[Senate Hearing 111-1103]
[From the U.S. Government Publishing Office]
S. Hrg. 111-1103
CYBER SECURITY--2010
=======================================================================
HEARINGS
before the
COMMITTEE ON
HOMELAND SECURITY AND
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
ONE HUNDRED ELEVENTH CONGRESS
SECOND SESSION
__________
JUNE 15, 2010
PROTECTING CYBERSPACE AS A NATIONAL ASSET: COMPREHENSIVE LEGISLATION
FOR THE 21ST CENTURY
__________
NOVEMBER 17, 2010
SECURING CRITICAL INFRASTRUCTURE IN THE AGE OF STUXNET
__________
Available via the World Wide Web: http://www.fdsys.gov/
Printed for the use of the Committee on Homeland Security
and Governmental Affairs
U.S. GOVERNMENT PRINTING OFFICE
58-034 WASHINGTON : 2011
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC
area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC
20402-0001
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
JOSEPH I. LIEBERMAN, Connecticut, Chairman
CARL LEVIN, Michigan SUSAN M. COLLINS, Maine
DANIEL K. AKAKA, Hawaii TOM COBURN, Oklahoma
THOMAS R. CARPER, Delaware SCOTT P. BROWN, Massachusetts
MARK L. PRYOR, Arkansas JOHN McCAIN, Arizona
MARY L. LANDRIEU, Louisiana GEORGE V. VOINOVICH, Ohio
CLAIRE McCASKILL, Missouri JOHN ENSIGN, Nevada
JON TESTER, Montana LINDSEY GRAHAM, South Carolina
ROLAND W. BURRIS, Illinois
EDWARD E. KAUFMAN, Delaware *
CHRISTOPHER A. COONS, Delaware *
Michael L. Alexander, Staff Director
Deborah P. Parkinson, Senior Professional Staff Member
Adam R, Sedgewick, Professional Staff Member
Brandon L. Milhorn, Minority Staff Director and Chief Counsel
Robert L. Strayer, Minority Director of Homeland Security Affairs
Devin F. O'Brien, Minority Professional Staff Member
Trina Driessnack Tyrer, Chief Clerk
Patricia R. Hogan, Publications Clerk and GPO Detailee
Laura W. Kilbride, Hearing Clerk
* Senator Coons replaced Senator Kaufman on the Committee on November
15, 2010.
C O N T E N T S
------
Opening statements:
Page
Senator Lieberman I60 1, 39..................................
Senator Collins I60 3, 40....................................
Senator Carper............................................... 5
Senator McCain............................................... 15
Senator Burris............................................... 17
Senator Coons................................................ 59
Prepared statements:
Senator Lieberman I60 65, 124................................
Senator Collins I60 67, 127..................................
Senator Carper............................................... 70
WITNESSES
Tuesday, June 15, 2010
Philip Reitinger, Deputy Under Secretary, National Protection and
Programs Directorate, U.S. Department of Homeland Security..... 6
Frances Fragos Townsend, Chairwoman of the Board, Intelligence
and National Security Alliance................................. 19
Alan Paller, Director of Research, The SANS Institute............ 22
Steven T. Naumann, Vice President, Wholesale Market Development,
Exelon Corporation, on behalf of the Edison Electric Institute
and the Electric Power Supply Association...................... 25
Sara C. Santarelli, Chief Network Security Officer, Verizon
Communications................................................. 27
Wednesday, November 17, 2010
Sean McGurk, Acting Director, National Cybersecurity and
Communications Integration Center, Office of Cybersecurity and
Communications, U.S. Department of Homeland Security........... 41
Michael J. Assante, President and Chief Executive Officer,
National Board of Information Security Examiners of the United
States Inc..................................................... 44
Dean Turner, Director, Global Intelligence Network, Symantec
Security Response, Symantec Corporation........................ 48
Mark W. Gandy, Global Manager, Information Technology Security
and Information Asset Management, Dow Corning Corporation...... 52
Alphabetical List of Witnesses
Assante, Michael J.:
Testimony.................................................... 44
Prepared statement with an attachment........................ 142
Gandy, Mark W.:
Testimony.................................................... 52
Prepared statement........................................... 165
McGurk, Sean:
Testimony.................................................... 41
Prepared statement........................................... 129
Naumann, Steven T.:
Testimony.................................................... 25
Prepared statement........................................... 101
Paller, Alan:
Testimony.................................................... 22
Prepared statement........................................... 84
Reitinger, Philip:
Testimony.................................................... 6
Prepared statement........................................... 72
Santarelli, Sara C.:
Testimony.................................................... 27
Prepared statement........................................... 109
Townsend, Frances Fragos:
Testimony.................................................... 19
Prepared statement........................................... 80
Turner, Dean:
Testimony.................................................... 48
Prepared statement........................................... 156
APPENDIX
Statement for the Record from Robert D. Jamison, Former Under
Secretary of Homeland Security for the National Protection and
Programs Directorate........................................... 116
Responses to post-hearing questions submitted for the Record
from:
Mr. McGurk................................................... 170
Mr. Assante.................................................. 173
Mr. Turner................................................... 176
Mr. Gandy.................................................... 177
PROTECTING CYBERSPACE AS A NATIONAL
ASSET: COMPREHENSIVE LEGISLATION
FOR THE 21ST CENTURY
----------
TUESDAY, JUNE 15, 2010
U.S. Senate,
Committee on Homeland Security
and Governmental Affairs,
Washington, DC.
The Committee met, pursuant to notice, at 2:59 p.m., in
room SD-342, Dirksen Senate Office Building, Hon. Joseph I.
Lieberman, Chairman of the Committee, presiding.
Present: Senators Lieberman, Carper, Pryor, Burris,
Collins, and McCain.
OPENING STATEMENT OF CHAIRMAN LIEBERMAN
Chairman Lieberman. The hearing will come to order. Good
afternoon and thanks for being here today. We are going to take
a look at legislation Senators Collins, Carper, and I
introduced last week, the Protecting Cyberspace as a National
Asset Act. It provides a comprehensive framework to modernize,
strengthen, and coordinate our cyber defenses across civilian
Federal networks and the networks of the most vital privately
owned critical infrastructure, including some real basics of
American life: Our electric grid, financial systems, and our
telecommunications networks.
Today we are going to hear from the top cyber security
official at the Department of Homeland Security (DHS), which,
of course, has a critical role to play in protecting our cyber
assets; and we are also going to hear from security and
industry experts. We have, in preparing this legislation,
consulted extensively with members of the Administration,
people in the private sector, and privacy groups as well.
In the 40 years since the Internet was created, it has
developed into a necessity of modern life, a source of
remarkable information and entertainment and commerce. But as
we also have come to know, it is a target of constant attack
and exploitation. We now have a responsibility to bring the
public and private sectors together to secure the Internet,
cyberspace, and to secure it well. And we believe that our bill
would do just that.
The idea of cyber crime is not really totally new to the
American people. We all know about identity theft and about
emails from a foreign prince, doctor, or government official
who desperately needs more money, needs to move it out of his
or her country, and who will reward you richly--if only you
will give them your bank account number, which some people
actually do.
Identity theft and financial fraud are serious matters.
But, of course, we need, and hope through this bill, to
reorient our thinking about the risks inherent in the Internet
and cyberspace because today we face much greater risks in
cyberspace than crimes like identity theft. A sophisticated
attacker could cripple most of our financial system, take down
a lot of the electric grid, or cause physical devastation equal
to or greater than conventional warfare. The fact is that the
threat of cyber attack is among the most serious threats
America faces today.
President Obama I think has correctly described our
sprawling government and private sector cyber networks as a
``strategic national asset.'' But our efforts to secure those
networks and that national asset have been disjointed,
understaffed, and underfinanced. So what does our bill do?
First, we need leadership, we need focused and clear
leadership, and our bill provides it in the form of a White
House Office of Cyberspace Policy that would lead all Federal
efforts to defend cyberspace--that is, civilian, defense, and
private. The office would be led by a Senate-confirmed
director, accountable to the public. We have previously asked,
for instance, White House cyber coordinator Howard Schmidt to
testify before this Committee, but we have always been turned
down, apparently on the grounds of executive privilege. Our
legislation would change that by requiring Senate confirmation
and thereby making Mr. Schmidt or whoever holds that position
subject to the call of Congress and the public.
We also need a stronger agency to defend the dot-gov
networks and oversee the defenses of our most critical
infrastructure. The Department of Homeland Security Inspector
General will issue a report tomorrow critical of many
operational elements of the Department's cyber security effort,
citing a lack of clear authority as one of the issues that
needs to be rectified. Our bill more than addresses these
shortcomings by creating a National Center for Cybersecurity
and Communications within the Department of Homeland Security
which would have new, strong authorities to protect non-
defense, public sector, and private sector networks from cyber
attack. DHS already has this responsibility through
Presidential Directive but, in our opinion, insufficient
authority to carry it out.
The sound defense of our cyber networks will only be
successful if industry and government work together, so our
bill will set up a collaborative process where the best ideas
of the private sector and the government would be used to meet
a baseline set of security requirements that DHS would enforce
for the Nation's most critical infrastructure.
Thanks to some excellent work by our colleague, Senator
Carper, our legislation reforms and updates the Federal
Information Security Management Act to require continuous
monitoring and protection of Federal networks, but do away with
the paper-based reporting system that takes up time agencies
really otherwise would be using and should be using to protect
their networks.
Our legislation also would require the Federal Government
to develop and implement a strategy to ensure that the almost
$80 billion of information technology products and services
that the Federal Government purchases each year are secure and
do not provide our adversaries with a back door into our
networks. And, of course, if the Federal Government uses that
$80 billion of purchasing power to drive security add-ons and
innovations in information technology products, it will also be
available and presumably bought by the private sector.
Finally, we would give special authority to the President
to act in the event of a catastrophic cyber attack that could
seriously jeopardize public safety or have disastrous effects
on our economy or national security. In those instances,
clearly defined in our legislation, the President could direct
the National Cybersecurity and Communications Center at DHS to
impose emergency measures on a select group of critical
infrastructure to preserve those assets and the networks they
rely on and protect the American people. These emergency
measures would automatically expire within 30 days unless the
President ordered an extension. I know there has been some
concern and controversy about that provision, and we can speak
to it, I hope, in the question-and-answer period. But it is
linked with a very important limitation on liability of private
entities who take action in response to an order from the
government and might otherwise incur liability. But we protect
them from that because the action the government is ordering
them to take is in the national security or economic interest.
So freedom of expression and freedom to innovate are not
inconsistent with greater security in cyberspace and that is
exactly what we hope to combine and balance in this
legislation.
Senator Collins.
OPENING STATEMENT OF SENATOR COLLINS
Senator Collins. Thank you, Mr. Chairman.
Mr. Chairman, I have a very lengthy statement which I would
request be inserted in the record in full.\1\
---------------------------------------------------------------------------
\1\ The prepared statement of Senator Collins appears in the
Appendix on page 67.
---------------------------------------------------------------------------
Chairman Lieberman. Without objection.
Senator Collins. And I will just summarize my comments.
As the Chairman has pointed out, cyberspace is under
increasing assault on all fronts. The cyber threat is real, and
the consequences of a major successful national cyber attack
could be devastating. As former Director of National
Intelligence Michael McConnell warned in February, ``If we went
to war today, in a cyber war, we would lose.''
We are already under fire. Just this past March, the
Senate's Sergeant at Arms reported that the computer systems of
Congress and Executive Branch agencies are now under cyber
attack an average of 1.8 billion times a month. Cyber crime
already costs our national economy an estimated $8 billion per
year.
So it is clear that we must move forward now with an
aggressive and comprehensive approach to protect cyberspace as
a national asset. The vital legislation that we introduced last
week would do just that. It would fortify the government's
efforts to safeguard America's cyber networks. And it would
promote a true public/private partnership to work on national
cyber security priorities.
For far too long, our approach to cyber security has been
disjointed and uncoordinated. This simply cannot continue. The
stakes are too high.
Our bill, as the Chairman has pointed out, would establish
an essential point of interagency policy coordination within
the White House. This would be the Office of Cyberspace Policy
which would be run by a Senate-confirmed director who would
advise the President and who would develop a national cyber
security strategy.
Let me be clear. We are not talking about creating an
unaccountable cyber czar. The Cyber Director would have defined
responsibilities and would be accountable to Congress as well
as to the President. The Cyber Director would be an adviser, a
strategist, not an implementer.
That responsibility, for Federal civilian systems and for
the private sector critical infrastructure, would fall to a
strong operational and tactical partner at the Department of
Homeland Security through a newly created National Center for
Cybersecurity and Communications (NCCC). This new cyber center
is patterned on the National Counterterrorism Center (NCTC). It
would have representatives from various departments and would
work on these issues day to day.
The bill, as I mentioned, emphasizes the importance of
working with the private sector to improve cyber security
across private sector networks.
In cases where owners and operators are responsible for
assets whose disruption would cost thousands of lives in mere
seconds or multiple billions of dollars, the bill would
establish certain risk-based performance requirements to close
security gaps.
These requirements, for example, would apply to vital
components of the electric grid, telecommunications networks,
financial systems, or other critical infrastructure systems
that could cause a national or regional catastrophe if
disrupted.
But I want to emphasize that the private sector would be
able to choose which security measures are implemented to meet
the risk-based performance requirements. That model would allow
for the continued innovation that is fundamental to the success
of the information technology (IT) sector. And as the Chairman
has indicated, the bill would also provide limited liability
protections to owners and operators of critical infrastructure
that comply with the new risk-based performance requirements.
If a cyber attack were imminent or occurring, the bill
would authorize the President to undertake emergency measures.
But as the Chairman has indicated, we have carefully
circumscribed that authority. It is limited in duration and
scope. The bill does not authorize any new surveillance
authorities or permit the government to ``take over'' private
networks.
The legislation would also take full advantage of the
government's massive purchasing power to help ensure that cyber
security is baked into products when they are brought to the
marketplace.
And, finally, the bill would improve the recruitment and
retention of a qualified Federal IT workforce.
If hackers can bring the nation of Estonia to its knees
through cyber attacks, infiltrate a major defense program, and
hack into the computers owned and operated by some of the
world's most sophisticated private sector experts, we must
assume that even more spectacular and potentially devastating
attacks lie ahead. We simply cannot wait for a cyber September
11, 2001, before our government takes this threat seriously and
acts to protect these critical assets.
Thank you.
Chairman Lieberman. Thank you very much, Senator Collins.
It is the tradition of our Committee that the Chairman and
the Ranking Member only make opening statements. It is a
selfish system but one that Senator Collins and I both
appreciate. [Laughter.]
But on this occasion, since Senator Carper is a cosponsor
of our legislation, I would welcome any opening statement that
you would have Senator Carper.
OPENING STATEMENT OF SENATOR CARPER
Senator Carper. Thank you very much, Mr. Chairman. I want
to salute you and Senator Collins for bringing this together in
a bipartisan--even a tripartisan coalition--on an issue whose
time has come. Look around this room. Standing room only. I
would suggest that finally at long last we have a strong
national focus here in the Senate and in the Administration on
taking the steps that we need to take to make sure that our
Internet, which has grown more complex by the day, is secure.
For 3 years, I have called for some of the very same
reforms that we will talk about today. In fact, I introduced
cyber security legislation, I think, last spring in an effort
to strengthen our Federal Government--and our Nation--against
the kinds of attacks that we have seen seriously disrupt the
nations of Estonia, as Senator Collins has mentioned, and
Georgia.
One reform that I am especially happy my colleagues have
accepted is the creation of a White House office that would be
responsible for coordinating the security and resiliency of our
Nation's cyberspace. To date, Federal agencies' efforts have
been ad hoc; they have been for the most part duplicative.
There is an old saying that goes, ``the left hand does not know
what the right hand is doing.'' And my hope is that this office
will provide the needed strategic direction to more effectively
deal with challenges in cyberspace before they become a crisis.
Another reform that I am happy, when it made it into the
bill, is the idea that agencies need to leverage their
purchasing power to demand that private vendors sell more
secure products and services at the front end. For too long
agencies have needlessly spent money cleaning up after a cyber
attack because the technology was full of security holes. Like
a door with no lock, hackers have used security holes that
never should have been there in the first place to gain access
to our sensitive networks, and this bill changes that.
I also want to commend my colleagues--and our staffs, and I
especially want to commend Erik Hopkins, who is sitting right
behind me, for the work that he has done on these issues for
years. But I commend all who have been involved in reforming
the Federal Information Security Management Act of 2002. As we
all know, producing a plan that sounds good on paper is not the
same as ensuring the plan is effectively implemented. That is
why our legislation compels agencies to stop producing the
reams of ineffective paperwork they currently do and instead
focus their efforts on defending their systems in real time,
much as we do in the nuclear power industry.
Last, I want to thank my colleagues for accepting my
language to create a nationwide network of cyber challenges to
help reduce the gap between the number of so-called cyber
warriors that are produced in America and those that are being
trained in place like China, North Korea, and Russia. A little
bit like a farm system in baseball, these cyber challenges will
create a pipeline of talent that can be tapped by government
agencies and by private sector companies. If we want America to
continue to be dominant in the century to come--and we know we
do--we have to invest in the skills of these young people.
In closing, I look forward to working with our Chairman,
with Ranking Member Collins, and other colleagues who have an
interest in these issues, including Senator McCain to my left,
and my colleague, Senator Burris from Illinois, who I know has
a strong interest in these issues. My hope is we can bring
together a diverse group of stakeholders on all sides of the
issue to produce a bipartisan/tripartisan bill that will
enhance our Nation's cyber security and be signed by the
President before the end of this week--or maybe this month. How
about this year? Thank you.
Chairman Lieberman. Thanks, Senator Carper. Thanks to
Senator McCain and Senator Burris for being here.
We will go to our first witness, Philip Reitinger, Deputy
Under Secretary of the National Protection and Programs
Directorate, and Director of the National Cybersecurity Center
at the Department of Homeland Security. Mr. Reitinger's coming
to the Department is part, I think, of a really full open-
throttle attempt to dramatically upgrade the Department's
capacity for cyber defense. He has a remarkably diverse
background in both the private sector and government, which
includes working at both Microsoft and the Department of
Justice, though not at the same time.
Mr. Reitinger. Thank you, sir. You left off the Department
of Defense as well.
Chairman Lieberman. Sure.
Anyway, Mr. Reitinger, I am glad to see you again, and we
welcome your testimony now.
TESTIMONY OF PHILIP REITINGER,\1\ DEPUTY UNDER SECRETARY,
NATIONAL PROTECTION AND PROGRAMS DIRECTORATE, U.S. DEPARTMENT
OF HOMELAND SECURITY
Mr. Reitinger. Chairman Lieberman, Ranking Member Collins,
and Members of the Committee, it is indeed an honor to appear
before you today to talk about the security of cyberspace and
this Committee's Protecting Cyberspace as a National Asset Act.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Reitinger appears in the Appendix
on page 72.
---------------------------------------------------------------------------
As you point out Mr. Chairman, the President has described
our networks as a strategic national asset. And as the Ranking
Member pointed out, those networks are under an increasing
threat and increasing risk of harm every day. The attackers
range in skill from state-sponsored attackers down to low-level
criminal hackers. And the fundamental insecurity of our
ecosystem means not just our information is at risk, but the
information infrastructure that provides us critical services
is also at risk, as the Committee Members point out: Power,
financial services, transportation, and other key parts of our
infrastructure. That means it is incumbent upon all of us--
across the government, the State, local, tribal, and
territorial governments, and the private sector--to treat this
as a real national security and homeland security emergency. We
must respond to deal with the increasing threat.
The prior Administration began a good start in this space
with the Comprehensive National Cybersecurity Initiative, which
President Obama furthered with the Cyberspace Policy Review.
We, in DHS, are similarly recognizing our responsibility. We
are the lead for working to protect Federal civilian systems
and working to protect private sector and State, local, tribal,
and territorial government systems and helping them to bolster
their cyber security.
A key moment happened in February of this year which
escaped a lot of people's notice. The Department of Homeland
Security released, after interagency review, the first ever
Quadrennial Homeland Security Review, which was released,
interestingly, on the same day as the Quadrennial Defense
Review. And I would urge everyone who has not to read the cyber
sections of those two documents because they are parallel. The
Department of Defense (DOD) recognizes its increasing need to
be involved and treat cyber security as a growing mission set.
And the entire homeland security enterprise--and that is
broader than just the Department of Homeland Security. It
includes the private sector. It includes multiple other
government agencies and State, local, tribal, and territorial
governments. It treated cyberspace and the security of
cyberspace as a top five mission area of that enterprise, on a
par with protecting the borders and ensuring domestic security.
So we are well on the way towards treating this as a national
and homeland security event.
In that line, we have had significant outcomes over the
course of the past year that demonstrate our intent to move
forward. I am a firm believer that, in government or the
private sector, organizations succeed or fail based on the
people who are doing the work. If you have the right people,
technology does not matter too much. And if you do not have the
right people, then technology does not matter too much.
There was a great core of people at the Department of
Homeland Security when I arrived, and we have been expanding
that as rapidly as possible. During the course of the last
fiscal year, fiscal year 2009, we increased the people who do
cyber security in the Office of Cybersecurity and
Communications from 35 to 118. And in the course of this fiscal
year, we are trying to more than double it again.
We are rapidly deploying EINSTEIN 2 on the technical side.
We are ahead of schedule. It is deployed and operational at 11
of 19 agencies where it is to be deployed, and at four Internet
service providers it is deployed, and in one it is operational.
Through those deployments, we are already discovering, apropos
of the comments that the Ranking Member made before, more than
278,000 indicators on average of potentially malicious activity
per month.
Finally, with regard to FISMA, the Administration is moving
rapidly to recognize the criticisms that have been made of that
regime in the past. In particular, a key focus in the
Administration is moving away from annual paper reports and
more towards continuous monitoring. What is the real security
situation we are in? And apropos of where this Committee is
intending to go, providing the operational responsibility to
manage that effort to the Department of Homeland Security.
Turning finally to the bill, I regret I am not able at this
time to state an Administration position on the bill which was
introduced last week. That said, DHS looks forward greatly to
continuing to work with the Committee on strengthening the
Department's ability to accomplish its cyber security mission.
I particularly welcome this Committee's and the sponsors'
support for the DHS mission, its support for allowing DHS'
effort to maximize its hiring flexibilities, and the continuing
and clear support in the bill for privacy and civil liberties,
which we believe are fundamental to cyber security.
With regard to authorities, we believe the continued
examination of authorities for both DHS and in emergencies is
called for to see what can be done under existing authorities
and what changes may be necessary.
Finally, I would state that with regard to organization, it
is the Department of Homeland Security's view that our
preference is to keep physical and cyber security tightly co-
joined. We believe that it will enable us to work more
effectively with the private sector to manage risk, give us--to
the extent one wants to influence the private sector, which is
important--more levers to pull, and allow us to continue to
work with the private sector in an all-hazards way on instant
response.
Mr. Chairman, Ranking Member Collins, Members of the
Committee, thank you again for the opportunity to testify, and
I would be more than pleased to answer any questions you may
have.
Chairman Lieberman. Thanks, Mr. Reitinger. I appreciate the
fact that though there is not an official position of the
Administration on the bill, you are giving your own welcome and
warm response, particularly of the role given to the
Department. Is that right?
Mr. Reitinger. We certainly welcome the support for the DHS
mission space, sir, and the clear delineation of roles and
responsibilities, absolutely.
Chairman Lieberman. Fine. Let me just start out, and we
will do 7-minute rounds. Let me ask first, if somebody comes up
to you and says, ``Is all this business about cyber security
for real? In other words, are we really under threat from non-
state actors, other states, or terrorist groups? Can they
really do as much damage as a conventional attack?'' What do
you say?
Mr. Reitinger. Sir, the threat is clearly real. I often
say--in fact, I said yesterday when I was in Miami at the Forum
of Instant Response Teams event--that if you really want to
secure your computer, it is best to turn it off, disconnect it
from the Internet, and if you really want to be secure, do not
allow any person to get near it, open up the cover, pull out
the hard drive, and hit it with a hammer until it no longer can
be read.
The current state of the technology simply does not allow
for foolproof security. Instead, we are in risk management. And
right now we have a long way to go to be able to as effectively
manage risk as we need to.
We depend on these companies not just to see a silly video
on the Internet or even to write a document to pass up the
chain of command. We depend on them for power, for food, and
for transportation. Those systems are insecure in many ways,
and we simply do not live in a sustainable environment right
now. The system is fundamentally insecure and needs to change.
Chairman Lieberman. So the capacity to attack in cyberspace
or intrude or exploit is, therefore, much greater than the
capacity to defend against such attacks?
Mr. Reitinger. Yes, sir.
Chairman Lieberman. I do not want to carry you too far into
a parade of horribles, but is it really possible that a cyber
attack on, for instance, private infrastructure could cause
damage comparable to a conventional military attack on our
homeland?
Mr. Reitinger. Sir, I think it is hard to know the full
scope of damage. I think it is possible damage. It is certainly
likely that significant economic damage could be undertaken. If
a cyber attack, for example, destabilized people's trust in the
financial system, one would see untold economic costs to this
country. And physical attacks are possible, and we need to
advance the state of science and the art of the possible to
know what the full scope of risk is. In any event, we need to
prepare now as if it were possible.
Chairman Lieberman. Yes. Let us talk about what we can do
to better defend, and let me ask you to compare or respond to
some alternative suggestions to the one that we have included
in our bill. There are proposals moving around different
sections of Congress that would have the Department of Defense
or the intelligence community take the lead on protecting the
Federal civilian networks. Obviously, DOD is responsible for
the defense networks now, and, of course, our bill respects
that totally. But there are these proposals saying DOD or the
intelligence community should take the lead in protecting
Federal civilian networks as well as those of private critical
infrastructure.
From your point of view, what is the argument for why the
Department of Homeland Security, as opposed to those other
agencies, should have that responsibility?
Mr. Reitinger. Sir, the Department of Homeland Security has
been given the responsibility for helping to protect the dot-
gov, the civilian government systems, and working with the
private sector under both the prior Administration and this
Administration. It is what we do, it is our role, and that is
appropriate.
Every agency brings its own capabilities to bear, and I by
no means wish to undercut the key role of the Department of
Defense or the expertise it brings to bear. This Nation has
spent significant dollars over a long period of time to develop
technical capabilities in the Department of Defense, which the
Department of Homeland Security can and does leverage in its
role of working with the private sector and protecting civilian
government systems. We leverage and synchronize the
capabilities of the Department of Defense in significant
amounts of the work that we do, and we coordinate with them
fully and partner with them across the Federal Government
enterprise.
DHS has in its own space developed its own capabilities. We
have built as a part of the National Infrastructure Protection
Plan the partnership framework under which we work with the
private sector. We have built the capability to deploy teams to
work in particular private sector environments and provide
support. We have built the ability to help control systems'
vendors and those who deploy control systems to respond to
cyber events and to help secure their systems.
By working together and each playing our positions and
bringing our capabilities to bear, one team, one fight, we can
be most effective across government.
Chairman Lieberman. Do you have particular concerns, for
instance, about DOD or the intelligence community taking over
nondefense civilian government networks or private
infrastructure? I know some people have been concerned about
privacy or civil liberties in that case.
Mr. Reitinger. Sir, I believe both General Alexander, the
Director of the National Security Agency (NSA), and now the
head of Cyber Command, and other individuals from DOD have been
clear over time that protection of the civilian government
space and working with the private sector is the mission space
of the Department of Homeland Security, that they are intent to
support. And I believe they will do that, and we will work
effectively together.
Chairman Lieberman. Let me ask you one last question. I
believe that DHS is the right place for this authority to be. I
am also encouraged because I think you bring a lot to the
position you are in now. Personnel are really key in this, and
our bill respects that by creating flexibility in hiring for
the new section that we are creating and beefing up in DHS. So
I want to ask you to respond to those suggestions in our bill
and whether you think they are important and whether you think
they are adequate.
Mr. Reitinger. Sir, I cannot comment on the specific
provisions in the bill because the Administration is still
reviewing it, but I can say that hiring flexibility is very
important to the Department of Homeland Security, in particular
in the cyber security area.
Chairman Lieberman. And this really means being able to pay
people more than the normal pay scale in Federal service
because that is what you have to do to get the best people. Is
that right?
Mr. Reitinger. It means paying more in particular cases. It
means having the flexibilities to be able to hire people
rapidly. As you can imagine, there are far too few cyber
security experts in our country. And, indeed, one of the long-
term things we need to accomplish is enhancing our educational
system so that there are more such people available to go to
the private sector and the government.
But now we are in a space where we are competing
substantially with private industry that can pay a lot more. We
succeed by, first of all, giving those individuals a chance to
really make a difference, to tell them that we have a critical
mission, and you as a patriot can help your country; second, by
giving them the ability and capability to actually make a
difference; and, third, by asking them not to make too many
sacrifices. We are very clear. If you come to work for the
government, indeed, any part of the government, you are going
to make a sacrifice if you are in cyber security because you
are not going to make what you could in the private sector. But
if we can bring them on more rapidly and pay them something
comparable to what they would get in the private sector, they
will do that to help protect their country.
Chairman Lieberman. Thank you. Senator Collins.
Senator Collins. Thank you.
I was struck in your written testimony by the
Administration's continued reliance on Section 706 of the
Communications Act as the basis for emergency authority in the
event of a cyber attack. In fact, while your testimony is a
little bit unclear on this point, you seem to be opposing the
attempt that we have in our bill to lay out the authorities of
the President, and instead you are pointing back to this Act.
I would point out that authority was passed in January
1942. It was passed a month after the attack by the Japanese on
Pearl Harbor--obviously, a very different time and long before
the Internet was even conceived of.
In light of the current nature of our communications
infrastructure, the Communications Act grants very broad
authority to the President, but it is authority that can only
be exercised when a certain threshold is met, and that is the
state of war or the threat of war. It is wholly lacking in the
kinds of flexibility to respond to a serious attack targeting
some of our most critical infrastructure that may fall below
that threshold.
Is it clear, based on legal research DHS has done, the
opinions of the Federal Communications Commission, or some
court decision, that the authority of Section 706 could be used
to respond to an attack on our critical infrastructure that
does not rise to the level of the state of war or the threat of
war?
Mr. Reitinger. So, ma'am, let me first begin by saying
while Section 706 is one authority and, as you point out, a
hoary one that inures to the President of the United States,
there are other legal authorities the President could bring to
bear. Your point I think is well taken, though, that those
authorities, for the most part, are older or not specifically
designed for this case.
That said, the Administration's position is to prefer to
see if those authorities could be aligned in a way that would
allow the need to be met, and if movement goes forward, to do
so in a way that would be minimally disruptive. I would say
that there are a lot of legal questions that have not been
answered. The Cyberspace Policy Review identified a significant
number of them. We and the Administration, I think, would be
happy to work with this Committee to make sure that the
authorities that are necessary to meet the coming need are
present to the Department of Homeland Security or the President
of the United States in an appropriate emergency.
Senator Collins. Well, shouldn't we be carefully defining
what authority the President has? Our bill has far more
targeted authority to respond to a cyber emergency, but that
authority is limited both in duration and scope. It requires
notice to Congress. It does not authorize the President to take
over networks. It allows the private sector to propose
alternative means of achieving the goal.
Shouldn't we be spelling out exactly what the President's
authority is short of a state of war?
Mr. Reitinger. Ma'am, I apologize that I cannot take a
position on the bill at this time, but I do appreciate the
effort that the Committee made to tailor the authorities so
they are focused on the expected need.
Senator Collins. I will take that as a yes. [Laughter.]
I would say--and I am not trying to put you in an
uncomfortable spot, but as you know, we have been working with
the Department on this issue for more than a year, and I just
do not understand why the Department is not further along in
its thinking on what should be done. And that is one reason why
the three of us proceeded with a bill. We cannot wait. Those
hackers are not waiting. The 1.8 billion attacks per month are
occurring now.
So I guess I would ask you to take a look at those
provisions of the bill. They are carefully circumscribed and
yet aggressive enough, and they reflect the reality. Relying on
a law passed in World War II is just foolhardy. It is out of
date.
Let me switch to another issue. Tomorrow the DHS Inspector
General will release a report that the Chairman referred to
that will say that the U.S. Computer Emergency Readiness Team
(US-CERT) program, which is charged with monitoring the
security of civilian cyber networks, does not have the
enforcement authority that it needs to ensure that agencies
comply with its recommendations and mitigation guidance. It
also notes that US-CERT does not have the authority to compel
agencies to deploy technology for determining in real time if a
cyber attack is taking place.
Our bill would correct those problems. We would enhance the
authorities of US-CERT and create a stronger cyber center
within DHS, including providing the center with the authority
to enforce compliance with its cyber security directives.
Do you agree that the Department needs additional
authorities to enforce security policies for civilian Federal
networks?
Mr. Reitinger. Ma'am, as your question points out, the
Department does have broad authority within the civilian
government space to set requirements for other agencies to
meet. The Department does not have direct enforcement authority
over those departments and agencies, which has raised issues in
particular cases, for example, in Conficker, where we had
difficulty in obtaining responses regarding the scope of the
issue for different departments and agencies.
So we have, I think, strong authorities right now in terms
of setting requirements. In terms of enforcement, we have the
commitment, I think, from both the cyber security coordinator
at the White House and the Office of Management and Budget
(OMB) to work with us when agencies have difficulty in
responding to our requirements. And they may do so for a number
of valid reasons, including they themselves have limited
resources and ability to respond because they are, in fact,
just barely able to keep the attackers at bay. We will work
through the White House in order to make sure that there is as
full compliance as possible.
Senator Collins. Well, it is evident to me that the
Department needs more teeth in its directives, or agencies are
going to feel free to ignore them, and that is one of the
problems we are trying to rectify. Thank you, Mr. Chairman.
Chairman Lieberman. Thanks very much, Senator Collins.
I just want to endorse both lines of the Senator's
questioning, but particularly the first one about the need for
a clear statement of the authority of the President in the case
of a national emergency regarding cyber networks, because I
think the old Telecommunications Act does not do it. It is at
best unclear. And, of course, in a crisis I would hate to have
lawyers arguing in front of the President about what the right
thing to do is as we are about to be attacked in cyberspace. If
there is an attack on our electric grid, I do not see in the
old telecommunications law the power in the President, or
anybody, for instance, to order that a patch be put on some
part of the grid to protect it. So I hope you will take a good
look at that and agree when you do that we need new clearly
stated authority.
Senator Carper.
Senator Carper. Thanks, Mr. Chairman.
Mr. Reitinger, welcome. Good to see you. Thank you for your
testimony and for your service on many fronts.
You may have said this and I missed it, but I can
appreciate why the Administration may not have a position on
this legislation today. Did you say when you expect to have
that kind of position--or establish a position?
You said later or tomorrow? Is that what you said?
Mr. Reitinger. Predictions about the vagaries of the
interagency process are beyond my cognitive skills. I would
hesitate to venture a guess, but it is of importance to us and
the Administration, and we will be focusing on the bill.
Senator Carper. All right. The old saying goes something
like this: ``The best defense is a good offense.'' And we are
talking a lot here today and have been talking for several
years about how to play good defense. Talk to us about how we
might play better offense.
Mr. Reitinger. Sir, offense is mostly outside my realm of
responsibility now. I am in a part of the U.S. Government that
plays defense.
What I can say is that particularly with regard--if you
count law enforcement investigations as part of offense, we do
need to have the right deterrence structure, and so we partner
very closely with our friends in the Federal Bureau of
Investigation (FBI) and the Secret Service to make sure that we
bring the necessary capabilities to bear, that we liaise with
them so that they are able to work as a part of a cross-
government partnership. But we are, within the parts of DHS
that report to me, very focused on playing defense, and that is
our area of responsibility.
Senator Carper. Whose job is it to play offense on our
team?
Mr. Reitinger. Well, generally it would depend on what the
role would be, sir. I am not necessarily in a position to say
who does what different pieces, but the overall
responsibilities roll up to the White House.
Senator Carper. All right. A month or so ago, I believe, we
met with you and some of your colleagues to discuss the role of
the Department in securing our Nation from cyber attacks. In
addition, we discussed whether or not the Department needed to
be internally reorganized to more effectively prevent and
defend against both physical and against cyber attacks. In your
written testimony today, you mentioned that you believe the
Department should have an all-hazards approach to security. I
have a couple of questions that flow from that.
Do you believe our bill reorganizes the Department of
Homeland Security in a way to better handle both cyber and
physical attacks? And a second half to the question is: Do you
think there will be any unintended consequences by splitting
cyber and physical security responsibilities into two entities?
Mr. Reitinger. Sir, I would say that I appreciate the
effort the Committee made to ensure coordination between
physical and cyber by including a deputy for physical
infrastructure protection within the NCCC, if I could use that
acronym. However, I do believe that DHS will be more effective
if we keep physical infrastructure protection and cyber
infrastructure protection co-joined.
We are, as we move forward, increasingly finding ways that
those sub-components, can work together even more effectively.
For example, when we do assessment work for our critical
infrastructure facilities, doing physical and cyber
infrastructure assessments at the same time by working to build
out our all-hazards response capability. We have already
collocated our cyber watch centers in the National
Cybersecurity and Communications Integration Center, and we are
thinking through the extent to which we should better merge
those with our National Infrastructure Coordinating Center,
which coordinates a lot of physical response activities,
because the private sector speaks the language of all hazards.
They worry about risk, as a telecommunications company would
say, whether it is from a cyber attack or a backhoe.
We, in government, need to step to that and speak their
same language. If we want to influence how they behave in an
all-hazards way, in a risk-based way, and if something bad
happens, physical or cyber, to be able to address it
seamlessly.
Senator Carper. All right. I have one more question. I
chair a subcommittee of the Committee on Environment and Public
Works that deals with nuclear safety. We have about 104 nuclear
power plants, as you may know, and the nuclear industry and the
Nuclear Regulatory Commission (NRC) which regulates that
industry use force-on-force exercises where good guys act like
bad guys and they test whether or not our 104 nuclear power
plants are prepared for an assault from a force of truly bad
guys. This is also known as offense informing the defense.
It is widely recognized that the National Security Agency
has developed the most sophisticated capabilities in the world
to exploit other groups' sensitive networks. This knowledge and
experience of the offense has allowed the NSA to develop better
defenses to protect their own systems and networks. I included
provisions in our cyber bill to help the Department of Homeland
Security also to do this.
What is the Department doing now to better enhance the
defenses of the Federal Government using the NSA model?
Mr. Reitinger. I guess I would answer that in two parts,
sir. To begin with, we rely on NSA technical assistance and we
leverage their capabilities. So we look strongly at the
capabilities they have developed as we move forward with
technical approaches to decide what the best approach to
protecting dot-gov is. That is the general answer.
The more specific answer is with regard to the activities
you talk about, such as red teaming and blue teaming. I would
say we have yet to fully develop the capability to be able to
execute on that. The ability to do that sort of red teaming and
blue teaming activity is included in our fiscal year 2011
budget, and we will fully coordinate with and rely on the
capabilities and the expertise that NSA has developed in doing
that.
I have specifically spoken to Tony Sager at NSA who is a
nationwide expert in the cyber defense part of NSA, and we will
fully rely on what they can bring to bear as we develop our own
capabilities to execute a similar strategy within the dot-gov
space.
Senator Carper. My time has expired. Thank you very much.
Mr. Reitinger. Thank you.
Chairman Lieberman. Thank you, Senator Carper. Senator
McCain.
OPENING STATEMENT OF SENATOR MCCAIN
Senator McCain. Thank you, Mr. Chairman, and I thank you
and Senator Collins for your hard work on this comprehensive
legislation.
Mr. Reitinger, besides the fact that you work there, why
should the Department of Homeland Security be the lead agency?
Mr. Reitinger. For defending government and the private
sector? Because we are ideally positioned to do it, sir,
because it is a part of homeland security, because we can and
will partner with the Department of Defense and other key
government agencies to bring all national capabilities to bear,
including leveraging the capabilities of the Department of
Defense, and because we can provide the transparency and
accountability that the American people expect in full
partnership with other government agencies.
Senator McCain. What does ``full partnership'' mean, Mr.
Reitinger? Somebody has to lead. ``Full partnership'' means
equality, so let us be careful with our verbiage here. Do you
think that we have already been the victim of cyber attacks?
Mr. Reitinger. Yes, sir.
Senator McCain. Do you think we are basically in a cyber
war right now?
Mr. Reitinger. Sir, I hesitate to use----
Senator McCain. Cyber conflict?
Mr. Reitinger. Sir, we live in a very threatening cyber
environment, yes.
Senator McCain. Who is our greatest attacker, most
significant attackers?
Mr. Reitinger. Sir, I would prefer to address that more in
closed session, but the scope of attackers runs the spectrum
from low-level criminal hackers to the most significant
adversaries.
Senator McCain. Russia mobilized a very effective cyber
attack against Georgia prior to their invasion by conventional
forces. Isn't that correct?
Mr. Reitinger. Sir, there was a significant attack against
Georgia. Yes, sir.
Senator McCain. And there has been one against Estonia?
Mr. Reitinger. Estonia suffered a significant attack as
well.
Senator McCain. And do we know where that came from, from
Russia?
Mr. Reitinger. Sir, I am not prepared to attribute that
activity on the record.
Senator McCain. Every media in America is, but you cannot.
Mr. Reitinger. Sir, from our perspective, if I could, sir--
and I do not mean to be flippant.
Senator McCain. You are not flippant. You are just not
forthcoming.
Mr. Reitinger. I apologize, sir.
Senator McCain. That is all right.
Mr. Reitinger. For us in the Department of Homeland
Security and for the people that work for me and with me, we
approach these events to cover the spectrum of threats.
Certainly the attackers run the gamut from Nation states down
to criminal hackers and everything in between--organized
criminal groups, organized hacker groups--and we need to bring
the right protections to bear to enable us to protect against
that full spectrum of threats.
And ``full partnership,'' sir means that we are involved in
helping to secure government systems. We do not secure the
Department of Defense systems or the intelligence community
systems. We do not engage in international cyber conflict. We
instead work to fulfill our role and enable entities like the
Department of Defense to fulfill theirs. And I think that the
Department of Defense would say the same thing about us.
Senator McCain. But obviously the Department of Defense
would be probably the area we would most want to protect over
any other if we had to prioritize.
Mr. Reitinger. The Department of Defense is a key entity to
protect, sir, as are other parts of government and key parts of
the private sector that provide essential services, such as the
power grid and our financial services system.
Senator McCain. Well, Mr. Chairman, I notice that there are
different bills going through different committees--the Senate
Armed Services Committee, the House Armed Services Committee,
the Commerce Committee, and the Foreign Relations Committee. At
some point I would suggest we are going to have to consolidate
or discuss or come to some kind of agreement rather than have a
number of competing pieces of legislation here.
I have to say, after the Department of Homeland Security's
handling of the Christmas bomber and other activities, I am not
confident that DHS, at this particular time, is the proper
bureaucracy to work in partnership with the Department of
Defense.
I thank you, Mr. Chairman.
Chairman Lieberman. Thanks, Senator McCain. We will
continue to try to convince you that DHS can do it, and Senator
Collins and I agree that--we hate to attribute blame, but the
State Department made the more consequential errors,
unfortunately, leading up to the Christmas Day bombing. So we
will continue to work on that.
Senator McCain. Thank you, and I thank the witness.
Chairman Lieberman. Incidentally, you are absolutely right.
There are bills on this subject that are moving through various
committees. There is none quite--well, I should not say that.
Senator Snowe and Senator Rockefeller have introduced a bill in
the Commerce Committee that is comprehensive. We think ours is
more comprehensive, but the other bills in the Armed Services
and Judiciary Committees go to points of this. I know the
Majority Leader intends for there to be a blending of these
bills into one bill that comes to the floor.
Senator Burris.
OPENING STATEMENT OF SENATOR BURRIS
Senator Burris. Thank you, Mr. Chairman.
Mr. Reitinger, I understand that you cannot comment on the
legislation, and some of the questions that Senator McCain just
raised or some of the points that are going through my mind in
terms of the current status. What is the current status of our
protection of cyber piracy within our financial system, our
military system,and our power grid? What is your current
assessment of the cyber activity today?
Mr. Reitinger. Sir, I would say, although this may be an
unsatisfying answer, it varies greatly. Through all the
infrastructures you mentioned and government agencies you
mentioned, the level of defenses vary considerably. There are
parts of the government, such as the Department of Defense and
other agencies, that are very well protected. There are other
agencies that have more areas of growth.
There are sectors and components of sectors in places like
the financial sector or the energy sector that do very well and
others that have a lot of work to do. That is, I think, one of
the concerns because sometimes cyber security is only as strong
as its weakest link and the interdependencies are very great.
Senator Burris. Do we currently have authority to protect
our financial system? Can Homeland Security deal with the
hundreds of billions of dollars that is being stolen from the
financial arena today which they do not even report?
Mr. Reitinger. Sir, there are certainly authorities in that
space. There are a number of law enforcement authorities that
would allow investigation and prosecution of those who commit--
--
Senator Burris. Does Homeland Security have any input in
that today?
Mr. Reitinger. Yes, through the Secret Service, sir.
Senator Burris. So the Secret Service has the cyber
authority.
Mr. Reitinger. The Secret Service has the investigative
authority along with the FBI for those types of crimes, yes,
sir.
Senator Burris. So you do not have that authority?
Mr. Reitinger. Not within the parts of Homeland Security
that report up to me, no, sir.
Senator Burris. OK.
Mr. Reitinger. Our authority, sir, with regard to the
private sector is that of coordination. We can raise awareness.
We have capabilities that could help them.
Senator Burris. I do not give too much credence to all our
TV programs, but ``60 Minutes'' just the other day ran a
segment on cyber terrorism. Are you familiar with that
information that came out to the public recently?
Mr. Reitinger. I am familiar with some of the things the
program said, sir.
Senator Burris. Sir, are you familiar with the ``60
Minutes'' program? It is a simple yes or no answer.
Mr. Reitinger. Yes, sir, I am familiar with ``60 Minutes''
generally.
Senator Burris. No, the program.
Mr. Reitinger. No, sir, I am not.
Senator Burris. Thank you. It took us 2 seconds to say no.
Do not be so defensive.
What we have here, Mr. Reitinger, is a concern of public
confidence in our system, and what I would assume is that there
are entities out there that are seeking to enrich themselves,
but also to break the confidence of the public. So there is a
public factor to this if Americans feel that we are not secure.
I want to ask you whether or not you think we can protect our
systems?
Mr. Reitinger. Completely, sir? No. Substantially, we can
take action and respond to attacks when they occur, and we are
continuing to enhance our ability to do that. But completely
protect and prevent----
Senator Burris. What is your timetable on that? Because as
I understand the ``60 Minutes'' report, we are losing data
every day. They are right now from this report sitting in the
Pentagon on our military computers, little types of information
that can now direct those systems that we might not even be
able to control. Are we dealing with anything like that? Are
you familiar?
Mr. Reitinger. Sir, we are moving forward very rapidly. As
I mentioned, we are rolling out the EINSTEIN 2 intrusion
detection system. That is deployed to 12 of 19 departments and
agencies where it will be deployed, and it will be deployed to
all 19, we forecast, by the end of the fiscal year, so by the
end of September.
In terms of when compromises take place, pursuant to the
President's Cyberspace Policy Review, we are developing a
national cyber instant response plan process. That is nearing
substantial completion. It will be vetted, and it is going to
be tested in September of this year. There are other efforts on
a longer timeline and other efforts on a short timeline. So we
have significant efforts going across the ecosystem.
For example, you talk about the financial services sector,
sir. We are right now piloting an activity in partnership with
the Department of Defense and the financial services sector
through their Information Sharing and Analysis Center, a body
they voluntarily formed, where we share threat information with
them now on an unclassified level, going forward on a
classified level, where they also share information through the
financial services Information Sharing and Analysis Center back
with us and each other. So that is building a much better
understanding of the threat and what entities need to do to
respond to it in that sector.
So there are a number of different efforts we are moving,
sir.
Senator Burris. I just wonder what we are doing to other
countries with our system. I just hope that we also have cyber
piracy going on to counteract the cyber piracy that is coming
against us. And in your layman's opinion--not your professional
opinion--would you say that we have some going on?
Mr. Reitinger. Sir, I cannot comment on that. I apologize.
Senator Burris. Thank you, Mr. Chairman. I have to end my
questioning.
Chairman Lieberman. Thanks, Senator Burris.
If I may offer an opinion, not being a member of the
Administration, my own impression, let us put it that way, is
that the U.S. Government has a very well developed cyber
offensive capacity if it becomes necessary to use that to
protect our security, and that should be comforting to the
American people. But I do want to come back and underline
something Secretary Reitinger said, which is the capacity of
those who would attack us is much greater right now than our
capacity to defend against those attacks. And we are closing
that gap. But this legislation and the resources that the
Administration is putting behind this are aimed at eliminating
the gap. So it is with that intention that we go forward.
I want to indicate--you may have heard this already--that
Senator Collins and I are going to take this bill to a
Committee markup next week, so we really want to move this out.
And in that regard, I urge you to do everything you can--
although I know a lot of this ultimately will be in OMB--to
have an Administration position developed on this legislation
and the other legislation.
Senator Harry Reid has been very clear, at least to me,
that he really wants to pass a cyber security act this year, so
I hope you will be authorized soon to get more explicitly into
the debate.
Mr. Reitinger. Thank you, sir.
Chairman Lieberman. Thank you. Thanks for your testimony.
We will call the second panel, beginning with Fran
Townsend. It must give you real pleasure to be out of Federal
service as you hear me talk about the need for approval from
OMB.
Ms. Townsend. Exactly.
Chairman Lieberman. On the second panel, we are very
pleased to begin with Fran Townsend while you are getting
seated. She is now the Chairwoman of the Board of the
Intelligence and National Security Alliance, a former Homeland
Security Advisor to President George W. Bush, and a star of
screen, if not yet stage. Welcome.
TESTIMONY OF FRANCES FRAGOS TOWNSEND,\1\ CHAIRWOMAN OF THE
BOARD, INTELLIGENCE AND NATIONAL SECURITY ALLIANCE
Ms. Townsend. Well, thank you, Mr. Chairman, for that
introduction. It is really a privilege to be back with you and
Ranking Member Senator Collins. Thank you very much for your
invitation to testify at this hearing and to offer my thoughts
on the Protecting Cyberspace as a National Asset Act of 2010.
---------------------------------------------------------------------------
\1\ The prepared statement of Ms. Townsend appears in the Appendix
on page 80.
---------------------------------------------------------------------------
I am here today in my role, as you noted, as Chairwoman of
the Board of the Intelligence and National Security Alliance
(INSA). It is a premier not-for-profit private sector
professional organization providing a structure and interactive
forum for thought leadership, the sharing of ideas, and
networking within the intelligence and national security
communities. INSA has over 100 corporate members as well as
several hundred individual members who are leaders within the
government, private sector, and academia. And as I think you
are aware, INSA prepared and submitted my statement for the
record while I was out of the country. I arrived home
yesterday. So I will also add a few of my personal observations
before I close.
Through its Cyber Security Council, INSA has emphasized the
importance of creating a strong public-private partnerships
that can provide meaningful recommendations to address the
national and economic security threat today. I would like to
specifically speak to the importance of establishing a public-
private partnership to promote national cyber security
priorities, strengthen and clarify authorities regarding the
protection of Federal civilian systems, and improve national
cyber security defenses.
Collective national cyber security can only be effectively
addressed through a partnership approach between the government
and private industry. While the government has the legal
authority required to organize markets, enforce laws, and
protect citizens' privacy and property, the vast majority of
cyberspace infrastructure, as you all noted, is privately owned
and operated. And as a result, industry is where most of the
expertise in the fields of IT and cyber security reside.
Because of this, a partnership is really the only way forward.
INSA's Cyber Security Council studied several different
models of public-private partnerships during the preparation
and research for its November 2009 report entitled ``Addressing
Cyber Security Through Public-Private Partnership.''
Historically, effective public-private partnerships have
inclusive private sector membership, unified in the pursuit of
common goals, a single responsible and accountable government
partner organization, and clearly delineated roles for both
public and private entities. We are very pleased to see these
concerns and this organizational structure reflected in the
legislation we are here discussing today. This bill not only
establishes a clearly responsible center for the problem, but
requires a private sector advisory council to advise the center
on their actions' effects on industry.
Assuring that private sector concerns are heard within
government is an important first step to the creation of a
public-private partnership, but this alone is not sufficient to
guarantee success. INSA's Cyber Security Council has identified
three additional components, specific to a public-private
partnership on cyber security, which would be required for a
successful effort: First, a flexible or incentivized approach
to regulation; second, robust information sharing and
cooperation; and, last, communication on standards and best
practices.
In the interest of time, I will not go through each of
those and would ask that you refer to my statement for the
record which we earlier submitted.
In terms of my personal observations, all of which are
addressed by the legislation, but I think based on my own
experience, knowing that this will go to a negotiated process
in the Senate, I think it is worth underscoring their
importance.
I support the creation of a National Center for
Cybersecurity within DHS because of their abilities uniquely to
address privacy and civil liberties concerns that affect all
Americans. Because of their necessary reliance on the Internet
for our personal lives, I think that their ability to address
those concerns will be critically important in ensuring public
support for such a center. But I want to be clear that in my
judgment to be effective, wherever such a center is, in fact,
housed, it must have several key ingredients to be successful.
And, again, these are all contemplated by your bill.
First, interagency and cross-government capability, both
vertical down to the State and local level and up to the
Federal Government, and across the Federal Government as well
as including the private sector. As Senator Collins noted,
NCTC, which is effectively in the Office of the Director of
National Intelligence, is the best analogy, and the NCTC does
report to the White House. And that is a model that ought to be
preserved as stated in the bill.
Second, budget and enforcement authority is really
necessary. Money to implement any steps or affect Federal
agency spending is a necessity, and authority to punish or call
out across Federal agencies those departments that fail to meet
basic standards is also a necessity.
Personnel authority, adequate ability to hire and fire, is
necessary to ensure a competent and experienced staff of
professionals. While the current bill, as I noted, does
contemplate these important steps, I worry about language such
as develop a plan, coordinate, recommend, assess, and consult.
I had the privilege of working with the Chairman and
Ranking Member on the Intelligence Reform and Prevention of
Terror Act, and while we were well intentioned and I believe
that was a good and necessary bill, it is the bill which
established the Director of National Intelligence. And while
this was an important and necessary step, it has been referred
to recently as ``organized to fail.'' I think what those
critics would say is that the position lacks some of the
necessary authorities that this bill contemplates and would
most respectfully suggest that as this bill moves forward, it
will be important for the people of the United States for our
own national security to ensure that those sorts of authorities
remain tied to the Director of the National Cyber Center.
I believe that the private sector advisory council is very
important and urge that, too, be implemented. I will say,
however, since leaving government, I often hear from frustrated
chief executive officers (CEOs) that the U.S. Government and
DHS, in particular, have at times been both unresponsive and
not engaged with them. We should look at existing mechanisms
before creating new advisory councils. The President has the
National Security Telecommunications Advisory Council (NSTAC),
and the National Infrastructure Advisory Council (NIAC), which
reports to the President through DHS. These exist now and must
be used, but they need interaction and dialogue with the
President of the United States, not just with the White House
and agency staff.
Third, as addressed in Section 251 of your bill,
information sharing with the private sector must be a two-way
street, and sensitive commercial data must be explicitly
protected.
Last, while the bill creates both the White House position
and the DHS center, both positions are Senate-confirmed. And
while I understand why that is so and I strongly support
congressional oversight, I believe that the position in the
White House must be left to the President's prerogative to
decide how to adequately staff it and, thus, do not necessarily
believe that the White House position should be Senate-
confirmed.
I applaud the Committee's focus on this important issue and
hope that this legislation as it proceeds will only be further
strengthened and not diminished by compromise. The goal is to
make a positive and meaningful contribution to the national
security of the United States, and this bill goes a long way
towards achieving that goal.
I thank you and look forward to answering your questions.
Chairman Lieberman. Thanks very much for that very helpful
testimony.
I do want to say at this point that we had intended to have
Robert Jamison as a witness. He is President now of the Eline
Group and former Under Secretary at the Department of Homeland
Security during the Bush Administration, where he was the
senior official on all cyber and communications operations.
Unfortunately, he was not able to attend because of a family
emergency, but his testimony, I think, is quite strong, and we
have left copies of it on the tables for those who are
interested.\1\
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Jamison appears in the Appendix
on page 116.
---------------------------------------------------------------------------
Next, we are pleased to have Alan Paller, Director of
Research at the SANS Institute and former member of the
National Infrastructure Assurance Council, widely recognized as
an expert in cyber matters. We are glad to welcome you back to
the Committee and look forward to your testimony now.
TESTIMONY OF ALAN PALLER,\2\ DIRECTOR OF RESEARCH, THE SANS
INSTITUTE
Mr. Paller. Thank you, Mr. Chairman, Senator Collins, and
Senator Carper. You made last Thursday a very good day for the
people who had despaired the government would ever lead by
example. So it was just a wonderful day that you made for us,
and the bill that you put together actually solves sort of the
main problems that had kept the government from doing the right
thing. I will summarize a few of them.
---------------------------------------------------------------------------
\2\ The prepared statement of Mr. Paller appears in the Appendix on
page 84.
---------------------------------------------------------------------------
Before I do that, part of the bill is this little thing
called the cyber challenge, and Senator Carper has been just
wonderful at helping it. But I wanted to come back to you, Mr.
Chairman, because last August you met with a young man from
Connecticut named Michael Coppola who, at 16 years old, beat
all these adults in a major competition. He was moved by that.
While he was in school, he was asked what were the courses that
the high schools are not teaching that would have allowed the
other students to do well. So we outlined the courses, and I
said, ``That is good. Can you give us a syllabus?'' He said yes
and he built a syllabus. And I said, ``That is good. Can you
give us the exams that you would give to see if the people had
learned it?'' And he did that with some friends.
About that time, the State of California was getting ready
for the California cyber camp. I heard your song on Thursday
about the cyber camp. But they wanted to go to the high
schools, and we went to the high schools, and none of the high
school kids had ever seen cyber security. They did not know
what to do with it. So they could not take the exam that the
college kids were taking that was a real cyber security exam.
So we took Mr. Coppala's exams, built a competition; 150 high
school kids took it. They took hours and hours and hours out
during the weeks they had AP exams, I mean, they were so
excited about it. Governor Arnold Schwarzenegger personally
came to give them--or he actually wrote the letters that
recognized the winners of it. It was a very nice thing. So your
16-year-old from the high school that does not even have a
programming course did awfully well.
Chairman Lieberman. That is great to hear. Thank you. I am
proud of him. And he won a contest, as I recall.
Mr. Paller. Yes, he beat a bunch of adults and other people
in a King of the Hill cyber competition, a tough one.
Chairman Lieberman. I am glad he is on our side.
Mr. Paller. Exactly right.
The most important parts of your bill are the ones that
reduce our vulnerabilities because we have so much of our
existence dependent on the Internet, we are much more
vulnerable to an attack. Even if an attacker has lesser
capabilities than we do, they could do much more damage to us
because we are so dependent on it. We can take out other
people's capabilities, but they are not hurt as much. So our
ability to defend ourselves completely is actually the only
first--and you do first things first. It is the only thing we
have to do first. And what you did in the bill is you enabled
that, and I want to tell you why--because I think there will be
pushback, I would sort of like to give you why I think it
worked.
The White House office was controversial the last time, and
I was so happy you went ahead and put it in the White House.
And the reason has nothing to do with whether DHS can or if the
White House is better. It has to do with this cross-agency
action that nothing any one agency does ever moves another
agency. It is not until somebody in the White House beats them
about the head and face that they actually move. And so putting
it back in the White House under a tough boss can actually make
a difference. And you gave it the right authorities to do that.
The reason is that we have this odd attitude about security
where we get mad at people for not defending themselves well.
So we talk about the government is not doing a good job of
defending themselves. It is the wrong order.
Remember, we train tens of thousands of people a year to
defend things, so we know what they can and cannot do. You
cannot defend yourself using the off-the-shelf tools that the
vendors sell you. You cannot defend yourself using the networks
that the internet service providers (ISPs) provide to you. You
cannot. You can barely survive at that level.
The only way to actually do the defense is a partnership
between the users--think of them as automobile drivers--and the
car manufacturers, the people who sell the IT services and
software and the people who sell the IT online services, the
ISPs. It is a partnership. They have to get better and the
users have to get better. But it is cheaper for the vendors to
say you users are bad drivers. We do not want to fix our cars
because you guys do not drive well. It is the partnership. When
the cars got safer and the people drove better, we actually had
a lot fewer accidents on the road. That is what we have to do.
But you cannot do that without procurement because none of
those vendors will listen to any user except a very large user.
So you need cross-agency buying, and the only way you are going
to get cross-agency buying is with that White House office.
So I am trying to put the pieces together. You cannot have
procurement without that White House office because no one else
has the power to pull the money together to make it spend
together.
The third one is the regulatory framework you put in. If we
do not get that right, we have no defense on the civilian
side--no recovery on the civilian side. I read this article
about unintended consequences. The industry is saying there may
be unintended consequences, and I had this immediate image of
all the taxi drivers setting up a block so that the military
could not get in to stop traffic because the taxi drivers
needed to keep on making their money with tolls. And there is a
nuclear bomb that the army was trying to stop, and the taxi
drivers said, ``Look, there are unintended consequences of you
coming. Could we have a meeting? Can we talk about it?'' I had
this exact image of them. It might not be fair to share. But
somebody is making money, and they really do not want to stop
for anything. I guess that is all right.
But I do want to go back to this procurement thing. There
are actually two sides. We have this idea that we need to
protect our systems. We keep talking about that. We will be
able to do that well if we do all the things that you are
talking about, and I am going to show you a cool thing that one
of the agencies has done--that Senator Carper found, actually--
that will actually make a huge difference in that. But once we
get the hygiene right--that is Bob Dix's old word. Once we get
hygiene right, people will still make it through. There are
organizations with enough money that they will, in fact, get
through all the defenses when we have as perfect defenses as we
can. So there is another half--and it is literally a half--
which are the people who the air force has given a wonderful
name to--they are called the hunters, and they are the people
who can unravel the data about an attack, figure out what it is
and what they are doing and how they are doing it and stop
them. So you helped set that up. The reason that DHS is having
such trouble relative to DOD is they have none of those
hunters. And all these people they are hiring are not hunters
because you need seeds for the crystal, and they do not have
any seeds there. The seeds are all at NSA, and when they are
hiring 300 more people, when you go look at their skills, they
are just not the hunters. They are not the people we have to
have.
In closing, I want to tell you about a wonderful positive
story. There is a concept of reducing risk. This is a chart
that shows every embassy around the world and every State
Department office around the world over 12 months, a reliable
measurement of cyber security risk, reliable as in the NSA has
been there to say, yes, they are doing pretty good. And it is a
90-percent reduction in cyber risk in all of the embassies and
89 percent across all the State Department offices. This ended
in August just this year. They are almost half again as good.
This is the model that you will not find in any other agency
around government. And it is a model that actually gives us
response. When the Google hack happened at all agencies--it was
an Internet Explorer vulnerability. We all had Internet
Explorer. So every machine had this. Every agency sent out
emails saying fix it, fix it, fix it. State did not say fix it.
State actually changed the risk score on the vulnerability. It
is called the Aurora Vulnerability. They changed it. So when
you talk to DOD, they will tell you, ``We got 70 percent
compliance in about 4 months.'' If you talk to other agencies,
60 percent, 50 percent. State Department got 90 percent in 6
days. So 4 months, 70, 60 percent versus 90 percent in 6 days.
This is what continuous monitoring is all about.
Maybe one last thing, or am I way over my time?
Chairman Lieberman. You are way over, but one last quick
thing.
Mr. Paller. So the reason agencies could not do it is this:
The last FISMA gave the power to set standards to the National
Institute of Standards and Technology (NIST), and they had no
adult supervision. So it wrote a standard that said that one of
its guidance documents was mandatory, and that guidance
document required all of these, 8,511 pages, that you have to
do every day, and I am sure that all cyber security will. But,
anyway, that is it.
Chairman Lieberman. That was great. Thank you. You are the
most mobile witness we have had before the Committee in a long
time. [Laughter.]
Thanks for your excellent testimony, and I appreciate your
words of support for what we have proposed here.
Next we have Steven Naumann, who is Vice President for
Wholesale Market Development for Exelon Corporation and
Chairman of the Member Representatives Committee of the North
American Electric Reliability Corporation (NERC). Mr. Naumann
is going to be testifying today on behalf of the Edison
Electric Institute (EEI), which represents about 70 percent of
our electric sector, and the Electric Power Supply Association
(EPSA). Thanks very much for being here.
TESTIMONY OF STEVEN T. NAUMANN,\1\ VICE PRESIDENT, WHOLESALE
MARKET DEVELOPMENT, EXELON CORPORATION, ON BEHALF OF THE EDISON
ELECTRIC INSTITUTE AND THE ELECTRIC POWER SUPPLY ASSOCIATION
Mr. Naumann. Thank you, Chairman Lieberman, Ranking Member
Collins, and Senator Carper.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Naumann appears in the Appendix
on page 101.
---------------------------------------------------------------------------
Just quickly, Exelon serves more than 5.4 million customers
in the Chicago and Philadelphia areas. We operate approximately
30,000 megawatts of generation, including 17 nuclear units,
just to give you an idea of our scope. And as you said, I am
representing EEI and EPSA today. We are members of both trade
organizations.
At the outset, I would like to thank you, Chairman
Lieberman, Ranking Member Collins, and Senator Carper, for your
thoughtful approach to the bill and for your leadership on this
issue. The owners, operators, and users of the electric power
grid take cyber security very seriously. In fact, a broad
coalition representing the full range of generation,
transmission, and distribution interests in the United States
as well as regulators, Canadian interests, and large industrial
customers all agree on the need for government involvement in
protecting critical infrastructure from cyber attack. While I
am not testifying officially on behalf of the coalition, this
cooperative relationship to address threats to the power grid
is vital to improving cyber security.
There are three principles in the bill that I would like to
emphasize: First, leveraging public and private sector
expertise, including information sharing between the two areas;
second, concentrating on truly critical infrastructure; and,
third, addressing cyber security in a comprehensive, multi-
sector way.
First, both the government and the electric power sector
have distinct areas of responsibility and expertise. With its
intelligence-gathering and law enforcement capabilities, the
government is able to detect threats, evaluate the likelihood
of malicious attacks, and identify patterns of potential
infiltration. Power companies, on the other hand, are
experienced at operating their systems and engineering
resiliency and recovery, depending on a threat.
To best ensure the cyber security of the Nation's electric
grid, we need to clearly define these roles and
responsibilities while facilitating cooperation and information
sharing between government agencies and the power sector. The
government-wide coordinator your bill envisions is critical to
ensuring that information does not fall through the cracks and
that the right people have complete information to make sound
operational decisions in times of crisis. This careful
consultation with industry helps ensure that government actions
in protecting the grid from a cyber attack do not have
unintended or harmful consequences, and I will be glad to
explain that I do not mean taxi drivers blocking the streets,
but when you are operating a system, if you do not do the right
thing, you might get things happening that you really do not
want to.
Second is the bill's narrow scope. It focuses appropriately
on the need to protect truly critical assets and deal with
cyber security emergencies. There is a security axiom that
states, ``If you try to protect everything, you protect
nothing.'' Therefore, the risk-based prioritization reflected
in the proposed bill ensures that both government and private
sector resources are allocated wisely.
The industry believes your bill focuses on the more
relevant question and urgent security gap. What additional
authority is needed in order to promote clarity and focus in
response to national cyber security emergencies?
Third is the comprehensive approach to dealing with cyber
security. While the electric power industry's focus is on
operating and protecting the electric grid, the interconnected
nature of our critical infrastructure requires a multi-sector
approach. We in the power industry rely on telecommunications
systems to operate the grid, pipelines and railroads to bring
fuel to our generation, and wholesale markets to sell our
product. Should any of these critical sectors be compromised,
the reliability of the electric power system would be impacted.
Likewise, each of these sectors depends on a reliable supply of
electricity to operate. Your bill recognizes this truth, as did
the President's ``60-Day Cyber Review'' completed last year. I
would urge the Congress to follow your leadership and approach
this issue holistically.
Again, the industry's perspective on sound cyber policy
includes promoting clearly defined roles and responsibilities,
as well as ongoing consultation and sharing of information
between government and the private sector. Using a risk-based
model that secures truly critical assets against cyber security
emergencies is the best use of the limited security resources
and approaching the issue in a comprehensive, multi-sector way.
Again, I appreciate the opportunity to appear today and
would be happy to answer any questions. Thank you.
Chairman Lieberman. Thank you very much, Mr. Naumann.
Finally, we go to Sara Santarelli, Verizon's Chief Network
Security Officer. I hope that you will be able to offer us a
perspective on the type of intrusions and probes that Verizon
is seeing on a regular basis, but thanks for being here.
TESTIMONY OF SARA C. SANTARELLI,\1\ CHIEF NETWORK SECURITY
OFFICER, VERIZON COMMUNICATIONS
Ms. Santarelli. Thank you for having me today. Mr.
Chairman, Ranking Member Collins, and Members of the Committee,
thank you for the opportunity to discuss this important topic
of cyber security today.
---------------------------------------------------------------------------
\1\ The prepared statement of Ms. Santarelli appears in the
Appendix on page 109.
---------------------------------------------------------------------------
Your legislation represents a positive step forward. We
feel that the majority of the legislation supports the common
goal of creating a much safer online environment, even if we
may not agree with every specific provision.
Cyber security initiatives take place at many different
layers at Verizon. We work closely with our suppliers to help
ensure that their products meet our security requirements. We
use technologies to identify and mitigate threats on our
network. We have developed an internal dashboard to help manage
security of our own corporate systems, and we offer a wide
range of services to our customers to help them better protect
their networks and their data.
Security events are a constant reminder that our networks
and our customers' networks are under steady assault. These
threats are constantly changing and evolving as criminals
develop new techniques to get around the latest defenses, and
once launched, these attacks can escalate with an astonishing
speed. Speed and flexibility are critical to the success of our
response.
The Slammer worm, launched in January 2003, was the fastest
spreading computer worm in history. It doubled in size roughly
every 8.5 seconds. Within 3 minutes, the worm had achieved its
full potential with more than 55 million computers being
scanned per second. Success in stopping the Slammer worm was
predicated on the ability to take fast and decisive action
without extraneous briefing, consultations, or declarations.
Similarly, the experience in 2009 and 2008 as well with the
Conficker worm illustrates how important it is to maintain a
flexible approach in responding to cyber threats.
In response to this threat, an international working group
was actually formed consisting of 30 named members and many
more partners and contributors from around the world, including
Verizon. Information sharing by that working group proved very
effective.
Each incident we respond to teaches us different lessons,
but the one common denominator is this: While government has a
role to play in enhancing cyber security, it must not act in
ways that diminish our flexibility, speed, and independence
that network providers find essential in waging the war on
cyber crime. Any government-directed information-sharing
mechanism must not place restrictions or requirements on the
free flow of information about the Internet and must not deter
participation by knowledgeable entities.
Network providers like Verizon are on the front lines of
this war, but the fight cannot be left solely to the private
sector. There is a role for government to play. We applaud the
Committee's efforts to help bring clarity and definition to
that role.
The government can do things that the private sector simply
cannot. My written statement identifies eight ways in which the
government can be uniquely helpful. Let me summarize three.
First, the government should lead by example, working to
enhance the security of public networks, centralizing,
clarifying agency roles and responsibilities; eliminating
regulatory duplication; and purchasing technology solutions
that raise the level of security technology in the marketplace
generally. Proposals in this bill would help streamline public-
private interaction and ensure consistency in the security of
the government's infrastructure. The bill also takes several
positive steps towards eliminating duplication, enhancing the
security of government networks, and using the government's
budget power for targeted investment in cyber security
technologies.
Second, the government should promote enhanced security for
private sector infrastructure but not at the expense of speed
and flexibility of response. For those who are slow in adopting
best practices in the areas of cyber security, it is
appropriate for government to provide strong incentives for
them to do so. However, given the wide range of networks and
technologies, as well as the rapid pace with which cyber
threats are evolving, we simply cannot lock ourselves into a
single regulated approach. The most effective approach, which
this bill does take, is a public-private partnership where
government provides assistance and expertise to the private
sector. Confidentiality and liability protection will encourage
the private sector to implement desired activities.
Finally, the government should eliminate legal barriers to
the collection, use, and sharing of information by network
operators, their customers, and the government. Striking an
appropriate balance between privacy and the need for
information sharing will directly support our shared goal of
enhanced cyber security.
We look forward to continuing to work with you and the
Committee on cyber security legislation, and I look forward to
answering your questions today.
Chairman Lieberman. Very good. Thank you. We will do 7-
minute rounds of questions.
Ms. Townsend, since you have been liberated from official
Federal service, maybe you can respond more directly to some of
the questions that were asked of Mr. Reitinger, which are,
really, who would you say are the main sources of attack
against American cyber systems?
Ms. Townsend. Sure. I mean, I think if you look at the open
source material that is available, it is commonly understood
that our most capable adversaries, potential adversaries are
both the Russian government and the Chinese government.
Chairman Lieberman. Right.
Ms. Townsend. We have capable allies, of course, in Western
Europe in the British and the French, but, of course, once you
know you have capability, how they use it is really dependent
on their own agenda.
Chairman Lieberman. Do we think that the non-state actors,
both terrorist groups and organized crime syndicates, are
developing the capacity to cyber attack us or others?
Ms. Townsend. It is an interesting question, Senator,
because I think our understanding as you watch terrorist
organizations, in particular, is that their operational
capability is often dependent on their ability to use the
Internet. Whether that is to pass information, propaganda,
recruit, or fundraise, they need the Internet just as we need
the Internet. And so that sort of mutual need has been
something of a protective measure in terms of their willingness
to cyber attack. That is not a guarantee. And so, of course, I
think the government watches quite closely how the capability
of our terrorist adversaries increases and looks for the
potential that they may turn and decide it is worth using it as
an attack method.
Chairman Lieberman. Thanks for those answers. They are very
helpful.
I appreciate very much that both Mr. Naumann and Ms.
Santarelli are here because you represent major private sector
entities that are affected. And I know that both the
corporations that you work for and the sectors of the private
economy that you are associated with are aware and sensitive to
the threat in cyberspace, and that it represents a threat not
just to your businesses but to our national security if a
vulnerability is tapped.
So I wanted to ask you--and then Mr. Paller and Ms.
Townsend if they want to get in this question: Obviously, this
legislation is premised on a conclusion that there is a need
for governmental involvement. We try very hard to have a
balanced, collaborative public-private sector approach in the
bill. But there are some who might argue that there is actually
little or no need for government involvement here because
industry has the same incentive that the government has to
secure its networks. And I wanted to ask you if you agree with
that, and if you disagree, why. In other words, is there a
necessary role for government here?
Mr. Naumann. Chairman Lieberman, the electric power
industry believes there is. As I said in my remarks, we all
take protection of our networks very seriously, and for the
reasons you state. But our capabilities do not go to
intelligence gathering. They do not go to evaluation of some of
these threats. We need to be able, first of all, to be notified
of these threats. We need to be able, working with the
intelligence agencies or those who have that information, to
understand how those threats can affect our equipment and our
service to our customers, and then to devise mitigation
measures together with the government.
We simply do not have that ability, nor, obviously, is that
our expertise. Our expertise is running power systems. And so
as I said, there is this gap. Could it be filled in some
informal way? Yes, but the problem is when you get into a real
emergency, there need to be lines of communication and
procedures that are set up, practiced and drilled so that we
know that information will get down to the people who need to
actually put it into effect.
Chairman Lieberman. Ms. Santarelli.
Ms. Santarelli. Senator, when I look and I think about how
can the government help the private sector, I think it is
important to understand that the ecosystem of the Internet is
actually made up of multiple layers. We have the suppliers of
equipment and information systems. On top of that, that
equipment and the systems are pulled together to make the
infrastructure. On top of that, we have applications and
systems that ride and the content that rides on the network.
And then beyond that, connecting it all together, we have our
end user population. I like to call it Grandma and Grandpa
checking out the Internet at night or our kids that are on
Facebook or whatever.
So when we look at this as from a pure network provider
perspective, we are just one part of the ecosystem, and I do
not think any one part has the power or the ability to drive a
solution in terms of security threat. All of those layers need
to work together, and I think that government can help us with
that.
You note in the bill in particular the dispensation for
security controls on your vendors. As one of the largest
purchasers, we would like to see the government definitely
drive that into our equipment providers so that as we take that
equipment and build networks and applications with equipment
that does have the security requirements.
Chairman Lieberman. Very good. Would either of you like to
add anything? Ms. Townsend.
Ms. Townsend. Senator, just very quickly, of course, the
government is the only entity capable of prosecution of crime,
and so you are going to see acts that are crimes. But I would
also note that in the intelligence and national security arena,
we have seen instances in Estonia where one might rightly
classify a cyber attack as an act of war. And so the government
must play a role in working with the private sector. I
absolutely believe the government cannot run it uniquely, and I
have talked to the issue of the need for a public-private
partnership. But we would be remiss if we did not believe that
the government has a very substantial role.
Chairman Lieberman. This is a most unusual area because we
went for long periods of our history--after the initial
chapters of our history--without being attacked here in our
homeland, with the blessing of the protection that the oceans
gave us. Then came Pearl Harbor, then another long period when
we feared attack but there really were not any any during the
Cold War. Now, unfortunately, we have been regularly the target
of attack by the Islamist terrorist movement. But now in a way
that is really totally unprecedented, through cyberspace, we
can be attacked from far away here in our homeland. And it
seems to me that perhaps the most attractive, if I can use a
bad adjective, targets for an enemy will be private sector
targets because of the extent to which our society depends on
them, whether the electric grid or a dam that is holding back
an enormous amount of water that is controlled over the
Internet.
I appreciate the answers that all of you gave, and to me it
really cries out for the kind of public-private collaboration
that we are talking about.
My time is up in this round. Senator Collins.
Senator Collins. Thank you, Mr. Chairman.
Ms. Townsend, I had a discussion with the previous witness
about the existing emergency authorities of the President that
were passed in the wake of the attack on Pearl Harbor in World
War II. Let me get your opinion on this issue. Do you believe
the existing emergency authorities, the authorities in current
law, are sufficient for the President to deal with cyber
attacks?
Ms. Townsend. Senator Collins, thank you for the
opportunity to address that question. I can say unequivocally
my belief is that the existing authorities are not adequate,
and they are ambiguous, as you noted.
I would say in the Cyber Shockwave exercise that I had the
privilege to participate in, Jamie Gorelick, the former Deputy
Attorney General in the Clinton Administration, acted in the
role as the Attorney General, and she said that existing
authorities are not only inadequate, but that in the absence of
adequate authorities, she made the point that a president in a
crisis will act and look to right it later with the Congress
and the American people.
I do not think that is the way we want to behave. I think
you quite rightly point out that we ought to tackle the tough
problems up front and make sure that the President and the
Executive Branch have the authorities they need to act and that
we are comfortable balancing security versus privacy and civil
liberties.
Senator Collins. Thank you. That is excellent testimony,
and your point is very well taken. A President is going to act,
and that is, frankly, also where you see abuses, where there
are problems when there is not clear authority. So since it is
so evident that cyber attacks are happening every day and are
only going to get worse, it just cries out for us to establish
the rules now in a thoughtful way.
Mr. Paller, I want to bring up a different issue with you
which was prompted by your demonstrating your extraordinary
knowledge of what is going on in the Federal Government. If
government agencies, as required by our bill, coordinate to
establish a government-wide security standard or set of
standards for the purchase of IT products, do you believe there
would be a favorable impact on price? In other words, if that
happens, is there a potential of saving taxpayers some money in
these purchases?
Mr. Paller. Thank you for asking that question. It actually
not only will save money for the government, it will actually
make a lot of money for the vendors. The same vendors that say,
no, you are a bad human being to ask for that are going to make
a lot of money. Here is the example.
Do you remember when the Department of Veterans Affairs
(VA) lost 17 million pieces of information?
Senator Collins. Yes.
Mr. Paller. Everyone wanted to encrypt their laptops. There
were millions of laptops in the government. The commercial
price for a laptop encryption was $243. The General Services
Administration (GSA) price was $97. It was not enough. I mean,
they did not have enough money to buy that.
They got together, the White House, DOD, the States
actually got together, pooled their buying. They did not pick
one, they picked several. So it was not we are going to define
you are the winner, everybody else is the loser. But they
picked several, and they negotiated prices in which that price
went from $97 to $11 in the first buy. But the amount of money
that the software--I built a software company. We in the
software business want the revenue. It is not the price per
package. Buying millions of copies at $11 still makes us a
whole lot more money than your buying five at $100,000 apiece.
So what you do when you do the buying together is you lower
the price across government, but you also radically expand
their market, and they make more money. And the ones who win
that actually go on to take over markets all across the world
because they were the ones that were selected for the
government buy. It is a win-win kind of operation.
Senator Collins. Thank you.
Mr. Naumann, your company operates in more than one sector
of the economy, and thus, you are regulated by various Federal
agencies. For example, you operate nuclear plants, correct? So
you are under the Nuclear Regulatory Commission. You also
operate an electric transmission business that is regulated by
the Federal Energy Regulatory Commission (FERC). So because you
have experience in dealing with different regulatory agencies,
I want to get your view on the need to have a Federal agency
involved in addressing cyber security in a coordinated way
across all the critical infrastructures.
In other words, if we do not act to make clear who is doing
what in cyber security, are you likely to be subject to
different standards by different agencies?
Mr. Naumann. Thank you, Senator Collins. That is correct.
At present, I will tell you the agencies, for example, the NRC
and the FERC through the North American Electric Reliability
Corporation, are trying to coordinate their cyber security
policies. Of course, that does not include, for example, in our
case the Illinois Commerce Commission, which has authority over
our distribution network, and the Pennsylvania Public Utility
Commission, which has authority over the network in
Pennsylvania.
Having one set of best practices, including the feedback
that the legislation contemplates of being able to go back and
showing how we would solve a problem, I think would make it
easier not only for us; it would make it easier for the various
regulatory organizations and be more cost-effective. So we
would support a single agency being the coordinator and then
cascading down.
Senator Collins. Ms. Santarelli, same question for you.
Ms. Santarelli. Yes, Senator Collins. Thank you for the
opportunity to comment on that. As a national infrastructure
provider, we agree with Mr. Naumann that it would be beneficial
to us to have a single one voice into the government entities
rather than having to work through multiple entities. As I
mentioned in my oral testimony and my written testimony, it is
very important to us to continue to have the speed to respond
to any threat in near real time, if not real time, and working
across multiple agencies I think could complicate that ability.
Senator Collins. Thank you. Thank you, Mr. Chairman.
Chairman Lieberman. Thanks very much, Senator Collins.
Senator Carper.
Senator Carper. Thank you, Mr. Chairman. I just want to
observe, if I could, to our Chairman and Ranking Member that
the subject that is before us today can be pretty dense and
pretty hard to understand. And I say that as a guy who, until
just a couple years ago, could barely spell the word FISMA, and
today I actually understand what it means. And you have taken
some tough, complex subjects and made them really
understandable, even for me, and I thank you for that. Really
good presentations and answers.
I have heard from Mr. Paller a number of times before, and
I have always observed that your presentations are, I think,
especially effective. Have you ever thought of writing a book
on this subject?
Mr. Paller. If you look at my written testimony, it is
really long. [Laughter.]
Senator Collins. He already has.
Senator Carper. Fair enough. Sometimes I start off my
questioning when we have a second panel, I ask the second panel
to look back at the testimony of the first panel and ask if
there was anything that you especially agreed with or disagreed
with from our first witness. And then I just want to ask you to
kind of play off of each other and ask you to think about some
of the things that your colleagues said during their testimony,
and say, ``Well, I really agreed with that,'' or, ``Boy, they
are out to lunch on that one.'' But go back to the first panel
with us. Anything that was said that you especially want to
underline or emphasize for us. If you would just start off, Ms.
Townsend, please.
Ms. Townsend. Thank you, Senator. I do think I was struck
by Senator McCain's question about partnership and Phil
Reitinger's answer. A quick vignette, I led the Katrina lessons
learned about how we could do things better, and I remember
interviewing General Russ Honore, and we talked about the
national incident commander's role to coordinate the response.
And he had this great line that I never forgot. He said, ``You
know, when you have a coordinator, a coordinator starts out to
make a horse and ends up with a camel.'' And it was graphic
enough and there is something to that.
And so I do think we have to be careful. That is why I said
if DHS is simply in the role of coordinating, somebody does
need to lead. Senator McCain is quite right. I think DHS is
right to lead, to understand where greater capability in the
government may reside to protect defense systems, intelligence
systems, but somebody must lead. I think that makes it
especially important that you have a White House office.
Everybody needs a Daddy, and if this is----
Senator Carper. And a Mommy.
Ms. Townsend [continuing]. Inside DHS, that person will
need the gravitas of a White House office to break through the
interagency process that can only be done there. And so I do
think we have to be careful to make sure to give them the
authority to actually get the job done and then the link to the
White House to implement it.
Senator Carper. All right. Mr. Paller.
Mr. Paller. Only one. When Mr. Reitinger was talking about
the people and how critical the people are, I think he was
radically understating the problem. A man named Jim Gosler, who
ran the Clandestine Information Technology Office (CITO), in
the Central Intelligence Agency (CIA), said to a bunch of
people in the Pentagon and NSA, ``We have only a thousand
people that can fight at world-class levels right now.'' There
was another person at the meeting who was a senior DOD official
that was frowning, and I asked him why he was frowning, he
said, ``Because I cannot get to a thousand.'' We need 20,000 to
30,000 of those people.
The problem with what Mr. Reitinger is doing, is he is
trying to hire them away from other people. But if you only
have a thousand, you are just going to grab them from a DOD
contractor or a NSA contractor. He has to change his mood from
we are going to go get these people to we are going to go build
these people, and he has to really take that on. His legacy is
the building of those people because until DHS has that core of
excellent people who are not contractors but are inside the
organization, they cannot compete with NSA and they cannot
defend the Nation.
Senator Carper. Good point. Thank you. Mr. Naumann.
Mr. Naumann. Senator, actually it was something you said
about----
Senator Carper. Something I said?
Mr. Naumann. Yes, sir. The difference between what is on
paper and implementation. And for the electric power industry,
when there is an immediate threat, having a single point of
contact to cascade that down with communications protocols and
channels that have been drilled and practiced is essential.
When time is of the essence, there is no time for confusion.
And so having the clear chain of command to get the information
to us, to be able to work with us to devise mitigation, and get
that information out to the right people becomes essential. And
that involves the implementation and it involves drilling and
it involves getting it right.
Senator Carper. Thank you. Ms. Santarelli.
Ms. Santarelli. Thank you, Senator Carper. When I was
listening to Mr. Reitinger's testimony and he spoke of a recent
worm, Conficker, he shared some of the difficulties in working
through all of the different agencies and getting information,
it struck me because in my oral comments I referenced the same
worm. And in the private sector, it was a different experience.
We very quickly pulled together a working group that stands
over 30 entities strong with a lot of additional partners
outside of that, a worldwide group of folks, technical folks
coming together to share, ``Hey, what worked for you? What is
the issue? What are you seeing?'' ``Hey, here is this IP
address. Here are where the machines are that you need to avoid
and not interact with them.''
And so it struck me that partnership is important and that
we should learn from each other, because on the one side it
works so well in the private industry to be able to share that
information live, and we would really look forward to working
with the Committee to share some of those best practices that
we have in our ability to communicate and interact with
organizations like SANS and others to share that information.
Thank you.
Senator Carper. Thank you. One last quick question, if I
could. My colleagues have heard me say from time to time that
the role of government is to steer the boat, not row the boat.
And another thing that has fascinated me for a long time is how
do we use market forces to try to drive good public policy
behavior?
Let me just ask, for those two principles, for me cardinal
principles, how well do we do in terms of measuring up to those
principles in the legislation that we have introduced? Ms.
Santarelli, do you want to go first?
Ms. Santarelli. Yes. I think that there are some really
positive aspects in the legislation that you have introduced. I
do like the ability to continue to grow in terms of the public-
private partnership. I think that there is improvement in
opportunities where we can work together to share information.
I would like to see and continue to work with the Committee
to address some of the legal barriers that we believe are there
that restrict us a bit in terms of being able to share
information. So we would like to see those barriers ironed out
a bit to ensure more success in our ability to share
information.
Senator Carper. Thanks. Mr. Naumann.
Mr. Naumann. What this bill does is it puts an overlay on
the security and reliability processes the industry has now
through the North American Electric Reliability Corporation
setting mandatory standards. It acts or puts into place
something that really the government is the one who has that
capability on the intelligence gathering.
There are processes now. What is contemplated here is
better because, as I said earlier, you need certainty and also
the feedback in providing industry solutions back to the
government to get the best solutions. And so what it does is it
lets us do what we do best, and we do set through NERC cyber
security standards. But it puts an overlay on that for the part
where the government has the real expertise, and that is simply
not our--intelligence gathering is not our job.
Senator Carper. All right. Mr. Chairman, could we hear just
briefly from Mr. Paller and Ms. Townsend?
Mr. Paller. I give you a 9.1. It is really well down.
Senator Carper. Was that on a scale of 100?
Mr. Paller. On a scale of 10--9.1.
Senator Carper. Thanks. Ms. Townsend, last word.
Ms. Townsend. Yes, I think the liability protection
provided in the bill is incredibly important for the private
sector. If there is something I would strengthen, we have to
protect the information that we are encouraging be shared, and
I think that is important whether it is traveling from the
State and local level all the way up through the Federal
Government to the private sector or the other way. We have to
ensure that across the spectrum of shared information we are
making sure that the information is protected, or the private
sector will not share.
Senator Carper. All right. Thank you all very much.
Chairman Lieberman. Thank you, Senator Carper.
Senator Carper. And, Mr. Chairman, thank you very much for
allowing me to a be a part of this trio, and I think we are on
to something good here, and we very much look forward to
working with you.
Chairman Lieberman. Thank you. Our pleasure to work with
you, and you did say something, just in answer to your
question.
I want to just highlight--and then we will let everybody
go--this last exchange because there is something I came to
appreciate as we worked on this bill, and Senator Collins
particularly made a very significant contribution on this
point, which was that when we talk about the emergency
authorities of the President with regard to the most critical
parts of cyberspace, a lot of what we are talking about is the
importance that the President has the capacity to say to an
electric company or to say to Verizon in the national interest,
``There is an attack about to come,'' or ``We are in the midst
of an attack, and I hereby order you to put a patch on this or
put your network down in this part or stop accepting anything
incoming from Country A.''
That might be the kind of thing that an individual company
would want to do or know they should do, but the potential
liability in doing that is enormous, because in the normal
business sense, you might well be putting down operations with
enormous financial consequences or losses. But it is in the
national interest to do that at that moment to stop greater
losses.
So I wanted to explain that just in this last line of
questioning and your answers to Senator Carper because that is
really what we have in mind. There is no authority here, as
Senator Collins said at the beginning, for the President to
have the government take over cyberspace. It is really through
the National Cyberspace and Communications Center at DHS to
issue orders probably as a result of previous agreement and
collaboration with the private sector, to do things that in a
normal business sense you would be hesitant to do, but in terms
of national security there is no question that you should do
it, and we should protect you from liability.
Do you want to add anything to that, Senator Collins? You
made a very important contribution to that part of the bill.
Senator Collins. Thank you. Mr. Chairman, I do think that
we got that right, and I very much appreciate the strong
testimony in support of it.
I just wanted to make a couple of final comments. This is
very complex legislation dealing with an extraordinarily
important issue, and I want to thank our staffs and all the
private sector partners that assisted us in drafting this bill.
I think that is why I will say that I believe we have come up
with the best approach of all the bills that are out there. It
is because we did get a great deal of advice, insight, and
input from the private sector partners, from former government
officials, and from current government officials.
So I just wanted to thank those individuals, many of whom
are here or are represented here today, as well as our staffs
for their hard work. This has been a long time coming, but I
think we have produced a very good bill, and I thank you for
your leadership as well.
Chairman Lieberman. Thanks, Senator Collins. You are
absolutely right. It took longer than we wanted, really. A lot
of it was because there was a lot of consultation. We tried to
do this in a collaborative way, and as a result I think it is a
better bill.
Incidentally, we took a long time in getting to this point,
but now we have our foot on the gas, because this is really
urgent. So we are going to report the bill out hopefully next
week, and as I said earlier, I believe Senator Reid is going to
try to bring the various bills together to reconcile
differences and then schedule floor time this year to move this
along.
This has been an excellent panel. You have been helpful to
us before today and today. I thank you very much for that.
We will leave the record of the hearing open for 15 days
for additional statements and questions, and with that, I thank
you and adjourn the hearing.
[Whereupon, at 5:08 p.m., the Committee was adjourned.]
SECURING CRITICAL INFRASTRUCTURE IN THE AGE OF STUXNET
----------
WEDNESDAY, NOVEMBER 17, 2010
U.S. Senate,
Committee on Homeland Security
and Governmental Affairs,
Washington, DC.
The Committee met, pursuant to notice, at 10:07 a.m., in
room SD-342, Dirksen Senate Office Building, Hon. Joseph I.
Lieberman, Chairman of the Committee, presiding.
Present: Senators Lieberman, Coons, and Collins.
OPENING STATEMENT OF CHAIRMAN LIEBERMAN
Chairman Lieberman. Good morning. The hearing will come to
order. I apologize for being a little late. I was set to
introduce a nominee for a State Department position at the
Foreign Relations Committee, and they started a 9:30 hearing at
10 o'clock, so I will blame it on them. But they blamed it on
Secretary Clinton, so the line of accountability continues.
In a sense, this is a hearing to both remind us and educate
those who are watching--hopefully, the public and Members of
the Committee--about the reality of the cyber threat to the
United States and how important it was that we work hard to
develop cyber security reform legislation in this Congress, and
how unfortunate it is that the clock is going to run out on us
before we have a chance to complete negotiations with other
committees and with the Administration, who I regret to say, I
think did not engage as early and as fully in the process of
developing this legislation as was necessary.
But this Stuxnet story really takes the reality of the
threat to a new level, I believe, and I think should awaken any
skeptics. And there are some, of course, who think that we are
overstating the threat and, therefore, overreacting in the
public resources that we are devoting to the protection of our
cyber systems here in America. Of course, I totally disagree
with that argument.
We have an extraordinary group of witnesses here today who
will not only explain to us what Stuxnet is but will, I hope,
talk more generally about the cyber threat to our country.
I will say, in terms of our legislation, that it is
certainly my intention--and I know it is Senator Collins'--to
come back to this legislation really early in the next session
of Congress and try to get it out as soon as possible. And,
again, I want to say this will require more immediate and
intense engagement by the Administration and by some of the
other committees that claim jurisdiction here. We, of course,
think we are the ultimate source of jurisdiction for cyber
security matters that are non-defense, which is the Armed
Services Committee. But this will be a real priority for the
Committee when the session begins next year.
Because I am late, I am going to put the rest of my
statement in the record \1\ and call on Senator Collins.
---------------------------------------------------------------------------
\1\ The prepared statement of Senator Lieberman appears in the
Appendix on page 124.
---------------------------------------------------------------------------
OPENING STATEMENT OF SENATOR COLLINS
Senator Collins. Thank you, Mr. Chairman. I know that we
have votes starting at 11 o'clock this morning, so I am going
to follow your lead. Let me just make a couple of comments.
Much attention has been paid to cyber crimes, such as
identity theft, and to cyber attacks that are intended to steal
proprietary information or government secrets. But lurking
beyond those serious threats are potentially devastating
attacks that could disrupt, damage, or even destroy our
critical infrastructure, such as the electric power grid, oil
and gas pipelines, dams, or communication networks. These cyber
threats could cause catastrophic damage in the physical world,
and this threat is not theoretical. It is real and present, and
the newest weapon in the cyber toolkit that was introduced to
the world in June when cyber security experts detected the
cyber worm called ``Stuxnet,'' which demonstrates to us the
extraordinary capacity that a worm could have to disrupt
absolutely critical infrastructure.
It is evident that the development of this very
sophisticated malware was likely the work of a well-financed
team of experts with extensive knowledge of the targeted
systems. It is my understanding that more than 100,000
computers were infected and that the damage could have been
catastrophic.
Like Senator Lieberman, I believe that this problem is
urgent. We have introduced bipartisan, comprehensive
legislation to deal with this threat. I personally think it is
an ideal issue for the lame duck session of Congress to take
up. My fear is that we will wait until we have a successful
cyber September 11, 2001, before acting, so I would like to see
us be proactive on this issue, and I believe our bill points
the way.
In the meantime, I look forward to hearing the testimony of
all the extraordinary experts that we have today to shine a
spotlight on what the impact would be of an attack on critical
infrastructure, an attack that this worm has made evident could
happen at any time.
Thank you, Mr. Chairman, and I would ask that my full
statement be put in the record.\2\
---------------------------------------------------------------------------
\2\ The prepared statement of Senator Collins appears in the
Appendix on page 127.
---------------------------------------------------------------------------
Chairman Lieberman. Without objection. Thanks, Senator
Collins. Just listening to you reminded me of something I heard
a businessman say a couple of days ago, which is that one of
the problems with our government is that too often
metaphorically it waits until there are four or five major car
accidents at a cross-section before it decides to put up a
stoplight. And we want to make sure that we put the stoplight
and the protections up before we have not just an accident but
suffer a major attack.
When my staff presented the memo to me about this hearing,
including the description of the witnesses, my reaction was we
could not have a better group of witnesses. And I really
appreciate both your work in this area and your presence here
today.
We are going to begin with Sean P. McGurk, Acting Director,
National Cybersecurity and Communications Integration Center at
the U.S. Department of Homeland Security. Good morning, Mr.
McGurk.
TESTIMONY OF SEAN MCGURK,\1\ ACTING DIRECTOR, NATIONAL
CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER, OFFICE OF
CYBERSECURITY AND COMMUNICATIONS, U.S. DEPARTMENT OF HOMELAND
SECURITY
Mr. McGurk. Good morning, Chairman Lieberman and Ranking
Member Collins. My name is Sean McGurk. I am the Acting
Director for the National Cybersecurity and Communications
Integration Center, and up until recently I was the Director
for the Control Systems Security Program and the Industrial
Control Systems Cyber Emergency Response Team (ICS-CERT) also
at the Department of Homeland Security (DHS). The Department
greatly appreciates this Committee's support in our ongoing
efforts to identify cyber threats and to combat cyber concerns
in the critical infrastructure, and in addition, I appreciate
the opportunity to appear before you today to provide some
insight into the activities that we have analyzed and
identified in relation to Stuxnet.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. McGurk appears in the Appendix on
page 129.
---------------------------------------------------------------------------
I would like to discuss the importance of securing these
control systems and how they significantly differ from the
information technology systems that we have been focusing on
over the past few years, and to also discuss DHS' approach in
addressing cyber threats and cyber risks as they apply to the
control system. And, finally, I would like to spend a few
minutes discussing Stuxnet itself and how Stuxnet has changed
the landscape when it comes to critical infrastructure.
Something as simple and innocuous as this becomes a
challenge for all of us to maintain accountability and control
of our critical infrastructure systems. This actually contains
the Stuxnet virus.
Chairman Lieberman. Mr. McGurk, take just a moment and
define a control system.
Mr. McGurk. Yes, sir. A control system in our common
terminology is any of the automated or embedded systems that we
use in our day-to-day activities. The National Infrastructure
Protection Plan has identified 18 critical infrastructures in
the United States. As you are all well aware, the foundational
element between those 18 critical infrastructures are control
systems. Energy is different than water which is different than
nuclear, but the fundamental foundation is those control
systems, those automated, digital-to-analog robotic systems
that manufacture cars, purify water, generate electricity, or
actually produce the goods and services that we rely on on a
day-to-day basis.
So recognizing the unique nature of those systems, the
Department created the Control System Security Program back in
2004 to address those challenges.
Much of what we have learned from information technology
practices are basic principles that we can apply, but just the
nature of these operational systems requires us to take a
different approach in protecting them. How we protect the
systems that generate power, purify our control over traffic
flow systems, or our rail and aviation transportation systems
is fundamentally different than the way we protect our
information technology infrastructure. That is why the
Department takes this all-hazards, all-risk approach when
identifying those challenges.
In order to focus on that foundation, the Control System
Security Program has established many activities in order to
increase the level of awareness for the control systems
community. One of those activities involves a Workforce
Development Program. In partnership with the Idaho National
Lab, we have built a very comprehensive and extensive hands-on
training environment where, working with the private sector and
with other Federal departments and agencies, we have been able
to train over 16,000 individuals, both asset owners, operators,
and vendors and other Federal agencies, in control systems
security--again, focusing on the unique nature between
information technology and control systems.
We have also worked closely with the standards community to
ensure that we are focusing on how to apply those principles
and practices from information technology into a control
systems environment. It is very important to recognize those
unique requirements and the differences between the systems and
not try to apply a one-size-fits-all.
In order to support the asset owner and operator community
in the private sector, we developed a series of tools that
could be used in order to enable a self-assessment of the
control systems security. There are many automated systems that
enable the evaluation of information technology and enterprise
networks, but we needed to focus on those unique
characteristics of control systems. Subsequently, we worked
with the Department of Energy laboratory community and
developed these tools so that we could actually apply them in
the general public.
In addition to the 16,000 personnel that we have trained,
we have also trained partners in 30 different countries to
increase the level of awareness of industrial control security.
We actually chair an international body focusing on increasing
the level of awareness for industrial control, and we have also
conducted more than 50 on-site assessments at facilities
throughout the United States, in 15 different States and three
territories. We plan on increasing that level of activity in
the coming years.
ICS-CERT also maintains fly-away teams. These fly-away
teams are incident response teams that work with the private
sector asset owners and operators upon request to do either
remote maintenance and analysis or physical analysis. When
requested, we will deploy a team. They will assist asset owners
and operators in identifying restoration methods, digital media
capture methods, and then we will conduct the analysis to
determine what the extent of the vulnerability is and what the
potential impacts are. We do this in order to understand the
overall risk profile to an industrial control environment,
looking at the threats, the vulnerabilities, and then
potentially the consequences. And then we work closely with the
community, the asset owners, operators, and the private sector
to build those mitigation strategies.
When the Department first identified a vulnerability back
in 2007 that we termed ``Aurora''--which had to do with hacking
into and modifying settings in digital protective networks,
physically destroying electric generation capacity--we
recognized the need to partner closely with industry so that we
could develop mitigation strategies that were sector-specific.
Fundamentally, what fixes the energy sector may not work in the
water sector, so that is why it is important for the Department
to continue to partner with those 18 sectors to identify proper
mitigation strategies. We understand we need to work with the
broad community in order to be effective in mitigating the
risk.
We also generated fly-away team checklists. Up until this
point, the understanding of what data was necessary to identify
risks to control systems was not well understood, so we worked
with academia and with other researchers to identify those
digital capture methods so that we could actually build a
forensic path to enable us to actually identify variants of
vulnerability such as Stuxnet.
The Department operates a malware lab; this is a physical
laboratory where we can actually install equipment and analyze
how it operates. In the case of Stuxnet, we were able to
configure the actual manufacturer's equipment in a live
environment and not only dissect the code to determine what it
is capable of doing, but actually analyze what it does once it
gains access to the equipment. So that gives us a better
understanding of not just the analytics behind the code itself,
but also its impact in a physical infrastructure. So the
Department still maintains that capability, and we share that
with the general public.
We also look at our responsibility to continue to partner
with the Federal departments and agencies to ensure that we are
sharing the information as we analyze it. It is important for
us to recognize that the intelligence community and the law
enforcement community have their responsibilities in these
areas, and we provide the intellectual capability behind it
from a very unique skill set of industrial control to forward
their efforts as well. So as we analyze the data, we share that
information with the intelligence community, the law
enforcement community, and other departments and agencies at
the State and local level so that they understand the impacts
of something like Stuxnet.
As I said, Stuxnet is a one-of-a-kind type of situation. We
have not seen this coordinated effort of information technology
vulnerabilities, industrial control exploitations, completely
wrapped up in one unique package. For us, to use a very
overused term, it is a game changer. Stuxnet actually modifies
not only the physical settings of an information technology
system, but it also modifies the physical settings of a process
control environment.
Essentially, if I wanted to find out what the process is
doing, I have the capability of removing those files or
exfiltrating the data, so I do not have to break into the front
door and actually steal the formula or the intellectual
property of what you are manufacturing. I can actually go to
the devices themselves, read the settings, and reverse engineer
the formula for whatever the process is that is being
manufactured. In addition, I can make modifications to the
physical environment so that you would be unaware of those
changes being made, and subsequently it would have an adverse
impact on the environment.
So the products that you are producing may not be of the
specifications that you originally analyzed because Stuxnet
demonstrates the capability of bypassing the safety and
security systems to go down to the root level to make those
changes; so the operator may believe the indicators on the
panel are accurate, but, in fact, there is malicious activity
occurring at the base level. These are capabilities that we
have seen demonstrated in Stuxnet that we have never seen
before in any analysis of code that we have conducted.
Now, as I mentioned, there is a significant amount of
concern also. Stuxnet is a pathway that people can then
exploit. It has basically been a road map, and it was written
in a modular format so that people could actually remove the
vendor-specific payload, that malicious code that attacked the
control system, and substitute it with any other type of
control system code that they desire. So it was written in such
a way that it allows that flexibility and capability, and that
really causes us concern as we move forward. And that is why we
continue to partner with the departments and agencies and the
private sector to analyze the capabilities and the risks
associated with Stuxnet.
Again, Chairman Lieberman, Ranking Member Collins, I
appreciate this opportunity today to appear before you, and I
am standing by and happy to answer any questions. Thank you.
Chairman Lieberman. Thanks, Mr. McGurk. That was a very
good beginning, both very informative and, frankly, chilling in
terms of the effectiveness of Stuxnet. You could make a lot of
comparisons to guided missiles and multiple independently
targetable reentry vehicle (MIRVs) and all the rest, and from
an earlier time of combat but quite something.
Michael Assante, who has a long background in this area, is
currently president and chief executive officer of the National
Board of Information Security Examiners. Thanks for being here.
TESTIMONY OF MICHAEL J. ASSANTE,\1\ PRESIDENT AND CHIEF
EXECUTIVE OFFICER, NATIONAL BOARD OF INFORMATION SECURITY
EXAMINERS OF THE UNITED STATES, INC.
Mr. Assante. Thank you. Good morning, Chairman Lieberman
and Senator Collins. I am coming here today in the capacity of
the National Board of Information Security Examiners of the
United States, Inc. (NBISE), but also a lot of work that I have
done in the field of critical infrastructure protection with a
focus on control system security. I am pleased that this
hearing is taking place today to explore the implications of
very advanced cyber threats on our Nation and our critical
infrastructure. The Stuxnet code is a very worthy centerpiece
for this discussion today. Even though it is, I believe,
neither the first nor will it be the last attempt to compromise
and use an operational system to effect physical outcomes,
Stuxnet is, at the very least, an important wake-up call for
digitally reliant nations; and at worst, it is a blueprint for
future attackers.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Assante appears in the Appendix
on page 142.
---------------------------------------------------------------------------
My remarks today will paint a very difficult challenge, but
it is important to note that I remain an optimist. This Nation,
as it has done countless times in past contests, should turn to
its men and women, both in and out of uniform, to muster an
effective defense. Our obligation is to best organize, train,
and equip these individuals to be successful in this very
important task.
Stuxnet is a highly disruptive innovation. Simply put,
Pandora's box was opened years ago as the United States became
reliant on digital technology to help operators complete and
control complex processes. Stuxnet is an important harbinger of
things that I believe may come if we do not use this
opportunity to learn about the risks to our infrastructures. No
one should be shocked by the cyber exploits that can be
engineered to successfully compromise and impact control
systems. Study after study has identified common
vulnerabilities found across control system products and
implementations.
Stuxnet is the best example of a cyber threat that was
thought to be hypothetically possible; that is, some would say
the fantastic story line of those that are just spreading fear,
uncertainty, and doubt. Well, in this all too real story,
possible did not merely just become probable, but it snuck onto
the world stage, undetected by defenders for months. Its
features, capabilities, the targeted technology, and the
purpose should shock security professionals, engineers,
business leaders, and government leaders into action. And I say
this very important statement for the following three reasons.
First, it is important that we understand there is a very
well resourced group possessing the necessary motivation, who
have successfully acquired the knowledge, skills, and
capabilities to systematically develop and launch a highly
sophisticated attack against control system technology. The now
public occurrence of such a cyber attack is very important
because it dispels conventional thinking that it is just ``too
hard'' for an attacker to assemble the necessary information,
gain familiarity with the technology, and acquire the knowledge
of specific implementations to devise an attack that could
disrupt or damage the physical components of an industrial
process. It is simply not true.
What is shocking to control system security experts is not
that it was done, but that it was done in such a manner as to
rely upon pre-programmed code, one that had the ability to
autonomously analyze the system that has been compromised and
identify very specific conditions desired for the delivery of
its ``digital warhead.''
The lesson that we must not gloss over is that highly
resourced actors can assemble people and the capability to plan
and to deal with system variances, anticipated security
controls, obscure and proprietary technology, and complex
industrial processes.
Second, we must understand that the attacks that we should
be most concerned with are not designed to disable their
digital targets, but to manipulate them in a very unintended
fashion. Many professionals have limited their thinking to
dealing with the loss of individual elements or components of
their control systems and have failed to fully embrace the
implications of calculated misuse.
In modern control systems, most of the process safety
depends on logic that is found in the controllers. By analyzing
this code, one can not only determine what the engineer wants
to happen but also what the engineer wants to avoid.
Finally, our current defense and protection models are not
sufficient against highly structured and resourced cyber
adversaries capable of employing new and high-consequence
attacks. Our defensive thinking has been shaped by the more
frequent and more survivable threats of the past. This means
that while current cyber defense tactics, security
architectures, and tools are necessary and can be responsive to
the most likely of threats, they are not sufficient to deal
with emerging advanced threats. The optimist always points to a
new type of security tool or practice as the solution to
current protection inadequacies. But should we not believe that
if it had been necessary to assure their success, the authors
of the Stuxnet worm would have simply developed a way to
counter any near measures that we would have fielded in force.
This requires us to consider not only security but also how
we can design and engineer survivability into our complex
systems and achieve a level of resilience not only in our
organizations but to our technology and our processes, and
better prepared to respond and recover to these types of
advanced threats. The susceptibility of our modern
interconnected and digitally reliant infrastructures is well
established.
I would also like to spend a minute on the flaws of our
current efforts to regulate cyber security. The National
American Electric Reliability Corporation (NERC)-developed
critical infrastructure protection (CIP) reliability standards
represent a very early attempt to manage cyber security risks
through mandatory standards with very significant penalties for
noncompliance. It is clear to me that the standards as written
and implemented are not materially contributing to the
management of risk posed by very advanced cyber threats, such
as the Stuxnet worm.
The standards are comprised of 43 specific requirements
designed to provide what I would call a minimum set of
practices that, if properly implemented, should serve as a
simple foundation to built from. Many of the requirements
should have already been commonplace in the industry but were
not.
The standards also include significant gaps and exclusions,
but their greatest weakness is in how they have been
implemented. The result has been a conscious and inevitable
retreat to a compliance- or checklist-focused approach to
security. Unfortunately, the NERC CIP standards have become a
glass ceiling for many utility security programs, which
prevents the emergence of the very type of security programs we
need to deal with Stuxnet-like attacks.
Regulation, although necessary, should be re-evaluated and
designed to emphasize learning, enable the development of
greater technical capabilities, require qualified staffs, and
discourage the creation of a very predictable and static
defense.
We must recognize that we are in the time of Stuxnet, and
in turn, it is the time to be honest. We do not have immediate
technical answers to better protect industrial control systems
from Stuxnet-like attacks. We do not have an effective
defenses, and we do not have adequate detection techniques. We
lack a functioning information-sharing and learning framework
and have limited abilities to apply new-found knowledge. The
public-private partnership has failed to produce satisfactory
results in these areas.
We must develop and implement protection strategies that
accept the unfortunate reality that many of our networks are
already contested territory. Accepting this very important
assumption will help stimulate industry and community efforts
to develop new and improved approaches to addressing the most
material of risks.
Why did some not see this coming? Well, significant cause
for concern is that much of the information about cyber
security-related threats remains classified in the homeland
security, defense, and intelligence communities, with
restricted opportunities to share information with the cyber
security researchers, technology providers, and possibly
affected private asset owners.
I would like to specifically emphasize one of the necessary
investments to combat advanced cyber threats like Stuxnet.
Through the years, working as the chief security officer at a
major utility, or by supporting researchers in a national
laboratory, and coordinating protection efforts while I was at
NERC, I have gained an appreciation for the importance and the
difference made by skilled and well-developed people. As in
this case, you must have a human complement up to the task of
optimally detecting and calling out the faint signals by which
these attacks sometimes announce themselves.
I have never understood why we have not embraced better
training and development methods for our front-line security
and operations staff. We train pilots using advanced simulators
to deal with very difficult conditions and mechanical failures.
Why do we not use simulators to allow security and operational
staff to experience low-frequently but high-consequence attacks
against systems and designs? Mr. McGurk's program that helps
develop that is a great first step.
Why do we not use performance-based examinations to qualify
our professionals? We have allowed chance to be our schoolhouse
where targeted organizations simply suffer in silence, not
willing to pass along the tough lessons that they have learned
to others.
I commend this Committee for its exploration of the
implications that advanced threats like Stuxnet pose to our
critical infrastructure and to our Nation. We must waste no
more time debating our susceptibility. We must accept that
well-resourced adversaries are capable of causing damage to
industrial processes in very difficult to anticipate ways. I
believe the following steps are necessary.
We must remove and remediate architectural weaknesses,
known vulnerabilities, and poor security designs in industrial
control system technology over time.
We need to promote greater progress designing and
integrating security and forensic tools into control system
environments.
We must prioritize our efforts by jointly studying the
potential consequences that may result from directed and well-
resourced attacks of control systems and protection systems in
high-risk segments of our critical infrastructure. In the cases
where the consequences are absolutely unacceptable, we must
assume that an attacker can successfully defeat our security
and, therefore, direct our efforts to engineering away the risk
that more survivable designs and practices might be able to
obtain.
We need to organize a well-funded, multi-year research
program to design toward a more resilient infrastructure,
especially in the area of industrial and digital control
systems.
We must establish new regulation in the form of performance
requirements that value learning, promote innovation, and
better equip and prepare control system environments and the
teams that protect, operate, and maintain them. The current
regulatory structure will not, in my view, be capable of
achieving this end.
We must require critical infrastructure asset owners and
control system vendors to report industrial control system-
specific security incidents.
We must task appropriate U.S. Government agencies to
provide up-to-date information to asset owners and operators on
observed adversary tactics and techniques, especially when
investigations reveal attacker capabilities to side-step or
exploit the very security technologies we rely upon.
We must invest in the workforce that defends and operates
our infrastructure systems. We need scalable, immersive, hands-
on training environments, and local simulator training
technology should be used to optimize the development of this
workforce. The same workforce should then be qualified through
periodic rigorous performance-based assessments and, where
appropriate, examinations.
In conclusion, my greatest fear is that we are running out
of time to learn these important lessons. Ultimately, we know
that our conventional approach to more common security threats
will be necessary but woefully insufficient to protect us from
threats like the Stuxnet worm. We must act now to develop our
greatest resources in this important contest. That would be the
professionals that defend, operate, and protect the critical
infrastructure and critical systems of this country. Thank you.
Chairman Lieberman. Thanks, Mr. Assante. Very practical and
constructive recommendations.
Dean Turner is our next witness, Director of the Global
Intelligence Network at Symantec Security Response, Symantec
Corporation. Thank you for being here.
TESTIMONY OF DEAN TURNER,\1\ DIRECTOR, GLOBAL INTELLIGENCE
NETWORK, SYMANTEC SECURITY RESPONSE, SYMANTEC CORPORATION
Mr. Turner. Thank you, Mr. Chairman and Ranking Member
Collins. I would like to thank you for, of course, allowing us
the opportunity to appear here today and to discuss not only
the Stuxnet worm but how we can better begin to secure the
industrial control systems that underpin this country's
national critical infrastructure.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Turner appears in the Appendix on
page 156.
---------------------------------------------------------------------------
As you have pointed out, I am the Director of Symantec's
Global Intelligence Network. As a leader in the security space,
Symantec welcomes the opportunity to provide comments to the
Committee as it continues its, arguably, important efforts to
enhance the security of critical infrastructure systems from
cyber attack. We believe that critical infrastructure
protection is an essential element of a resilient and secure
nation.
Let me begin by providing Symantec's observations on
Stuxnet and offering our insights on the threat that the worm
poses to this Nation's industrial control systems.
Symantec examined each of the Stuxnet components in order
to better understand exactly how the threat worked in detail.
We found Stuxnet to be an incredibly large and complex threat,
and it is the first threat that Symantec has identified that
targets critical industrial infrastructure and is written
specifically to attack industrial control systems used in part
to control and monitor industrial processes. Not only can
Stuxnet successfully reprogram the programmable logic
controllers (PLCs), that are part of these industrial control
systems, but it also, as Mr. Assante and Mr. McGurk have
pointed out, cleverly hides those modifications.
Stuxnet is able to accomplish this task via a rootkit,
which is a type of malicious software that keeps itself hidden
from the computer's operating system. Computer source code
contained in the PLC is the function that allows control
systems to operate and to control machinery in a plant or a
factory. The ability to reprogram this function allows for the
potential to control or alter how the system operates.
We speculate that the ultimate goal of Stuxnet is to
reprogram and sabotage industrial control systems. The threat
is targeting a specific industrial control system, and that is
the one utilized by energy sectors, such as with a gas pipeline
or power plant.
Stuxnet demonstrates the vulnerability of our critical
infrastructure industrial control systems to attack and, again,
as other witnesses' testimonies today have pointed out,
highlights a problem and should serve as a wake-up call for our
critical infrastructure systems around the world.
The potential for attackers to gain control of critical
infrastructure assets, such as power plants, dams, and chemical
facilities, is extremely serious. Whether Stuxnet ushers in a
new generation of malicious code attacks toward critical
infrastructure remains to be seen. Stuxnet is of such
complexity--requiring significant resources to develop--that
only a select few attackers are capable of producing such a
threat. So we do not expect masses of similar sophisticated
threats to suddenly appear.
Stuxnet does, however, highlight that attacks to control
critical infrastructure are possible and not just a plot in a
spy novel. The real-world implications of Stuxnet are some of
the most serious that we have ever seen in a threat.
The intended target of Stuxnet is not known. We know even
less about who could have written Stuxnet than the target
itself. What we do know is that whoever was behind it has good
knowledge of ICS systems, particularly those systems that were
targeted. Without better knowledge of the persons behind these
attacks, it is nearly impossible to say with any certainty who
was ultimately responsible and what were the possible motives
behind the attack. The combination of sophisticated attacker
and their target means that any speculation as to who was
behind that is just that: Speculation.
Symantec believes that education and awareness is a key
component to securing critical systems from cyber attack. From
the classroom to the boardroom, from the management level to
the security professional, education is needed to ensure
security is part of an organization's ethos. Good security
requires secure software and well-designed and maintained
networks. In other words, security needs to be baked in from
the outset, and part of this is ensuring that all of those
involved continuously maintain their skill sets in what is
arguably a fast-changing environment.
The question being asked now of security professionals
associated with U.S. critical infrastructure is what we should
be doing in response to this particular discovery.
The first obvious measures to protecting these types of
systems from Stuxnet and similar threats is to deploy up-to-
date anti-malware solutions. Unfortunately, many industrial
control systems today still need to be modernized in order to
be able to do just that.
The second most important element is to watch for vendor
security notifications and alerts and apply patches as soon as
possible.
Last, but certainly not least, is know your assets,
identify your perimeter of security operations, and maintain a
high level of situational awareness to ensure you are aware of
and can respond to these types of incidents in a timely manner.
Keeping in mind that over 85 percent of the U.S. critical
infrastructure is owned and/or operated by the private sector,
Symantec commissioned a recent study on critical infrastructure
protection. Our goal here was to find out how aware critical
infrastructure companies were of government efforts in this
area and to determine how engaged business was about working
government. And we came up with four key findings from that
particular survey.
One, critical infrastructure providers are increasingly
attacked.
Two, attacks on critical infrastructure are effective and
costly.
Three, industry wants to partner with government on
critical infrastructure protection.
And finally, fourth, critical infrastructure providers feel
more readiness is needed to counter these types of attacks.
Most telling was that respondents cited security training,
awareness by executive management of serious threats, endpoint
security measures, security response, and security audits as
the major safeguard areas in need of the most improvement.
Since most of the Nation's cyber infrastructure is not
government owned, a public-private partnership of government
and private stakeholders is required to secure the Internet and
ICS systems. Cooperation is needed now more than ever, given
that industrial control systems face an ever-increasing risk
due to cyber threats such as Stuxnet.
Toward that end, Symantec commends the Department of
Homeland Security for their engagement with the private sector
on critical infrastructure protection. DHS has been a valuable
partner to Symantec and others in the private sector, through
the Sector Coordinating Councils as well as the IT Information
Sharing and Analysis Center.
Symantec has provided input to DHS on the Comprehensive
National Cyber Initiative projects, and we have been engaged
with the Department on the National Cyber Incident Response
Plan. Additionally, we participated in the National Cyber
Exercise, Cyber Storm III, which demonstrated the value of
operational incident collaboration across the public and
private sectors. Further, we have held several briefings with
DHS to share our expertise on Stuxnet and how critical
infrastructures can better secure their systems against these
threats. We look forward to continuing to partner with DHS and
other agencies on the many issues and preparedness activities
related to the Nation's critical infrastructure protection.
Stuxnet demonstrates the importance of public-private
information-sharing partnerships across the entire critical
infrastructure community. While DHS has made strides to partner
with control system vendors through its ICS-CERT, it should
build on its 2009 ``Strategy for Securing Control Systems'' and
enhance its control systems partnerships by including the IT
and IT security communities, who have traditionally worked with
the DHS U.S. Computer Emergency Readiness Team (US-CERT).
Cross-collaboration within DHS is the key to improved
situational awareness and operational response, and DHS should
continue its efforts to integrate these functions.
Until there is greater coordination between IT and IT
security vendors and the industrial control systems owners and
operators, there is an increased risk that multiple
organizations will conduct duplicative work and miss
opportunities to learn from and collectively respond to
threats. We recommend that DHS further enhance information
sharing on control systems vulnerabilities with the IT and IT
security communities and continue to work on integrating its
information-sharing capabilities to improve situational
awareness and operational response partnerships with industry.
In closing, Symantec would like to convey our strong
support for the Protecting Cyberspace as a National Asset Act.
We believe that this important legislation will enhance and
modernize the Nation's overall cyber security posture in order
to safeguard the critical infrastructure from attack. The bill
also importantly recognizes cyber security as a shared
government and private sector responsibility, one which
requires a coordinated strategy to detect, report, and mitigate
cyber incidents. We look forward to working with the Committee
to help advance this important legislation.
Thank you for the opportunity to testify today. We remain
committed to continuing to work in coordination with Congress,
the administration, and our private sector partners to secure
our Nation's critical infrastructure from cyber attack. And I
will be happy to respond to any questions the Committee may
have.
Chairman Lieberman. Thanks very much, Mr. Turner. Thanks
for your specific explicit endorsement of the legislation,
which Senator Collins and I introduced and which the Committee
reported out unanimously, obviously across party lines, and
really thank you for the fact that your entire statement was
really an explanation, in a sense a call to action for us to
pass such legislation and to create a public-private alliance
here to protect our country from this very serious threat.
Mark Gandy is our last witness. He is the Global Manager of
Information Technology Security and Information Asset
Management at the Dow Corning Corporation. Thank you for being
here.
TESTIMONY OF MARK W. GANDY,\1\ GLOBAL MANAGER, INFORMATION
TECHNOLOGY SECURITY AND INFORMATION ASSET MANAGEMENT, DOW
CORNING CORPORATION
Mr. Gandy. Thank you. Good morning, Chairman Lieberman,
Ranking Member Collins, and Members of the Senate Homeland
Security Committee. My name is Mark Gandy, and I am the Global
Manager of Cybersecurity for the Dow Corning Corporation. I am
also Chairman of the American Chemistry Council's Cybersecurity
Steering Committee.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Gandy appears in the Appendix on
page 165.
---------------------------------------------------------------------------
To begin, I would like to thank the Committee for holding
this important hearing today on the critical issue of cyber
security. While I realize this is not a legislative hearing, I
would like to commend your efforts in crafting bipartisan
legislation during this Congress that effectively balances the
need for increased vigilance through the promotion of a risk-
based framework whereby the critical infrastructure sectors can
appropriately address their cyber threats.
The American Chemistry Council (ACC) and its members stand
ready to support a continued momentum on this issue as we
proceed into the next Congress. Today I will be making comments
or statements on behalf of the American Chemistry Council.
The ACC represents the leading chemical companies in the
United States. The business of chemistry is a critical aspect
of our Nation's economy, employing more than 800,000 Americans
and producing more than 19 percent of the world's chemical
products. In fact, more than 96 percent of all manufactured
goods are directly touched by the business of chemistry.
Cyber security is a top priority for ACC and the chemical
sector. Because of our critical role in the economy and our
commitments to our communities, security is a top priority for
ACC members.
In 2001, our members voluntarily adopted an aggressive
security program--the Responsible Care Security Code (RCSC)--
which is mandatory for all members of the ACC. The RCSC is a
comprehensive security management program that addresses both
physical and cyber security and requires a comprehensive
assessment of security vulnerabilities and risks and to
implement protective measures across a company's entire value
chain. Each company's security plan is then reviewed by an
independent third-party auditor. The RCSC has been a model for
State-level chemical security regulatory programs in New
Jersey, New York, and Maryland and was deemed equivalent to the
U.S. Coast Guard's Maritime Transportation Security Act.
Public-private partnerships are vital to winning the war on
cyber terrorism. The ACC and its members have been proactively
engaged with the former and current administrations on
improving cyber security. In June 2002, ACC members began
implementation of the Chemical Sector Cybersecurity Strategy,
which was referenced by the Bush Administration's National
Strategy to Secure Cyber Space of 2003. ACC participated in the
White House 60-day cyber policy review, and our cyber experts
work closely with the DHS National Cybersecurity Division in
many areas, including national Cyber Storm exercises,
information-sharing programs, and development and
implementation of the road map to securing control systems in
the chemical sector.
ACC was gratified that in 2009 the Obama Administration
made cyber security a top priority. A 2009 program update can
be found on the Obama Administration's Web site, ``Making
Strides to Improve Cybersecurity in the Chemical Sector.''
Since 2001, ACC members have invested more than $8 billion
in your enhancements, including both physical and cyber
security protections. Security in all its dimensions continues
to be a top priority for ACC and the chemical industry, and our
record of accomplishment and cooperation with Congress, DHS,
and others is undisputed.
Considering the industry's perspective on the increased
threat, we have seen the threat landscape evolve from
relatively unorganized, unsophisticated exploits of virus and
worm activity with a notoriety objective--making a name for the
hacker--to increasingly more sophisticated and economically
disruptive attacks to network computing into today's relatively
sophisticated and stealthy threats that target intellectual
property for economic gain and are potentially disruptive to
operational stability of critical infrastructure.
However, while the threat landscape is evolving in
sophistication and intent, many vulnerabilities exploited
remain relatively unsophisticated, whereby well-known counter
measures are possible. Cyber threats to control systems are
evolving in complexity and sophistication as well-funded and
highly motivated groups become more active. Specifically,
Stuxnet is more advanced with respect to a targeted control
system attack by a knowledgeable subject matter expert using
typical technology exploits of common vulnerabilities inherent
in any system. Stuxnet demonstrates that threats to process
control systems are real and need to be a significant part of
the cyber security risk management equation.
The industry recognizes the vulnerabilities of industrial
control systems as they have increasingly become enterprise
network connected. The threat is serious and the industry is
responding by increased preparation and response planning with
significant resources.
In response to the evolving threat landscape and the
relatively commonly avoidable exploits, the industry is working
proactively to improve information sharing among the industry
and with government about threats, working with technology
suppliers and the U.S. Government to enhance the robustness of
control systems through the development of international
standards for improved security of control systems, and
developing and publishing risk management best practices and
security guidance that help owner-operators better prepare and
respond to cyber threats such as Stuxnet.
The industry approach is a comprehensive risk management
strategy that includes proactive steps through ACC and the U.S.
Government, emphasizing the importance of effectiveness threat
and best practice information sharing and robust technology
solutions. Our sector is also leading the development of
comprehensive international standards by the International
Society for Automation. These standards will lead to the
development of control systems that are more resilient to cyber
attacks.
ACC and its members are also actively engaged in the road
map to secure control systems in the chemical sector along with
our active partnerships with DHS and the Chemical Sector
Coordinating Council. These and other activities make up a
coordinated comprehensive sector program that was significantly
informed through participation in exercises such as the
recently completed Cyber Storm III.
In summary, the ACC and its members remain committed to
advancing cyber security practices and systems in the chemical
industry by working in partnership with Congress, DHS,
technology organizations, and developers. Working with the
chemical sector at large, we are improving how we share
information and striving for continuous improvement of critical
control systems that are protected from the loss of critical
function during a major cyber event.
The Federal Government plays a crucial role in helping the
sector to achieve this goal by creating and supporting programs
and incentives that promote advances in new technologies and
standards and upgrading of legacy systems across the sector.
Sharing of timely and actionable threat information with
the private sector and working together on risk-based solutions
that focus on the resiliency of control systems should be an
area of heightened attention and focus to mitigate the evolving
threats.
And, last, identifying and holding accountable those who
attack our critical cyber infrastructure, whether it is for
notoriety or for financial gain, must be a priority.
That concludes my opening statement. We have submitted a
written statement for the record. Thank you for this
opportunity to present on behalf of the ACC, and I will be
happy to take any questions that you have. Thank you.
Chairman Lieberman. Thanks, Mr. Gandy. Encouraging to hear
that private sector response to the growing threat, and your
statement, along with others, will be entered into the record.
I want to just formally welcome Senator Coons for the first
time. He was sworn in 2 days ago as the new Senator from
Delaware. There is a great tradition of Delaware Senators
serving on this Committee. I know you bring extraordinary
experience and ability, and we look forward to working with you
on the Committee.
Senator Coons. Thank you, Mr. Chairman.
Senator Collins. Let me join the Chairman in also welcoming
Senator Coons to our Committee. As he mentioned, I think there
has been a Senator from Delaware on this Committee going back
to Bill Roth's days for decades.
Chairman Lieberman. Bill Roth, right.
Senator Collins. And we are delighted to have you join us
and hope it will be a permanent assignment. I know that is
still up in the air. Thank you.
Chairman Lieberman. Me, too. Thanks, Senator Collins.
I think we will do 6-minute rounds here so we can try to
give everybody an opportunity in case the vote actually goes
off on time at 11 a.m.
This has been excellent testimony, and what it reminds me
of, obviously, as a lay person, if you will, here, is that
cyberspace is a lot different from the normal space we occupy,
even in terms of what we are describing as the threat. I think
you, Mr. Turner, said something so interesting, which is we
really do not know who the attacker was in the Stuxnet case.
That I can understand because of all the difficulty. But what
is fascinating is that--and I believe I understand this--we do
not know what the target was either. But we know that there was
a Stuxnet attack and that it is real.
So, Mr. McGurk, maybe I will start with you on this to help
our education because my understanding is--and I say this with
pride--that the Department of Homeland Security's Industrial
Control Systems Computer Emergency Response Team, which we call
more simply ICS-CERT, played a critical role in unraveling
Stuxnet. So help us understand a little more what this thing
is, whose origin and destination we do not understand.
Mr. McGurk. Yes, Senator. Thank you for that opportunity.
As you had mentioned, the ICS-CERT took the initial focus of
analyzing what the capabilities of Stuxnet were. In order to
understand its code, we identified by reverse engineering the
physical attributes of the code and how it actually exploited
the information technology vulnerabilities. There were these
undocumented capabilities in the operating system, which are
often called ``zero day'' vulnerabilities. They are called
``zero day'' because no one knows about them.
In this particular case, this code utilized four zero day
vulnerabilities to ensure that the malicious part that affects
the industrial control system was delivered. So using a device
such as the USB device, it actually migrated through the
networks and then went into the physical process control
environment. We were able to take the equipment at our
laboratory out at Idaho National Labs and physically configure
it with representatives from the vendor community themselves.
The actual vendors of the products came out and helped
configure the equipment, and then we actually allowed Stuxnet
to go loose into the environment, if you will.
Because it was written with such advanced cryptological and
obfuscation technologies, Stuxnet actually used the equipment
itself that it was attacking to encode itself. So we were able
to actually give it that programmable logic controller that it
was looking for because it focuses on a specific hardware and
software combination, and actually it was able to dissect the
code by accessing the programmable logic controller, and it
started decrypting itself. That allowed us to speed our
analysis along, and it did not take as much time to identify
not how it was written but what it was capable of doing.
Our focus was on developing and understanding its
capabilities and then identifying those mitigation strategies.
So our efforts allowed us to do that.
Chairman Lieberman. So where was it found? I am thinking in
conventional terms, but this thing that you analyzed, whose
origin and destination was not clear, nonetheless had to exist
somewhere so you could analyze it.
Mr. McGurk. The first sample of code that we received was
actually working in our partnership with various international
CERTs. We received it from the German CERT, who in turn
received it from the vendor themselves.
Chairman Lieberman. The vendor was a Germany company?
Mr. McGurk. It was a German company; yes, sir. So,
subsequently, we were able to get a pure sample of the code
that was in the wild, and that allowed us to conduct that
reverse analysis.
Chairman Lieberman. And the control system targeted here,
as I think one of you said, was a control system that is
usually used for the control of power plants? Is that right?
Mr. McGurk. Essentially, these devices are ubiquitous. This
particular vendor has a market share of about 7 percent here in
the United States. There are other companies that have larger
percentages. But these particular pieces of equipment are used
in agriculture, manufacturing, power generation, water
treatment, several sectors across the United States. Power
generation and distribution is only one of those and not
necessarily in this particular case the largest. Manufacturing
is actually the larger infrastructure that uses these types of
systems.
Chairman Lieberman. In terms of the origin of it, although
I understand we do not conclusively know, I presume--do we
think that this was a Nation state actor and that there are a
limited number of Nation states that have such advanced
capability?
Mr. McGurk. Nothing in the code really points to any
specific sense of origin or where it was developed. Based on
our analysis, we feel that it was probably developed over a set
period of time. These individual blocks were put together by a
team or a series of teams working in concert, because there are
indicators that it was strung together in such a fashion. But
we have also identified with other types of malicious code and
botnets where they actually generate $30 million a month in
revenue from operating as various botnets. So when you have
that capability from a criminal intent standpoint, you have
resources to be able to buy this type of capability.
Chairman Lieberman. There has been some speculation in the
media that the target here might have been the nuclear power
systems within Iran. In fact, at one point--perhaps unrelated
to Stuxnet--an Iranian official complained about the fact that
their nuclear program was under cyber attack, not linking these
two. What would you say in response to that?
Mr. McGurk. Again, sir, attribution and intent are the
fields for other departments and agencies. We are focusing
primarily on capability. But I would also like to also
acknowledge Mr. Turner's comments that there would be an
incredible amount of knowledge necessary to be able to identify
specifically what the target was, and there are no indicators
in the code. We understand what it is capable of doing.
Chairman Lieberman. Right.
Mr. McGurk. But to specifically say it was designed to
target a particular facility is very difficult for anyone to
say with any assurance.
Chairman Lieberman. Thank you. My time is up. Senator
Collins.
Senator Collins. Thank you, Mr. Chairman.
Mr. Turner reminded all of us that 85 percent of critical
infrastructure is in the private sector, and that is why the
bill that the Chairman and I drafted focuses on public-private
partnerships and information sharing that is absolutely
critical. I would like to ask each of you to comment on two
issues related to that.
First, how vulnerable is our Nation's critical
infrastructure to cyber threats like Stuxnet? And then, second,
how would you characterize the level of preparedness in the
private sector to deal with a threat of this sophistication?
We will start with you, Mr. McGurk, and just go down the
table. Thank you.
Mr. McGurk. Thank you, Senator. As far as how vulnerable, I
think the issue was made clear earlier in many of the
testimonies before the Committee that the advent and adoption
of commercial off-the-shelf technology into a critical process
environment has now opened each of those former legacy-based
systems to the same types of vulnerabilities we have in
information technology today. By connecting these systems and,
if you will, systems of systems together, we have actually
increased the risk profile associated with those networks and
operating those networks.
The private sector has been working diligently to identify
those mitigation strategies and those steps as they integrate
that technology. The Department has been working in our
private-public partnership capacity to provide the services and
the expertise that we have to help identify those processes in
securing the critical infrastructure.
It is an uphill battle, and when we see something like
Stuxnet come into play that significantly alters the landscape,
we need to reassess and re-evaluate our mitigation plans so
that we can identify new methods of increasing that security,
and the private sector working with the Department has been
focusing on that for quite some time now.
Senator Collins. Thank you. Mr. Assante.
Mr. Assante. I think it is important to note that in my
time at NERC and working with the industry, there were lots of
incidents where we had non-directed and not very structured
cyber threats that impacted or found their ways onto control
systems. That was very concerning because it was not by design.
It found its way because technology is very cross-cutting. That
indicates to me that we are not only very susceptible, but not
very well prepared since we had architectures that allowed for
that to happen.
When you look at the Stuxnet worm, you are talking about a
very well resourced and very structured cyber adversary with
advance planning capability. In that sense, I believe we are
extremely susceptible. In fact, I believe our susceptibility
grows every day. If you just look at the very trends within the
technologies that we deploy, we are doing things that would
allow an attacker more freedom of action within these
environments.
As an example, we are converging safety systems with
control systems at the network layer. It is a very dangerous
combination because you allow somebody to get free access to
both the system that is designed to make sure a process stays
safe and the system that controls what a process does. Those
types of trends that our manufacturers, vendors, and even our
asset owners have called for because there is great business
efficiencies to do are very dangerous and troublesome. So I
believe we are becoming more susceptible to these types of
attacks every day.
Senator Collins. Thank you. Mr. Turner.
Mr. Turner. Senator Collins, I concur with Mr. McGurk and
Mr. Assante, to the level of complexity in the issues that we
are facing today. In my role within Symantec, I spent a good
deal of time looking at vulnerabilities and talking about
numbers and trends and threats and all the rest of it. And I
think what I would like to do is maybe illustrate using Stuxnet
just exactly where we stand.
As of early last week, we saw approximately 44,000 unique
Stuxnet infections worldwide. Now, that may not sound like a
big number, but when we are talking about a highly
sophisticated threat that requires an awful lot of knowledge
and skills and people to pull together, that is a big number.
In terms of the United States, we have seen a little over
1,600 unique Stuxnet infections, 50 of which we have identified
as having the WinCC/Step7 Stuxnet--the software that Stuxnet
trojans installed. Sixty percent of the global infections of
Stuxnet are in Iran. And we can talk about speculation and all
those other things about where the evidence points, but the
point here is that even if something like this is tied to one
particular country or group of countries, the ability for these
types of threats to have a global reach is enormous. We have
gone from the days, in 2004, where we saw a little over 260,000
new threats to where we saw 2.9 million last year.
Vulnerabilities in software and hardware have become,
unfortunately, in some ways a cost of doing business. There is
an awful lot of issues here.
Our level of preparedness, I think, is to some degree,
certainly in the private sector, better than it ever has been,
but still has a long way to go. It is a cliche, but
unfortunately, we do not know what we do not know. And when we
start talking about industrial control systems and some of the
other things where the partnership is not quite as developed as
it should be, it is a little more difficult to answer.
So how vulnerable are the industrial control systems and
supervisory control and data acquisition (SCADA) systems within
the United States or anywhere else? That is a difficult
question to answer until we know exactly the scope of the
problem and how many vulnerabilities there are.
Senator Collins. Thank you. Mr. Gandy.
Mr. Gandy. Regarding the vulnerability question, the
chemical sector understands this evolving threat, has been
working proactively to ensure the resiliency of our control
systems from both the physical and cyber approach through a
risk-based framework that identifies these vulnerabilities and
then works on implementing appropriate mitigating controls. As
mentioned, the Responsible Care Security Code, the road map to
securing control systems in the chemical sector, ongoing
Chemical Facility Anti-Terrorism Standards (CFATS) compliance
work, are all working to comprehensively provide a framework of
assessment, design, engineering, implementation, and monitoring
for these kinds of vulnerabilities.
The level of preparedness in the sector, the ACC and its
members have been working for years across the sector to
prepare and share information about these issues, both from an
industry peer-to-peer sharing and sharing with technology
suppliers and DHS and national cyber information-sharing
exercises. We continue to comprehensively improve control
system security in the chemical sector.
The road map to security in the control system in the
chemical sector is further driving the resiliency of control
systems through preparedness and awareness.
Senator Collins. Thank you.
Chairman Lieberman. Thanks, Senator Collins. Senator Coons.
OPENING STATEMENT OF SENATOR COONS
Senator Coons. Thank you, Mr. Chairman, for holding these
interesting and important hearings.
If I might, Mr. Gandy, I just want to commend the ACC for
its model private sector initiative.
For the whole panel, one of the things that made Stuxnet, I
think, particularly concerning is its ability to both
infiltrate and then exfiltrate data that are operational in
nature and would allow an unknown observer to then map an
industrial process. What sort of risks does this pose for trade
secrets in the event that we have foreign nations who are
competitors to this country interested in using this kind of
capability to learn about detailed operational configuration of
our manufacturing processes, our power grid, our chemical
processes in a way that would allow them to then mimic them,
map them, and expand them, or make them strong?
So I would be interested, if I could, in brief answers from
all the members of the panel to two questions. Does Stuxnet
signal not just a risk in terms of infrastructure but also
intellectual property and the potential loss of American trade
secrets? And then, second, what could we be doing to strengthen
the public-private partnership on both fronts, both the
intellectual property and the operational control of critical
infrastructure? If we could start with Mr. McGurk. Thank you.
Mr. McGurk. Thank you, Senator. To answer the question
succinctly, yes, it does demonstrate the very unique capability
of exfiltrating or removing that data associated with critical
process development. In addition, it has an advanced capability
that we have seen demonstrated where it can actually remove the
historical files associated with the process. That is a key
element because it actually goes into development and
refinement of your process, so I know not only what you are
currently producing but what you have produced in the past and
what changes you have made to refine that process. So,
subsequently, from an intellectual property standpoint, it
poses a very great risk.
In order to strengthen that partnership, I think we are all
discussing the very same topic of awareness and understanding
and putting those mechanisms in place, whether it is through
education, certification, or through information sharing, and
actually collaborative development of information in order to
address risks such as Stuxnet. Thank you, sir.
Senator Coons. Thank you.
Mr. Assante. I think the Stuxnet worm was very
sophisticated and capable and that not only did it allow you to
maintain a foothold in the environment that you compromise,
which is what the attacker wants to do, through the exportation
of information it allows them to conduct discovery. Discovery
is a very important element to being able to plan follow-on
attacks, if that is what the author would so choose to do. And
so whether discovery is by pulling out information that has
value or that has information that would support future
planning processes or the ability to just recognize how you
maintain a sustained foothold, that is a very significant issue
for the industrial control system world, and certainly we have
seen that play out in threats across financial services,
defense industrial base, and other key sectors of our economy
where we have trade secrets or proprietary information that is
important to our economic stability.
I do not want to gloss over the idea that the Stuxnet worm
was so sophisticated that it was capable of acting
autonomously. So whether they lost that communication link,
that piece of code had quite a bit of intelligence to be able
to act. So I think the concept of follow-on attack is
important.
I believe from the public-private partnership perspective,
I have seen great progress. I have been involved in it over the
years. I do believe that the proposed legislation that this
Committee is looking at which be a significant step forward to
further ingraining how we should go about what I think is a
more productive partnership. I think that we need to not only
hold the asset owner responsible for the management of risk as
it relates to the systems that they manage, but also the
technology providers. We will constantly be trying to be very
reactive if we do not get the technology providers to take a
serious part in being able to program these systems more
securely, to help design the architectures, they will be better
suited to deal with these types of advanced threats.
Mr. Turner. Senator Coons, echoing the comments by Mr.
Assante and Mr. McGurk, the short answer is yes, absolutely it
is a risk. Ninety to 95 percent of all the threats we see today
are risks to personally identifiable information. The fact that
this is wrapped up into a threat that targets critical
infrastructure is just as important as any other one, and more
so in many ways.
We know, for example, that there was the capability before
the sink holes--the command-and-control (CnC) servers were
taken over by Symantec--that this particular code had the
ability to actually install a back door on those systems. So
the systems that we did not know about between June 2009 and
where we are today in 2010 could still be exfiltrating data. We
know that part of the threat's purpose was to steal the design
documents of the ICS systems. That particular information could
still be leaked.
We do need to take this seriously because it is all about
information--the secondary component, of course, being what
could you do not only with that information, but more
importantly changing the frequency control that drives
themselves and all the other things that could take place.
I think in terms of what do we need to do to strengthen our
partnerships, there is a fair amount of activity taking place
in back channels where security experts are discussing the
issues and the threats amongst themselves and also coordination
among the organizations. Organizations like TechAmerica have
undertaken industry working groups where we get together and we
discuss better ways to share information, not only between
ourselves but between government and the rest. And I think that
is also a very important step forward, in addition to,
obviously, the legislation that is proposed by the Committee.
Senator Coons. Thank you.
Mr. Gandy. Senator Coons, yes, we believe, the industry
believes that intellectual property is a target of these
malware writers. The intentions of Stuxnet, aside, we believe
malware will be on our enterprise business networks and on our
process control networks that will attempt to comprehensively
steal our intellectual property, reverse engineering our
processes, and stealing other sensitive business information.
Regarding what can we be doing more from a public-private
partnership, we continue to believe that continued working
groups, such as the Industrial Control Systems Joint Working
Group, are essential to the government, industry, and the
suppliers working together to work on the resiliencies of
control system security. We also continue to encourage
participation in national exercises such as the Cyber Storms so
that we can continue to work on information sharing, continue
to practice information sharing, identify road blocks, improve
the efficiency, effectiveness, and timeliness of the
information that is shared.
Senator Coons. Thank you very much to the panel, and thank
you, Mr. Chairman, for the opportunity to ask questions.
Chairman Lieberman. Thank you, Senator. I appreciate it.
The votes have gone off. I think rather than holding you
here and coming back, I will try to ask a few more questions
and see if I can hustle over before the votes are done.
I want to get clear--I think it was you, Mr. Turner, who
said that 60 percent of computers infected with Stuxnet are in
Iran.
Mr. Turner. That is correct. Sixty percent of the
infections that we have observed worldwide are coming from
Internet Protocol (IP) addresses of machines identified as
being in Iran.
Chairman Lieberman. And have we identified any computers
infected in the United States?
Mr. Turner. We have.
Chairman Lieberman. Just as a natural movement of the
Stuxnet, or is it also a unique----
Mr. Turner. Well, intent is one of the hardest things to
determine, Mr. Chairman. This particular threat and the way it
first propagated was via a USB device, taking advantage of a
particular vulnerability in Microsoft, something known as
``.lnk.'' So in order for something like that to propagate to
get over to the United States, a USB drive would have to get on
a plane. But that does not mean, of course, that the particular
code could not be transferred from one person to another.
Chairman Lieberman. Right.
Mr. Turner. We think that most of the infections we see
worldwide are anecdotal and antecedent to the originals.
Chairman Lieberman. They have fed off the original.
Mr. Turner. Correct.
Chairman Lieberman. Understood. Mr. McGurk, we have heard
you discuss the resources that DHS can provide for the private
sector in this regard. These are resources that the private
sector can choose to utilize or choose to ignore, correct?
Mr. McGurk. Yes, that is correct, Senator. We only respond
when requested by the private sector. We have no authorities to
actually direct that activity.
Chairman Lieberman. Right. So my question naturally is--and
I would ask the others as well quickly--whether you believe
that we can increase cyber security of our country's most
critical infrastructure through voluntary measures alone. Or
does the Department of Homeland Security in this case need some
enhanced authority? Obviously, to state underneath that the
whole premise of this hearing today and the focus on Stuxnet is
both to educate the Committee, but also to say to us as the
Homeland Security Committee, if this can be done to somebody
else, obviously it now can be done to us, so we better raise
our guard.
So let me come back to the question. Can we do what we have
to do by voluntary measures? Or does DHS need some kind of
enhanced authority? Mr. McGurk.
Mr. McGurk. Again, Senator, I appreciate the opportunity to
reply to that. I am a simple sailor, 28 years in the Navy. I am
used to executing and operating my orders under the authorities
that are granted to me. The Department has policy
decisionmakers in place that actually identify those
requirements. My focus is on managing and leading the
operational environment that I am entrusted with at the
Department. And given those responsibilities, we have been
operating within those guidelines. And for the most part, we
have not been as successful as we could potentially be, but we
are as successful as we can be within those guidelines.
Chairman Lieberman. So you would accept enhanced authority
if we gave it to you, but you are not appealing for it right
now? [Laughter.]
Mr. McGurk. Sir, I feel confident that I am still able to
execute the current mission given the requirements.
Chairman Lieberman. Mr. Assante.
Mr. Assante. Well, as a fellow Navy shipmate, Mr. McGurk, I
believe that DHS and the U.S. Government would benefit from
additional authorities in this area. I believe it is critical
that organizations cannot suffer in silence. If an advanced
threat is on our shores impacting our systems, that should be a
required thing to report. We should be able to muster the
effective resources that we have, whether it is in government
or within industry, to be able to tackle those and very rapidly
share information so we can protect our systems. I think
advance authority would allow us to do so.
I believe participating in regulation in the electric power
industry, you get to be very smart in how you design the
regulation and the legislation. Performance requirements are
very important in my book. I think there are some unsafe
practices that we continue to use that we need to ensure that
they are curtailed. And I think that we need to maximize our
ability to learn and still be able to innovate. So I think
authority is necessary.
Chairman Lieberman. Thank you.
Mr. Turner, my time is running out, but see if you can give
a quick answer, the same to Mr. Gandy.
Mr. Turner. I think that more time and effort needs to be
spent in shoring up the current channels of communication
between all parties involved in the discussion. There are, of
course, very tricky legal and ethical issues around certain
types of data that might be personally identifiable information
(PII) and the rest of it, because it is not just data that
occurs in the United States of America but data that occurs
elsewhere in the world.
Chairman Lieberman. Right.
Mr. Turner. And if the goal is to get as much information
as possible into the hands of the people who can do the most to
take care of the issue, the best way to do that is to actually
strengthen the channels of communication that currently exist.
Chairman Lieberman. Mr. Gandy, the chemical industry, as
you well know, is actually subject now under other legislation
to risk-based performance requirements similar to those
contemplated in our legislation. What do you think?
Mr. Gandy. That is correct. My response would be that I
believe there is evidence that the industry is already working
voluntarily, very productively, and the CFATS work that is
ongoing right now where DHS is out reviewing the registered
most critical sites of the critical infrastructure in the
chemical sector against those risk-based performance standards
will help us continue to improve our security posture in the
face of this threat.
Chairman Lieberman. Thank you. We have covered a lot more
ground, I might say, in this period of time than the Committee
usually does, and it is because not only we were rushed, but
because of the quality of the witnesses. I cannot thank you
enough.
I want to restate that this Committee is going to make our
cyber security legislation or legislation like it a priority
early in the next session, beginning in January.
We are going to keep the record of this hearing open for 15
days for additional questions and statements, but I thank you
very much for what you have done today and for the work you are
doing to protect our country every day.
The hearing is adjourned.
[Whereupon, at 11:22 a.m., the Committee was adjourned.]
A P P E N D I X
----------
[GRAPHIC] [TIFF OMITTED] 58034.001
[GRAPHIC] [TIFF OMITTED] 58034.002
[GRAPHIC] [TIFF OMITTED] 58034.003
[GRAPHIC] [TIFF OMITTED] 58034.004
[GRAPHIC] [TIFF OMITTED] 58034.005
[GRAPHIC] [TIFF OMITTED] 58034.006
[GRAPHIC] [TIFF OMITTED] 58034.007
[GRAPHIC] [TIFF OMITTED] 58034.008
[GRAPHIC] [TIFF OMITTED] 58034.009
[GRAPHIC] [TIFF OMITTED] 58034.010
[GRAPHIC] [TIFF OMITTED] 58034.011
[GRAPHIC] [TIFF OMITTED] 58034.012
[GRAPHIC] [TIFF OMITTED] 58034.013
[GRAPHIC] [TIFF OMITTED] 58034.014
[GRAPHIC] [TIFF OMITTED] 58034.015
[GRAPHIC] [TIFF OMITTED] 58034.016
[GRAPHIC] [TIFF OMITTED] 58034.017
[GRAPHIC] [TIFF OMITTED] 58034.018
[GRAPHIC] [TIFF OMITTED] 58034.019
[GRAPHIC] [TIFF OMITTED] 58034.020
[GRAPHIC] [TIFF OMITTED] 58034.021
[GRAPHIC] [TIFF OMITTED] 58034.022
[GRAPHIC] [TIFF OMITTED] 58034.023
[GRAPHIC] [TIFF OMITTED] 58034.024
[GRAPHIC] [TIFF OMITTED] 58034.025
[GRAPHIC] [TIFF OMITTED] 58034.026
[GRAPHIC] [TIFF OMITTED] 58034.027
[GRAPHIC] [TIFF OMITTED] 58034.028
[GRAPHIC] [TIFF OMITTED] 58034.029
[GRAPHIC] [TIFF OMITTED] 58034.030
[GRAPHIC] [TIFF OMITTED] 58034.031
[GRAPHIC] [TIFF OMITTED] 58034.032
[GRAPHIC] [TIFF OMITTED] 58034.033
[GRAPHIC] [TIFF OMITTED] 58034.034
[GRAPHIC] [TIFF OMITTED] 58034.035
[GRAPHIC] [TIFF OMITTED] 58034.036
[GRAPHIC] [TIFF OMITTED] 58034.037
[GRAPHIC] [TIFF OMITTED] 58034.038
[GRAPHIC] [TIFF OMITTED] 58034.039
[GRAPHIC] [TIFF OMITTED] 58034.040
[GRAPHIC] [TIFF OMITTED] 58034.041
[GRAPHIC] [TIFF OMITTED] 58034.042
[GRAPHIC] [TIFF OMITTED] 58034.043
[GRAPHIC] [TIFF OMITTED] 58034.044
[GRAPHIC] [TIFF OMITTED] 58034.045
[GRAPHIC] [TIFF OMITTED] 58034.046
[GRAPHIC] [TIFF OMITTED] 58034.047
[GRAPHIC] [TIFF OMITTED] 58034.048
[GRAPHIC] [TIFF OMITTED] 58034.049
[GRAPHIC] [TIFF OMITTED] 58034.050
[GRAPHIC] [TIFF OMITTED] 58034.051
[GRAPHIC] [TIFF OMITTED] 58034.052
[GRAPHIC] [TIFF OMITTED] 58034.053
[GRAPHIC] [TIFF OMITTED] 58034.054
[GRAPHIC] [TIFF OMITTED] 58034.055
[GRAPHIC] [TIFF OMITTED] 58034.056
[GRAPHIC] [TIFF OMITTED] 58034.057
[GRAPHIC] [TIFF OMITTED] 58034.058
[GRAPHIC] [TIFF OMITTED] 58034.059
[GRAPHIC] [TIFF OMITTED] 58034.060
[GRAPHIC] [TIFF OMITTED] 58034.061
[GRAPHIC] [TIFF OMITTED] 58034.062
[GRAPHIC] [TIFF OMITTED] 58034.063
[GRAPHIC] [TIFF OMITTED] 58034.064
[GRAPHIC] [TIFF OMITTED] 58034.065
[GRAPHIC] [TIFF OMITTED] 58034.066
[GRAPHIC] [TIFF OMITTED] 58034.067
[GRAPHIC] [TIFF OMITTED] 58034.068
[GRAPHIC] [TIFF OMITTED] 58034.069
[GRAPHIC] [TIFF OMITTED] 58034.070
[GRAPHIC] [TIFF OMITTED] 58034.071
[GRAPHIC] [TIFF OMITTED] 58034.072
[GRAPHIC] [TIFF OMITTED] 58034.073
[GRAPHIC] [TIFF OMITTED] 58034.074
[GRAPHIC] [TIFF OMITTED] 58034.075
[GRAPHIC] [TIFF OMITTED] 58034.076
[GRAPHIC] [TIFF OMITTED] 58034.077
[GRAPHIC] [TIFF OMITTED] 58034.078
[GRAPHIC] [TIFF OMITTED] 58034.079
[GRAPHIC] [TIFF OMITTED] 58034.080
[GRAPHIC] [TIFF OMITTED] 58034.081
[GRAPHIC] [TIFF OMITTED] 58034.082
[GRAPHIC] [TIFF OMITTED] 58034.083
[GRAPHIC] [TIFF OMITTED] 58034.084
[GRAPHIC] [TIFF OMITTED] 58034.085
[GRAPHIC] [TIFF OMITTED] 58034.086
[GRAPHIC] [TIFF OMITTED] 58034.087
[GRAPHIC] [TIFF OMITTED] 58034.088
[GRAPHIC] [TIFF OMITTED] 58034.089
[GRAPHIC] [TIFF OMITTED] 58034.090
[GRAPHIC] [TIFF OMITTED] 58034.091
[GRAPHIC] [TIFF OMITTED] 58034.092
[GRAPHIC] [TIFF OMITTED] 58034.093
[GRAPHIC] [TIFF OMITTED] 58034.094
[GRAPHIC] [TIFF OMITTED] 58034.095
[GRAPHIC] [TIFF OMITTED] 58034.096
[GRAPHIC] [TIFF OMITTED] 58034.097
[GRAPHIC] [TIFF OMITTED] 58034.098
[GRAPHIC] [TIFF OMITTED] 58034.099
[GRAPHIC] [TIFF OMITTED] 58034.100
[GRAPHIC] [TIFF OMITTED] 58034.101
[GRAPHIC] [TIFF OMITTED] 58034.102
[GRAPHIC] [TIFF OMITTED] 58034.103
[GRAPHIC] [TIFF OMITTED] 58034.104
[GRAPHIC] [TIFF OMITTED] 58034.105
[GRAPHIC] [TIFF OMITTED] 58034.106
[GRAPHIC] [TIFF OMITTED] 58034.107
[GRAPHIC] [TIFF OMITTED] 58034.108
[GRAPHIC] [TIFF OMITTED] 58034.109
[GRAPHIC] [TIFF OMITTED] 58034.110
[GRAPHIC] [TIFF OMITTED] 58034.111
[GRAPHIC] [TIFF OMITTED] 58034.114
[GRAPHIC] [TIFF OMITTED] 58034.112
[GRAPHIC] [TIFF OMITTED] 58034.113
�