senator Hassan. Thank you, Mr. Chairman, and good day to
all of our panelists. I thank you so much for being here.
I want to follow on a little bit of what Senator Fischer
was beginning to discuss. Last December, a company in my state,
Dyn, in Manchester experienced a series of distributed denial
of service attacks. Since Dyn directs global Internet traffic
for some of the top social media, e-mail, and streaming
services, the impact of the attack, as I'm sure all of you
know, was felt throughout the country. Perhaps most unsettling
about this attack was that hackers turned everyday Internet
devices into a force multiplier that targeted Dyn, a very
sophisticated technology company. So this isn't just about
consumers being disrupted.
So, Mr. Rosenbach, if groups of criminal hackers can
mobilize the Internet of Things to help advance an attack like
this, then, clearly, countries like Russia and their teams of
state-backed hackers could use the Internet of Things to
mobilize a far more catastrophic attack. So what are your
thoughts about what we can do to prevent against state-
sponsored attacks of this nature?
Mr. Rosenbach. Yes, ma'am. So this is a great example of
where the Internet of Things has a dark side that the
government needs to play some role in, because you can't expect
a firm like that--if it were the Russians or the Chinese or the
Iranians, who are also very active in putting together the bot
networks--to be defending itself. So it doesn't mean that it
should always be the Department of Defense. In fact, we should
probably be the last people you call in, because we want to be
very respective of civil liberties and the constitutional
tradition.
But there needs to be a hard conversation about when the
government is going to defend a firm like that in New
Hampshire, because, otherwise, the investment they would need
to make in defending themselves will put them out of business.
That's not the role that they should be in. There is a role for
government when it comes to state-based attacks.
Senator Hassan. Thanks.
Mr. Barlow?
Mr. Barlow. Well, Senator, I think one of the other
challenges we have to recognize that was very unique about the
Dyn attack is that many of the devices that were used were
everything from everyday nanny cameras, however, they had the
default user IDs and passwords on these devices. Now, it's
incredibly easy to write a script to go scan the internet
looking for these devices and then check if it is--you know,
literally, if the password is still admin and password.
You know, one of the challenges is the bad guys can use
these tools to not only scan, but to go try to log in to these
devices and then identify them for potential inclusion in their
botnet. The good guys can't do that, because the minute I try
to log in with a default user ID and password, I'm breaking the
law.
Now, I'm not saying I want to go enter into these devices,
but I certainly--whether it's working with government or
working with other private sector entities, I want to know
where these devices are, so we can potentially notify the
manufacturers, who probably have some responsibility here,
notify the end users or where these are deployed, or worse yet,
just identify these devices so they can be blacklisted so they
can't be used in an attack like this. That's a critical area
where the threat has evolved past the good intentions of the
prior law.
Senator Hassan. Well, thank you. I want to just take my
last minute or so to talk a little bit more about bots. I am
referencing a McClatchy report on this from earlier this week
that the FBI is investigating Russia's use of bots to blitz
social media and try to influence the public discourse
surrounding the 2016 Presidential election. So if the
allegations are true, it shows that Russia had made use of a
powerful tool to disseminate misinformation and fabricated
stories on truly a mass scale.
The University of Oxford study found that on Twitter during
the period of October 9 through 12, 2016, there were over
850,000 tweets from suspected bot accounts. It would seem that
some of the emerging technology discussed today could be used
to counter the proliferation of Twitter bots and the Russian
misinformation campaign.
So, again, I'll start with you, Mr. Rosenbach. Can you
please take a minute and discuss how we can use these
technologies to address this problem?
Mr. Rosenbach. We have experience in this in the government
from a bot-based campaign that the Iranians conducted against
U.S. banks several years ago. So the technical solution to
taking out bot networks is not actually that difficult. But,
one, you need the willingness to do it, you need to make sure
that it's transparent under the law, and then you have to work
with a lot of international partners because the bot network on
its face is located in many different countries around the
world.
But that is where there's a role for the government to
play, because, otherwise, it won't happen, and you can't expect
one private sector firm to counter the Russian government's
effort to influence our elections.
Senator Hassan. Thank you. Anyone else want to comment?
[No verbal response.]
Senator Hassan. Well, then, thank you very much.
And thank you, Mr. Chair.
The Chairman. Thank you, Senator Hassan.
Senator Blumenthal?
STATEMENT OF HON. RICHARD BLUMENTHAL,
U.S. SENATOR FROM CONNECTICUT
Senator Blumenthal. Thank you, Mr. Chairman.
We've talked a little bit, I think, about the kinds of
dangers posed by devices that are insufficiently secure in the
Internet of Things world, and as we usher in this new era,
there will be an explosion of devices that are connected to the
internet. Everything will be. Cisco has said 50 billion things
will be connected to the Internet by 2020. We're not talking
about something in the far distant future. It's upon us now.
But we're only as strong as the weakest link. We know that
from experience. And even if only a tiny percentage of these
devices have weak cybersecurity, they can cause very
significant harm to consumer privacy and security and even to
national security.
In October, an array of popular websites and services,
including Amazon, PayPal, The New York Times, and Twitter, were
shut down, and it turned out that the shutdown was the result
of a hack. The hack was powered by multiple massive botnets
which operate by commandeering thousands, tens of thousands, of
vulnerable devices, baby monitors, routers, printers, DVRs, the
most common household devices, seemingly often the most
innocent, and the devices were directed to conduct criminal
activity unbeknownst to the consumer. I'm telling you something
everybody on this panel knows. Very few Americans know.
The question I have is: Shouldn't insecure devices be
regarded as, in effect, defective products, consumer products
that are perhaps as dangerous as a toy with small parts that
children may swallow, or blinds that can strangle them because
they're improperly constructed, or baby toys that have lead? In
other words, shouldn't they be subject to recall, taken off
shelves, if they're insufficiently secure, and out of
consumers' homes if they can't be patched through to a software
or firmware update?
So let me ask the panel, in no particular order. But I
notice that you have your hand up, so go ahead.
Mr. Grobman. So I think there are some differences that we
need to be very aware of in looking at IoT devices as compared
to traditional consumer devices. One is their global nature. In
the example that you gave with a toy having lead, it is only
going to do damage within its direct vicinity, whereas the
challenge that we have, such as in the Mirai attack, it wasn't
just machines that were located in the U.S. or IoT devices that
were located in the U.S. executing the attack, but from all
over the world.
My team actually ran a test 2 months ago where we created a
fictitious vulnerable device that we put on an open network in
January. Within a minute and 6 seconds, it was infected with
the same botnet that ultimately took down the sites that you
mentioned. We ran the test from Amsterdam, and we were attacked
from Vietnam, not the country, but from some infected DVR that
happened to be in Vietnam.
So although, I think, on the surface, thinking about some
of the correlations to the physical world are good things to
think about, I do think there are many, many differences that
we need to pay attention to.
Senator Blumenthal. Why don't we begin at that side and
just go down the panel.
Mr. Barlow. Thank you, Senator. So I think at the most
basic level, if it connects to the internet, you've got to have
a way to secure it and update it for the lifetime of the
device, hard stop. Now, what that may evolve into is some sort
of freshness date or some sort of subscription date for the
device.
The challenge I think we face is that no matter how much
effort and work you put into securing the device when it's
originally produced--let's take a thermostat installed in
someone's home. Who knows what vulnerabilities, what
techniques, what solutions are going to be available 10, 20
years down the road? So, you know, that's part of what we've
really got to think about, is the time factor of how long is
that device viable and how is it going to be updated.
Mr. Ganesan. Very briefly, I think the challenge from a
regulatory framework is even if you could have some sort of
guidelines for the U.S., there are webcams in Singapore that
could still affect companies here, and there would be no way to
figure out how to manage that. So we don't want to do something
that will unfairly put burdens on American companies that
doesn't apply globally.
Mr. Harkins. Just to add, I agree with all of what was said
here, and I think it's also important to note that beyond just
updating, there is the potential for patching. But, again, as
Mr. Grobman indicated, patching after the fact, long after the
fact, might be difficult. So the real question becomes not only
updating, but really how do we protect it. Updating is one
potential mechanism to protection, not the only mechanism.
Mr. Rosenbach. Sir, this isn't my area of expertise, but
I'd say if you could find a way to put more on individuals and
make individuals responsible for some of their own
cybersecurity, that would be another way to turn it around,
that probably even under the complexities of litigation law
would get at what you're going to.
Senator Blumenthal. I very much appreciate these answers. I
recognize that my question is a very complex and broad one, and
in a couple of minutes you've suggested some areas, some
directions, we should go. But I agree that it is a global
problem. We don't want to put American companies at any
disadvantage.
I also agree that individuals bear a part of the
responsibility, and I agree that, fundamentally, the problem
may be viewed as different from a toy that just affects a
single child or family. Maybe that makes it even more
dangerous, although one life at risk could be judged to be as
important--certainly as important as a global shutdown of
Internet devices.
But I think we're just beginning to grapple with this
issue, and I'm suggesting a recall type of procedure, because
very soon, it will be not just a matter of individual security
or family security or town or city, but it will be truly
national security, and, indeed, it already is, as we've seen
from some of the attacks mentioned here--Russians--you
mentioned Vietnam, a hacker in Vietnam. We're at the point
where we don't know whether that hacker is a free agent or
somebody operating under the auspices of a government, not to
say about Vietnam, but certainly about Russia. That's been the
experience.
So we're very much in dangerous uncharted waters, and I
hope we'll continue this conversation.
Thank you, Mr. Chairman.
The Chairman. Thank you, Senator Blumenthal.
Let me just ask--as I understand it, blockchain relies on a
decentralized or distributed database of transactions. And, Mr.
Barlow, you testified that blockchain has potential
applications for the sharing of cyber threat intelligence
because it maintains data security and integrity without
revealing its source. How could this technology facilitate
information sharing between industry and Federal agencies and
within industry-specific information sharing and analysis
centers?
Mr. Barlow. Thank you, Mr. Chairman. That's an excellent
question. I think one of the things we have to recognize is
whether we're talking about, let's say, a large bank or an
energy company or even a government, everyone has concerns
about people looking at the threat information they're sharing
and trying to decipher other activities, you know. What's the
acquisition they're about to maybe--the company they're about
to acquire or a particular form of intelligence they may be
under.
One of the things that we look at blockchain with a lot of
optimism around is the ability to aggregate that data together.
And when you aggregate it together, all of a sudden, even the
anonymous becomes even more anonymous. But any time you have a
big collection of data, you really need to be able to maintain
that reputation. You don't want people just throwing things in
there that are either duplicates or throwing out extraneous
information or, worse yet, false flags.
One of the real promises of blockchain is it gives people
the ability to share with cryptographic integrity and integrity
around the reputation of the source, but with only a few
people, if any, actually knowing who the source is. So that's
one of the things we really look at, because you could take
government data, you could take data from a large bank, and you
could take data even from small boutique cybersecurity firms,
aggregate it all together, and it would be nearly impossible to
figure out who presented this data into the collective, but
you'd understand that it's a high reputation source and that
you need to take action immediately.
The Chairman. Mr. Grobman, Intel is currently conducting
research on the future deployment of blockchain for security
applications. What are some of the current hardware limitations
that you have encountered?
Mr. Grobman. So one of the things that we're looking to do
is combine what blockchain can do from an infrastructure
perspective, so providing greater levels of resiliency and
immutability on the infrastructure side along with greater
levels of trust on the device that actually creates the data to
begin with. So there are a number of hardware technologies that
are in Intel's upcoming hardware lines that make it so you can
cryptographically sign data, secure data before it moves into
the blockchain. So it's really the combination of those two.
One note just on Mr. Barlow's answer on threat
intelligence. I do think this is a very good example of using
hardware to be able to ensure how the data was collected, has a
high degree of integrity, along with blockchain, but also
recognize some of the challenges inherent in threat
intelligence-sharing. It's one of the things that we call a
free-rider problem, meaning that everybody wants threat
intelligence, but there's generally very little incentive to
give up threat intelligence.
So figuring out how to not only remove the barriers, but
actually create incentives to provide threat intelligence, much
like your point on cyber insurance, is a good way for us to
think about the problem at the next level.
The Chairman. Mr. Ganesan, we often hear the terms, AI and
automation, mistakenly used interchangeably. Currently, to what
extent are the cybersecurity startups and companies that you
encounter actually using AI and machine learning, and how much
further do they have to go?
Mr. Ganesan. Senator, I think there has been a lot of
progress in AI, in the sense that I would say that even a few
years ago, a lot of the things that we do today were not
possible, and that's a combination of things including having
great cloud services, having data, and then having
sophisticated algorithms. So where I think the progress is
being made is in very vertical AI use cases.
Specifically, I think the exciting areas to me are on
automation of security alerts. There are just too many security
alerts in the world. There are not enough people in the world
to run down every one of these alerts. Every one of these great
companies creates alerts that go out, and I think what AI has
been good at focusing on is vertical problems where they can go
in and automate.
So I think of the progress being made as man plus machine
as opposed to man versus machine, and so here AI is going to
work on the mundane stuff so that our security professionals
can focus on the higher value threat.
The Chairman. Yes, sir?
Mr. Barlow. The average security operations center sees
200,000 security events a day. A large bank would be several
millions. Human beings simply can't get through that. So one of
the real promises of artificial intelligence above and beyond
cognitive systems is the ability to help security operations
professionals dig through that.
In our early findings with our Watson project, we're
finding that Watson's capabilities are 60 times faster than
manual complex analysis, with 10 times more actionable
indicators identified. It's bringing that kind of ability to
sift through this data that can really take the threat
intelligence that we all need to share and help make an
actionable difference.
The Chairman. I think we could all use a Watson in our
office, probably, to keep sorting all these things out that we
have coming at us all the time.
Let me just ask a generic question, and that has to do with
if you thought about, kind of, what is the thing that keeps you
up at night, biggest fear, biggest concern, and then maybe to
put a brighter note on it, kind of, what your biggest hope and
opportunity is as well. But just kind of a general question,
but as you think about the space that you work in, what is it
that concerns you the most? What's the biggest fear?
Mr. Barlow. My biggest fear is that as security
professionals, we often become very enamored with the problem.
It's very easy and very quick to focus on things like nation-
state activity, espionage, and all these types of things,
which, let's face it, at the end of the day are accepted
international practices. What I worry about is we also have to
recognize the level of organized crime in this neighborhood is
unbelievable, and I really firmly believe that if we work
together, which is something that we can all agree on
regardless of which side of the political aisle anyone sits on,
that the organized crime has got to go, then we can make a real
and substantial difference. And then the only thing left to
focus on is the nation-state activity.
Now, the positive side of this, as much as we talk about
all the negative, is this is fueling an enormous new economy of
new talent, of STEM skills, of high-paying jobs, and I think
it's incumbent on all of us to work together to ensure more of
that work, more of that skill, more of that new talent lands
here in the United States.
The Chairman. Mr. Ganesan?
Mr. Ganesan. Senator, my biggest fear is critical
infrastructure. There are many problems we can solve
individually, but critical infrastructure is something that can
only be protected at the government level, and, therefore, that
would be my biggest fear.
But my biggest hope and optimism is the fact that we have
the best entrepreneurial ecosystem in the world by far. Every
major security innovation, every major cybersecurity company
is funded and created in America. We have the world's best
venture capital system and the best set of entrepreneurs. What
we just need to do is to make sure that we enable these people,
make sure we can attract the best and brightest to come to this
country, that we have the capital available for them to fund
it, and give them the room to grow and innovate, because when
we do that, we can solve anything.
Mr. Grobman. I think my biggest concern is that what we
call the threat surface area continues to grow. So much of what
our discussion was on today dealt with new areas of innovation,
whether it was self-driving cars or automation in factories or
connecting our critical infrastructure capabilities. The
implications of a cyber attack on any of those would be
catastrophic. But yet our traditional systems are not taking
care of themselves. So it's not that we can shift our focus
from the old to the new, but rather we're forced to expand our
comprehension of what we need to secure in order to survive as
a nation.
What gives me hope is this concept that has been discussed
a bit today on human-machine teaming, where we use technology
to amplify the effectiveness of our cyber warriors, our cyber
defenders, that will ultimately enable us to secure this new
scale of capabilities that we ultimately need to defend.
The Chairman. Mr. Harkins?
Mr. Harkins. My biggest fear, honestly, is that we
perpetuate the cyber risk curve that we see today, and that we
don't fundamentally address the problem, and we continue to be
reactive and responsive at a cost to our business, at a cost to
our customers, at a cost to society.
My biggest hope, though, honestly, even in this discussion
today--I've long believed that the biggest vulnerability we
face today and in the future is the misperception of risk. I
think we've misperceived it 10, 15 years ago, and I think by
having the dialogs like we're having today, we'll start a
better discussion. We'll better understand where new
technologies, the blockchain, quantum computing, artificial
intelligence, and machine learning, not only can add benefit in
other areas of the digital economy, but can be used and tuned
to prevent issues from occurring to begin with and then better
detect and respond to them if damage was to occur.
Mr. Rosenbach. Yes, sir. I would say what keeps me awake is
that right now, we're watching the evolution of cyber warfare,
something where there are hacks and the spread of
disinformation, and that if something bad were to happen either
to the democratic system or to our financial system in which
trust in those two systems is undermined to the point that the
U.S. loses two things that are incredibly valued, and that then
the country's reaction to those things and maybe even the
Congress', if I could be so candid, would be so strong that it
might actually stifle some of the innovation and everything
good that is happening right now. So that keeps me awake.
The thing that always makes me feel good--in particular,
when I was in the Pentagon, if you go to CYBERCOM and you go to
NSA, and you see really talented, hardworking soldiers and
civilians who are very talented and could go make several
hundred thousand dollars on the outside, but they want to stay
there, they want to keep working on it, they want to defend
duty networks, and they want to go after the bad guys, that
always gives me hope.
The Chairman. Good. All right. Good answers.
Senator Cruz?
STATEMENT OF HON. TED CRUZ,
U.S. SENATOR FROM TEXAS
Senator Cruz. Thank you, Mr. Chairman. I'd like to thank
each of the witnesses for being here today, and, Mr. Chairman,
thank you for holding this important hearing.
Last November, my Subcommittee on Space, Science, and
Competitiveness held the first congressional hearings on
artificial intelligence, both the opportunities and the
challenges and threats posed by artificial intelligence. Among
the promise artificial intelligence presents is the opportunity
to unleash a technological revolution that the world has not
seen since the creation of the internet, and it could impact
every sector of our economy.
A 2016 Accenture report predicted that artificial
intelligence could double annual economic growth rates by 2035
and boost labor productivity up to 40 percent. So these are
exciting new opportunities for our economy, but at the same
time, this technology produces challenges that could have very
significant impacts in labor markets and a real need to secure
the privacy of individuals and to guard against threats, in
particular, in the cybersecurity space.
In an interview with Wired magazine last year, President
Obama stated, ``Then there could be an algorithm that said, `Go
penetrate the nuclear codes and figure out how to launch some
missiles.' If that's its only job, if it's self-teaching, and
it's just a really effective algorithm, then you've got
problems. I think my directive to my national security team is
don't worry as much about machines taking over the world. Worry
about the capacity of either non-state actors or hostile actors
to penetrate systems, and in that sense, it is not conceptually
different than a lot of the cybersecurity work we're doing.''
My question for each of you is: What impact is artificial
intelligence having on how we currently approach cybersecurity,
and how will that approach have to change over the next decade?
Mr. Grobman. So, Senator, I think one of the points you
make is a very good one, which is, we can't be naive to think
that artificial intelligence will only be used by defenders,
and one of the things that we see in cybersecurity is very
often the attackers are able to implement new technologies more
rapidly. So having an attacker use artificial intelligence for
what we call victim selection, essentially the scenario you
outlined, where it's identifying the place in an organization
or an environment where they'll be most successful, is some of
what we're starting to see today.
The good news is if we recognize that and start planning
for the bad actors to have that weaponry in their arsenal
today, we can build strong defenses and most effectively use
the same technology to build strong capabilities as well, and
that's what a lot of us at the table are doing in our
businesses to try to get ready for those scenarios.
Mr. Harkins. Senator Cruz, I think it's important in what
you talked about in terms of the potential, and I agree with
Mr. Grobman. But I also think that we've proven today that we
can use artificial intelligence to stop malicious code from
happening. I think it's also possible to use artificial
intelligence and machine learning to deal with the identity
problem and do continuous authentication to know that Malcolm
is Malcolm, his machine is his machine, and allow him to do the
things that he needs to do as a user.
I also think it's possible to use artificial intelligence
and machine learning to disrupt and stop denial of service
attacks, like what we saw with Dyn. I think we have to use
these technologies, use the advanced algorithms, use the math
and the science, and place them in the right spots to really
get at the heart of the problems and better predict and prevent
these problems to begin with. And then if we can't, because you
cannot eliminate the full vulnerabilities, then you have to use
that technology to speed up the detection and response and
mitigate and slow the potential for harm.
Senator Cruz. One of the threats that we heard testimony
about at the November hearing on artificial intelligence was a
cybersecurity threat as more and more decisionmaking is based
on big data, a cybersecurity threat that doesn't come in and
shut down a system in a way that it's obvious that it has been
hacked, but rather that goes and alters the dataset that is
being relied upon for artificial intelligence to make
decisionmaking and to alter the dataset in a way that it's not
immediately evident, but changes the decisionmaking in a way
that could have significant consequences. That struck me as a
particularly difficult form of cyber threat to respond to. I'd
be interested in your comments.
Mr. Grobman. So I think one of the things that we see in
any new cyber defense technology, is as soon as it gains
traction in the industry, the attackers look for ways to create
countermeasures, evasion tactics. A few years ago, the industry
was very focused on what we call sandbox detonation,
essentially trying to run an unknown executable in a safe
environment to see if it had malicious behavior. Very quickly,
the adversaries would try to fingerprint to detect ``am I
running in that environment.'' And I think we can expect that
same mindset for the adversaries as the industry embraces AI-
based defenses.
So one of the things we're looking at is really
understanding the attacker's point of view. How will they use
machine learning poisoning? How will they poison the models?
How will they force defenders to recalibrate their defenses
because they sent a lot of false positives that are very costly
for their operations center? And really recognizing that at the
beginning will allow us to build more resilient capabilities.
Mr. Ganesan. Senator Cruz, if I can add a different
dimension, we are, I think, in the golden age of AI. In the
next probably 15 to 20 years, we'll get to the point where we
can do a lot of really impressive things. But now it's a war
for talent. We need to make sure that we get the best AI folks.
From where I come from in Silicon Valley, Facebook, Google--
they spend--I'm not kidding you--millions of dollars trying to
get the best AI folks to join them.
This global talent is spread all over. My point of view is
let's figure out a way to make sure that we can get the best AI
talent from all over the world to come here to our universities
and, more importantly, stay here and create companies here.
Mr. Harkins. Senator Cruz, specific to your question around
a data integrity attack, we have to look at how would a data
integrity attack occur. One would be I own your system, and I
own the database, which means malicious code was placed on
that. So the way to mitigate that is to prevent malicious code
from executing.
The other way that would be simply there is I own your
identity, or I'm an insider and I changed the data. And, again,
there are ways to do the authentication to validate the
individual, and then there's backend detection on the data
integrity, and I think--as was mentioned earlier with
blockchaining, I think that's a great way to ensure some level
of data integrity out in the future and use that for critical
data to give you a higher level of trust.
Mr. Barlow. I think one of the challenges in the question
you posed is that there's a lot of data behind that, and you're
not looking for the needle in the haystack. There's no one
sending up a big red flare. You're trying to find a needle in a
stack of needles with everything else that's going on. And,
interestingly enough, I think the solution to the problem is
also artificial intelligence and cognitive systems.
I've had the opportunity over the last year to watch Watson
grow up, and, literally, it was like watching a child grow up.
There was an early day where we--it couldn't understand what
ransomware was, because it wasn't in the dictionary. So it
thought ransomware was a city. Right? OK. Well, I can kind of
see how it would make that mistake. And then we got to the
point, almost like it was in college. We were grading papers,
going, ``Hey, you got an A on this one. This one, you still
need a little work to do.''
But we're at the point now where we're putting this up
against talented security teams, augmenting their skills, and
what it's doing is giving them that peripheral awareness to go,
``Hey, something very unusual and obscure''--very much to your
example, Senator--``happened over here. Why is that happening?
Have I seen it before? Is there a research paper that talks
about this? Is there another threat intelligence company that's
identifying this?'' And it's bringing that level of awareness
right to the surface, but with an evidence-based conclusion,
and that, ultimately, is the type of thing we need to combat,
the exact same threat.
Senator Cruz. Thank you, Mr. Chairman.
The Chairman. Thank you, Senator Cruz.
I think we've exhausted members and their questions, so
thank you all very much, panel.
I want to, before we wrap up, ask unanimous consent to
place in the record three pieces of additional testimony. The
first is from Professors Scott Shackelford and Steve Myers of
Indiana University. The second is from Larry Clinton, the
President and CEO of the Internet Security Alliance. The third
is from Theresa Payton, the CEO of Fortalice Solutions. So
without objection, it'll be so ordered.
[The information referred to follows:]
Prepared Statement of Professors Scott Shackelford and Steve Myers,
Indiana University
Chairman Thune, Ranking Member Nelson, distinguished members of the
Committee, thank you for the opportunity to offer this statement for
the record to help inform your Committee's important work with regard
to the risks and opportunities of emerging fields for cybersecurity.
We are professors at Indiana University-Bloomington engaged in
cybersecurity and emerging technologies research. Our work touches on a
number of fields of interest to this hearing, including Internet of
Things (IoT) security, cryptography, the promise and pitfalls of
blockchain technology, and supply chain cybersecurity. For purposes of
this statement, we will limit our remarks to the IoT context.
Introducing the Internet of Broken Things
On July 21, 2015, there was a car crash. This in and of itself is
not newsworthy given that there are, unfortunately, some 15,000 car
accidents daily in the United States.\1\ What made this episode
different, though, was the fact that this crash was not the result of
drunk driving or human error; rather, code was to blame.\2\ Hackers
Charlie Miller and Chris Valasek took advantage of fundamental flaws,
so-called ``zero-day exploits,'' \3\ in the software running a Jeep
Cherokee and used these entry points to turn on the car's air
conditioning, change the radio station while cranking the volume, turn
on the windshield wipers, display a picture of themselves on the car's
navigation screen, and eventually disable the car's transmission.\4\
All of this was done from a laptop some ten miles away from the
targeted Cherokee.\5\ And this episode was far from unique. Flash
forward to late 2016 and the appearance of the Mirai botnet, which
paralyzed much of the web in late 2016 by overwhelming Dyn, an
Internet-services firm, in an attack that has shown an even harsher
spotlight on IoT insecurities.
---------------------------------------------------------------------------
Professor Scott Shackelford
Associate Professor, Indiana University Kelley School of Business
Cybersecurity Risk Management Program Chair, Indiana University-
Bloomington
Director, Ostrom Workshop Program on Cybersecurity and Internet
Governance
Affiliate, Harvard Kennedy School Belfer Center Cyber Security
Project
Affiliated Scholar, Stanford Center for Internet and Society
Professor Steve Myers
Associate Professor of Computer Science & Security Programs
Director
Indiana University School of Informatics and Computing
* This statement was adapted from Scott J. Shackelford et al., When
Toasters Attack: Enhancing the `Security of Things' through Polycentric
Governance, 2017 Univ. of Ill. L. Rev. 415 (2017); Scott J.
Shackelford, When Toasters Attack: 5 Steps to Improve the Security of
Things, Cyber Magazine (Sept. 8, 2016),
http://magazine.milcyber.org/stories/whentoastersattack5stepstoimprovethesecurityofthings;
Scott J. Shackelford, Opinion: How to Fix an Internet of Broken Things,
Christian Science Monitor Passcode (Oct. 26, 2016),
http://www.csmonitor.com/World/Passcode/Passcode-Voices/2016/1026/Opinion-How-to-fix-an-internet-of-broken-things;
L. Jean Camp et al., TWC: Large: Collaborative: Living in the Internet of
Things, Proposal for NSF Award #1565375.
\1\ See Nat'l Highway Traffic Safety Admin., Fatality Analysis
Reporting System, http://www-fars.nhtsa.dot.gov/Main/index.aspx (last
visited Aug. 6, 2015).
\2\ See Andy Greenberg, Hackers Remotely Kill a Jeep on the
Highway--With Me In It, Wired (July 21, 2015), http://www.wired.com/
2015/07/hackers-remotely-kill-jeep-highway/.
\3\ In a zero-day attack, a hacker creates an exploit before the
vendor knows about the vulnerability, so the attack base is broader.
There is little that users can do to slow down zero-days once they are
unleashed, so an attacker ``can wreak maximum havoc.'' Gregg Keizer,
Microsoft's Reaction to Flame Shows Seriousness of `Holy Grail' Hack,
Computerworld (June 7, 2012),
http://www.computerworld.com/s/article/9227860/Microsoft_s_reaction_to_Flame_shows_seriousness_of_Holy_Grail_hack.
\4\ See Andy Greenberg, Twitter Hires Elite Apple Hacker Charlie
Miller To Beef Up Its Security Team, Forbes (Sept. 14, 2012), http://
www.forbes.com/sites/andygreenberg/2012/09/14/twitter-snags-elite-
apple-hacker-charlie-miller-to-beef-up-its-security-team/. Christopher
Valasek is ``the Director of Security Intelligence at IOActive, an
industry leader in comprehensive computer security services.'' Chris
Valasek, RSA Conf., http://www.rsaconference.com/speakers/chris-valasek
(last visited Aug. 6, 2015).
\5\ See Greenberg, supra note 2.
---------------------------------------------------------------------------
Together these and other instances highlight the extent to which
smart products hold the promise to revolutionize business and society.
In sum, from 2013 to 2020, Microsoft has estimated that the number of
Internet-enabled devices is expected to increase from 11 to 50 billion,
though estimates vary with Morgan Stanley predicting 75 billion such
devices in existence by 2020.\6\ To substantiate the coming wave,
Samsung recently announced that all of its products would be connected
to the Internet by 2020.\7\ Regardless of the number, the end result
looks to be a mind-boggling explosion in Internet connected stuff. But
the burning question now is whether security can scale alongside the
fast pace of innovation.
---------------------------------------------------------------------------
\6\ See Tony Donava, Morgan Stanley: 75 Billion Devices Will Be
Connected to The Internet Of Things By 2020, Bus. Insider (Oct. 2,
2013), http://www.businessinsider.com/75-billion-devices-will-be-
connected-to-the-internet-by-2020-2013-10#ixzz3i4CApJsg.
\7\ See Rachel Metz, CES 2015: The Internet of Just About
Everything, Tech. Rev. (Jan. 6, 2015), http://www.technologyreview.com/
news/533941/ces-2015-the-internet-of-just-about-everything/.
---------------------------------------------------------------------------
Enhancing the Security of Things
What role do policymakers have to help enhance IoT security? We
have outlined eight areas for your consideration, including a number of
IoT specific initiatives:
1. First, we need more cooperation amongst stakeholders, including
information sharing within defined boundaries to build trust,
along with graduated sanctions being in place for rule
breakers. The auto industry Information Sharing and Analysis
Center (ISAC) is one example of this approach that should be
replicated in other IoT sectors, though broader IoT Information
Sharing and Analysis Organizations (ISAOs) would also be
beneficial to break down artificial silos and spread cyber
threat data and best practices more widely.
2. Second, Congress should consider certain baseline standards for
IoT devices, such as the ability to securely and easily accept
security updates, and only from authenticated and trusted
channels. An initial model is the National Institute for
Standards and Technology's (NIST) Cybersecurity Framework,
along with its work on Cyber-Physical Systems. Over time, these
standards could help establish a standard of IoT cybersecurity
care, including new approaches to proactive cybersecurity
measures.
3. Third, there is ongoing benefit in flexible, guidance-driven
frameworks in the IoT context over prescriptive regulation
given the fast-evolving nature of these technologies. Still, a
range of policy options are available to incentivize
cybersecurity investments, ranging from R&D tax breaks to
public bug bounty programs and grants to help establish
cybersecurity clinic collaborations between firms, research
universities, and community colleges across the Nation. Further
incentives include liability limitation for certain types of
information sharing in the IoT context,\8\ technical assistance
for critical IoT sectors, and priority consideration for
certain Federal grants.\9\ We note that security is not currently a
property of products that is easily signaled to or understood
by consumers, and so it is difficult, at least initially, for
consumers to make informed decisions on security, and thus for
the market to naturally select towards more secure products. We
also recommend that more attention should be paid to the
intersection of IoT and the need to secure supply chains. Since
IT systems control everything from phones to factories,
ensuring these systems are secure is of vital importance to the
global economy. Yet this is a daunting proposition given
varying sources of insecurity, from malicious--a 2012 Microsoft
report found malware being installed in PCs at factories in
China--to conflicting commercial incentives, such as Lenovo's
installation of advertising software that weakened security in
2015. Regardless, manufacturers will have no ability to assert
basic security properties of their products if supply chains
are not considered.
---------------------------------------------------------------------------
\8\ This is already happening to an extent with the U.S. Government
encouraging automobile manufacturers to work with one another through a
new Information Sharing and Analysis Center and with consumers and the
government to identify and share cybersecurity best practices. See Pete
Bigelow, 18 Automakers Agree on New Safety Pact with Regulators, Auto
Blog (Jan. 15, 2015), http://www.autoblog.com/2016/01/15/18-automakers-
agree-new-safety-pact/.
\9\ See Michael Daniel, Incentives to Support Adoption of the
Cybersecurity Framework, White House (Aug. 6, 2013), https://
www.whitehouse.gov/blog/2013/08/06/incentives-support-adoption-
cybersecurity-framework.
---------------------------------------------------------------------------
4. Fourth, IoT providers should be encouraged to undertake good
governance best practices, which can be accomplished by
effective monitoring of IoT peers and an active role for civil
society in shaming outliers. The power of supply chains and
private contractual relationships could be brought to bear to
help encourage the dissemination of best practices, such as
firms requiring NIST Cybersecurity Framework compliance from
their suppliers. Similarly, an active dialogue between public
and private sector supply chain governance is needed.
5. Fifth, government should be willing to allow industry to react to
data breaches without overly broad, harsh or punitive fines,
except in egregious circumstances as has begun to be defined in
the U.S. context through FTC Act Section 5(a) litigation. Firms
should also be encouraged to make use of existing tools from
other contexts, such as integrated reporting schemes, to better
inform cybersecurity decision-making.
6. Sixth, government should consider the effects that emergent
properties of IoT attacks can have on populations when large
numbers of IoT devices are simultaneously attacked. For
instance, we note a few Internet devices being infected with a
botnet provides little security threat, but a large deployment
of such devices provides attackers the ability to disrupt the
services of even the largest Internet content providers.
Similarly, the ability of attackers to disrupt and break a
single IoT heating system in a home may be a nuisance, but the
ability of attackers to disrupt a large fraction of a
community's heating systems in the midst of winter could be
considered a local emergency. This is true if local inventory
is not sufficient to replace broken components, or if the time
necessary to perform repairs is significant, and the local
workforce is insufficient to supply surging demand. We note
that emergent attacks on a wide variety of potential IoT
products lead to outcomes that can be worrisome. Some simple
examples include: (i) if many cars can be stopped in a
localized area, then roads can become impassible; (ii) if smart
meters can be bricked, then the full communities may lose
power; and, (iii) if refrigeration can be affected, communities
may lose perishable food stuffs.\10\ Emergent properties of
such attacks may necessitate the rethinking of what constitutes
critical infrastructure, or the need for minimum security and
safety standards in some IoT categories.
---------------------------------------------------------------------------
\10\ See, Husted and Myers, Emergent Properties & Security: The
Complexity of Security as a Science, Proceedings of the 2014 New
Security Paradigms Workshop (2014), pp. 1-14, Victoria, British
Columbia, Canada, ACM.
---------------------------------------------------------------------------
7. Seventh, government should consider the effects of IoT policy not
just on device manufacturers and consumers, but on integrators
and managers. IoT deployment ecosystems may comprise more than
just IoT devices and the various stakeholders in IoT devices'
environments; indeed, there may exist third parties that assist
with the integration and management of IoT devices within a
larger IoT ecosystem. These integrators already play a
significant role in corporate IoT deployments (for example,
building control systems for facilities), and we envision
integrators will soon play a critical role in many domestic IoT
deployments as well. As an early precursor to such domestic IoT
integrators, the Xfinity ISP currently offers its Home
package--a suite of home security and automation technologies.
However, it is clear that many of the large corporate
technology corporations would like to sell services that
incorporate consumer IoT devices--both monitoring and
supporting them. Ensuring that government policy allows and
ensures such integrators to securely and privately support
products while interacting with many vendors will ensure more
consumer choice and allow for more competitive markets, and
prevent vendor lock-in. We support this, even though it will
admittedly make security technically more difficult to achieve.
8. Eighth, government policy on IoT security needs to consider IoT
devices in their complete lifecycles. This lifecycle begins
with product conception and development; next is device
acquisition; the lifecycle proceeds to device deployment; and,
after deployment, the lifecycle proceeds to device
administration and maintenance. In some cases, the owner of an
IoT device might transfer the device to another party, in which
case the lifecycle loops back to device acquisition.
Eventually, the device manufacturer will end the supported life
of the device, thereby rendering that device a ``zombie''--
where new attacks may be found in widely deployed devices, but
manufacturers are no longer willing to support the product for
economic reasons, leaving large deployed bases of knowingly
insecure products. Security concerns can arise anywhere in this
lifecycle, and hence a holistic approach to IoT security must
consider the full lifecycle. Additionally, the product
lifecycles for many IoT durable goods (e.g., kitchen
appliances, thermostats, etc.) are much longer than those of the
typical high-tech gadget. The result is that security must be
planned over a longer period of time. For example, a
requirement for more stringent cryptography that is perhaps
believed to be resistant to quantum attack may be more
important to deploy in a furnace sold in the near future, than
a smartphone, as the smartphones are likely to be out of use in
2-3 years, while the furnace may have a 10 to 20 year
lifecycle. Again, the longevity of these products and the
implications for security are not easily signaled in the
marketplace, and may require appropriate incentives or policy
to help ensure the desired policy outcome of a secure and
private IoT ecosystem.
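Item 2 above asks for a baseline in which devices accept security updates only from authenticated and trusted channels; the following is an added example, not from the statement or any vendor, of the acceptance check such a device would perform, including the rejection of a tampered image, an update authenticated with an untrusted key, and a rollback to an older version. It assumes a constructed device key and uses HMAC-SHA256 as a stand-in for the vendor's public-key signature.

```python
import hashlib
import hmac
import json

# Constructed sample key (assumption): provisioned into the device at manufacture.
# A production device would instead hold only the vendor's public verifying key and
# check a digital signature, so that no secret capable of forging updates lives on it.
TRUSTED_UPDATE_KEY = b"constructed-device-update-key-0001"


class UpdateRejected(Exception):
    """Raised when an offered update fails any acceptance check."""


def _encode(body):
    # Canonical encoding so vendor and device authenticate exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(key, version, payload):
    """Vendor side: describe the update and authenticate that description."""
    body = {
        "version": version,
        "size": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
    }
    tag = hmac.new(key, _encode(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_update(manifest, payload, installed_version, key=TRUSTED_UPDATE_KEY):
    """Device side: return the new version if the update is acceptable, else raise.

    Checks run in this order on purpose: nothing in the manifest is trusted until
    its tag verifies, so an unauthenticated manifest cannot steer later decisions.
    """
    body = manifest.get("body")
    tag = manifest.get("tag", "")
    if not isinstance(body, dict):
        raise UpdateRejected("malformed manifest")
    expected = hmac.new(key, _encode(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise UpdateRejected("manifest not authenticated by the trusted key")
    version = body.get("version")
    if not isinstance(version, int) or version <= installed_version:
        raise UpdateRejected("refusing downgrade or replay of an older update")
    if (len(payload) != body.get("size")
            or hashlib.sha256(payload).hexdigest() != body.get("sha256")):
        raise UpdateRejected("payload does not match the authenticated manifest")
    return version


def demo(installed_version=6):
    """Exercise the check against a genuine update and three bad offers."""
    payload = b"constructed firmware image, version 7"  # constructed sample
    genuine = build_manifest(TRUSTED_UPDATE_KEY, 7, payload)
    outcomes = {}

    def attempt(name, manifest, image):
        try:
            outcomes[name] = verify_update(manifest, image, installed_version)
        except UpdateRejected as exc:
            outcomes[name] = "rejected: " + str(exc)

    attempt("genuine", genuine, payload)
    # Image altered after the manifest was authenticated (hash and size mismatch).
    attempt("tampered_payload", genuine, payload + b"\x00")
    # Manifest authenticated with a key the device does not trust.
    attempt("untrusted_key", build_manifest(b"some-other-key", 8, payload), payload)
    # Older, genuinely authenticated update offered again to roll the device back.
    attempt("rollback", build_manifest(TRUSTED_UPDATE_KEY, 5, payload), payload)
    return outcomes


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```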
Building from these steps, an overarching approach to enhancing the
Security of Things may be promoted that considers IoT as an ecosystem,
and encourages IoT providers to take responsibility for how their
products impact the entire ecosystem (such as how a smart home
interfaces with an autonomous vehicle). Entities that are information
gatherers, information aggregators, and information transmitters/
communicators, for example, could be liable for misusing user data,
especially when such misuse has downstream consequences or involves
critical or highly sensitive information.\11\ Similarly, organizations
that produce consumer products that enact poor physical outcomes, by
interacting with users or their environments and produce damage while
being used for their intended purpose, as deployed by a typical user
(and not an expert), might be considered partially liable for such
damages if their security posture did not meet some industry norms. The
use of such an approach creates incentives for self-monitoring of the
ecosystem and may encourage various industries across the IoT landscape
to work together and gain a broader perspective on how IoT devices and
data interact. The IoT ecosystem approach could help incentivize
participants to develop and maintain an appropriate level of
cybersecurity, is flexible to information type, and is malleable to
changes in the environment, even as it insists upon ecosystem
monitoring and taking accountability for the entirety of the system.
Industry outliers could also find it difficult to purchase and/or share
information with cooperative industry participants.
---------------------------------------------------------------------------
\11\ See, e.g., Occupational Safety & Health Admin., https://
www.osha.gov/workers/index.html (last visited Jan. 5, 2015).
---------------------------------------------------------------------------
Moreover, lessons from related areas should not be ignored since
device management issues that arise in IoT also come about within other
analogous fields. Consider two recent examples: Google and Mattel.
Turning to Google first, under the Family Educational Rights and
Privacy Act (FERPA), a school needs to obtain written consent from
parents before sharing personal information about students, except when
the school is sharing data with ``school officials'' who have a
``legitimate educational interest'' in the data.\12\ This definition has been
interpreted to include contractors, since schools now outsource some of
their functions.\13\ And, Google--it seems--falls under that
definition.\14\ The result is that Google has been gathering a great
deal of information about students as a result of their use of certain
Google products such as Droid-powered tablets and has been using that
information within its own ecosystem of GoogleWorld, with parents
having no ability to prevent such information gathering.\15\ How Google
will use, protect, and store this student information, how or with what
data sources this information will be aggregated, and to whom it will
pass on this information remain open questions as of this writing.
---------------------------------------------------------------------------
\12\ Family Educational Rights and Privacy Act (FERPA), 20 U.S.C.
Sec. 1232g; 34 CFR Part 99, (1974).
\13\ See Department of Education, Family Educational Rights and
Privacy Act (FERPA), Final Rule, 34 CFR Part 99, 5 (2008) http://
www2.ed.gov/policy/gen/guid/fpco/pdf/ht12-17-08-att.pdf.
\14\ See Andrea Peterson, Google, A `School Official?' This
Regulatory Quirk Can Leave Parents In The Dark, Wash. Post, (Dec. 30,
2015).
\15\ Id.
---------------------------------------------------------------------------
Mattel is another large corporate entity that has the ability to
aggregate information across product lines and information sources.
Yet, it seems unaware of the public's growing awareness of the `creepy'
factor in the emerging IoT landscape. In 2015 Mattel released ``Hello
Barbie,'' a smart doll that has a microphone and Wi-Fi connectivity
that allows Mattel to host two-way conversations with children.\16\ And
while one can assume the backlash was instant, in fact several privacy
groups alerted individuals to the two-way communication feature in
early 2015,\17\ yet the doll was released without major modification in
time for Christmas 2015.\18\ This example serves as a reminder that
industry self-monitoring can only serve as a mechanism to flag industry
outliers; it cannot by itself change the behavior of multinational
businesses that seek to take advantage of poorly constructed or
antiquated policy, or individual user apathy. Consequently, while it is
true that the desire for industry self-regulation seems justified given
the still nascent state and rapid development of the underlying
technologies, some IoT regulation may in fact be necessary, especially
in critical areas of concern, such as transportation and healthcare.
However, regulation should be limited to at-risk areas or populations
(such as children) and should be crafted to reinforce existing best
practice frameworks, as has arguably happened in the electricity
regulatory context.\19\ Most important to a self-regulatory model,
policymakers must create incentives to encourage the further refinement
of best practices as part of an ecosystem of information system
participants.
---------------------------------------------------------------------------
\16\ See Benjamin Snyder, Activists Fight Release Of New High-Tech
Barbie Doll From Mattel, Fortune, (Mar. 25, 2015).
\17\ See Alejandro Alba, Mattel's Talking Hello Barbie Doll Raises
Concern Over Children's Privacy, Daily News, (Mar. 16, 2015).
\18\ See id.
\19\ See Intelligence & Nat'l Sec. Alliance, Addressing Cyber
Security Through Public-Private Partnership: An Analysis Of Existing
Models 7 (Nov. 2009), www.insaonline.org/i/d/a/Resources/
Addressing_Cyber_Security.aspx.
---------------------------------------------------------------------------
In the creation of the IoT regulatory interventions, policymakers
must recognize one important behavioral element: individuals often
behave in a less than protective manner when it comes to what they
share online. Consider Wyndham as an example; individuals continued to
provide information to Wyndham after the breach was discovered but
before litigation ensued. What should Wyndham (and others) take away
from that fact? Unfortunately, one lesson is that people, in general,
are oftentimes unwilling or incapable of protecting their own
information, especially given the recent deluge of data breaches.\20\
Yet consumers are at risk in data breaches, especially in the IoT
environment, and that fact serves as an insulator to information
security accountability. Thus, the ability to blame user error or to
limit accountability for due diligence based on general use of service
consent needs to be questioned. People are predictably apathetic when
it comes to their online behavior, such as reading terms and
conditions.\21\ As a result, businesses should accept some
responsibility in protecting PII. For example, the Health Insurance
Portability and Accountability Act (HIPAA) only covers patient
information kept by health providers, insurers and data clearinghouses,
as well as their business partners, but these definitions are vague.
The result: in January of 2015, Jacqueline Stokes discovered the home
paternity test results of 6,000 unsuspecting people openly available
online.\22\ The individuals had consented to the use of the test, and
had agreed to receive their results online, but had not consented
(without ever reading the terms of use) to the information being used
in aggregate for research and other search activities. As this example
illustrates, policymakers need to create an information ecosystem that
insists upon accountability while encouraging the reporting of data
loss within a flexible regulatory model, while managers should be
encouraged to plan for the likely behavior of users such as by
designing automatic security and privacy opt-out protections.
Similarly, policymakers should consider businesses' responsibility to
not only provide security and privacy features in their products, but
to provide them in a manner that is ``on by default'' and easily
understood by the average consumer--and not just technical experts.
When wireless routers were initially being widely deployed throughout
consumer households, they often came with many security features, but
they were difficult and cumbersome to deploy. Laws at the state level
requiring that manufacturers provide notice about wireless insecurity
issues and provide guidance on secure installation may have had the
effect of prompting more user-friendly and easy-to-manage security services.
---------------------------------------------------------------------------
\20\ See World's Biggest Data Breaches, http://
www.informationisbeautiful.net/visualizations/worlds-biggest-data-
breaches-hacks/ (last visited Jan. 5, 2015).
\21\ See Rebecca Smithers, Terms and Conditions: Not Reading the
Small Print can mean Big Problems, Guardian (May 11, 2011), http://
www.theguardian.com/money/2011/may/11/terms-conditions-small-print-big-
problems.
\22\ See Charles Ornstein, Federal Privacy Law Lags Far Behind
Personal-Health Technologies, Wash. Post (Nov. 17, 2015).
Unfortunately, the tale of the lost medical information is a tale often
told. For example, in 2011 an Australian company did not properly
secure details of hundreds of paternity and drug tests, making them
accessible through a public Google search. Id.
---------------------------------------------------------------------------
Policymakers should also consider instances where the industry
simply cannot make the decisions about what to do with a given type of
information within the IoT ecosystem. For example, consider the case of
a Florida woman's car that informed authorities after she allegedly
rear-ended two vehicles and left the scene without reporting the
accident to the authorities.\23\ In this instance, Ms. Bernstein had
activated Ford's Emergency Assistance safety feature after she was
involved in a ``sudden change of speed or movement.'' \24\ In these
instances, the Emergency Assistance feature automatically places an
emergency call to local first responders allowing emergency personnel
to assist injured or otherwise incapacitated individuals.
Unfortunately, Ms. Bernstein was neither and was instead allegedly
intent on leaving the scene of the accident.\25\ While this information
may be detrimental to Ms. Bernstein--and those similarly situated as
her--such information must not necessarily be shielded from sharing
given that it serves a public good, in this case of promoting
traffic safety and accountability. However, it is alternately easy to
imagine a future where ubiquitous sensor monitoring of data that is
available for the public good results in an Orwellian state, and policy
will be needed to find appropriate balances--such decisions almost
surely should not be left to corporations.
---------------------------------------------------------------------------
\23\ See Trevor Mogg, Hit-And-Run Suspect Arrested After Her Own
Car Calls Cops, Digital Trends, (Dec. 7, 2015).
\24\ Id.
\25\ Id.
---------------------------------------------------------------------------
It is also important to encourage effective cybersecurity workforce
development including the necessity of baking in proactive
cybersecurity best practices from the inception of a new IoT product
line. The lesson here is constant vigilance, e.g., letting an initial
process of cybersecurity due diligence be the first, and not the last,
word in an ongoing, comprehensive cybersecurity policy that promotes
cyber hygiene along with the best practices essential for battling the
multifaceted cyber threat.\26\ Such a policy should be widely
disseminated and regularly vetted as part of an overarching enterprise
risk management process, along with having an incident response plan in
place that includes private and public information sharing
mechanisms.\27\ These recommendations are in line with FTC guidance, as
seen in the Wyndham settlement order, which should be considered the
ground floor of compliance to be supplemented by the NIST Cybersecurity
Framework and NIST IoT Framework to check for governance gaps that may
then be filled in by industry best practices. Concrete steps for
retailers, for example, in addition to the above could include
installing software to deactivate RFID tags after a pre-determined
period of time so as to avoid consumer privacy concerns. Powershelves
could similarly limit real-time location tracking to only specific
applications. Health data should be encrypted from end-to-end to help
get ahead of the HIPAA-HITECH Act regulatory curve. Voluntary private-
sector driven certification schemes could also be created to signal to
customers as to those IoT companies that have taken such basic
cybersecurity measures.\28\
---------------------------------------------------------------------------
\26\ See Gregory J. Touhill & Joseph Touhill, Cybersecurity For
Executives: A Practical Guide 291 (2014) (``You should measure your
cybersecurity posture as part of your efforts to practice due care and
due diligence, monitor and control your information systems, maintain
legal and regulatory compliance, meet contractual obligations, and
maintain certifications.'').
\27\ For more on this topic, see Amanda N. Craig et al., Proactive
Cybersecurity: A Comparative Industry and Regulatory Analysis, 18 Am.
Bus. L. J. 721 (2015).
\28\ See David Inserra & Steven P. Bucci, Cyber Supply Chain
Security: A Crucial Step Toward U.S. Security, Prosperity, and Freedom
in Cyberspace, Heritage Found. (Mar. 6, 2014), http://www.heritage.org/
research/reports/2014/03/cyber-supply-chain-security-a-crucial-step-
toward-us-security-prosperity-and-freedom-in-cyberspace.
---------------------------------------------------------------------------
Globally, the U.S. Government should build on the progress made in
cybersecurity norm building such as in the critical infrastructure
context with a new focus on IoT. This is already happening to an extent;
several cross-border partnerships have emerged that may present yet
another option to protect sensitive PII. For example, in December 2010,
the U.S. Department of Health and Human Services (HHS) and the European
Commission's DG CONNECT signed a Memorandum of Understanding (MoU) on
Cooperation surrounding eHealth/Health IT.\29\ The MoU was signed to
demonstrate a shared dedication to strengthening transatlantic
cooperation in eHealth and Health Information Technologies. In 2013, DG
CONNECT and HHS published a first Roadmap of specific MoU actions.\30\
Since then, this Roadmap has guided activities in two priority areas
(work streams):
---------------------------------------------------------------------------
\29\ Europa, Memorandum of Understanding (2010), http://
ec.europa.eu/digital-agenda/en/news/memorandum-understanding-eu-us-
ehealth.
\30\ Europa, Transatlantic Ehealth/Health It Cooperation Roadmap
(2013), http://ec.europa.eu/digital-agenda/en/news/transatlantic-
ehealthhealth-it-cooperation-roadmap.
---------------------------------------------------------------------------
1. Standards development to advance the development and use of
internationally recognized standards supporting transnational
interoperability of electronic health information and
communication technology, and
2. Workforce development to develop and expand the skilled Health IT
workforce in Europe and the U.S.\31\
---------------------------------------------------------------------------
\31\ Id.
---------------------------------------------------------------------------
In 2015, it was agreed between DG CONNECT and the U.S. HHS to add a
third priority area: Transatlantic eHealth/Health IT Innovation
Ecosystems.\32\ This work stream aims to encourage innovation in the
eHealth/Health IT industry and ensure linkages to the other two Roadmap
work streams.\33\ Over time, further linkages could be added to this
and other IoT partnerships; indeed, the active collaboration
surrounding the NIST Cybersecurity Framework could be extended with a
special emphasis on IoT concerns as part of the growing bottom-up
approach to enhance the Security of Things.\34\
---------------------------------------------------------------------------
\32\ Id.
\33\ Public Stakeholder Consultation on Next Phase of EU-US
Cooperation in eHealth/Health IT, (Europa Press Release, Apr. 2015),
https://ec.europa.eu/digital-agenda/en/news/public-stakeholder-
consultation-next-phase-eu-us-cooperation-ehealthhealth-it.
\34\ See Scott J. Shackelford, Scott Russell, & Jeffrey Haut,
Bottoms Up: A Comparison of ``Voluntary'' Cybersecurity Frameworks, 16
Univ. of Cal. Davis Bus. L.J. 217 (2016).
---------------------------------------------------------------------------
Conclusion
We have come a long way since Kevin Ashton first used the
expression ``Internet of Things'' as the title of a presentation he
gave for Procter & Gamble in 1999. The promise of networked smart
devices is finally being realized, but in order to avoid the same
litany of cyber attacks and data breaches we have seen in other
contexts it is vital to adopt proactive policies that help drive the
evolution of effective and secure IoT governance before cyber
insecurity becomes replete in the Internet of Everything.
______
Prepared Statement of Larry Clinton, President and CEO,
Internet Security Alliance
Cybersecurity Is Not An ``IT'' Issue. To Address IT Effectively We Need
To Look At Cybersecurity As An Economics Issue
Expecting technology to provide the answer to our cybersecurity
problems would be a perilous course. A more promising path would be to
understand the true nature of the cyber threat and take a more
enterprise wide approach to addressing it.
Two months ago, the National Association of Corporate Directors
(NACD) released the second edition of its Cyber-Risk Handbook, the only
private sector cybersecurity document ever endorsed by both the
departments of Homeland Security and Justice.
The very first principle of the NACD Cyber Risk Handbook is that
cybersecurity is not an information technology issue. While it has a
substantial technological component, cybersecurity is an enterprise-
wide risk-management issue.
Information technology is only the pathway for cyberattacks--the
``how'' of cyberattacks.
If we are to address the cybersecurity issue in a long term,
sustainable fashion we need to not only address the ``how'' of
cybersecurity, but also the ``why'' of cybersecurity: the reasons that
attacks occur.
From the private sector perspective, (and the core of the Commerce
Committee's jurisdiction) the reason cyberattacks continue to occur is
the unbalanced nature of digital economics.
The basic equation of cybersecurity economics is this. Cyberattack
methods are easy and cheap to access, they can generate enormous
profits--in the hundreds of billions of dollars--and the business plan
for the attackers is secure and sustainable as attackers reinvest in
their enterprise to become ever more sophisticated and effective.
On the security side, cyber defense must protect an inherently
insecure system that is growing technologically weaker with the
explosion of mobile devices and the Internet of Things. We are almost
inherently a generation behind the attackers; our laws and regulations
are not well suited to address international and often state-sponsored
digital threats. Moreover, the government mandates being piled on the
private sector are often counterproductive. Finally, there is virtually
no effective law enforcement. We successfully prosecute less than 2
percent of cyber criminals.
So long as we continue to try to address the cybersecurity issue
from a techno-centric perspective and ignore the fundamental economics
that are driving the problem, we are destined to continue to fail
badly.
To effectively address this issue, we must frame it differently.
The problem is not that the technology is bad. Modern technology is
nothing short of amazing.
The problem is that the technology is under attack. And the reason
the technology is under attack is because all the economic incentives
favor the attackers.
That is a fundamentally different problem that demands a
fundamentally different set of solutions. Within the private-sector, we
have begun to address the issue in a broader risk management
perspective that includes technology but places it in the context of
the overall enterprise operation, not at the center of it. We are
already seeing positive results.
For example, PricewaterhouseCoopers, in their 2016 Global
Information Security Survey reported that ``Guidelines from the
National Association for Corporate Directors (NACD) advise that Boards
should view cyber-risks from an enterprise-wide standpoint and
understand the potential legal impacts. . . . Boards appear to be
listening to this guidance. This year we saw a double-digit uptick in
Board participation in most aspects of information security.
Respondents said this deepening Board involvement has helped improve
cybersecurity practices in numerous ways. It may be no coincidence
that, as more Boards participate in cybersecurity budget discussions,
we saw a 24 percent boost in security spending.''
The Internet Security Alliance believes the Senate Commerce
Committee, indeed the full Senate and Congress can help facilitate
further progress by addressing the cybersecurity issue in a less
techno-centric, and more enterprise risk management/economic fashion.
ISA would offer three paths for the Commerce Committee to pursue.
Steps Toward Creating Better Economics For Cybersecurity
ISA would like to suggest three measures for improving
cybersecurity that come within the jurisdiction of the Senate Commerce
Committee.
1. Create a Rational Cyber Regulatory System
2. Promote incentives
3. Test the NIST Cybersecurity Framework for cost effectiveness.
Create a Rational Cyber Regulatory System
No one, certainly not ISA, is saying we ought not to have cyber
controls or assessments. But we need to have a rational and well-
thought out system or we will waste vital resources and undermine our
security.
Earlier this week ISA released a ``Cyber Regulation Fact Sheet.''
The fact sheet (attached) demonstrates multiple examples of how the
tremendous growth in cybersecurity rules and regulations is diverting
scarce security resources and undermines our Nation's cyber defenses.
One of the unintended consequences for organizations like ISA that
have been raising awareness of the cyber threat for 15 years is that we
now have cyber mandates springing up like weeds as virtually every
governmental entity, Federal, state and local, fights to be the ``cyber
guy.'' The result is an uncoordinated, inconsistent and often
counterproductive set of requirements that is actually hurting, not
helping, to increase security.
Research tells us we are experiencing more than a million cyber-
attacks a year and we don't have nearly enough cyber professionals to
help protect us. We need to use our scarce resources efficiently and
effectively. Yet some firms are now spending 30 percent of their
budgets and 40 percent of their time on various compliance regimes none
of which have been shown to empirically aid in securing our cyber
systems.
ISA's fact sheet offered numerous examples from multiple industry
sectors of the growth in cyber regulations often inconsistent with the
risk management philosophy that professionals overwhelmingly suggest is
a more effective approach to cyber defense. Among the statistics cited
are:
In financial services increases of over 300 percent in
cybersecurity and privacy related questions financial
institutions now need to answer.
In defense there are new rules for unclassified controlled
information that force companies to label bits of information
based on 23 categories, 84 sub-categories and hundreds of
different citations. Ironically these rules could actually make
it easier for attackers to find useful data.
In Energy DOE has proposed requirements (10 CFR 73.53) that
all networks in the sector meet controls (DG 5062) so overly
broad that the mandate will require the expenditure of millions
of dollars to implement controls not tailored for the risk of
the networks.
New defense acquisition rules will require small companies
to comply with extraordinarily detailed requirements that may
well drive many smaller firms out of the defense business, which
is not only inconsistent with DoD policy to promote the use of
smaller companies but also harms national security, as many of
these firms are the top suppliers who can find markets for
their services that don't require the extensive compliance.
Various regulators are demanding public disclosure of
supposedly material cyber-attacks when in fact the attack
itself may not have a material effect, but the disclosure may
well trigger unjustified (and usually temporary) stock
fluctuations. As a result, it is the disclosure creating the
material effect and provides a path for stock manipulation
contrary to the regulator's mission.
Our fact sheet is by no means an exhaustive list; it is simply
illustrative of the uncoordinated government response to the
cybersecurity problem that needs to be brought under control.
Part of this problem is that the government itself is not properly
structured for the digital age and hence digital age issues like
cybersecurity run into legislative and executive jurisdictional
barriers. However, the Commerce Committee with its overarching mandate
to promote U.S. commerce may well be positioned to provide some of the
needed coordination.
Promote incentives
We believe that the most effective way for the private sector to
improve the level of its cybersecurity is for the Congress and the
Federal Government to consider what sets of incentives for better risk
management can be brought to bear.
Government incentives allocated to the private sector in exchange
for behaviors that, without incentives, would not be economically
sustainable are not unprecedented. They are responsible for the
telecommunications and electric infrastructure that undergird much of
American prosperity. We call this the ``social contract'' approach to
infrastructure and the Internet Security Alliance has long argued that
a similar approach is needed for cybersecurity.
In the early twentieth century, the hot technologies of the time
were telecommunications (phones) and distributed electricity. Initially
these services were provided where the economies justified them: urban
and affluent areas. The policy makers of the era not only understood
that universal service of these technologies would have broad social
benefit but also realized government couldn't accomplish this on its
own. Moreover, compelling the private sector to provide the services
without adequate compensation would be an unsustainable model. So a
``social contract''--essentially an economic deal--was developed.
Private companies agreed to provide universal service at regulated
rates. In exchange, the government agreed to guarantee a substantial
rate of return on their investments.
And it worked. The broader systemic benefits of the social contract
were enormous. The electric and telecommunications infrastructures were
deployed at an accelerated pace compared with other nations that chose
a government-centric model. Moreover, the infrastructures, adequately
supported by the economic incentives embedded in the contract, were
continually made more sophisticated and innovative. The rapid
development of these infrastructures provided the foundation for
accelerated industrialization, job creation, and innovation. These
systemic effects were essential to turning the United States from a
second-rate world presence at the turn of the twentieth century into
the world's leading superpower in a little more than a generation.
More recently, the House GOP Task Force on Cybersecurity made their
number one recommendation to develop a menu of incentives for the
private sector to begin to address the economic incentive imbalance
discussed above. To be fair there has been some progress since the
House GOP report. In 2013 President Obama in his Executive Order 13636
also embraced the notion of using market incentives as opposed to
regulatory mandates to promote cybersecurity and in the last Congress
bipartisan legislation on cyber information sharing used the market
incentive of liability protection.
As we move forward we need to enhance and accelerate the
development of market incentives. While obvious techniques such as tax
breaks for smaller companies to adopt sophisticated defenses not
otherwise commercially justifiable can be used, there are many other
models of incentives that can be adapted. For example, just as
pharmaceutical companies with good records can gain access to an
accelerated drug approval process perhaps good actors in technology
could get patent approval preference, or utilities could gain access to
a fast-track permitting system. Regulatory forbearance could be
offered for organizations meeting specified levels of maturity in
traditionally regulated industries and streamlined audit and assessment
process can also be developed.
The reality is that many cyber-attacks are nation-state backed and
no private organization can match the resources of a nation state. It
may well be that private companies will have to take on traditionally
governmental responsibilities in the digital age and government needs
to find a sustainable and cost efficient mechanism to deal with this
new reality.
No less a source than the National Infrastructure Protection Plan
(NIPP) has observed that the private sector and the public sector
assess cyber risk on very different dimensions. For the private
sector--operating under a mandate to maximize shareholder value--the
cybersecurity calculus is largely economic. This reality generates a
higher level of security risk tolerance in the private sector than the
public sector. For example, a private entity may be comfortable with
allowing 10 percent of inventory to ``walk out the back door'' every
month because it will cost 11 percent to purchase the additional guards
and cameras to fully secure themselves. The public sector doesn't have
this luxury. Government has enormous non-economic concerns it must
accommodate such as national security and citizen privacy.
Today, we need a twenty-first-century systems approach to address
the cybersecurity issue. The new model needs a much more dynamic
motivator than backward-looking regulations and potential enforcement.
Since 90 percent of infrastructure is owned and operated by the private
sector and the principal problem with cybersecurity is economic, the
best model to promote a forward-thinking risk-management approach to
cybersecurity would be injecting positive economic incentives into
continual upgrading and management of private cyber systems.
Test the NIST Cybersecurity Framework for cost effectiveness.
The NIST Cybersecurity Framework rightly enjoys the praise of wide
swaths of government and the private sector. We join in that praise,
although we note that the Framework is not a standard but a broad
framework that can, and ought to be, implemented in many ways depending
on unique aspects of the system it's being applied to and the threats
that system is facing. As such, the specific way the Framework is used
is not necessarily the most cost effective approach. This is why the
executive order that called for the Framework's creation, E.O. 13636,
also stipulates that the Framework ought to be cost effective--a direct
call to address the economic imbalance causing the cybersecurity
crisis.
Unfortunately, three years after NIST released the Framework, there
have been no efforts to evaluate it for cost effectiveness.
This is even despite Section 104 (b) of the recently signed
American Innovation and Competitiveness Act, which states that NIST
shall ``conduct research and analysis (A) to determine the nature and
extent of information security vulnerabilities and techniques for
providing cost effective information security'' (emphasis added).
The lack of data in this area is a huge drag on cybersecurity since
the commercial sector cannot afford economically unsustainable
cybersecurity measures. It has likely led to an underinvestment in
cybersecurity in many sectors, since it's impossible for companies to
trace the quantitative reduction in risk exposure caused by
cybersecurity measures.
Most importantly, lack of cost data makes it impossible for the
government to understand which specific areas of cybersecurity it
should spend its considerable powers on encouraging within the private
sector. In the absence of data, cybersecurity advice tends toward the
general, along the lines of ``implement best practices.'' But abstract
exhortation is not working. We now need to know which best practices,
and why they're not being adopted. The ISA suspects cost is a major
factor.
After determining cost effectiveness, the government should move to
create incentives to encourage adoption. Steps that improve the bottom
line by diminishing quantifiable risk will find natural take up by the
private sector. But measures that are effective but too expensive to
justify economically--but necessary for securing the economic and
national security of the United States--are precisely where targeted
incentives should be deployed.
We urge the Committee to use its tools and processes to test
the cost effectiveness of NIST Framework implementation.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
______
Prepared Statement of Theresa Payton, CEO, Fortalice Solutions LLC
Chairman Thune, Ranking Member Nelson, distinguished members of the
Committee:
It is an honor to submit this written testimony on behalf of
Fortalice Solutions LLC (``Fortalice''). Fortalice is a cybersecurity
and intelligence firm that provides and enhances national and economic
security through the delivery of highly-focused, mission-critical
cybersecurity solutions to top business and government entities. We are
a team of cybercrime fighters, techies, geeks, policy wonks, and
enthusiastic security and intelligence professionals, who strive to
protect people, businesses, and nations against threats to their cyber
footprint. Fortalice applauds the Committee for prioritizing
cybersecurity and focusing on how the Nation can most effectively
achieve the equally important goals of: (a) unleashing rapid, continued
technological innovation, and (b) ensuring that technology is secure.
Many in private industry and the government argue that achieving these
goals requires a balancing act. Focusing on a solution that seeks to
balance these goals, however, does a disservice to the nation: a
balancing act insinuates that both sides of the equation--innovation
and security--must give a little to achieve balance. Fortalice believes
private industry and government need to move toward an integrated risk
philosophy that accelerates and maximizes, not balances, innovation and
security.
Explosion of Emerging Technologies and Challenges
A few years ago when Ted Claypoole and I wrote our second book on
Internet privacy and security, ``Privacy in the Age of Big Data:
Recognizing Threats, Defending Your Rights, and Protecting Your
Family,'' we predicted that the broken technology innovation lifecycle,
combined with outdated security strategies, would be overrun by
consumers' insatiable desire to rapidly integrate the latest digital
advancements in apps, social media platforms, and smart devices at home
and at work. We predicted this would create a security and privacy
conundrum by 2020, but that prediction came sooner than we anticipated.
In the Internet of Things (IoT) area alone, the predictions for the
explosion of emerging technologies are staggering. Gartner predicts
that by the end of this year, 8.4 billion ``things'' will be connected,
a 31 percent increase from 2016, and that by 2020 we will reach 20.4
billion connected ``things.'' \1\ Internet connected refrigerators have
long been the poster child of IoT.
---------------------------------------------------------------------------
\1\ Gartner. Press Release, ``Gartner Says 8.4 Billion Connected
``Things'' Will Be in Use in 2017, Up 31 Percent From 2016.'' February
7, 2017.
---------------------------------------------------------------------------
Recent events indicate that there is more to it than just worrying
about your home refrigerator spilling your dieting secrets to the
world. This explosion in digital devices, the data they collect, and
the integration into our everyday workplaces and personal lives,
provides numerous economic and societal benefits--but it will also
require the security marketplace and practitioners to immediately
change the paradigm they use to design security solutions to one that
enhances security products and services. We cannot take a pause on
innovation to integrate security. IoT creates new business value,
improves customer experiences, and may possibly even save lives. For
example, in the U.K., neighborhoods are testing an IoT street lamp that
shines extra-bright when it detects noises such as banging and
hollering. It's also armed with cameras that transmit a live video feed
to the cloud for further review.
Despite its wonderful impact on our lives, emerging technology
creates more complexity for security teams because of lagging security
approaches and infrastructure. The security company, RSA, released a
Cyber Security Poverty Index in 2016 that indicated that 72 percent of
large enterprises, and these are the ones with the budget and resources
for a robust security program, are unprepared for all aspects of a data
breach (including identifying the scope, recovery, and
notification).\2\
---------------------------------------------------------------------------
\2\ RSA. ``2016 RSA Cybersecurity Poverty Index.''
---------------------------------------------------------------------------
Why do we need to act now? Security issues existed well before
integrating emerging technology, including IoT. Candidly, if we do not
make a commitment to a major shift in how we establish a new set of
security protocols, human safety, not just data, is at risk. How many
warnings do we need before we act? Many U.S. adults report they have
had their data stolen in a data breach and, in some cases,
have been victimized by identity theft. In fact, 2 in 5 Americans
reported to Bankrate.com that they have either been an identity theft
victim or know someone who has--this is a staggering statistic that
continues to escalate.\3\ We also know from recent FBI reports that
intellectual property theft, ransomware, and extortionware are on the
rise. As seen in October 2016, random cybercriminal groups can impact
major companies like Amazon, Twitter, and Netflix, who are almost
solely dependent upon the reliability of the web, and render them
unavailable to their customers via a Distributed Denial of Service
(DDoS) attack. We must not wait to change how we protect and defend our
emerging technology, data, and infrastructure until the next
catastrophic attack impacts human safety. The safety of humans trumps
cyber security. The time to act is now.
---------------------------------------------------------------------------
\3\ Dickler, Jessica. ``41 Million Americans Have Had Their
Identities Stolen, Survey Finds.'' CNBC. October 11, 2016.
---------------------------------------------------------------------------
Fortalice believes there are several specific challenges overall
for the security industry that this Committee should consider:
Marketplace demands for technological innovation are
outpacing security: An age old problem in the security industry
is the technology innovation lifecycle. For far too long,
industry has followed an inherently broken process for
producing new products. First, the great thinkers on the
innovation and design teams come up with an idea for the
marketplace. Second, the innovation and design teams develop
and build the product. Finally, once the product is already
built, the innovation and design teams consult the security
team during the testing phase. The security team may find
vulnerabilities, however, it is often too late or too expensive
to fix those vulnerabilities before going to market.
Cybercriminals know this technology innovation lifecycle is
flawed and take full advantage of it. Tomorrow's hot new IoT
item is today's target of cybercriminals. This flawed lifecycle
is exacerbated as emerging technologies hit the marketplace at
a dizzying pace. As we saw in the DDoS attack on October 21,
2016, when the Internet screeched to a slow crawl and in some
cases was inoperable, the lack of security in our emerging
technology hit critical mass. On that fateful day, baby cams,
smart devices from thermostats to security surveillance
cameras, and numerous IoT devices were weaponized and used to
target an Internet infrastructure company, Dyn. Dyn houses a
portion of the web's domain name system (DNS) infrastructure.
Companies, including but not limited to, CNN, Spotify, Reddit,
the New York Times, Netflix, Amazon, and Twitter were all
impacted that day. The DDoS attack was largely powered by the
Mirai botnet which took over the unsecured devices of innocent
consumers and businesses. This attack is considered the largest
DDoS attack ever to be reported.\4\ How do we prevent another
October 21st? The design phase must include security engineers
at the beginning. Implemented correctly, elegant security
design can enhance and improve the development cycle,
contribute to speed to market, and create a market
differentiator by focusing on privacy and security in the
design.
---------------------------------------------------------------------------
\4\ Woolf, Nicky. ``DDoS Attack That Disrupted Internet Was Largest
of Its Kind in History, Experts Say.'' The Guardian. Guardian News and
Media. October 26, 2016.
---------------------------------------------------------------------------
Security marketplace often solves for past cybercriminal
behavior and does not anticipate new tactics: Security vendors
today provide critical services that help companies monitor
networks; these services are necessary but not nearly
sufficient for combatting dynamic cybersecurity threats. While
having coffee with my esteemed security colleagues recently,
one challenged all of us to name a single security problem that
has been 100 percent eliminated in the last decade by security
solutions. We couldn't. The focus has been too heavy on
minimizing risk, and as we saw when we hit a milestone of one
million new pieces of malware released daily in 2015,\5\ it is
challenging for the security industry to keep up. The best that
most legacy security service models can do is react. For
example, most security services scan for known vulnerabilities
and then layer on more rules and more tools to protect against
known vulnerabilities. While this is an important service, the
security industry must also proactively anticipate the next
wave of threats. We know something is wrong with our
cybersecurity approach when worldwide spending on cybersecurity
is predicted to top $1 trillion for the five-year period from
2017 to 2021 and the Global Cost of Cybercrime will hit $6
Trillion Annually in 2021.\6\ That is not a winning business
case. The emerging technology lifecycle and the legacy
approaches to security must be disrupted now.
---------------------------------------------------------------------------
\5\ Harrison, Virginia and Pagliery, Jose. ``Nearly 1 Million New
Malware Threats Released Every Day.'' @CNNTech, April 14, 2015.
\6\ ``Global Cost of Cybercrime Predicted to Hit $6 Trillion
Annually By 2021, Study Says.'' Dark Reading. October 26, 2017.
---------------------------------------------------------------------------
NIST Framework sets a floor: In 2014, this Committee
spearheaded the Rockefeller-Thune act and significantly
advanced cybersecurity by codifying a voluntary and risk-based
process that forms the basis of major aspects of today's
cybersecurity risk management landscape. Fortalice has
performed dozens of assessments against the resulting National
Institute of Standards and Technology (NIST) Cybersecurity
Framework, and as we've seen through our clients, the next
phase for the NIST Framework should be enabling companies to
develop functional plans of execution. In our work with private
sector companies large and small, many are familiar with the
NIST Framework and have performed the assessment, but they are
unclear on how to integrate lessons learned from these
assessments into their everyday business processes.
A Framework for Maximizing Innovation and Security
Fortalice offers the following framework for maximizing innovation
and security:
1. Incentivize Security: One reason security is broken for all of us
is that security is not designed for the human psyche. We do
not expect untrained consumers to do their own dental work or
health physicals, but we expect them to know how to protect
themselves online. This is a fundamental design flaw that needs
to be changed through incentives. For companies that invest in
cybersecurity, either as a buyer or developer of emerging
technologies, offer R&D Tax Credits. For designers of emerging
technology, this will provide the financial incentive to speed
up and prioritize security engineering in design. For
businesses purchasing emerging technology, the R&D tax credit
for implementing security will incent them to ask the right
questions of vendors and product manufacturers. The questions
will lead to further adoption of best practices such as the
NIST framework. Financially incentivizing security ensures it
becomes a priority in the Boardroom in addition to the server
room. Additional tax or financial incentives should be awarded
to Internet Service Providers (ISPs) that agree to make
security for businesses and consumers work ``like an app''.
Imagine if businesses and consumers could update ISP routers
with vital security patches, block known bad traffic, and
receive alerts and warnings that Internet traffic is suspicious
and have the option to block it all via an app. That is how you
design for the human instead of asking the human to conform to
security.
2. Change the Narrative Regarding Data Breaches: The more we know
about a data breach, the more information we have to improve
security designs. Recognize that all companies that are victims
of cybercrime are truly victims. The media often vilifies
companies that have a data breach. This creates a huge
disincentive to companies that would otherwise come forward to
share their lessons learned from data breaches when they are
not compelled to do so.
3. Make Emerging Technologies Work for Security: Innovation and
emerging technologies can be leveraged to accelerate security.
For instance, IoT devices can be configured to produce
behavioral based analytics and monitor critical assets. IoT
security applications can also develop baselines for alerts and
notify security practitioners of key indicators, such as when
traffic volumes are high or when behavior patterns just don't
make sense. Policies should be crafted to further this end.
4. Promoting Risk Management Frameworks: Perhaps the most important
work that the Committee and Congress can do is to continue
leveraging the legislative process to examine and assess the
Nation's cybersecurity needs in the short- and long-term and
ultimately seek enactment of smart legislative solutions.
Fortalice commends the Committee on Rockefeller-Thune, and
codifying the NIST Framework process, and urges the Committee
to consider follow-on actions for this important legislation,
such as codifying incentives to promote further adoption of
risk-based cybersecurity models. Furthermore, private industry
would benefit from help with implementation in the form of case
studies with suggested implementation plans mapping out
suggested first, second, and third technical steps to help them
implement or transform their security programs. The Committee
could go even further--work to shift the emphasis in future
frameworks to making sure the basics are covered by providing
industry benchmarks that help explain how an organization is
protecting their data from the inevitable data breach.
5. Communication and Awareness: We encourage the Committee to
develop a communication campaign leveraging case studies to
continue to drive awareness. Examples include actively
promoting the work of this Committee through conferences,
social media sites such as LinkedIn, and opinion pieces in
local and national newspapers.
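As an added example that is not part of the hearing record and not Fortalice's own software, the following Python sketch shows the baseline-and-alert logic that item 3 above describes: it learns a per-device traffic baseline from a warm-up period, then flags later windows whose volume is far above baseline or that contact a destination the device has never used. The device names, host names, byte counts and the 203.0.113.9 address are constructed sample telemetry, not data from the hearing.

```python
"""Baseline-and-alert detection over constructed IoT traffic telemetry.

Added illustration, not code from the hearing record or from Fortalice.
Two of the indicators item 3 mentions are implemented:
  * "traffic volumes are high": a z-score against a per-device baseline
  * "behavior patterns don't make sense": a device talking to a host it
    has never talked to during the baseline period
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

# Constructed sample (not real telemetry): per device, a list of
# (bytes sent in a 5-minute window, set of remote hosts contacted).
# The camera's last two windows show the kind of jump a device pulled
# into a DDoS botnet would produce, plus a previously unseen destination.
SAMPLE_TELEMETRY: Dict[str, List[Tuple[int, Set[str]]]] = {
    "thermostat-01": [(v, {"cloud.vendor.example"}) for v in
                      (1200, 1180, 1250, 1190, 1210, 1230,
                       1205, 1195, 1220, 1210, 1240, 1200)],
    "ip-camera-07": [(v, {"video.vendor.example"}) for v in
                     (48000, 50200, 49500, 51000, 50500,
                      49800, 50100, 50300, 49900, 50400)]
                    + [(910000, {"video.vendor.example", "203.0.113.9"}),
                       (1250000, {"203.0.113.9"})],
    "dvr-03": [(v, {"nvr.vendor.example"}) for v in
               (20000, 20500, 19800, 21000, 20200, 19900,
                20700, 20300, 20100, 20600, 20400, 20800)],
}


@dataclass
class Baseline:
    mean: float
    stdev: float
    known_hosts: Set[str] = field(default_factory=set)


def build_baseline(windows: List[Tuple[int, Set[str]]],
                   floor_ratio: float = 0.05) -> Baseline:
    """Summarise the warm-up windows into a volume baseline and host set."""
    volumes = [v for v, _ in windows]
    mu = mean(volumes)
    sigma = pstdev(volumes)
    # A near-constant warm-up period yields a tiny stdev, so ordinary
    # jitter would alert; never let sigma fall below a fraction of the mean.
    sigma = max(sigma, mu * floor_ratio)
    hosts = set().union(*(h for _, h in windows))
    return Baseline(mu, sigma, hosts)


def volume_zscore(volume: int, baseline: Baseline) -> float:
    """How many baseline standard deviations above normal this window is."""
    return (volume - baseline.mean) / baseline.stdev


def detect_anomalies(windows: List[Tuple[int, Set[str]]],
                     warmup: int = 8,
                     z_threshold: float = 4.0) -> List[Tuple[int, int, str]]:
    """Learn a baseline from the first `warmup` windows, then flag later ones.

    Returns (window index, volume, reason) for each alerting window.
    """
    if len(windows) <= warmup:
        raise ValueError("need more windows than the warm-up period")
    baseline = build_baseline(windows[:warmup])
    alerts = []
    for idx, (volume, hosts) in enumerate(windows[warmup:], start=warmup):
        reasons = []
        z = volume_zscore(volume, baseline)
        if z > z_threshold:
            reasons.append(f"volume z={z:.1f}")
        new_hosts = hosts - baseline.known_hosts
        if new_hosts:
            reasons.append(f"new destination(s) {sorted(new_hosts)}")
        if reasons:
            alerts.append((idx, volume, "; ".join(reasons)))
    return alerts


def run(telemetry=SAMPLE_TELEMETRY) -> Dict[str, List[Tuple[int, int, str]]]:
    """Run detection for every device and return the alerts per device."""
    return {device: detect_anomalies(w) for device, w in telemetry.items()}


if __name__ == "__main__":
    for device, alerts in run().items():
        if not alerts:
            print(f"{device}: within baseline")
        for idx, volume, reason in alerts:
            print(f"{device}: window {idx} sent {volume} bytes ({reason})")
```

On the constructed data the thermostat and DVR stay within baseline, while the camera alerts on its last two windows for both volume and the new destination. The stdev floor matters in practice: devices with very regular traffic otherwise produce a baseline so tight that benign jitter becomes an alert.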
About Fortalice Solutions
Fortalice Solutions was founded in 2009 by former White House Chief
Information Officer, Theresa Payton, to provide and enhance national
and economic security through the delivery of highly-focused, mission-
critical cyber security solutions to clients. She and her business
partner, Vince Crisler, a former United States Air Force officer,
former White House Communications Agency Presidential Communications
Officer, and current cybersecurity subject matter expert to Fortune 200
companies, strive to ensure that every service and solution is grounded
in practicality and a real-world understanding of the threats to
people, their business, and nation. The Fortalice team represents the
highest quality of cyber security and intelligence talent available
today, and delivers analysis, training, action, transparency and
creative problem solving to keep what matters most safe. Fortalice has
deep experience in the cybersecurity life cycle, from the keyboards in
the server room to the boardroom.
Fortalice services include:
Designing, Protecting, and Orchestrating Significant
National Security Events
Risk, Threat, and Vulnerability Assessments
Incident Response and Forensics Support
Adversarial Targeting through Red Teaming and Penetration
Testing
Payment Card Industry (PCI), HITECH, FFIEC and Other
Regulatory Compliance Support
Cybersecurity Crisis Communications and Public Relations
Business Protection Plans
Strategic Spend Plan for Security that Answers: ``How Much
is ``Enough''?''
Confidential and Sensitive Company & Personal Communication
& Data Protection Strategies
Digital surveillance including Cyber asset and data
protection for executives, high-net-worth individuals, high-
profile individuals (e.g., politicians and celebrities), and
victims of cyberstalking, revenge porn, and other cybercrimes
Vendor Management and Supply Chain Security Protection
For more information visit us at: www.fortalicesolutions.com
The Chairman. We'll keep the record open for a couple of
weeks so if senators have additional questions that they want
to submit for the record. If you would respond as quickly as
you can to those questions, we'll try and wrap it up within a
couple of weeks time. So we would appreciate you doing that.
It has been a great panel. Thanks so much for your input. A
lot of good interaction. Lots of questions, probably more
questions than answers, but I think this is an issue that's
going to be with us for some time, and it's important that we
stay ahead of our adversaries and that we're constantly looking
for new and better ways, not only of taking full advantage of
the wonderful benefits of the innovation, the technologies out
there, but also to make sure that we are securing and providing
the right levels of security and safety for the American people
and for users of these great systems.
So thanks again. We appreciate it, panel. And with that,
this hearing is adjourned.
[Whereupon, at 12:15 p.m., the hearing was adjourned.]
A P P E N D I X
Electronic Privacy Information Center
Washington, DC, March 22, 2017
Hon. John Thune, Chairman,
Hon. Bill Nelson, Ranking Member,
U.S. Senate Committee on Commerce, Science, and Transportation,
Washington, DC.
Dear Chairman Thune and Ranking Member Nelson:
We write to you regarding the Committee's hearing on ``The Promises
and Perils of Emerging Technologies for Cybersecurity.'' \1\ American
consumers face unprecedented privacy and security threats. The
unregulated collection of personal data and the growth of the Internet
of Things has led to staggering increases in identity theft, security
breaches, and financial fraud in the United States. Artificial
Intelligence implicates a wide range of economic, social, and political
issues in the United States. These issues have a significant impact on
the future of cybersecurity, and we commend the Committee for exploring
them.
---------------------------------------------------------------------------
\1\ The Promises and Perils of Emerging Technologies for
Cybersecurity, 115th Cong. (2017), S. Comm. on Commerce, Science, and
Transportation, http://www.commerce.senate.gov/public/index.cfm/
hearings?ID=E0E0BBA1-231C-42A4-AF33-FC4DDFCF43C3 (March 22, 2017).
---------------------------------------------------------------------------
EPIC is a public interest research center established in 1994 to
focus public attention on emerging privacy and civil liberties
issues.\2\ EPIC is a leading advocate for consumer privacy and has
appeared before this Committee on several occasions.\3\ EPIC is also
focused on the impact of Artificial Intelligence (AI) on American
society. In recent years, EPIC has opposed government use of ``risk-
based'' profiling,\4\ brought attention to the use of proprietary
techniques for criminal justice determinations,\5\ and litigated
several cases on the front lines of AI. In 2014, EPIC sued the U.S.
Customs and Border Protection under the Freedom of Information Act
(``FOIA'') for documents about the use of secret tools to assign ``risk
assessments'' to U.S. citizens.\6\ EPIC also sued the Department of
Homeland Security seeking documents related to a program that assesses
``physiological and behavioral signals'' to an individual's likelihood
to commit a crime.\7\
---------------------------------------------------------------------------
\2\ See EPIC, About EPIC, https://epic.org/epic/about.html.
\3\ See, e.g., Marc Rotenberg, EPIC Executive Director, Testimony
before the U.S. Senate Committee on Commerce, Science, and
Transportation, Commerce Committee, Internet Privacy and Profiling
(June 13, 2000), https://epic.org/privacy/internet/senate-
testimony.html; Letter from EPIC to the U.S. Senate Committee on
Commerce, Science, and Transportation on Oversight of the FTC (Sept.
26, 2016), https://epic.org/privacy/consumer/EPIC-Letter-Sen-Comm-CST-
FTC-Oversight.pdf; Letter from EPIC to the U.S. House of
Representatives Committee on Energy and Commerce on FCC Privacy Rules
(June 13, 2016), https://epic.org/privacy/consumer/EPIC-FCC-Privacy-
Rules.pdf.
\4\ EPIC et al., Comments Urging the Department of Homeland
Security To (A) Suspend the ``Automated Targeting System'' As Applied
To Individuals, Or In the Alternative, (B) Fully Apply All Privacy Act
Safeguards To Any Person Subject To the Automated Targeting System
(Dec. 4, 2006), available at http://epic.org/privacy/pdf/
ats_comments.pdf; EPIC, Comments on Automated Targeting System Notice
of Privacy Act System of Records and Notice of Proposed Rulemaking,
Docket Nos. DHS-2007-0042 and DHS-2007-0043 (Sept. 5, 2007), available
at http://epic.org/privacy/travel/ats/epic_090507.pdf. See also,
Automated Targeting System, EPIC, https://epic.org/privacy/travel/ats/.
\5\ EPIC Sues Justice Department Over ``Risk Assessment''
Techniques, EPIC (March 7, 2017), https://epic.org/2017/03/epic-sues-
justice-department-o.html (EPIC's Complaint against the DOJ is available
at https://epic.org/foia/doj/criminal-justice-algorithms/EPIC-v-DOJ-
criminal-justice-algorithmscomplaint.pdf).
\6\ EPIC v. CBP (Analytical Framework for Intelligence), EPIC,
https://epic.org/foia/dhs/cbp/afi/.
\7\ EPIC v. DHS--FAST Program, EPIC, https://epic.org/foia/dhs/
fast/.
---------------------------------------------------------------------------
The Internet of Things Poses Numerous Privacy and Security Risks
The Internet of Things (IoT) poses significant privacy and security
risks to American consumers.\8\ The Internet of Things expands the
ubiquitous collection of consumer data. This vast quantity of data
could be used for purposes that are adverse to consumers, including
remote surveillance. Smart devices also reveal a wealth of personal
information about consumers, which companies may attempt to exploit by
using it to target advertising or selling it directly. Because the IoT
generates data from all aspects of consumers' daily existence, these
types of secondary uses could lead to the commercialization of intimate
segments of consumers' lives.
---------------------------------------------------------------------------
\8\ See Comments of EPIC to NTIA, On the Benefits, Challenges, and
Potential Roles for the Government in Fostering the Advancement of the
Internet of Things (June 2, 2016), https://epic.org/apa/comments/EPIC-
NTIA-on-IOT.pdf; Internet of Things, EPIC, https://epic.org/privacy/
internet/iot/.
---------------------------------------------------------------------------
Many IoT devices feature ``always on'' tracking technology that
surreptitiously records consumers' private conversations in their
homes.\9\ These ``always on'' devices raise numerous privacy concerns,
including whether consumers have granted informed consent to this form
of tracking. Even if the owner of an ``always on'' device has consented
to constant, surreptitious tracking, a visitor to their home may not.
Companies say that the devices rely on key words, but to detect those
words, the devices must always be listening. And the key words are
easily triggered. For example, several Amazon Echo devices treated a
radio broadcast about the device as commands.\10\ A San Diego
television report about a girl using an Echo to order a $170 dollhouse
and four pounds of sugar cookies triggered Echo devices across the city
to make the same purchase.\11\ A recent law enforcement request for
Amazon Echo recordings \12\ shows that ``always on'' devices will be
much sought-after sources of information by law enforcement, foreign
and domestic intelligence agencies, and, inevitably, cybercriminals.
---------------------------------------------------------------------------
\9\ EPIC Letter to DOJ Attorney General Loretta Lynch, FTC
Chairwoman Edith Ramirez on ``Always On'' Devices (July 10, 2015),
https://epic.org/privacy/internet/ftc/EPIC-Letter-FTC-AG-Always-On.pdf.
\10\ Rachel Martin, Listen Up: Your AI Assistant Goes Crazy For NPR
Too, NPR (Mar. 6, 2016), http://www.npr.org/2016/03/06/469383361/
listen-up-your-ai-assistant-goes-crazy-for-npr-too.
\11\ Carlos Correa, News Anchor Sets off Alexa Devices Around San
Diego Ordering Unwanted Dollhouses, CW6 (Jan. 5, 2017), http://
www.cw6sandiego.com/news-anchor-sets-off-alexa-devices-around-san-
diego-ordering-unwanted-dollhouses/.
\12\ See Christopher Mele, Bid for Access to Amazon Echo Audio in
Murder Case Raises Privacy Concerns, N.Y. Times (Dec. 28, 2016),
https://www.nytimes.com/2016/12/28/business/amazon-echo-murder-case-
arkansas.html.
---------------------------------------------------------------------------
Another significant risk to consumers in the IoT is security, of
both the users' data and their physical person. Many of the same
security risks that currently threaten our data will only expand in the
Internet of Things. The damage caused by malware, phishing, spam, and
viruses will have an increasingly large array of networks in which to
spread.\13\ Additionally, not all wireless connections in the IoT are
encrypted.\14\ Researchers who studied encryption within the IoT found
that ``many of the devices exchanged personal or private information
with servers on the Internet in the clear, completely unencrypted.''
\15\
---------------------------------------------------------------------------
\13\ See EUROPEAN COMM'N, A DIGITAL AGENDA FOR EUROPE, 16-18
(2010), http://eur-lex.europa.eu/LexUriServ/
LexUriServ.do?uri=COM:2010:0245:FIN:EN:PDF.
\14\ Federal Motor Vehicle Safety Standards; Event Data Recorders,
Docket No. NHTSA-2012-0177 (Comments of Privacy Coalition), 10 https://
epic.org/privacy/edrs/EPIC-Coal-NHTSA-EDR-Cmts.pdf.
\15\ Nick Feamster, Who Will Secure the Internet of Things?,
FREEDOM TO TINKER (Jan. 19, 2016) https://freedom-to-tinker.com/blog/
feamster/who-will-secure-the-internet-of-things/ (emphasis in
original).
---------------------------------------------------------------------------
In addition to data security risks, the IoT also poses risks to
physical safety and personal property. This is particularly true given
that the constant flow of data so easily delineates sensitive behavior
patterns, and flows over networks that are not always secure, leaving
consumers vulnerable to malicious hackers. For instance, a hacker could
monitor Smart Grid power usage to determine when a consumer is at work,
facilitating burglary, unauthorized entry, or worse. Researchers have
already demonstrated the ability to hack into connected cars and
control their operation, which poses potentially catastrophic risks to
the public.\16\
---------------------------------------------------------------------------
\16\ See, e.g., Karl Brauer & Akshay Anand, Braking the Connected
Car: The Future of Vehicle Vulnerabilities, RSA Conference 2016,
https://www.rsaconference.com/writable/presentations/file_upload/ht-
t11-hacking-the-connected-car-thetfuturetof-vehicle-
vulnerabilities.pdf; FireEye, Connected Cars: The Open Road for Hackers
(2016), https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/
connected-cars-the-open-road-for-hackers.pdf.
---------------------------------------------------------------------------
It is not only the owners of IoT devices who suffer from the
devices' poor security. The IoT has become a ``botnet of things''--a
massive network of compromised web cameras, digital video recorders,
home routers, and other ``smart devices'' controlled by cybercriminals
who use the botnet to take down websites by overwhelming the sites with
traffic from compromised devices.\17\ The IoT was largely to blame for
attacks in 2016 that knocked Twitter, Paypal, Reddit, Pinterest, and
other popular websites off of the web for most of a day.\18\ They were
also behind the attack on security blogger Brian Krebs' website, one of
the largest attacks ever seen.\19\
---------------------------------------------------------------------------
\17\ See Bruce Schneier, We Need to Save the Internet from the
Internet of Things, Schneier on Security (Oct. 6, 2016), https://
www.schneier.com/essays/archives/2016/10/we_need_to_
save_the_.html
\18\ See Scott Hilton, Dyn Analysis Summary of Friday October 21
Attack, Dyn.com (Oct. 26, 2016), http://dyn.com/blog/dyn-analysis-
summary-of-friday-october-21-attack/.
\19\ See Brian Krebs, KrebsOnSecurity Hit With Record DDoS,
KrebsOnSecurity (Sept. 21, 2016), https://krebsonsecurity.com/2016/09/
krebsonsecurity-hit-with-record-ddos/.
---------------------------------------------------------------------------
These problems will not be solved by the market. Because poor IoT
security is something that primarily affects other people, neither the
manufacturers nor the owners of those devices have any incentive to fix
weak security. Compromised devices still work fine, so most owners of
devices that have been pulled into the ``botnet of things'' had no idea
that their IP cameras, DVRs, and home routers are no longer under their
own control. As
Bruce Schneier said in recent congressional testimony, a manufacturer
who puts a sticker on the box that says ``This device costs $20 more
and is 30 percent less likely to annoy people you don't know'' probably
will not get many sales.\20\ We urge the Committee to address these
numerous privacy and security concerns as it moves forward on
legislation related to the Internet of Things.
---------------------------------------------------------------------------
\20\ Testimony of Bruce Schneier before the House Committee on
Energy & Commerce, Understanding the Role of Connected Devices in
Recent Cyber Attacks, 114th Cong. (2016).
---------------------------------------------------------------------------
The Challenge of AI
There is understandable enthusiasm about new techniques that
promise medical breakthroughs, more efficient services, and new
scientific outcomes. But there is also reason for caution. Computer
scientist Joseph Weizenbaum famously illustrated the limitations of AI
in the 1960s with the development of the Eliza program. The program
extracted key phrases and mimicked human dialogue in the manner of non-
directional psychotherapy. The user might enter, ``I do not feel well
today,'' to which the program would respond, ``Why do you not feel well
today?'' Weizenbaum later argued in Computer Power and Human Reason
that computers would likely gain enormous computational power but
should not replace people because they lack such human qualities as
compassion and wisdom.\21\
---------------------------------------------------------------------------
\21\ Joseph Weizenbaum, Computer Power and Human Reason: From
Judgment to Calculation (1976).
---------------------------------------------------------------------------
We face a similar reality today. EPIC has concluded that one of the
primary public policy goals for AI must be ``Algorithmic
Transparency.'' \22\
---------------------------------------------------------------------------
\22\ Algorithmic Transparency, EPIC, https://epic.org/algorithmic-
transparency/.
---------------------------------------------------------------------------
The Need for Algorithmic Transparency
Democratic governance is built on principles of procedural fairness
and transparency. And accountability is key to decision making. We must
know the basis of decisions, whether right or wrong. But as decisions
are automated, and we increasingly delegate decisionmaking to
techniques we do not fully understand, processes become more opaque and
less accountable. It is therefore imperative that algorithmic process
be open, provable, and accountable. Arguments that algorithmic
transparency is impossible or ``too complex'' are not reassuring. We
must commit to this goal.
It is becoming increasingly clear that Congress must regulate AI to
ensure accountability and transparency:
Algorithms are often used to make adverse decisions about
people. Algorithms deny people educational opportunities,
employment, housing, insurance, and credit.\23\ Many of these
decisions are entirely opaque, leaving individuals to wonder
whether the decisions were accurate, fair, or even about them.
---------------------------------------------------------------------------
\23\ Danielle Keats Citron & Frank Pasquale, The Scored Society:
Due Process for Automated Predictions, 89 Wash. L. Rev. 1 (2014).
---------------------------------------------------------------------------
Secret algorithms are deployed in the criminal justice
system to assess forensic evidence, determine sentences, and
even to decide guilt or innocence.\24\ Several states use
proprietary commercial systems, not subject to open government
laws, to determine guilt or innocence. The Model Penal Code
recommends the implementation of recidivism-based actuarial
instruments in sentencing guidelines.\25\ But these systems,
which defendants have no way to challenge, are racially biased,
unaccountable, and unreliable for forecasting violent
crime.\26\
---------------------------------------------------------------------------
\24\ EPIC v. DOJ (Criminal Justice Algorithms), EPIC,
https://epic.org/foia/doj/criminal-justice-algorithms/; Algorithms in the
Criminal Justice System, EPIC,
https://epic.org/algorithmic-transparency/crim-justice/.
\25\ Model Penal Code: Sentencing Sec. 6B.09 (Am. Law. Inst.,
Tentative Draft No. 2, 2011).
\26\ See Julia Angwin et al., Machine Bias, ProPublica (May 23,
2016),
https://www.propublica.org/article/machine-bias-risk-assessments-in-criminal-sentencing.
---------------------------------------------------------------------------
Algorithms are used for social control. China's Communist
Party is deploying a ``social credit'' system that assigns to
each person a government-determined favorability rating.
``Infractions such as fare cheating, jaywalking, and violating
family-planning rules'' would affect a person's rating.\27\ Low
ratings are also assigned to those who frequent disfavored
websites or socialize with others who have low ratings.
Citizens with low ratings will have trouble getting loans or
government services. Citizens with high ratings, assigned by the
government, receive preferential treatment across a wide range
of programs and activities.
---------------------------------------------------------------------------
\27\ Josh Chin & Gillian Wong, China's New Tool for Social Control:
A Credit Rating for Everything, Wall Street J., Nov. 28, 2016,
http://www.wsj.com/articles/chinas-new-tool-for-social-control-a-credit-rating-for-everything-1480351590.
---------------------------------------------------------------------------
In the United States, U.S. Customs and Border Protection has
used secret analytic tools to assign ``risk assessments'' to
U.S. travelers.\28\ These risk assessments, assigned by the
U.S. Government to U.S. citizens, raise fundamental questions
about government accountability, due process, and fairness.
They may also be taking us closer to the Chinese system of
social control through AI.
---------------------------------------------------------------------------
\28\ EPIC v. CBP (Analytical Framework for Intelligence), EPIC,
https://epic.org/foia/dhs/cbp/afi/.
---------------------------------------------------------------------------
EPIC believes that ``Algorithmic Transparency'' must be a
fundamental principle for all AI-related work.\29\ The phrase has both
literal and figurative dimensions. In the literal sense, it is often
necessary to determine the precise factors that contribute to a
decision. If, for example, a government agency considers a factor such
as race, gender, or religion to produce an adverse decision, then the
decision-making process should be subject to scrutiny and the relevant
factors identified.
---------------------------------------------------------------------------
\29\ At UNESCO, Rotenberg Argues for Algorithmic Transparency, EPIC
(Dec. 8, 2015), https://epic.org/2015/12/at-unesco-epics-rotenberg-
argu.html.
---------------------------------------------------------------------------
Some have argued that algorithmic transparency is simply
impossible, given the complexity and fluidity of modern processes. But
if that is true, there must be some way to recapture the purpose of
transparency without simply relying on testing inputs and outputs. We
have seen recently that it is almost trivial to design programs that
evade testing.\30\
---------------------------------------------------------------------------
\30\ See Jack Ewing, In '06 Slide Show, a Lesson in How VW Could
Cheat, N.Y. Times, Apr. 27, 2016, at A1.
---------------------------------------------------------------------------
In the formulation of European data protection law, which follows
from the U.S. Privacy Act of 1974, individuals have a right to access
``the logic of the processing'' concerning their personal
information.\31\ That principle is reflected in the transparency of the
FICO score, which for many years remained a black box for consumers,
making determinations about credit worthiness without any information
provided to the customers about how to improve the score.\32\
---------------------------------------------------------------------------
\31\ Directive 95/46/EC--The Data Protection Directive, art 15 (1),
1995,
http://www.dataprotection.ie/docs/EU-Directive-95-46-EC--Chapter-2/93.htm.
\32\ See Hadley Malcom, Banks Compete on Free Credit Score Offers,
USA Today, Jan. 25, 2015, http://www.usatoday.com/story/money/2015/01/
25/banks-free-credit-scores/22011803/.
---------------------------------------------------------------------------
Building on this core belief in algorithmic transparency, EPIC has
urged public attention to four related principles to establish
accountability for AI systems:
``Stop Discrimination by Computer''
``End Secret Profiling''
``Open the Code''
``Bayesian Determinations are not Justice''
The phrases are slogans, but they are also intended to provoke a
policy debate and could provide the starting point for public policy
for AI. And we would encourage you to consider how these themes could
help frame future work by the Committee.
The continued deployment of AI-based systems raises profound issues
for democratic countries. As Professor Frank Pasquale has said:
Black box services are often wondrous to behold, but our black
box society has become dangerously unstable, unfair, and
unproductive. Neither New York quants nor California engineers
can deliver a sound economy or a secure society. Those are the
tasks of a citizenry, which can perform its job only as well as
it understands the stakes.\33\
---------------------------------------------------------------------------
\33\ Frank Pasquale, The Black Box Society: The Secret Algorithms
that Control Money and Information 218 (Harvard University Press 2015).
---------------------------------------------------------------------------
We ask that this letter be entered in the hearing record. EPIC
looks forward to working with the Committee on these and other issues
impacting the privacy and security of American consumers.
Sincerely,
Marc Rotenberg,
EPIC President.
Caitriona Fitzgerald,
EPIC Policy Director.
______
Response to Written Questions Submitted by Hon. John Thune to
Caleb Barlow
Question 1. Quantum computing has the potential to solve problems
current computers today cannot solve. How can industry work with
academia and the public sector to ensure we see the benefits of such
computing, while managing the potential encryption security
implications?
Answer. The United States industry, academia and the public sector
(DARPA/IARPA, and the DoE) must focus on accelerating the research and
development of moderate-sized quantum computers and algorithms needed
to solve problems such as chemical simulation for materials development
and a wide range of optimization problems from improving supply chain
logistics to financial portfolio decisions. There is potential for
significant economic benefit by solving these types of problems that
classical computers cannot practically solve.
Industry, academia and public sector (i.e., NSF) must:
Educate not only the current technical population but also
emerging high school, college and graduate school students on
quantum information theory and quantum computing fundamentals
Ensure access to quantum computing systems to drive
education, to drive algorithm development and to build a
vibrant U.S. ecosystem of hardware, software and solution
vendors
Quantum decryption leveraging Shor's Algorithm \1\ will require
larger fault-tolerant quantum systems. Industry and academia should be
continuing to work with public sector agencies, such as NIST, to
identify new encryption techniques that are not tractable for the
eventual fault-tolerant quantum systems of the future, even if those
systems are several decades away from being practical.
---------------------------------------------------------------------------
\1\ Shor's algorithm is a quantum algorithm (an algorithm that
runs on a quantum computer) for integer factorization formulated in
1994.
---------------------------------------------------------------------------
Question 2. I was pleased to hear that the emerging technologies
discussed at the hearing have the potential to create new jobs and
build a well-trained cybersecurity workforce. In my home state of South
Dakota, Dakota State University is helping to meet this demand by
doubling enrollment in its cybersecurity program in the last five
years, serving as a major participant in the National Science
Foundation's CyberCorps program, and hosting GenCyber camps for high
school girls.
a. What steps should American educational institutions take to
encourage more students to choose cyber careers?
b. How can we promote the development of entry-level cybersecurity
education using emerging technology tools? How can we also promote
education in higher skill levels in this field?
Answer. As discussed during the hearing and in my written
testimony, there is a significant workforce shortage to fill
cybersecurity positions. Information technology and security roles
require specialized skills and knowledge. IBM is championing a new
educational model \2\ coupled with a ``new collar'' approach to security
hiring, going beyond traditional methods of talent recruitment and
focusing more on skills than actual degrees earned.
---------------------------------------------------------------------------
\2\ https://www.ibm.com/blogs/policy/ibm-ceo-ginni-romettys-letter-
u-s-president-elect/
---------------------------------------------------------------------------
At IBM, as many as one-third of employees do not have a four-year
degree. As of 2015, new collar cybersecurity professionals have
accounted for around 20 percent of IBM Security's hiring in the U.S.
Much of this is due to partnerships with schools for training and
education as well as expanding our traditional recruiting as
demonstrated by IBM's Veterans Employment Accelerator, cyber training
and certifying programs for military veterans.
While we do need to start educating students early about careers in
cybersecurity, it needs to be recognized that the security industry
needs people of all backgrounds, with creative problem solving skills,
and ability to drive collaboration. Skills alignment needs to be the
education reform issue. We need to match career and technical training
with new collar career paths.
There are things that Congress can do to help with this alignment
around skills:
1) Update and expand career-focused education to help more people
learn in-demand skills at every stage. For example, reorient
vocational training programs around skills needed in the labor
market or update the Federal Work-Study Program with career-
focused internships at companies
2) Create and fund a 21st century apprenticeship program to recruit
and train/retrain workers to fill critical skills gaps
3) Support standards and certifications for new collar skills, just
as it has been done for other technical skills, like automotive
technicians and welders, providing recognition of sufficiently
qualified candidates
Lastly, I've attached 3 links to new collar stories that illustrate
this new collar approach to hiring--from turning a liberal arts degree
into web-developer to harnessing specific on the job skills into
creating malware defense technologies and lastly, an early success
story from IBM's PTECH education model.
https://www.ibm.com/blogs/policy/writing-new-collar-story-code/
https://www.ibm.com/blogs/policy/griff-griffin/
https://www.ibm.com/blogs/policy/hacking-way-new-collar-education/
Question 3. Both technologies and threats are continually evolving.
This Committee has passed significant, bipartisan legislation to
advance voluntary, public-private collaboration on cybersecurity, as
well as research and workforce development. For example, the
Cybersecurity Enhancement Act of 2014 authorized the process for the
NIST Framework for Improving Critical Infrastructure Cybersecurity. The
NIST framework employs a flexible, risk-management approach that the
private sector and security experts have praised. Do you believe that
cybersecurity policy, especially in the context of the emerging fields
we discussed at the hearing, should maintain a flexible, voluntary
approach, and avoid mandatory compliance measures?
Answer. IBM commends the Committee for their continued support of a
non-regulatory, risk management approach to cybersecurity. We continue
to support the NIST Cybersecurity Framework and believe that a risk
based approach is the best way to manage the dynamic environment that
is cyberspace. Cybersecurity is, and will continue to be, a fast-paced
and constantly evolving landscape. Any cyber policy that is rigid and
static will fail because it will not be able to keep up with rapid
changes in threats and technology. The same can be said for emerging
technologies as we are on the cusp of a new era with understanding how
artificial intelligence and cognitive can transform every facet of life
and work. Placing compliance measures on emerging technologies, whether
for security or privacy reasons, will stifle the growth of the digital
future and the benefits that will come along.
Question 4. The cybersecurity of the Internet of things must be a
top priority. Many of the devices in the Dyn attack last year were
manufactured and located outside the U.S. How can we address
cybersecurity risks from an international perspective? Given these
devices provide a significant benefit to our economy, how do we also
ensure American innovators are not at a competitive disadvantage in the
global marketplace?
Answer. As I mentioned in my testimony, what made the Dyn attack
unique was the use of common household items or devices, all with
factory supplied passwords that consumers typically do not change. A
sizable number of IoT devices come preloaded with identical credentials
across multiple devices. Although these default credentials should be
changed by users before the devices are made operational, they're often
left as is.
Default secrets aren't secret. Attackers can use them to take over
such devices for unintended purposes, making them vulnerable to
sabotage or disruption. By delivering devices that prompt for a
mandated password change upon first use, however, manufacturers can
help ensure that default credentials can't persist.
At IBM, we have determined there are ``Five Indisputable Facts
about IoT Security'' when building and deploying IoT devices--one of
which is mentioned above regarding default passwords.\3\ We have
developed a podcast series around each fact to help end users and
manufacturers understand how to increase security and protect data in
IoT. I've provided the link to the series here--
https://securityintelligence.com/media/podcast-iot-security-fact-1-devices-will-operate-in-hostile-environments/
--and I encourage the Committee to listen and follow up with any
questions.
---------------------------------------------------------------------------
\3\ https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEF03018USEN&ce=ISM0484&ct=SWG&cmp=IBMSocial&cm=h&cr=Security&ccy=US&cm_mc_uid=67767554257814879487367&cm_mc_sid_50200000=1492781598&cm_mc_sid_52640000=1492781598
---------------------------------------------------------------------------
We must treat and consider connected equipment as computers that
can be attacked, compromised and co-opted and therefore protect them
with techniques used on any other computer (i.e., defense in depth,
network protections, supply chain protections, etc.). Monitoring and
response will also be necessary (prevent, detect, respond, recover)
since we all have to keep playing defense as we operate on the
Internet.
In addition to the ``Five Facts'', it is incumbent upon industry to
ensure that such common devices are not easily co-opted into botnets by
utilizing secure engineering practices (i.e., IBM Secure Engineering
Framework, ISO27001, etc.) in development. Furthermore, by
adhering to secure lifecycle approaches, based on best practices like
ISO20243,\4\ and promoting the adoption of IoT management
platforms to ensure devices are maintained in a secure state, the U.S.
will continue to lead in IoT innovation. IoT platforms, like Watson IoT
Platform, are the control points for overall IoT operations--
``configure and manage a secure environment appropriate for device,
application and user requirements.'' \5\
---------------------------------------------------------------------------
\4\ https://www.iso.org/standard/67394.html
\5\ https://www.ibm.com/internet-of-things/platform/iot-security/;
https://www.ibm.com/blogs/internet-of-things/security/;
https://www.ibm.com/blogs/internet-of-things/security-cognitive-iot/
---------------------------------------------------------------------------
These IoT platforms should be built to handle multiple data streams
from disparate sources and implement privacy by design and security by
design.
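The mandated first-use password change recommended in the answer above, as an added example that is not part of the hearing record or of IBM's code: a small credential policy for one device in which the factory password unlocks nothing but the change-password step, the new password may not repeat the factory default, and a fleet-side check lists devices that have never rotated. The device ids, passwords and management actions are constructed for illustration.

```python
"""Added example (not from the hearing record): first-boot credential policy
that does not let a factory-default password persist on an IoT device."""

import hashlib
import hmac
import os
import secrets

MIN_PASSWORD_LENGTH = 12
PBKDF2_ROUNDS = 100_000


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so a stored credential is not reversible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ROUNDS)


def generate_factory_password() -> str:
    """Per-unit factory password (for the device label): unique per device,
    so one leaked default does not open a whole product line."""
    return secrets.token_urlsafe(12)


class Device:
    """Credential state of one device (constructed model, not a real product)."""

    def __init__(self, device_id: str, factory_password: str) -> None:
        self.device_id = device_id
        self._factory_salt = os.urandom(16)
        self._factory_hash = _derive(factory_password, self._factory_salt)
        # Until rotation the active credential is the factory credential.
        self._salt, self._hash = self._factory_salt, self._factory_hash
        self.must_change = True  # cleared only by a successful rotation

    def _verify(self, password: str) -> bool:
        return hmac.compare_digest(_derive(password, self._salt), self._hash)

    def _is_factory_default(self, password: str) -> bool:
        """Checked against the factory hash, which is kept after rotation."""
        return hmac.compare_digest(_derive(password, self._factory_salt),
                                   self._factory_hash)

    def change_password(self, current: str, new: str) -> str:
        if not self._verify(current):
            return "bad_credentials"
        if len(new) < MIN_PASSWORD_LENGTH:
            return "too_short"
        if self._is_factory_default(new):
            return "reuses_factory_default"
        self._salt = os.urandom(16)  # fresh salt for the new credential
        self._hash = _derive(new, self._salt)
        self.must_change = False
        return "ok"

    def handle(self, password: str, action: str, new_password: str = "") -> str:
        """Management-plane entry point: one credential check, then the gate.
        Returns a short status string so a caller can log the outcome."""
        if not self._verify(password):
            return "bad_credentials"
        if action == "change_password":
            return self.change_password(password, new_password)
        if self.must_change:
            # The factory credential reaches nothing but the password change.
            return "setup_required"
        return "ok:" + action


def devices_still_on_factory_default(fleet) -> list:
    """Fleet-side check a management platform can run: ids of devices whose
    factory credential is still the active one."""
    return sorted(d.device_id for d in fleet if d.must_change)


if __name__ == "__main__":
    factory = generate_factory_password()
    cam = Device("cam-01", factory)
    print(cam.handle(factory, "reboot"))                           # setup_required
    print(cam.handle(factory, "change_password", "correct-horse-battery"))  # ok
    print(cam.handle(factory, "reboot"))                           # bad_credentials
    print(devices_still_on_factory_default([cam, Device("cam-02", "x")]))
```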
______
Response to Written Question Submitted by Hon. Todd Young to
Caleb Barlow
Question. Mr. Barlow, in the areas of artificial intelligence and
quantum computing, where does the United States stand compared to other
countries? What should the U.S. do to regain/maintain its technological
lead in these areas? What, if any, statutory or regulatory changes are
required?
The United States has made significant advances in quantum
computing, however, with significant strategic state investments by
countries such as China in their own ecosystems we are concerned that
it will be difficult for private companies to compete on equal footing.
Across the world, including our neighbor to the north, Canada, there
are several university and research lab based consortia being built,
and the United States must continue to build and focus our own
investments to support communities around quantum information science
and quantum computing. This includes access to systems and research
calls in promising applications of the technology. Some leading U.S.
participants include but are not limited to IBM, Google, Microsoft and
representatives from academia including MIT, Yale and UC Santa Barbara.
Regardless of the focus there is still a need for more investment
in this critical technology to ensure continued U.S. leadership.
Below are examples of international quantum efforts:
Canada: strong presence in quantum computing industry and
academia. The University of Waterloo is one of the first academic
institutions to offer degrees in quantum information science.
Canada's D-Wave is the largest current manufacturer of quantum
computing systems (and its benefits can be explained by
Canadian Prime Minister Trudeau
https://www.youtube.com/watch?v=4ZBLSjF56S8)
European Union: announced last year a 1B Euro flagship
initiative on quantum technologies.
Australia: announced a 70M joint government, industry and
academic investment in quantum computing technology.
The Chinese Academy of Sciences announced a ``hack proof''
quantum satellite in January 2017. Alibaba announced in 2015
that it was building a quantum computing laboratory with
support from the Chinese Academy of Science.
The United States currently has a strong position in artificial
intelligence and leads in creation of new technologies, but (a) China
is moving quickly on AI technology, driven by significant government
investment and by mass deployment of applications for consumers; and
(b) Canada has key academic leaders in AI. To ensure AI
competitiveness, the U.S. Government needs to act now and help foster:
(a) open data sets and challenge problems to drive AI research in the
U.S.; (b) AI research and development in academia and corporations; and
(c) invest in talent development at U.S. universities as we have too
few AI and data scientist graduates entering the workforce.
______
Response to Written Question Submitted by Hon. Edward Markey to
Caleb Barlow
Question. The Federal Government relies on Internet of Things
devices and could bear a heavy burden if these devices are breached by
a cyberattack. To align security incentives and promote cybersecurity,
should contractors and vendors selling Internet of Things devices to
the Government be required to bear their financial responsibility in
the event of a material breach through mechanisms like cyber insurance?
Answer. Thank you Senator Markey for the question. I think it is
important to put in context that cybersecurity concerns apply to IoT
much as they do to other digital environments. Connected devices can be
used as personal devices as well as part of critical infrastructure.
As with most discussions with public and private sector clients
regarding general allocation of risk--whether it is in the context of
IoT, data security, etc.--the balance of providing an appropriate level
of protection for those who might suffer injury or loss and ensuring
that liability rests on the most appropriate party must be struck. Liability
risks discussed with respect to IoT are not new or specific to IoT. We
believe that the well-established existing legal framework is fit to
address liability issues in the field of IoT. Contractual liability
offers the most flexible way to adapt to the specificities of each
product and situation and existing tort law imposes liability for
damages caused by products with design defects or manufacturing
defects.
Requiring cyber insurance for the producer could result in an
increased cost of production which the producer would have to shift onto
the price of the products. This would result in an increased cost of the
products which may in fact represent an obstacle for distribution in
the market and prevent the spread and development of technology.
______
Response to Written Questions Submitted by Hon. Tammy Duckworth to
Caleb Barlow
Question 1. To all of the Witnesses, beyond standards and
frameworks, from an industry perspective, what are the top three to
five best practices you've identified to protect critical
infrastructure that enables companies and governments to enact
proactive measures instead of just focusing on the response to threats
or disasters? Specifically, I want to know how we move from reaction to
proaction.
Answer. At IBM, we are continually evolving our capabilities to
stop threats at speed and scale. However, we are finding that many
organizations are drowning in a sea of unmanageable, disconnected point
products and services, each designed with a specific task making it
that much more challenging to stay at pace with the ongoing threat.
Some organizations report they are using as many as 85 security
products--from more than 40 vendors--at once. As each tool is added,
the cost associated with installing, configuring, managing, upgrading
and patching continue to grow. And with the skills gap plaguing the
industry, where the necessary expertise isn't always available, it's
easy to see how more threats are continuing to generate more vendors,
more tools--and more headaches. Yesterday's security era of moats and
firewalls is antiquated. The reality is that even with the best
perimeter defenses, some attacks will get through. From a technical
standpoint, we must move towards managing and remediating threats like
an immune system.
The analogy is this: As humans, we have finely tuned and highly
adaptive immune systems to help us fight off all kinds of attacks that
would otherwise destroy us. Our bodies are intelligent, organized,
efficient systems that can instantly recognize an invader and take
action to block its entry or destroy it. Therefore, we need to manage
security like an immune system and develop an integrated and
intelligent security system with analytics and cognitive technologies
at its core.
As I mentioned in my testimony, the health analogy also extends to
the need for the public and private sector to more actively share
threat data--similar to how the Centers for Disease Control and World
Health Organization rapidly share data and collaborate to battle
pandemics and other health outbreaks. IBM is constantly evolving this
approach with focused investments in cognitive, collaboration and cloud
that drive our innovation.
Lastly, but just as important, it is imperative that organizations
prepare and train for security incident response--from a lost employee
laptop to a highly sophisticated breach--for a prompt and highly
coordinated response in the event of an issue. Organizations need to
deploy incident response technologies to automate and speed processes,
from a multitude of regulatory filings, to client and employee
notification.
Question 2. As this committee moves forward in the 115th Congress,
we are considering oversight and legislation within the committee's
jurisdiction of science, technology, transportation and the critical
infrastructure that supports them. For all the witnesses in closing,
what should this committee keep in mind in order to help make sure
we're developing the framework for infrastructure that is proactive,
resilient and lasting as cyber threats continue to evolve?
Answer. IBM continues to support the risk management approach and
stakeholder engagement process that produced the NIST Cybersecurity
Framework that is voluntary, flexible and applicable for every sector
of the economy. We ask that the Committee continue to use the Framework
as a cornerstone for any oversight of different critical infrastructure
sectors and their approach to cybersecurity risk management. The
Framework is a living guidance document and we expect further
improvements, changes, additions as industry continues to innovate and
address new challenges in cyberspace.
______
Response to Written Questions Submitted by Hon. John Thune to
Venky Ganesan
Question 1. I was pleased to hear that the emerging technologies
discussed at the hearing have the potential to create new jobs and
build a well-trained cybersecurity workforce. In my home state of South
Dakota, Dakota State University is helping to meet this demand by
doubling enrollment in its cybersecurity program in the last five
years, serving as a major participant in the National Science
Foundation's CyberCorps program, and hosting GenCyber camps for high
school girls.
a. What steps should American educational institutions take to
encourage more students to choose cyber careers?
b. How can we promote the development of entry-level cybersecurity
education using emerging technology tools? How can we also promote
education in higher skill levels in this field?
Answer. Community colleges can be an invaluable asset in both
increasing cybersecurity literacy and competence in our country. The
Federal Government should consider market incentives for community
colleges to both develop cybersecurity curriculum and launch courses in
the subject. Many of the skills required to be an entry-level operator
or analyst in the cybersecurity space can be acquired over a 12-18
month period and are perfect as an associate or junior college degree.
In addition, I recommend the creation of an elite U.S. cyber academy
similar to West Point and the U.S. Naval academy where very high
performing high schoolers in math and computer science can be recruited
and trained specially for cyberwarfare. Similar to the programs in
Israel, this can be a very effective way to build a pool of extremely
well qualified and trained cyber talent.
Question 2. Both technologies and threats are continually evolving.
This Committee has passed significant, bipartisan legislation to
advance voluntary, public-private collaboration on cybersecurity, as
well as research and workforce development. For example, the
Cybersecurity Enhancement Act of 2014 authorized the process for the
NIST Framework for Improving Critical Infrastructure Cybersecurity. The
NIST framework employs a flexible, risk-management approach that the
private sector and security experts have praised. Do you believe that
cybersecurity policy, especially in the context of the emerging fields
we discussed at the hearing, should maintain a flexible, voluntary
approach, and avoid mandatory compliance measures?
Answer. Yes, I absolutely believe that cybersecurity policy in the
context of the emerging fields should maintain a flexible, voluntary
approach and avoid mandatory compliance measures. This field is too
dynamic and our adversaries are too fleet-footed for static mandatory
compliance measures to be effective. Market based approaches driven by
cyberinsurance could be another way to create compliance incentives for
companies.
Question 3. The cybersecurity of the Internet of things must be a
top priority. Many of the devices in the Dyn attack last year were
manufactured and located outside the U.S. How can we address
cybersecurity risks from an international perspective? Given these
devices provide a significant benefit to our economy, how do we also
ensure American innovators are not at a competitive disadvantage in the
global marketplace?
Answer. We need to create an awareness program around the security
risks posed by IoT devices and create market incentives for all vendors
(both domestic and international) to do the following:
Participate in the best practices and standards proposed by
the NIST cybersecurity framework;
Provide cyber warranties for their products which require
them to both support and update their products with the most
recent security patches; and
Have a minimum amount of cyberinsurance coverage so that
there is some financial compensation in case of a material
breach.
______
Response to Written Question Submitted by Hon. Jerry Moran to
Venky Ganesan
Question. According to the GAO's High Risk Series report, the
Federal Government annually spends over $80 billion on information
technology (IT), but over 75 percent of this spending is for ``legacy
IT''. In fact, since FY 2010, agencies have increased spending on
``legacy IT;'' thereby, crowding out spending on development,
modernization, and enhancement activities. Last Congress, I led
legislation called the Modernizing Outdated and Vulnerable Equipment
and Information Technology (MOVE IT) Act with my colleague Senator
Udall to reduce wasteful Federal Government spending on outdated
``legacy IT'' systems and enhance information security.
In your testimony, you provided five recommendations to this
committee to improve comprehensive cybersecurity practices of the U.S.
Federal Government and industry as a whole. The first recommendation on
that list included, ``Modernizing government procurement systems so
that the government has access to the best technologies.''
a. Could you please go into further detail on how the Federal
Government's procurement policies and resources could be improved and
better facilitate the adoption of necessary innovations such as cloud
computing?
b. How can modernizing Federal Government IT make us more secure?
c. There have also been considerations to streamline the
certification process of the Federal Risk and Authorization Management
Program, also known as FedRAMP, so that smaller companies without large
legal departments might be able to get certified to do business with
the Federal Government. Do we need to make it easier to allow smaller
companies to help the government?
Answer. The Federal Government's procurement processes today for
cybersecurity products are very cumbersome, restrictive, and
bureaucratic. Most small or innovative cybersecurity companies will not
even consider selling to the Federal Government, which is a tragedy
since most of the innovation is happening there. The primary reasons
are various compliance requirements such as FIPS and FedRAMP, both of
which are expensive and time consuming. Companies estimate it takes
millions to get FIPS certification and over 2 years to be FedRAMP
certified. There have been some fast track programs through the DOD,
DHS, and In-Q-Tel, but these do not apply to most Federal agencies.
Similar to the JOBS Act, which provided exemptions from certain
regulations for companies below a certain size, I would recommend a
modified procurement process for companies below $1 billion in revenue
which would enable smaller, nimble, venture-backed startups to sell to
the Federal Government.
Modernizing Federal Government IT is one of the most important
things we can do. It will not only make our government secure and
protect invaluable data but it will also bring down our costs in the
long run. Today the government is captive to old on-premise systems,
which are both functionally weak and very expensive to maintain. By
shifting to cloud based systems, the government can both get much
better functionality and user interface and significantly save on
operational costs. The move to the cloud would also make our systems
more secure since private cloud vendors are investing a lot more in
cybersecurity than on-premise vendors.
______
Response to Written Question Submitted by Hon. Edward Markey to
Venky Ganesan
Question. The Federal Government relies on Internet of Things
devices and could bear a heavy burden if these devices are breached by
a cyberattack. To align security incentives and promote cybersecurity,
should contractors and vendors selling Internet of Things devices to
the Government be required to bear their financial responsibility in
the event of a material breach through mechanisms like cyber insurance?
Answer. As part of the procurement process, the Federal Government
should require contractors and vendors who sell Internet of Things
devices to do the following:
Participate in the best practices and standards proposed by
the NIST cybersecurity framework;
Provide cyber warranties for their products which require
them to both support and update their products with the most
recent security patches; and
Have a minimum amount of cyberinsurance coverage so that
there is some financial compensation in case of a material
breach.
______
Response to Written Questions Submitted by Hon. Tammy Duckworth to
Venky Ganesan
Question 1. To all of the Witnesses, beyond standards and
frameworks, from an industry perspective, what are the top three to
five best practices you've identified to protect critical
infrastructure that enables companies and governments to enact
proactive measures instead of just focusing on the response to threats
or disasters? Specifically, I want to know how we move from reaction to
proaction.
Answer. Protecting critical infrastructure is indeed one of the
most important things we can do to defend our Nation and economy and
preserve the quality of life we all seek.
Here are my recommendations on how we can be proactive on this
issue:
1. Clearly define and catalog all the elements of our critical
infrastructure
2. Establish minimum security standards and best practice frameworks
for these elements of critical infrastructure
3. Define and catalog the processes by which both employees and 3rd
party vendors can access this critical infrastructure
4. Require that all vendors of critical infrastructure must
participate in the NIST cybersecurity framework and have
adequate cyberinsurance coverage in case of a material breach
5. Update and revise items 1-3 on a yearly basis so that we account
for new bugs or hacking techniques
Question 2. As this committee moves forward in the 115th Congress,
we are considering oversight and legislation within the committee's
jurisdiction of science, technology, transportation and the critical
infrastructure that supports them. For all the witnesses in closing,
what should this committee keep in mind in order to help make sure
we're developing the framework for infrastructure that is proactive,
resilient and lasting as cyber threats continue to evolve?
Answer. Cybersecurity is an extremely fast moving field where the
adversary is working feverishly every day to find weaknesses. It is an
asymmetric problem as the adversary only needs to find one weakness to
overcome all the protections we have in place. This means that the
government has to take a market based dynamic approach to fix the
problem. It is important to create market incentives for critical
infrastructure vendors to invest in cybersecurity by both specifying
best practice frameworks and mandating cyberinsurance coverage.
Cyberinsurance can be a good market based approach to provide dynamic
feedback and incentive for vendors to proactively improve their
cybersecurity approach.
______
Response to Written Questions Submitted by Hon. John Thune to
Steve Grobman
Question 1. Quantum computing has the potential to solve problems
current computers today cannot solve. How can industry work with
academia and the public sector to ensure we see the benefits of such
computing, while managing the potential encryption security
implications?
Answer. There is a long and successful tradition of the Federal
Government funding science and technology research at our Nation's
universities. Federal funding of research and development managed by
such agencies as the National Science Foundation has, over the years,
helped produce a wide range of innovations in hardware, software and
biotechnology that have enabled American companies to stay at the
forefront of the information technology revolution. When I think of
cutting-edge examples of universities that partner well with industry,
Stanford University, the University of California, and North Carolina
State University come to mind. All these great schools have helped
spawn countless companies--Sun Microsystems, Google, and Red Hat are
just a few examples--that have supported the growth of our innovation
economy. Policymakers should continue to invest in university-based
research to promote advances in cutting-edge technologies such as
quantum computing to help ensure that the United States remains in the
top rank of computing. Investing in university-based research at
institutions that have strong partnerships with industry has proven to
work well in the past and can continue to pay huge dividends in the
future.
Additionally, we need to ensure there is proper funding for both
research institutions and NIST to address the need for more quantum-
safe encryption algorithms. Today, the AES algorithm, which is used for
bulk data encryption, is considered quantum-safe. An example of a
quantum un-safe algorithm is the public key algorithm RSA.
Unfortunately, most encryption uses these algorithms in combination,
and being able to break either one places data at risk. Research
efforts are needed to ensure we can replace the quantum un-safe
algorithms that are extensively used today to secure our
infrastructure.
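The dependency the answer describes, shown as an added illustration that is not part of the witness's response or any McAfee code: in hybrid (envelope) encryption a public-key algorithm such as RSA wraps the symmetric key that protects the bulk data, so an adversary who can recover the RSA private key (what a large quantum computer would provide by factoring the modulus) also reads every AES-protected record, even though AES itself was never broken. Textbook RSA with tiny constructed primes (TOY_P, TOY_Q, TOY_E) stands in for real RSA and a SHA-256 keystream stands in for AES; the factors are simply handed to the recovery function, no factoring is performed, and nothing here is secure or a real library API.

```python
"""Hybrid (envelope) encryption sketch showing why breaking the public-key
layer exposes the symmetric layer. Constructed illustration only: textbook
RSA with tiny constructed primes stands in for real RSA, and a SHA-256
keystream stands in for AES. None of this is secure or a real library API."""
import hashlib
import secrets

# Constructed toy parameters (assumption: real RSA uses 2048-bit+ moduli).
TOY_P, TOY_Q = 10007, 10009
TOY_E = 65537


def rsa_keypair(p=TOY_P, q=TOY_Q, e=TOY_E):
    """Textbook RSA key generation from known primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_wrap(pub, key_int):
    """Encrypt the small integer data key under the public key."""
    n, e = pub
    return pow(key_int, e, n)


def rsa_unwrap(priv, wrapped):
    """Decrypt the wrapped data key with the private key."""
    n, d = priv
    return pow(wrapped, d, n)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES bulk encryption: XOR with SHA-256(key || counter).
    Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt_message(pub, plaintext: bytes, data_key=None):
    """Envelope encryption: a fresh data key protects the bulk data, the
    public-key layer protects the data key."""
    n = pub[0]
    if data_key is None:
        data_key = secrets.randbelow(n)  # must be < n for textbook RSA
    wrapped_key = rsa_wrap(pub, data_key)
    ciphertext = keystream_xor(data_key.to_bytes(8, "big"), plaintext)
    return wrapped_key, ciphertext


def decrypt_message(priv, wrapped_key, ciphertext):
    """Legitimate recipient: unwrap the data key, then decrypt the bulk."""
    data_key = rsa_unwrap(priv, wrapped_key)
    return keystream_xor(data_key.to_bytes(8, "big"), ciphertext)


def recover_with_factors(p, q, e, wrapped_key, ciphertext):
    """Model of the risk in the text: an adversary who can factor n (what a
    large quantum computer would provide) rebuilds the private key and reads
    every record the AES-class layer protected, although that symmetric
    layer was never broken. The factors are handed in; nothing is factored."""
    _, priv = rsa_keypair(p, q, e)
    return decrypt_message(priv, wrapped_key, ciphertext)


if __name__ == "__main__":
    pub, priv = rsa_keypair()
    record = b"constructed sample record"
    wrapped, ct = encrypt_message(pub, record)
    assert decrypt_message(priv, wrapped, ct) == record
    # Same plaintext falls out once the public-key layer is broken.
    assert recover_with_factors(TOY_P, TOY_Q, TOY_E, wrapped, ct) == record
    print("hybrid encryption round trip and key-layer exposure demonstrated")
```

The symmetric layer is untouched in the recovery path; only the key-wrap layer is defeated, which is why the answer focuses on replacing the public-key algorithms rather than AES. The same structure applies in reverse: anyone holding the data key reads the record without touching RSA, so both layers must hold.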
Question 2. I was pleased to hear that the emerging technologies
discussed at the hearing have the potential to create new jobs and
build a well-trained cybersecurity workforce. In my home state of South
Dakota, Dakota State University is helping to meet this demand by
doubling enrollment in its cybersecurity program in the last five
years, serving as a major participant in the National Science
Foundation's CyberCorps program, and hosting Gen Cyber camps for high
school girls.
A. What steps should American educational institutions take to
encourage more students to choose cyber careers?
Answer. Addressing our Nation's cyber skills shortage requires us
to think and act in a holistic manner. We need to invest more in
science, technology, engineering and math (STEM) education for grade
school and middle school students. As James Brown, executive director
of the STEM Education Coalition in Washington, DC, said recently, ``The
future of the economy is in STEM,'' adding that the Bureau of Labor
Statistics projects that employment in STEM jobs will grow to more than
nine million between 2012 and 2022. That is probably a conservative
estimate. While various initiatives have sprung up to address the STEM
education problem, we're not there yet--and we need to be. We need a
broad-based STEM investment plan to solve this long-term problem. We
should ensure that all middle and high school students have the
opportunity to take substantial cybersecurity courses at school. For
high school students, we need to expand our idea of what it means to
take shop classes in school that can prepare students for careers
repairing cars. The shop classes of the future need to also focus on
building IT and cyber skills so students can develop these critical,
job ready skills before they graduate.
But it's not just STEM awareness that children need at an early
age. It's also awareness of security and privacy. As adults we hear
about breaches in the news, and some of us understand cyber is a
corporate board room topic, but does the average grade school and
middle school student learn about the importance of cyber safety? Do
they understand what that means beyond ``don't share your password''?
Where does security sit on the average college student's list of
priorities? We have a great opportunity to increase awareness about
security as it affects the workforce at large, with 1.5 million
unfilled jobs today and growing, providing the opportunity for steady,
high-paying jobs. We also have an opportunity to increase awareness in
a way that appeals to the millennial generation--a group passionate
about causes, especially human interest ones--and generation X youth,
who are learning about how to keep themselves and their friends safe.
We need both traditional and creative approaches to reach these
students, possibly through gamification.
The Federal Government needs to partner with states to support an
expansion of cybersecurity training programs at our Nation's community
colleges. The National Science Foundation-managed Scholarship for
Service (SFS) CyberCorps program is an example of a successful Federal
program. While the CyberCorps program serves college juniors and
seniors who are already far along the learning path, another program,
or an expansion of the SFS program, could attract high school graduates
who don't yet have specific career aspirations. Private companies could
partner with a community college in their area to establish a course of
study focusing on cybersecurity. The Federal Government could fund all
or part of the tuition remission for students. Interested students
would be taught both by college faculty and private sector
practitioners. For example, an IT company could offer several faculty
members/guest lecturers who would participate during a semester.
Students would receive free tuition--paid for by a Federal program,
perhaps with private sector contributions--and, if they can show a
financial need, a stipend for living arrangements, which four-year
college students can get through the CyberCorps program. Students would
receive a two-year certificate in cybersecurity that would be
transferable to a four-year school. Like the CyberCorps program,
graduates would spend the same amount of time as their scholarship
period working in a guaranteed government job.
At McAfee, we have been strong supporters of the CyberCorps
scholarship program, given the need to train many more college
graduates at the four-year university level. With additional funding,
the CyberCorps SFS program certainly could be expanded to more
institutions and more students within each of those schools. To date,
the Federal Government has made a solid commitment to supporting the
SFS program, having spent $45 million in 2015, $50 million in 2016, and
the most recent Administration's budget requested $70 million. As a
baseline, an investment of $40 million pays for roughly 1,500+ students
to complete the scholarship program. Given the size and scale of the
cyber skills deficit, policymakers should significantly increase the
size of the program, possibly something in the range of $180 million.
At this level of funding, the program could support roughly 6,400
scholarships. Such a level of investment would make a dent in the
Federal cyber skills deficit, estimated to be in the range of 10,000
per year. At the same time, this level of investment could help create
a new generation of Federal cyber professionals that can serve as
positive role models for a countless number of middle and high school
students across the country to consider the benefits of a cyber career
and Federal service. Indeed, this positive feedback loop of the SFS
program might well be its biggest long-term contribution.
B. How can we promote the development of entry-level cybersecurity
education using emerging technology tools? How can we also promote
education in higher skill levels in this field?
Answer. Fortunately, not all cyber jobs or successful cyber-related
careers need a four-year degree in computer science. Policymakers
should look at supporting and promoting the expansion of two-year
cybersecurity programs, as many jobs can be staffed by individuals with
community college degrees. Another way to promote cybersecurity
education is by investing in cross-training programs that offer
certifications from non-traditional educational organizations. With the
proper background in STEM, even on-the-job training can be beneficial.
We are starting to see newer, more innovative technologies being
made available to students in K-12 settings. However, far too often
these educational technologies fail to properly focus on cybersecurity
training. Policymakers should prioritize IT investments in schools that
also include cybersecurity capabilities to enable a more balanced
training regime. Cybersecurity companies should replicate learnings
from other sectors of the IT ecosystem and provide affordable
cybersecurity solutions to students as learning tools, given the
important role of hands-on learning. Policymakers should consider a
range of incentives--possibly tax credits or procurement preferences--
to encourage manufacturers and security vendors to make their software
and solutions available to schools for the purpose of supporting
student engagement and learning.
Question 3. Both technologies and threats are continually evolving.
This Committee has passed significant, bipartisan legislation to
advance voluntary, public-private collaboration on cybersecurity, as
well as research and workforce development. For example, the
Cybersecurity Enhancement Act of 2014 authorized the process for the
NIST Framework for Improving Critical Infrastructure Cybersecurity. The
NIST framework employs a flexible, risk-management approach that the
private sector and security experts have praised. Do you believe that
cybersecurity policy, especially in the context of the emerging fields
we discussed at the hearing, should maintain a flexible, voluntary
approach, and avoid mandatory compliance measures?
Answer. Yes. As stated in my testimony, I believe the cybersecurity
threat landscape changes extremely quickly. What is deemed the most
serious threat today may not be the most important tomorrow. If
regulations directed manufacturers to guard against today's threats,
tomorrow's might very well slip through the cracks. Additionally,
compliance is not security. It simply proves the manufacturer is able
to check a box saying that they are in compliance. Regulations in the
security field have resulted in corporations diverting real monies away
from true security. Regulating an area like cybersecurity is very
tricky and unintended consequences could easily outweigh any benefits.
Policymakers should maintain a flexible, voluntary approach to
cybersecurity and avoid the temptation to impose mandatory compliance
on organizations. The NIST approach to cybersecurity is spot on--it's a
voluntary, flexible, risk-based approach that is done in true
partnership with the private sector. This model has been shown to be quite
effective because both the government and industry participants have
`bought in' to the issue and work in concert with each other to achieve
a positive end result. The NIST Cybersecurity Framework truly is having
a positive impact on how organizations view their cyber risk management
processes. Partnerships such as this are productive and will pay
dividends as policymakers and the private sector work together to
secure the next generation of technology innovations.
Question 4. The cybersecurity of the Internet of things must be a
top priority. Many of the devices in the Dyn attack last year were
manufactured and located outside the U.S. How can we address
cybersecurity risks from an international perspective? Given these
devices provide a significant benefit to our economy, how do we also
ensure American innovators are not at a competitive disadvantage in the
global marketplace?
Answer. The cat's out of the bag. The Internet provides global
connectivity of devices, including traditional devices and IoT devices.
We can't always use the same logic that works in the physical world and
apply it to the digital world. We can't think of devices being
contained in one country or another and not having an impact on other
countries, especially in the U.S., which is committed to a free and
open communications architecture. The most important thing is to
recognize this type of attack is possible. We need to prepare
organizations to be able to defend against these types of attacks,
while educating IoT device manufacturers on a global basis that it is
critical for them to take security seriously by building strong
security and privacy architectures and update mechanisms into their
devices.
Policymakers should champion the principle of security and privacy
by design to help incent broad adoption and trust in IoT products and
infrastructure. Proper protection of individual security and privacy in
products does not just happen. It needs to be designed and engineered
from the beginning of the product development process. Adding or
`bolting on' security features to a system, network or device after
it's already up and running has proven to be ineffective. IoT is a
great example of where security and privacy protections need to be
built in from the start. This approach is not only more effective; it
is less cumbersome and less expensive than trying to lock down systems
that are leaking personal information or are inherently insecure.
In order to ensure the U.S. continues to be an innovator in all
types of connected devices, we must recognize the development process
needs to be at the same level of friction as it is in any other part of
the world. We need to be cautious given the reality that over-
regulating in the U.S. will simply cause device design and
manufacturing companies to move to other regions of the world. We need
to ask ourselves if we wish to impose other costs on our economy by
forcing U.S. citizens to pay higher taxes on imported devices. There
really are no borders; we live in a borderless virtual world. As part
of a larger strategy to drive security and privacy into the early
design phase of IoT devices, policymakers should support industry led,
global security and privacy standards. Global standards are much more
effective than country-specific security and privacy regulations in
producing the outcome we all want--more secure and more privacy-
friendly IoT devices.
We need to accelerate leadership in IoT security and privacy. How
can policymakers accelerate IoT deployments to ensure U.S. leadership?
Candidly, the U.S. is behind. Other countries such as China, Brazil and
the UAE are aggressively investing in and deploying IoT to transform
their economies, address societal problems, and spur innovation. Many
have adopted national IoT plans with time-bound goals and are investing
heavily in IoT R&D and infrastructure. The U.S. needs to do the same
and needs to act now. Congress can advance our Nation's IoT momentum by
collaborating with industry to establish a national IoT strategy that
includes a strong security and privacy foundation and by encouraging
public-private partnerships that uniquely focus on security, while
aiming to improve manufacturing productivity, optimize transportation
efficiency, reduce energy consumption, sustain our environment and
accelerate smart cities and towns. Promoting industry alignment around
these large-scale IoT deployments based on secure, open and
interoperable solutions will deliver immeasurable benefits and showcase
U.S. leadership.
______
Response to Written Question Submitted by Hon. Edward Markey to
Steve Grobman
Question. The Federal Government relies on Internet of Things
devices and could bear a heavy burden if these devices are breached by
a cyberattack. To align security incentives and promote cybersecurity,
should contractors and vendors selling Internet of Things devices to
the Government be required to bear their financial responsibility in
the event of a material breach through mechanisms like cyber insurance?
Answer. No. While ``organizational cyber-risk'' insurance is needed
and its markets and offerings are growing, it is not the silver bullet.
First, not all cybersecurity challenges derive from vendor design
mistakes. Products often provide capabilities that can and should be
configured by the organization's staff or end user. Improper customer
configuration can cause vulnerabilities and expose data.
In today's IT ecosystem, there are complex supply chains and design
chains that have become baked into the way that virtually all
manufacturers operate. Thus, it is not practicable for the final
assembler of a device to validate the technology in all the
subcomponents. Consider the Takata airbag recall. This component
manufacturer supplies its airbags to 19 different automakers. In this
case, it was not the product vendor or the car company but the supplier
that was at fault, and is now working to correct the situation.
Second, this would have unintended consequences on innovation. If
we are trying to foster the development of new and innovative solutions
by American companies to sell in a global marketplace, we need to
understand the effect this may have on the startups that have real,
valuable ideas for unique products and services. If they have to raise
the additional funds from investors to pay the cover charge to get in
the door, their potentially valuable ideas will languish. It could even
have an effect on the investment community's approach to funding IoT
innovators. Even established product vendors could use defensive
tactics and be very selective as to what new types of products they
offer. Meanwhile, organizations developing IoT products in other
nations would not have this restriction. Would products built and
developed in other countries have the same requirements when they're
sold into the U.S. market? If so, they will likely have grown their
product sales, external to the U.S., to a point where they are able to
pay-to-play in the U.S. World-class solutions may not be available in
the U.S. until they have shown their success in foreign markets. This
approach would put U.S. innovators at a critical disadvantage both here
and on the global stage. Unintended consequences could extend beyond
the life of a company if it went out of business. For example, there
will always be a problem with orphaned devices when manufacturers cease
to exist. If too harsh a level of responsibility is imposed on
manufacturers, policymakers may encourage the creation of corporate
shell structures to shield corporate liability. This unfortunate result
could add complexity and cost to the IoT ecosystem while undercutting
the goal of improved security.
Randal Milch, Former General Counsel, Verizon; Distinguished
Professor, NYU School of Law, testifying before the Commission on
Enhancing National Cybersecurity on May 16, 2016, discussed three
attributes of a well-functioning insurance market. The first is
information, the second is the ability to have after-action forensic
reports and the third is focusing on and citing standards. Today, the
information foundation to establish a marketplace for this rapidly
evolving diverse IoT product environment is not there. Getting after-
action forensic reports from consumers to determine liability may be
very problematic and the foundational standards used today within the
IoT space are far from defined, let alone universally accepted.
For example, how long was OPM exposed to a major cybersecurity
attack before its compromise was discovered? Was it one product that
was at fault in the OPM breach or was it a system or systems
circumvented to allow exfiltration of 21.5 million records? Do we
really know? What if the agency had been warned of issues they needed
to address?
At this point in time, the IoT product environment and the general
cyber insurance market is extremely immature and, in my opinion, not
capable of supporting this solution. The unintended consequences this
approach may create could have a negative and long lasting impact on
America's ability to innovate and capture the growing IoT market share
globally.
______
Response to Written Questions Submitted by Hon. Tammy Duckworth to
Steve Grobman
Question 1. Mr. Grobman, in your testimony you referred to NIST's
Framework for Improving Critical Infrastructure Cybersecurity as a
``best-in-class'' example of a successful private-public partnership
between critical infrastructure companies and government agencies. In
your view how can we build on foundations like these to improve the
security of critical infrastructure at all levels--state, local, county
and federal?
Answer. The Framework for Improving Critical Infrastructure
Cybersecurity, known as the NIST Cybersecurity Framework, is widely
acknowledged as a highly successful model of public-private
partnership. The Office of Management and Budget is already working to
push Federal agencies to adopt the Framework, the new Administration's
draft executive order mandates government agencies to deploy the
framework, and the private sector is rapidly adopting it.
Here's our analysis of why it has been successful:
The need was real
The process was open
NIST listened first
They were prepared
They engaged all stakeholders
The framework was voluntary--not regulatory
I'd like to expand on each of these aspects, not simply to
compliment NIST but to offer the process as a model for future public-
private partnerships.
The need was real: PPPs created around a topic or issue that is
real to both the public and the private sectors have a much better
chance of getting the exposure and participation needed to achieve the
goal of the partnership. In the case of the Cybersecurity Framework, it
was very obvious to both groups that the need existed. While NIST had a
hard time-frame to be successful in--one year--they have a long history
in risk management and understood the need well. For too long,
regulatory compliance had forced industry to spend valuable security
dollars to prove something to the regulators instead of using those
resources to help protect enterprises. The cost of compliance was
impacting our ability to secure ourselves.
Openness of the process: From the very beginning, NIST made it
clear this was going to be a very open process. In the initial meeting,
NIST staff described what would be occurring, from the RFI-submitted
comments that would be made public on NIST's website to the anticipated
workshop process and general timeline for various milestones. Along the
way, NIST staff were quick to ensure that industry participants
understood what was happening so there would be no surprises. This
created a growing sense of trust as the effort evolved and made the
process more effective during the development of the Framework.
Listening: One of the more interesting and effective parts of the
development was the way NIST staff listened to the workshop
participants. They used a moderated dialog approach that allowed all
attendees to voice their opinions on a set of topics the NIST staff
wanted to learn about. There were very active discussions that were
highly informative from members of various sectors and industries. Dr.
Gallagher, NIST's director at the time, stated quite clearly this was
not NIST's Framework; this was the community's framework. Having the
public side of a public-private partnership listen instead of dictate
allowed private sector participants to voice their opinions in a much
more open and direct way. This, too, built trust as the effort went
along.
Being prepared: Each of the workshops seemed very well organized,
and the topics, panels, questions and outcomes were well thought-out
before each workshop began. This gave participants reassurance their
time was being well spent. Open forums with no direction or planning do
not give those involved much confidence the effort will succeed. Being
prepared also meant participants needed to do their homework as well.
While not always the case, as the workshops advanced, they did.
Engaging all: One of the smartest things NIST did as part of the
Framework development process was to understand they needed to get
outside the Beltway for the effort to be successful. They held the
workshops in different locations around the country so the local
owners/operators of the critical infrastructure could have their voices
heard. This ensured there was a diverse group at each of the workshops
and all were able to participate. The processes used during the
workshops encouraged all in the room to contribute and they did. A
highly interactive, collaborative environment is one where real dialog
can occur and produce positive results.
Voluntary--Non-regulatory nature: The fact that NIST is a non-
regulatory body also helped their credibility and the private sector's
attitude towards participating and contributing. This was a topic area
that had a lot of people concerned initially, but as the effort
progressed, more and more private sector participants relaxed and
believed in the voluntary intent of the effort. NIST also made it clear
in each workshop that they were requiring non-attribution from any and
all regulators in the room. Each agreed to the rules, making it much
more comfortable for real, open and honest dialog to occur. While
others have tried to copy NIST's success, often they have left out one
or more of the characteristics that made the Cybersecurity Framework
effort a success. In reality, both the public and the private sector
participants must buy in. To do so requires trust in the process, the
effort and the vision.
Question 2. To all of the Witnesses, beyond standards and
frameworks, from an industry perspective, what are the top three to
five best practices you've identified to protect critical
infrastructure that enables companies and governments to enact
proactive measures instead of just focusing on the response to threats
or disasters? Specifically, I want to know how we move from reaction to
proaction.
Answer. As mentioned above, the NIST Cybersecurity Framework is a
great place for any organization to start. Over the past decade, the
U.S. business community has been so focused on compliance reporting
that many organizations did not have the resources to invest in true
security. The Framework has really changed the conversation from
compliance to risk-management. Cyber is now being integrated into
existing corporate risk management planning and processes.
Organizations are now improving their cyber programs by using the
Framework to implement repeatable processes. The end result is the
Framework is providing the foundation for helping improve the
organizational security posture by focusing on people, process and
technologies. While U.S. organizations used to focus on proving to a
regulator they are compliant at one point in time, increasingly those
same organizations are focusing on how to improve their corporate
cybersecurity risk management program on a continuous basis. Today, the
Cybersecurity Framework is focused on traditional computing systems. As
we look to real operational technology, it will be critically important
to continue and accelerate the process of evolving the framework to not
only comprehend the elements of computing common to all industries, but
also to look at things unique to specific critical infrastructure
sectors.
Another trend McAfee is encouraging is moving internal network
defenses from locally-focused to enterprise-focused. In the past,
network and point products were highly siloed, meaning they did not
communicate event and incident information in a way other components in
the network could understand and use. For example, in the past, if a
user's PC detected malware, it would quarantine or delete the offending
malware and write a log record to a logfile that may or may not have
been sent to an administrator's console. Often the fact that it
happened went undetected due to the high quantity of event information
administrators needed to deal with. The event needed to be tracked and
responded to but it was not. Today when that situation occurs, the PC
can create a hash of the detected malware and send it to a central
repository in near real time. That information is now immediately
available to other components in the network subscribed to the
repository. For example, when the mail gateway receives an e-mail
message with an attachment, the mail gateway is able to create a hash
of the attachment and then compare that hash with those stored in the
central threat intelligence repository. If a match is found, the e-mail
message can be blocked at the boundary, protecting subsequent users.
This type of internal threat information sharing between network
components provides a much quicker response and informed protections
not available in the recent past. All the while, this capability is
being driven by the policy rules configured and managed by the site's
network staff. We believe this trend toward automation in the right
places allows corporate network defenses to act together and at much
more wire-speeds than has been possible in the past. It also frees up
critical network and security staff to do more valuable work.
Much has been said about cyber threat intelligence (CTI) sharing
but we are still in the early days of demonstrating its value. It is
understandable that if one organization sees something on their network
and they share that information with a sharing partner, the partner
could use that information to better protect themselves. One's
detection is another's prevention. In the Cybersecurity Information
Sharing Act of 2015, DHS was directed to stand up the Automated
Information Sharing (AIS) program, providing the ability to share cyber
threat indicators between the Federal Government and private sector at
machine speed. Threat indicators are pieces of information like
malicious IP addresses or the sender address of a phishing e-mail.
While indicators can be useful, AIS has no capability to share enriched
cyber threat intelligence. Threat intelligence is much more than a
single piece of information contained in an indicator and can contain
threat information such as exploit targets, adversarial tactics,
techniques and procedures, incidents, courses of action, identified
threat actors, and additional valuable context. Often in the security
community, one organization will discover something they consider
malicious and share it with other trusted sharing partners. A sharing
partner may discover other characteristics of the threat and can pass
that enriched information back to the original organization. Over time,
the shared data can provide all participating organizations with a much
more holistic picture of the specific threat, potentially including how
to mitigate or defend against it. Today, the AIS program does not
provide a means to send enriched intelligence out to their
participating sharing community. As we move to mature cyber threat
sharing capabilities, it is critical we figure out how to share real
cyber intelligence instead of simple indicators.
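The two sharing patterns described in the answer above, the hash-based internal sharing between an endpoint and a mail gateway and the later enrichment of a bare indicator by a sharing partner, modelled as an added Python example. This is illustrative code written for this page, not McAfee's product code or anything from the AIS program; the repository, endpoint and gateway classes, the choice of SHA-256 as the shared indicator, the host names and the sample payloads are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    """Hash used as the shared indicator (hypothetical choice: SHA-256)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class ThreatRecord:
    """A bare indicator (the hash) plus the enrichment fields the answer
    lists: who saw it, tactics/techniques, and courses of action."""
    sha256: str
    sources: List[str] = field(default_factory=list)
    ttps: List[str] = field(default_factory=list)
    courses_of_action: List[str] = field(default_factory=list)


class ThreatRepository:
    """Central repository with publish/subscribe: subscribers are told about
    new records and about enrichment of existing ones."""

    def __init__(self) -> None:
        self._records: Dict[str, ThreatRecord] = {}
        self._subscribers: List[Callable[[ThreatRecord], None]] = []

    def subscribe(self, callback: Callable[[ThreatRecord], None]) -> None:
        self._subscribers.append(callback)

    def lookup(self, sha256: str) -> Optional[ThreatRecord]:
        return self._records.get(sha256)

    def publish(self, sha256: str, source: str) -> ThreatRecord:
        # An endpoint contributes only the indicator; context comes later.
        rec = self._records.setdefault(sha256, ThreatRecord(sha256=sha256))
        if source not in rec.sources:
            rec.sources.append(source)
        self._notify(rec)
        return rec

    def enrich(self, sha256: str, source: str, *, ttps=(),
               courses_of_action=()) -> ThreatRecord:
        # A sharing partner adds what it learned about the same threat;
        # enriching an unknown indicator is an error, not a silent create.
        rec = self._records.get(sha256)
        if rec is None:
            raise KeyError(f"no record for {sha256}")
        if source not in rec.sources:
            rec.sources.append(source)
        rec.ttps.extend(t for t in ttps if t not in rec.ttps)
        rec.courses_of_action.extend(
            c for c in courses_of_action if c not in rec.courses_of_action)
        self._notify(rec)
        return rec

    def _notify(self, rec: ThreatRecord) -> None:
        for cb in self._subscribers:
            cb(rec)


class Endpoint:
    """Host agent: quarantines locally and publishes the hash in near real
    time instead of only writing a log line nobody reads."""

    def __init__(self, name: str, repo: ThreatRepository) -> None:
        self.name, self.repo = name, repo
        self.quarantine: List[str] = []

    def on_detection(self, file_bytes: bytes) -> str:
        h = sha256_hex(file_bytes)
        self.quarantine.append(h)
        self.repo.publish(h, source=self.name)
        return h


class MailGateway:
    """Subscribes to the repository and keeps a local blocklist, so the block
    decision is made at the boundary under the site's own policy."""

    def __init__(self, name: str, repo: ThreatRepository) -> None:
        self.name = name
        self.blocklist: set = set()
        self.blocked: List[tuple] = []
        repo.subscribe(self._on_record)

    def _on_record(self, rec: ThreatRecord) -> None:
        self.blocklist.add(rec.sha256)

    def inspect(self, recipient: str, attachment: bytes) -> bool:
        """Return True if the message may be delivered."""
        h = sha256_hex(attachment)
        if h in self.blocklist:
            self.blocked.append((recipient, h))
            return False
        return True


def run_scenario() -> dict:
    """One PC's detection protects later mail recipients; then a partner
    enriches the record. All payloads are constructed sample bytes."""
    repo = ThreatRepository()
    gateway = MailGateway("mail-gw-1", repo)
    pc = Endpoint("pc-017", repo)
    malicious = b"CONSTRUCTED SAMPLE: not real malware, a stand-in payload"
    benign = b"CONSTRUCTED SAMPLE: quarterly report text"
    h = pc.on_detection(malicious)                                # published
    bad_ok = gateway.inspect("user2@example.test", malicious)     # blocked
    good_ok = gateway.inspect("user3@example.test", benign)       # delivered
    repo.enrich(h, "partner-org", ttps=["phishing attachment"],
                courses_of_action=["block hash at mail boundary"])
    rec = repo.lookup(h)
    return {"hash": h, "malicious_delivered": bad_ok,
            "benign_delivered": good_ok, "blocked_count": len(gateway.blocked),
            "sources": list(rec.sources), "ttps": list(rec.ttps)}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The gateway keeps its own copy of the blocklist rather than querying the repository per message, which is what lets the boundary decision run at wire speed; the enrichment step shows why a record with sources, TTPs and a course of action carries more defensive value than the hash alone, which is the gap the answer describes in indicator-only sharing.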
Question 3. As this committee moves forward in the 115th Congress,
we are considering oversight and legislation within the committee's
jurisdiction of science, technology, transportation and the critical
infrastructure that supports them. For all the witnesses in closing,
what should this committee keep in mind in order to help make sure
we're developing the framework for infrastructure that is proactive,
resilient and lasting as cyber threats continue to evolve?
Answer. It is important to think about the objective to minimize
risk and reduce the damaging impact of cyber threats versus attempting
to create a legislative process to remove or eliminate them. An example
of this is NOAA and FEMA reducing the impact of natural disasters such
as hurricanes. By improving our ability to track hurricanes, and
improving our response capabilities, we have been able to drastically
reduce the number of deaths caused by hurricanes over the last few
decades. But we all recognize they will occur; there will be damage to
property and occasional unavoidable loss of life. Our goal is to
minimize that damage and loss instead of having the unrealistic
expectation of eliminating hurricanes completely. The point here is for
policymakers to focus on minimizing risk and reducing impacts as
opposed to attempting to have an expectation that anyone will be able
to remove cybersecurity threats from the world we live in today on a
permanent basis.
It is also critical to keep in mind that this is a shared problem.
No one organization, regardless of size, can solve this problem, either
in the private or the public sectors. It will take all of us working
together with open lines of communication and shared goals to be able
to get to the point where adversarial evolution in tactics and tools
has negligible effect on our daily lives. Flexibility is critical. We
need to ensure that any legislation passed is enabling in nature and
not restrictive in our abilities and actions. When all the stakeholders
buy in to a shared set of goals and outcomes, the prospects of long
term success greatly increase.
______
Response to Written Questions Submitted by Hon. John Thune to
Malcolm Harkins
Question 1. I was pleased to hear that the emerging technologies
discussed at the hearing have the potential to create new jobs and
build a well-trained cybersecurity workforce. In my home state of South
Dakota, Dakota State University is helping to meet this demand by
doubling enrollment in its cybersecurity program in the last five
years, serving as a major participant in the National Science
Foundation's CyberCorps program, and hosting GenCyber camps for high
school girls.
a. What steps should American educational institutions take to
encourage more students to choose cyber careers?
Answer. Our educational institutions need to provide students in
schools across the Nation with the opportunity to learn about cyber
careers. We need to have programs that will develop new skills as well
as help students understand our industry challenges with the goal of
helping them find their own purpose and passion. These programs need to
span science, technology, engineering, math as well as humanities,
sociology, and psychology. Our educational institutions need to reach
across every degree program and understand the current as well as
future digital dependencies for those fields. Each area of study should
embrace its specific cyber learning needs, not only for security but
also for data privacy. These educational programs not only need to
develop our skills to deal with the risk concerns after technology is
deployed, but we need to build a much stronger focus on improving the
development of technology with fewer vulnerabilities through teaching
security development lifecycle and privacy-by-design skills. If we take
this sort of broad approach, everyone will gain the needed cyber skills
for their chosen career in addition to the specific cyber careers we
have a current critical need to foster.
b. How can we promote the development of entry-level cybersecurity
education using emerging technology tools? How can we also promote
education in higher skill levels in this field?
Answer. One way we can promote the development of entry-level
cybersecurity education using emerging technology is through setting up
cyber ranges at schools so that students can learn about the
technology, have simulated experiences using these tools, and practice
the processes they would use in a real cyber career. Additional entry
level education could be done through internships as well as mentoring
programs within the industry. We can promote higher education in this
field by offering research grants, scholarships, as well as by
encouraging industry to create endowments for educational institutions
to perform research and support advanced educational efforts.
Question 2. Both technologies and threats are continually evolving.
This Committee has passed significant, bipartisan legislation to
advance voluntary, public-private collaboration on cybersecurity, as
well as research and workforce development. For example, the
Cybersecurity Enhancement Act of 2014 authorized the process for the
NIST Framework for Improving Critical Infrastructure Cybersecurity. The
NIST framework employs a flexible, risk-management approach that the
private sector and security experts have praised. Do you believe that
cybersecurity policy, especially in the context of the emerging fields
we discussed at the hearing, should maintain a flexible, voluntary
approach, and avoid mandatory compliance measures?
Answer. Flexibility is key. Risk is temporal. Technology and its
attendant workflows are evolving rapidly. Any measure that would reduce
flexibility or slow down the ability to learn and innovate on how to
best prevent cyber vulnerabilities would generate increased risk.
Compliance measures exist today across all industries including the
public sector and we are still vulnerable as a nation. So before we
look at adding additional compliance measures, we need to determine why
existing ones are not working.
In some cases this is because existing compliance measures are
written in a way that requires the use of 20-year-old technology that
doesn't work to prevent the issues. A great example of this is the
variety of compliance requirements that evaluate security controls
based on updates for signatures or the deployment of intrusion
detection and response mechanisms. We need to remember that compliance
does not equal commitment. Whatever approach is used (mandatory or
voluntary), it needs to foster commitment to improving cyber risks
through better prevention vs. the current approach of reaction and
response. We witness every day proof that the current approach is not
working to prevent these risks. More alarming, though, is the continued
promotion of the current approach by many in the security industry that
profit from the growing manifestation of cyber risks and the continued
maintenance of this cycle of reaction and response through to currently
outlined compliance measures. These measures must be updated to include
newer technologies that are better suited to reduce cyber risk.
Question 3. The cybersecurity of the Internet of Things must be a
top priority. Many of the devices in the Dyn attack last year were
manufactured and located outside the U.S. How can we address
cybersecurity risks from an international perspective? Given these
devices provide a significant benefit to our economy, how do we also
ensure American innovators are not at a competitive disadvantage in the
global marketplace?
Answer. While location creates some potential level of risk, that
is not the core contributor to our risk issue. The risk we are faced
with today and in the future is caused by the way that these devices
and applications are designed, developed, implemented, and maintained.
Any device that executes code has the potential to execute malicious
code. So, as a nation we must do a better job of advancing our efforts
around having stronger security development life-cycle and privacy-by-
design to prevent vulnerabilities in the creation of technology. This
needs to be done nationally as well as internationally. We also need to
encourage organizations as well as consumers to use security
technologies that can prevent these risks with a high degree of
efficacy and with a level of efficiency that does not degrade the
computing experience. We need to attack the primary driver of our
current and future cyber risks--the execution of malicious code on
these devices. If we do these things our risks will be dramatically
lower and we will unleash innovators to use computing to generate new
opportunities for the Nation. The current reactive approach carries
with it a growing risk penalty that makes us so vulnerable that it puts
us at a global disadvantage. If we approach this correctly with a
continuous focus on proactive prevention as much as possible, we will
have the competitive advantage in the global marketplace because we
will get a risk reduction dividend that will pay us back generously.
______
Response to Written Question Submitted by Hon. Edward Markey to
Malcolm Harkins
Question. The Federal Government relies on Internet of Things
devices and could bear a heavy burden if these devices are breached by
a cyberattack. To align security incentives and promote cybersecurity,
should contractors and vendors selling Internet of Things devices to
the Government be required to bear their financial responsibility in
the event of a material breach through mechanisms like cyber insurance?
Answer. As I mentioned in my testimony, any device that executes
code has the potential to execute malicious code. Responsibility for
breaches should be recognized as a shared responsibility that includes
the creator of the technology, the purchaser of the technology, and the
user of the technology. So any responsibility needs to be evaluated
from a few perspectives to assess potential financial ``liabilities.''
And that assessment needs to also understand that the potential for
risk cannot be fully eliminated. However, those risks can be
substantially reduced through preventative controls, and damage can be
managed with the appropriate reactionary controls of detection and
response.
Technology Creator Responsibilities
(1) The creator of the technology should have an adequate security
development lifecycle and privacy-by-design effort in place to
as best as possible prevent a vulnerability that could generate
a material or significant risk.
(2) The creator of the technology should have an adequate response
capability to effectively and efficiently mitigate a product
vulnerability if one is found.
Purchaser/User of Technology Responsibilities
(1) The organization who bought and deployed the technology should
have an adequate set of internal controls (security technology
and processes) that are implemented to substantially prevent
the potential for a breach. This would include the evaluation
of potential risks with the technology prior to its purchase
and the evaluation and implementation of controls needed to
mitigate those risks.
(2) The organization that bought and deployed the technology should
also have an adequate emergency response capability should the
preventative controls fail to adequately manage the damage that
could occur.
We are at a point in time where our lives and society have a
growing digital dependence. Digital risk management requires a level of
shared digital responsibility to prevent these risks to the best of our
abilities. Some aspects of this risk can and should be handled through
financial mechanisms like insurance. Insurance would only mitigate
financial expenses after the fact from the resulting liability on
either the creator or purchaser of technology. However, we need to
realize that this would still be a reactionary approach focused on
financial remuneration. It would also not deal with the full
repercussions of a material breach such as those still being
experienced following the breach at the Office of Personnel Management
(OPM). That breach not only affected our national security and may well
affect it for years to come, but it has a potential material impact on
the lives of the individuals and families whose personal information
was taken. The future Internet of things devices--if not designed,
developed, implemented, and maintained properly--could have even more
devastating implications that no form of financial remuneration could
address.
______
Response to Written Questions Submitted by Hon. Tammy Duckworth to
Malcolm Harkins
Question 1. To all of the Witnesses, beyond standards and
frameworks, from an industry perspective, what are the top three to
five best practices you've identified to protect critical
infrastructure that enables companies and governments to enact
proactive measures instead of just focusing on the response to threats
or disasters? Specifically, I want to know how we move from reaction to
proaction.
Answer. Best practices to move from reaction to proaction include
the following:
(1) Strong security development lifecycle and privacy-by-design in
the creation and implementation of technology.
(2) Responsible vulnerability disclosure by any organization or
individual who identifies a vulnerability.
(3) Relentless focus on preventing the execution of malicious
code on all devices, because it is the primary driver of the
cyber risk cycle.
(4) Routine transparency within an organization to its executives
and stakeholders on the state of security for the technology
they use for internal operations as well as the technology they
create for use by customers.
(5) Demonstrating a culture of continuous improvement on how to
identify risk and proactively prevent its cause.
Question 2. As this committee moves forward in the 115th Congress,
we are considering oversight and legislation within the committee's
jurisdiction of science, technology, transportation and the critical
infrastructure that supports them. For all the witnesses in closing,
what should this committee keep in mind in order to help make sure
we're developing the framework for infrastructure that is proactive,
resilient and lasting as cyber threats continue to evolve?
Answer. Security is a journey with no finish line. It's a
continual, relentless pursuit as technology evolves along with the
potential risks. As a nation, we have the capability to do a better job
than we have done to date. Leveraging cutting-edge artificial
intelligence and machine learning, Cylance has shown we can create a
demonstrable and sustainable bend in the curve of cyber risk. By
applying artificial intelligence (AI) and machine learning to the
identification of malicious code, our flagship product CylancePROTECT
offers future-proof prediction and prevention of the most advanced
threats in the world, including advanced persistent threats, zero-days,
and exotic exploitation techniques never before seen.
CylancePROTECT also guards from everyday viruses, worms,
ransomware, spyware/adware, Trojan horse attacks and spam. The problem
with legacy security solutions that are the common control in
organizations today is that adversaries can continually evolve their
techniques and tactics to bypass them, leaving enterprises exposed to
attacks. This means that traditional solutions are reactive in nature
and rely on a constant stream of ``signature updates'' that tell these
solutions what type of files to look for after an attack was successful
on some other system; these are called ``zero-day'' attacks.
Traditional security solutions are built around a basic set of
rules and signature files that are costly and high risk because they
require a zero-day ``sacrificial lamb'' before they can create the
ability to block an attack. This means it is not possible to identify a
new threat until after the damage is done on at least one system so
that the malicious software can be studied and ``fingerprinted.'' But
CylancePROTECT is different--it can identify and defuse even never-
before-seen attacks prior to execution. This means that we can stop new
variations of attacks without a zero-day sacrificial lamb. Our AI-based
solution is flexible and can support new generations of technologies
such as ``internet of things'' devices and many others.
______
Response to Written Questions Submitted by Hon. John Thune to
Hon. Eric Rosenbach
Question 1. In your testimony, you noted that China is facilitating
the growth of its ``fintech'' sector through a permissive regulatory
environment. You further observed that Congress must clarify key
regulatory issues in the United States. What barriers inhibit American
competitiveness and economic growth in emerging fields like AI and
blockchain? Please provide specific examples.
Answer. Regulatory uncertainty blocks experimentation and
innovation by fintech firms, including in relation to digital
currencies and blockchain technology. The UK Financial Conduct
Authority's ``regulatory sandbox'' provides an example for how
regulators can facilitate innovation, while maintaining consumer
protections. The FCA grants fintech firms temporary approval to test
their innovations, and exempts them from certain regulatory penalties,
provided appropriate consumer safeguards are in place.
Another barrier to fintech innovation in the U.S. is that fintech
firms are largely regulated on a state-by-state basis (unlike the
incumbent banking and securities firms, which are largely federally
regulated). This increases the cost and complexity of regulatory
compliance, and inhibits firms' ability to scale their innovations
across the country.
Regulatory overlap is also an impediment to the development and
commercial adoption of AI. For example, autonomous vehicles must comply
with different regulations in different states, which increases the
costs of developing this technology, and raises barriers to entry for
new firms. The commercial applications for AI cross myriad sectors--
including transport, finance, and healthcare. Multiple regulatory
agencies will need to develop AI expertise, and collaborate on uniform
Federal standards, if they are to prevent regulation from constricting
innovation.
Question 2. I was pleased to hear that the emerging technologies
discussed at the hearing have the potential to create new jobs and
build a well-trained cybersecurity workforce. In my home state of South
Dakota, Dakota State University is helping to meet this demand by
doubling enrollment in its cybersecurity program in the last five
years, serving as a major participant in the National Science
Foundation's CyberCorps program, and hosting GenCyber camps for high
school girls.
a. What steps should American educational institutions take to
encourage more students to choose cyber careers?
Answer. Encouraging socio-economic diversity is key to building the
cybersecurity workforce of the future. Educational institutions should
take steps to ensure that they are marketing cybersecurity offerings to
a broad audience. Additionally, cybersecurity courses should not just
be an option for new starters. Educational pathways that credit prior
learning and professional experience will make it easier for
professionals to change careers.
b. How can we promote the development of entry-level cybersecurity
education using emerging technology tools? How can we also promote
education in higher skill levels in this field?
Answer. The development of the cyber workforce should not be
limited to higher education only. ``Cyber apprenticeships,'' which
could be delivered via flexible online courses, offer an alternative
with lower financial barriers to entry than a bachelor's degree, and
may increase diversity in the field.
To encourage the development of highly-skilled cyber workers,
Federal Government employers, including the Department of Defense and
Intelligence Community, should increase flexibility to support the
careers of ``citizen soldiers,'' who blend careers of government
service and private sector work. In the Department of Defense, we
significantly expanded the role of the National Guard in the National
Cyber Mission Force in order to improve the Department's ability to
attract, train and retrain high-end cyber operators. Government
training provides an important pipeline for highly skilled cyber
workers--even those who leave government can benefit the broader U.S.
economy.
Question 3. Both technologies and threats are continually evolving.
This Committee has passed significant, bipartisan legislation to
advance voluntary, public-private collaboration on cybersecurity, as
well as research and workforce development. For example, the
Cybersecurity Enhancement Act of 2014 authorized the process for the
NIST Framework for Improving Critical Infrastructure Cybersecurity. The
NIST framework employs a flexible, risk-management approach that the
private sector and security experts have praised. Do you believe that
cybersecurity policy, especially in the context of the emerging fields
we discussed at the hearing, should maintain a flexible, voluntary
approach, and avoid mandatory compliance measures?
Answer. The NIST Cybersecurity Framework is a valuable tool for
identifying and managing cybersecurity risks, and is a strong example
of the benefits of public/private collaboration. The Framework has been
a focal point for the development of legal standards and an improved
insurance market for cyber risk. The Framework's flexible approach
yields two key advantages: (1) it can be adopted by organizations
regardless of size and business sector; and (2) it can evolve with
changes in technology and threats.
However, a purely voluntary approach to compliance has not prompted
the behavior changes needed to improve the Nation's cybersecurity.
Recent high-profile hacks have demonstrated that poor cybersecurity
will result in expensive litigation and CEOs losing their jobs. These
trends will encourage investment in improved cybersecurity. That said,
the strategic importance of this issue should compel congressional
leaders to not passively wait for voluntary adoption of a private-
sector derived cybersecurity framework. We cannot sit and watch while
Americans suffer the strategic and economic consequences. Accordingly,
at least in some sectors, compliance should be mandatory and it should
be a baseline standard for Federal Government contractors.
Question 4. The cybersecurity of the Internet of things must be a
top priority. Many of the devices in the Dyn attack last year were
manufactured and located outside the U.S. How can we address
cybersecurity risks from an international perspective? Given these
devices provide a significant benefit to our economy, how do we also
ensure American innovators are not at a competitive disadvantage in the
global marketplace?
Answer. The United States government must take a much more active
role in disrupting and dismantling ``botnets''--networks of infected
devices which are used to conduct cyberattacks such as the 2016
distributed denial of service attack against Dyn. Key national security
organizations, led by the FBI and Department of Justice with the
Department of Defense in support when needed, should work very closely
with private sector telecommunication companies and international
partners, to neutralize botnets by blocking traffic between the
malicious operator and infected devices and using more active defensive
measures.
Additionally, all international ISPs have a responsibility to
ensure the security and integrity of their networks, including by
acting to block malicious traffic where they become aware of an attack.
Mandating product features or imposing product liability on the
manufacturers or distributors of Internet of things devices would be
practically difficult from a legal perspective and also has the
potential to handicap American cybersecurity firms. However, if
producers of IoT devices continue to sacrifice cybersecurity--only to
improve profit margins--the FCC should seriously consider regulation
that ensures security is designed into IoT devices by default.
______
Response to Written Question Submitted by Hon. Bill Nelson to
Hon. Eric Rosenbach
Question. Our election system is highly decentralized, but about
80,000 votes in three states decided the last presidential election.
Therefore, if Russian state actors wanted to try to influence our
elections again, they could conceivably do so by targeting a limited
number of voting precincts.
Mr. Rosenbach, could Russia have the capability to influence future
elections by targeting a relatively small number of votes?
Answer. Russia has both the capability and demonstrated intent to
manipulate an election outcome by targeting only a relatively small
number of votes or voting precincts. In practice, the complexity of the
U.S. electoral system, and unpredictability of which particular votes
will matter most to an election outcome, would make this kind of
manipulation difficult.
The most serious problem is Russia's demonstrated willingness to
conduct cyberattacks, in conjunction with effective information
operation campaigns, against civilian targets, including our democratic
institutions. Protecting these institutions must be among the United
States' most vital national interests. We simply cannot allow
adversaries, including but not limited to Russia, to have the
perception that they can conduct attacks of this nature with impunity.
The U.S. is yet to react to any cyberattack with a response that is
visible, serious and will deter future cyberattacks against our
democratic institutions. We must bolster our deterrence posture to
ensure our democratic institutions and future elections are protected.
______
Response to Written Question Submitted by Hon. Edward Markey to
Hon. Eric Rosenbach
Question. The Federal Government relies on Internet of Things
devices and could bear a heavy burden if these devices are breached by
a cyberattack. To align security incentives and promote cybersecurity,
should contractors and vendors selling Internet of Things devices to
the Government be required to bear their financial responsibility in
the event of a material breach through mechanisms like cyber insurance?
Answer. The Federal Government is only a small market for Internet
connected devices. If it sought to impose onerous contractual liability
standards on vendors, there is a risk that vendors would not be willing
to sell to the government, or would charge significantly higher prices.
The government can best mitigate the cybersecurity risks posed by
Internet of Things devices by ensuring that government networks follow
appropriate procurement and network security processes. For example,
the malware used in the 2016 Dyn denial of service attack accessed
devices by using default usernames and passwords that had not been
changed by users. This is basic cyber hygiene that all cybersecurity
managers in the U.S. Government should address as standard practice.
Additionally, the government has a key role to play in helping the
private sector to respond to attacks which use Internet of Things
devices, particularly those commissioned by state adversaries.
Responding to these types of attacks requires significant resources and
engagement with international partners.
______
Response to Written Questions Submitted by Hon. Tammy Duckworth to
Hon. Eric Rosenbach
Question 1. To all of the Witnesses, beyond standards and
frameworks, from an industry perspective, what are the top three to
five best practices you've identified to protect critical
infrastructure that enables companies and governments to enact
proactive measures instead of just focusing on the response to threats
or disasters? Specifically, I want to know how we move from reaction to
proaction.
Answer. First, to be proactive about the defense of critical
infrastructure, we must bolster the U.S. deterrence posture regarding
state-sponsored cyberattacks.
Second, the Intelligence Community plays a key role in proactively
identifying plans for attacks through the collection of intelligence
abroad. To assist intelligence agencies to identify and prevent
cyberattacks, we need clear channels of communication between industry
and government, as well as liability protection for information-
sharing.
Third, the government can assist industry by testing the security
and resilience of critical infrastructure systems. For example, the
Washington State National Guard conducts ``red team'' exercises to
search for vulnerabilities in state networks, and to test cyber-
emergency responses. This practice has been adopted in a number of
other states, and could be adopted further.
Finally, the NIST Cybersecurity Framework sets out important best
practices for businesses involved in critical infrastructure, but we
need to move beyond voluntary compliance. The government can establish
and leverage incentives to promote adoption of the NIST framework,
which could for example include technical assistance, regulatory
streamlining, grants or liability protection for complying businesses.
At least for some sectors, compliance with the NIST framework should be
mandatory.
Question 2. As this committee moves forward in the 115th Congress,
we are considering oversight and legislation within the committee's
jurisdiction of science, technology, transportation and the critical
infrastructure that supports them. For all the witnesses in closing,
what should this committee keep in mind in order to help make sure
we're developing the framework for infrastructure that is proactive,
resilient and lasting as cyber threats continue to evolve?
Answer. To meet the current and future challenges of cybersecurity,
the U.S. must continue to be on the leading edge of technological
development. This is not just in our economic interest; it is a
security imperative. Technological competitiveness can be supported in
three ways.
First, the U.S. Government should invest in and be an early adopter
of new technologies that will aid cyber defense.
Second, Congress and state legislatures must ensure that existing
regulations designed in the pre-internet age do not obstruct the
development of new technologies.
Third, we must ensure that new laws designed to protect our
Nation's critical infrastructure do not inadvertently stifle
innovation. Laws and regulations must be flexible, and designed to
evolve in response to changing technological opportunities,
vulnerabilities, and adversaries. They will therefore need to be
informed by broad and ongoing consultation with industry.