[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]
EXAMINING THE CYBER THREAT TO CRITICAL INFRASTRUCTURE AND THE AMERICAN
ECONOMY
=======================================================================
HEARING
before the
SUBCOMMITTEE ON CYBERSECURITY,
INFRASTRUCTURE PROTECTION,
AND SECURITY TECHNOLOGIES
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED TWELFTH CONGRESS
FIRST SESSION
__________
MARCH 16, 2011
__________
Serial No. 112-11
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC] [TIFF OMITTED]
Available via the World Wide Web: http://www.gpo.gov/fdsys/
__________
U.S. GOVERNMENT PRINTING OFFICE
72-221 WASHINGTON : 2012
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC
area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC
20402-0001
COMMITTEE ON HOMELAND SECURITY
Peter T. King, New York, Chairman
Lamar Smith, Texas Bennie G. Thompson, Mississippi
Daniel E. Lungren, California Loretta Sanchez, California
Mike Rogers, Alabama Sheila Jackson Lee, Texas
Michael T. McCaul, Texas Henry Cuellar, Texas
Gus M. Bilirakis, Florida Yvette D. Clarke, New York
Paul C. Broun, Georgia Laura Richardson, California
Candice S. Miller, Michigan Danny K. Davis, Illinois
Tim Walberg, Michigan Brian Higgins, New York
Chip Cravaack, Minnesota Jackie Speier, California
Joe Walsh, Illinois Cedric L. Richmond, Louisiana
Patrick Meehan, Pennsylvania Hansen Clarke, Michigan
Ben Quayle, Arizona William R. Keating, Massachusetts
Scott Rigell, Virginia Vacancy
Billy Long, Missouri Vacancy
Jeff Duncan, South Carolina
Tom Marino, Pennsylvania
Blake Farenthold, Texas
Mo Brooks, Alabama
Michael J. Russell, Staff Director/Chief Counsel
Kerry Ann Watkins, Senior Policy Director
Michael S. Twinchek, Chief Clerk
I. Lanier Avant, Minority Staff Director
------
SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY
TECHNOLOGIES
Daniel E. Lungren, California, Chairman
Michael T. McCaul, Texas Yvette D. Clarke, New York
Tim Walberg, Michigan, Vice Chair Laura Richardson, California
Patrick Meehan, Pennsylvania Cedric L. Richmond, Louisiana
Billy Long, Missouri William R. Keating, Massachusetts
Tom Marino, Pennsylvania Bennie G. Thompson, Mississippi
Peter T. King, New York (Ex (Ex Officio)
Officio)
Coley C. O'Brien, Staff Director
Alan Carroll, Subcommittee Clerk
Dr. Chris Beck, Minority Subcommittee Director
C O N T E N T S
----------
Page
Statements
The Honorable Daniel E. Lungren, a Representative in Congress
From the State of California, and Chairman, Subcommittee on
Cybersecurity, Infrastructure Protection, and Security
Technologies................................................... 1
The Honorable Yvette D. Clark, a Representative in Congress From
the State of New York, and Ranking Member, Subcommittee on
Cybersecurity, Infrastructure Protection, and Security
Technologies................................................... 2
Witness
Mr. Philip Reitinger, Deputy Under Secretary, National Protection
and Programs Directorate, Department of Homeland Security:
Oral Statement................................................. 5
Prepared Statement............................................. 6
Mr. Gregory Wilshusen, Director of Information Security Issues,
Government Accountability Office:
Oral Statement................................................. 14
Prepared Statement............................................. 16
Dr. Phyllis Schneck, Vice President and Chief Technical Officer,
McAfee Inc.:
Oral Statement................................................. 32
Prepared Statement............................................. 34
Mr. James A. Lewis, Director and Senior Fellow, Technology and
Public Policy Program, Center for Strategic and International
Studies:
Oral Statement................................................. 39
Prepared Statement............................................. 40
Ms. Mischel Kwon, President, Mischel Kwon Associates:
Oral Statement................................................. 46
Prepared Statement............................................. 47
Appendix
Question From Chairman Daniel E. Lungren of California........... 63
EXAMINING THE CYBER THREAT TO
CRITICAL INFRASTRUCTURE AND THE AMERICAN ECONOMY
----------
Wednesday, March 16, 2011
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity, Infrastructure Protection,
and Security Technologies,
Washington, DC.
The subcommittee met, pursuant to call, at 10:05 a.m., in
Room 311, Cannon House Office Building, Hon. Daniel E. Lungren
[Chairman of the subcommittee] presiding.
Present: Representatives Lungren, McCaul, Walberg, Meehan,
Long, Marino, Clarke, Richmond, and Keating.
Mr. Lungren. The Committee on Homeland Security,
Subcommittee on Cybersecurity, Infrastructure Protection, and
Security Technologies will come to order.
The subcommittee is meeting today to hear testimony from
Phil Reitinger, the Deputy Under Secretary for National
Protection and Programs Directorate of DHS; Gregory Wilshusen,
the Director of Information Security Issues at GAO; Phyllis
Schneck, Vice President and Chief Technology Officer at McAfee,
Inc.; James Lewis, Director and Senior Policy Fellow at the
Center for Strategic and International Studies; and Mischel
Kwon, President of Mischel Kwon Associates, LLC.
Today we will examine the cyber threat to U.S. critical
infrastructure, how it affects the economy, and what Government
is doing to address the threat.
Twenty-five years ago, the concept of cyber threat, or a
cyber attack, was an issue of interest to really only a few
researchers in academics. In this post-9/11 terrorist era the
cyber threat is serious, multifaceted, and boundless, posing a
significant risk to U.S. economic and National security.
The Director of National Intelligence stated in testimony
before the Congress, ``The growing connectivity between
information systems, the internet, and other infrastructures
creates opportunities for attackers to disrupt
telecommunications, electrical power, energy pipelines,
financial networks, and other critical infrastructures.''
The information revolution launched by the internet has
reached into every corner of our lives. While it provides users
many benefits, it also exposes them to new and dangerous risks.
These new risks include cyber criminals, spies and terrorists,
using the digital internet as a pathway to personal bank
accounts as well as Government and industrial secrets. Cyber
attacks are growing more frequent, targeted, sophisticated, and
dangerous.
Most of these attacks are motivated by financial or
intellectual property theft, disruption of commerce, or
intelligence collection. Cyber attacks have been launched
against nations, Estonia in 2007, Georgia in 2009, and Iran in
2010. They were all the subject of cyber attacks that either
paralyzed Government operations or targeted critical
infrastructure. Last year, Google and 20 other major companies
were the targets of highly sophisticated attacks to steal their
intellectual property and user accounts. This attack allegedly
emanated from China.
If terror groups are watching this cyber activity and
targeting our critical infrastructure--and we believe they
are--this raises the stakes in our war on terror. U.S. critical
infrastructure--by that I mean roads, bridges, dams, electrical
system, power systems--overall, that critical infrastructure is
the backbone of our dynamic and productive economy. Attacks on
this critical infrastructure will impact our National and
economic security as well as the health and safety of our
fellow citizens.
Today, our critical infrastructure relies extensively on
computerized information systems and the internet which cannot
be protected as in the traditional way with guns, gates, and
guards. This reliance on computers and the internet makes our
critical infrastructure operations vulnerable to cyber attack.
This vulnerability was demonstrated a few years ago in a
simulated attack on our electric power grid, which also was
code-named Aurora.
The computer security company, McAfee, reports that 54
percent of executives of critical infrastructure companies
surveyed said their companies had been the victims of denial of
service attacks and network infiltration from organized crime,
terrorists, or other nation states.
Recent media reports have described a new cyber threat
called Stuxnet, which can target critical infrastructure,
including nuclear facilities. According to these published
reports, Stuxnet is a complex piece of malware designed to
interfere with the seamen's industrial control systems
operating the Iranian nuclear facilities. This makes Stuxnet,
at least according to published reports, it makes that malware
a very dangerous offensive cyber weapon that overtakes critical
control system operations.
So if an anonymous enemy or terrorist ever seizes the
control systems of, let's say, dams or chemical or power plants
via the cyber world, that terrorist could cause death and
destruction in the real world.
So many questions remain about how to defend our
cyberspace. What solutions, policies, or technology can we
develop to improve our Nation's cybersecurity? We welcome our
public and private witnesses today who will begin us on a
journey to answer these questions.
It is now my pleasure to recognize the Ranking Member of
our subcommittee, Ms. Clarke, for her opening statement.
Ms. Clarke. Good morning, and thank you to all of our
witnesses for appearing before us today.
I would like to thank Chairman Lungren for holding this
hearing on cybersecurity and for your intention to move
expeditiously on what I know we both recognize as a critical
issue.
While there are a number of new faces up here on the dais,
I believe this subcommittee will continue to place significant
focus on the issue of cybersecurity just as we did during the
110th Congress. I know Mr. Lungren takes this responsibility as
seriously as I do, and I look forward to partnering with him
again over the next 2 years to ensure the safety and security
of the American people, American businesses, American
infrastructure, and the American way of life.
Today's hearing will likely be the first of several
cybersecurity hearings that the subcommittee will hold, and it
is easy to understand why this issue dominates our agenda. We
rely on information technology in every aspect of our lives,
from our electric grid, banking systems, military and
government functions, to our e-mail and web browsers.
Interconnected computers and networks have led to amazing
developments in our society. Increased productivity, knowledge,
services, and revenues are all benefits generated by our modern
networked world. But in our rush to network everything, few
stopped to consider the security ramifications of this new
world we were creating, and so we find ourselves in an
extremely dangerous situation today.
Too many vulnerabilities exist on too many critical
networks which are exposed to too many skilled attackers who
can inflict too many intrusions into our systems.
Unfortunately, to this day, too few people are even aware of
these dangers and fewer still are doing anything about it. This
committee will continue to sound the alarm, raise awareness of
the problems we face, and move forward with practical,
effective solutions.
This hearing comes at a critical moment in our Nation's
approach to the cyber threat. There is a very real and
significant threat to our National and economic security that
we now face in cyberspace, and we must do something equally
real and significant to meet this challenge.
We are expecting, and this committee is eager to see, a
National cybersecurity strategy from the White House to be
released very soon. The Department is finalizing its National
cyber incident response plan and will also include a
cybersecurity strategy as called for in the 2010 Quadrennial
Homeland Security Review.
The Congress is interested in legislation to afford DHS
authority it needs to protect the dot-gov domain and critical
infrastructures in the private sector. The previous two decades
have seen countless reports from America's thought leaders in
cybersecurity containing hundreds of recommendations about how
to improve America's posture in cyberspace. What has been
lacking is the courage and leadership to actually implement
these recommendations. To ensure our National and economic
security, now is the time we must act.
The U.S. Government must chart a new course to cyberspace.
The private sector must also be a full partner and accept its
share of responsibility for our combined security. Now is the
time to stop planning and start acting.
The Chairman's intention with this hearing is to give this
subcommittee some background on the issues facing us.
Cybercrime costs this country billions of dollars a year. We
know that our Government networks are attacked tens of
thousands of times per day and private sector networks are
attacked even more often. We know that our critical
infrastructures are already compromised and penetrated. The
enemy has already successfully attacked and continues to do so.
We need to absorb this information, get up to speed quickly,
and move forward to address this issue. We have already lost
many small battles. We have to start protecting ourselves
before an attack big enough to cause irreparable damage is
carried out.
To the witnesses appearing before us today, I thank you for
being here, and I welcome your thoughts on the issues before
us, including what you think an effective National
cybersecurity policy should look like. Chairman Lungren and I
intend for this subcommittee, as well as the full committee, to
play a leading role in shaping our National cyber posture in
the years to come.
Thank you, Chairman, and I yield back.
Mr. Lungren. Thank you very much, Madam Ranking Member, and
I appreciate your spirit of cooperation with which you led this
subcommittee and continuing now.
Other Members are reminded that they may give us their
statements that will be entered into the record.
We are pleased to have a very distinguished panel of
witnesses before us today on this important topic. Deputy Under
Secretary Phil Reitinger was named Deputy Under Secretary for
NPPD in 2009. He also serves as the Director of the National
Cybersecurity Center. In this role, he provides strategic
direction to the Department's cybersecurity efforts. Prior to
joining the Department, he was the senior security strategist
for Microsoft's trustworthy computing program, so he is well
versed in the challenges facing both Government and the private
sector in dealing with the important issue of cybersecurity.
Prior to serving with Microsoft, Deputy Under Secretary
Reitinger was the Executive Director for the Department of
Defense's Cybercrime Center. Before that, he was the Deputy
Chief of the Department of Justice's Computer Crime and
Intellectual Property Section, proving that he just can't keep
a job. No. He has had tremendous experience and has a unique
perspective from multiple positions within the administration
and therefore has much wisdom with which to guide us.
Greg Wilshusen has been with the GAO for over 13 years and
has been over 29 years in auditing financial management
information systems. He is a certified public accountant,
certified internal auditor, certified information systems
auditor. He holds a B.S. degree in business administration from
the University of Missouri. Are they in the----
Mr. Wilshusen. Yes, they are. In fact, they are playing
tomorrow evening at 9:50 against----
Mr. Lungren. I see. Notre Dame doesn't play until Friday at
1:40 eastern time, but I hope to be in California so I will be
watching them from the Pacific coast.
An MS in information management from George Washington
University School of Engineering and Applied Sciences. At GAO,
he has overseen multiple reports on information security, both
at DHS and Government-wide.
The Chair recognizes Mr. Reitinger, who will testify on
behalf of the Department of Homeland Security.
STATEMENT OF PHILIP REITINGER, DEPUTY UNDER SECRETARY, NATIONAL
PROTECTION AND PROGRAMS DIRECTORATE, DEPARTMENT OF HOMELAND
SECURITY
Mr. Reitinger. Thank you very much, Chairman Lungren and
Ranking Member Clarke. It is indeed an honor to be here today
to talk before the committee.
As you pointed out, sir, my name is Phillip Reitinger, and
I am the Deputy Under Secretary at the Department of Homeland
Security.
Appropos of your comment about my inability to keep a job,
I would say I am not sure I need to be here today based on the
opening comments that you and the Ranking Member made. Let me
give you an Amen from the congregation; you understand the
issue, you get it. So I am going to speak very briefly about
three quick points, and then I would be happy, after Greg
talks, to answer any questions that you have.
The three points I wanted to quickly raise are that
cybersecurity is a critical issue; second, there is no simple
solution, neither entity or technology, that is going to solve
the problem; and three, that although we have made significant
progress over the course of my 15 to 20 years involved in this
space and the more significant efforts of many more people over
a longer period of time, we are not yet where we need to be. We
need to actually--not to be jargonistic, but we need to take
this to a new level.
So let me start with the first point, that cybersecurity is
a critical issue. This goes back to the comments that you made,
Chairman. The threat is significant, and the threat is getting
more significant. Perhaps more important, we are depending more
on information networks every day--not just for looking at a
cute video on-line or our ability to send an e-mail, but for
the basic functioning of our economy.
It is not just a security issue, it is an economic issue.
We don't have power, we don't have phone service, we don't have
9-1-1 service, we don't get water, we don't have banking
without the proper functioning of the internet and the systems
that are connected to it. So we must treat this as a critical
issue, and, in fact, we have, over the course of the last two
administrations. Cybersecurity has been a bipartisan issue,
going from the launch of the Comprehensive National
Cybersecurity Initiative in the prior administration through
the current Presidents's Cyberspace Policy Review and the on-
going work to cross both administrations and across both
parties in both Houses of Congress to move the issue forward.
But it is a complex problem. There is no simple solution.
There is no single entity, no private sector player or even the
private sector together. DHS, DOD, the Department of Commerce,
all of them need to be involved, and none of them standing
alone--and none of them even standing in the forefront with a
little bit of help from others is going to solve the problem.
We actually do have to work this broadly in partnership. By
partnership, I don't mean saying partnership we all sing
Kumbaya and we go home. I mean, we actually work together to
drive outcomes, that we have known roles and responsibilities
and we execute on those things.
In that space, DHS plays a critical role. We are
responsible for leading the protection of the civilian
government systems and private sector, so-called dot-com
systems, even though it is broader than that. I say ``lead''
advisedly because this is not about DHS will come in and solve
all your problems for you. We are not going to do that. But
what we can do is we can help. Everybody has got to build
security into their own operations--private sector companies,
civilian government agencies and DHS; we have got to build it
into our DNA. DHS has got to do the job of helping people to
execute much more effectively. We have had signal successes in
that role. The Chairman mentioned the creation of the first
real National incident response plan to bring all of Government
and private sector together so we can respond as one Nation to
a significant cyber event.
A plan that we tested in a major exercise last year that
involved several thousand people--literally, several thousand
people around the globe, tens of private sector companies, over
10 nations around the world and over 10 States and localities.
I will talk more after my opening statement in response to your
questions.
The last thing I would say in closing is that much more
remains to be done. As the Ranking Member indicated, we are
systemically vulnerable. We have made significant progress, but
we are not yet where we need to be. So as the Ranking Member
indicated, what we have to do is focus on implementation. What
makes a difference day to day, week to week, month to month?
How can we do that? That is one of the reasons why partnership
from the Government Accountability Office is so important to
us. It can help us prioritize, indicate areas for further
progress, and help us find the best way forward.
Together, we need to have that broad public dialogue which
I am sure will take place this year across the public and
private sectors about how we close the gap between where we are
now and where we need to be. With that, I will look forward
very much to the questions of the subcommittee. Thank you.
[The statement of Mr. Reitinger follows:]
Prepared Statement of Philip Reitinger
March 16, 2011
introduction
Chairman Lungren, Vice Chairman Walberg, Ranking Member Clarke, and
distinguished Members of the subcommittee, it is a pleasure to appear
before you today to discuss the Department of Homeland Security's (DHS)
cybersecurity mission. I will provide an overview of the current
cybersecurity environment, the Department's cybersecurity mission as it
relates to critical infrastructure, and the coordination of this
mission with our public and private sector partners.
We would like to work more with you to convey the relevance of
cybersecurity to average Americans. Increasingly, the services we rely
on for daily life, such as water distribution and treatment,
electricity generation and transmission, health care, transportation,
and financial transactions depend on an underlying information
technology and communications infrastructure. Cyber threats put the
availability and security of these and other services at risk.
the current cybersecurity environment
The United States confronts a combination of known and unknown
vulnerabilities, strong and rapidly expanding adversary capabilities,
and a lack of comprehensive threat and vulnerability awareness. Within
this dynamic environment, we are confronted with threats that are more
targeted, more sophisticated, and more serious.
Sensitive information is routinely stolen from both Government and
private sector networks, undermining confidence in our information
systems and the information collection and sharing process, and as bad
as the loss of precious National intellectual capital is, we
increasingly face threats that are even greater. We currently cannot be
certain that our information infrastructure will remain accessible and
reliable during a time of crisis.
We face persistent, unauthorized, and often unattributed intrusions
into Federal Executive Branch civilian networks. These intruders span a
spectrum of malicious actors, including nation states, terrorist
networks, organized criminal groups, or individuals located here in the
United States. They have varying levels of access and technical
sophistication, but all have nefarious intent. Several are capable of
targeting elements of the U.S. information infrastructure to disrupt,
dismantle, or destroy systems upon which we depend. Motives include
intelligence collection, intellectual property or monetary theft, or
disruption of commercial activities, among others. Criminal elements
continue to show increasing levels of sophistication in their technical
and targeting capabilities and have shown a willingness to sell these
capabilities on the underground market. In addition, terrorist groups
and their sympathizers have expressed interest in using cyberspace to
target and harm the United States and its citizens. While some have
commented on terrorists' own lack of technical abilities, the
availability of technical tools for purchase and use remains a
potential threat.
Malicious cyber activity can instantaneously result in virtual or
physical consequences that threaten National and economic security,
critical infrastructure, public health and welfare, and confidence in
Government. Similarly, stealthy intruders can lay a hidden foundation
for future exploitation or attack, which they can then execute at their
leisure--and at their time of greatest advantage. Securing cyberspace
requires a layered security approach. Moreover, securing cyberspace is
also critical to accomplishing nearly all of DHS's other missions
successfully.
We need to support the efforts of our State and local government
and private sector partners to secure themselves against malicious
activity in cyberspace. Similarly, we need to ensure that the Federal
civilian environment is secure and that legitimate traffic is allowed
to flow freely while malicious traffic is prevented from penetrating
our defenses. Collaboratively, public and private sector partners must
use our knowledge of these systems and their interdependencies to
prepare to respond should defensive efforts fail. This is a serious
challenge, and DHS is continually making strides to improve the
Nation's overall operational posture and policy efforts. In addition,
other departments, such as the Department of Education, are working to
educate parents and students on internet safety and privacy protection.
cybersecurity mission
Let me be clear that no single technology--or single Government
entity--alone can overcome the cybersecurity challenges our Nation
faces. Cybersecurity must start with informed users taking necessary
precautions and extend through a coordinated effort between the private
sector, critical infrastructure owners and operators, and the extensive
expertise that lies across coordinated Government entities. The
National Protection and Programs Directorate (NPPD) within DHS is
responsible for the following key cybersecurity missions:
Leading the effort to secure Federal Executive Branch
civilian departments and agencies' unclassified networks;
Providing technical expertise to the private sector and
critical infrastructure and key resources (CIKR) owners and
operators--whether private sector, State, or municipality
owned--to bolster their cybersecurity preparedness, risk
assessment, mitigation and incident response capabilities;
Raising cybersecurity awareness among the general public;
and
Coordinating the National response to domestic cyber
emergencies.
Leveraging cyber defense capability across all departments
and agencies to detect, respond, isolate, and remediate cyber
attacks or practices dangerous to security and privacy.
In a reflection of the bipartisan nature with which the Federal
Government continues to approach cybersecurity, President Obama
determined that the Comprehensive National Cybersecurity Initiative
(CNCI) and its associated activities should evolve to become key
elements of the broader National cybersecurity efforts. These CNCI
initiatives play a central role in achieving many of the key
recommendations of the President's Cyberspace Policy Review: Assuring a
Trusted and Resilient Information and Communications Infrastructure.
Following the publication of those recommendations in May 2009, DHS and
its components developed a long-range vision of cybersecurity for the
Department and the Nation's homeland security enterprise, which is
encapsulated in the Quadrennial Homeland Security Review (QHSR). The
QHSR provides an overarching framework for the Department and defines
our key priorities and goals. One of the five priority areas detailed
in the QHSR is safeguarding and securing cyberspace. Within the
cybersecurity mission area, the QHSR identifies two overarching goals:
To help create a safe, secure, and resilient cyber environment; and to
promote cybersecurity knowledge and innovation.
In alignment with the QHSR, Secretary Napolitano consolidated many
of the Department's cybersecurity efforts under NPPD. The Office of
Cybersecurity and Communications (CS&C), a component of NPPD, focuses
on reducing risk to the Nation's communications and information
technology infrastructures and the sectors that depend upon them, as
well as enabling timely response and recovery of these infrastructures
under all circumstances. The functions and mission of the National
Cybersecurity Center (NCSC) are now supported by CS&C. These functions
include coordinating operations among the six largest Federal cyber
centers. CS&C also coordinates National security and emergency
preparedness communications planning and provisioning for the Federal
Government and other stakeholders. CS&C comprises three divisions: the
National Cyber Security Division (NCSD), the Office of Emergency
Communications, and the National Communications System. Within NCSD,
the United States Computer Emergency Readiness Team (US-CERT) is
working more closely than ever with our public and private sector
partners to share what we learn from EINSTEIN 2, a Federal executive
agency computer network intrusion detection system, to deepen our
collective understanding, identify threats collaboratively, and develop
effective security responses. EINSTEIN enables us to respond
proactively to warnings and other indicators of operational cyber
attacks, and we have many examples showing that this program investment
has paid for itself several times over.
Teamwork--ranging from intra-agency to international
collaboration--is essential to securing cyberspace. Simply put, the
cybersecurity mission cannot be accomplished by any one agency; it
requires teamwork and coordination. Together, we can leverage
resources, personnel, and skill sets that are needed to achieve a more
secure and reliable cyberspace.
NCSD collaborates with Federal Government stakeholders, including
civilian agencies, law enforcement, the military, the intelligence
community, State and local partners, and private sector stakeholders,
to conduct risk assessments and mitigate vulnerabilities and threats to
information technology assets and activities affecting the operation of
civilian government and private sector critical infrastructures. NCSD
also provides cyber threat and vulnerability analysis, early warning,
and incident response assistance for public and private sector
constituents. To that end, NCSD carries out the majority of DHS' non-
law enforcement cybersecurity responsibilities.
national cyber incident response
The President's Cyberspace Policy Review called for ``a
comprehensive framework to facilitate coordinated responses by
government, the private sector, and allies to a significant cyber
incident.'' DHS coordinated the interagency, State and local
government, and private sector working group that developed the
National Cyber Incident Response Plan. The plan provides a framework
for effective incident response capabilities and coordination among
Federal agencies, State and local governments, the private sector, and
international partners during significant cyber incidents. It is
designed to be flexible and adaptable to allow synchronization of
response activities across jurisdictional lines. In September 2010, DHS
hosted Cyber Storm III, a response exercise in which members of the
domestic and international cyber incident response community addressed
the scenario of a coordinated cyber event. During the event, the
National Cyber Incident Response Plan was activated and its incident
response framework was tested. Based on observations from the exercise,
the plan is in its final stages of revision prior to publication.
Cyber Storm III also tested the National Cybersecurity and
Communications Integration Center (NCCIC)--DHS' 24-hour cyber watch and
warning center--and the Federal Government's full suite of
cybersecurity response capabilities. The NCCIC works closely with
Government at all levels and with the private sector to coordinate the
integrated and unified response to cyber and communications incidents
impacting homeland security.
Numerous DHS components, including US-CERT, the Industrial Control
Systems Cyber Emergency Response Team (ICS-CERT), and the National
Coordinating Center for Telecommunications (NCC), are collocated into
the NCCIC. Also present in the NCCIC are other Federal partners, such
as the Department of Defense (DoD) and members of the law enforcement
and intelligence communities. The NCCIC also physically collocates
Federal staff with private sector and non-Governmental partners.
Currently, representatives from the Information Technology and
Communications sectors are located at the NCCIC. We are also finalizing
steps to add representatives from the Banking and Finance sector, as
well as the Multi-State Information Sharing and Analysis Center (MS-
ISAC).
By leveraging the integrated operational capabilities of its member
organizations, the NCCIC serves as an ``always on'' cyber incident
response and management center, providing indications and warning of
imminent incidents, and maintaining a National cyber ``common operating
picture.'' This facilitates situational awareness among all partner
organizations, and also creates a repository of all vulnerability,
intrusion, incident, and mitigation activities. The NCCIC also serves
as a National point of integration for cyber expertise and
collaboration, particularly when developing guidance to mitigate risks
and resolve incidents. Finally, the unique and integrated nature of the
NCCIC allows for a scalable and flexible coordination with all
interagency and private sector staff during steady-state operations, in
order to strengthen relationships and solidify procedures as well as
effectively incorporate partners as needed during incidents.
providing technical expertise to the private sector and critical
infrastructure
DHS has significant cybersecurity capabilities, and we are using
those capabilities to great effect as we work collaboratively with the
private sector to protect the Nation's CIKR. We engage with the private
sector on a voluntary basis to provide on-site analysis, mitigation
support, and assessment assistance. Over the past year, we have
repeatedly shown our ability to materially and expeditiously assist
companies with cyber intrusion mitigation and incident response. We are
able to do so through our trusted and close relationships with private
sector companies as well as Federal departments and agencies. Finally,
our success in assisting the private sector is due in no small part to
our dedication to properly and fully addressing privacy, civil rights,
and civil liberties in all that we do. Initiating technical assistance
with a private company to provide them analysis and mitigation advice
is a sensitive endeavor--one that requires trust and strict
confidentiality. Within our analysis and warning mission space, DHS has
a proven ability to provide that level of trust and confidence in the
engagement. Our efforts are unique among Federal agencies' capabilities
in that DHS focuses on computer network defense and protection rather
than law enforcement or intelligence functions. DHS engages precisely
to mitigate the threat to the network to reduce future risks.
Our approach requires vigilance and a voluntary public-private
partnership. Indeed, we are continuing to build our capabilities and
our relationships; we must because the cyber threat trends only more
sophisticated and more frequent.
Over the past year, we stood up the NCCIC and are adding staff to
that center, both from existing DHS personnel and from partner
organizations in the public and private sectors. More broadly, we are
continuing to hire more cybersecurity professionals and are increasing
training available to our employees. We have an operational National
Cyber Incident Response Plan (NCIRP), and we continue to update and
improve it with input from senior cybersecurity leaders. We will be
releasing the NCIRP publicly in the coming weeks. We are executing
within our current mission and authorities now: Receiving and
responding to substantial netflow data from our intrusion detection
technologies deployed to our Federal partners, and leveraging that data
to provide early warnings and indicators across Government and
industry. With our people, processes, and technology, we stand ready to
execute the responsibilities of the future.
US-CERT provides remote and on-site response support and defense
against malicious cyber activity for the Federal Executive Branch
civilian networks. US-CERT also collaborates, provides remote and on-
site response support and shares information with State and local
government, critical infrastructure owners and operators, and
international partners to address cyber threats and develop effective
security responses.
In addition to specific mitigation work we conduct with individual
companies and sectors, DHS looks at the interdependencies across
critical infrastructure sectors for a holistic approach to providing
our cyber expertise. For example, the electric, nuclear, water,
transportation, and communications sectors support functions across all
levels of government including Federal, State, local, and Tribal
governments, and the private sector. Government bodies and
organizations do not inherently produce these services and must rely on
private sector organizations, just as other businesses and private
citizens do. Therefore, an event impacting control systems has
potential implications at all these levels, and could also have
cascading effects upon all 18 sectors. For example, water and
wastewater treatment, chemical, and transportation depend on the energy
sector, and failure in one of these sectors could subsequently affect
Government and private sector operations.
NCCIC's operations are complemented in the arena of industrial
control systems by ICS-CERT. The term ``control system'' encompasses
several types of systems, including Supervisory Control and Data
Acquisition (SCADA), process control, and other automated systems that
are found in the industrial sectors and critical infrastructure. These
systems are used to operate physical processes that produce the goods
and services that we rely upon, such as energy, drinking water,
emergency services, transportation, postal and shipping, and public
health. Control systems security is particularly important because of
the inherent interconnectedness of the CIKR sectors and their
dependence on one another.
As such, assessing risk and effectively securing industrial control
systems are vital to maintaining our Nation's strategic interests,
public safety, and economic well-being. A successful cyber attack on a
control system could result in physical damage, loss of life, and
cascading effects that could disrupt services. DHS recognizes that the
protection and security of control systems is essential to the Nation's
overarching security and economy. In this context, as an example of
many related initiatives and activities, DHS--in coordination with the
Department of Commerce's National Institute of Standards and Technology
(NIST), the Department of Energy, and DoD--has provided a forum for
researchers, subject matter experts and practitioners dealing with
cyber-physical systems security to assess the current state of the art,
identify challenges, and provide input to developing strategies for
addressing these challenges. Specific infrastructure sectors considered
include energy, chemical, transportation, water and wastewater
treatment, health care and public health, and commercial facilities. A
2010 published report of findings and recommendations is available upon
request.
ICS-CERT provides on-site support to owners and operators of
critical infrastructure for protection against and response to cyber
threats, including incident response, forensic analysis, and site
assessments. ICS-CERT also provides tools and training to increase
stakeholder awareness of evolving threats to industrial control
systems.
A real-world threat emerged last year that significantly changed
the landscape of targeted cyber attacks on industrial control systems.
Malicious code, dubbed Stuxnet, was detected in July 2010. DHS analysis
concluded that this highly complex computer worm was the first of its
kind, written to specifically target mission-critical control systems
running a specific combination of software and hardware.
ICS-CERT analyzed the code and coordinated actions with critical
infrastructure asset owners and operators, Federal partners, and
Information Sharing and Analysis Centers. Our analysis quickly
uncovered that sophisticated malware of this type potentially has the
ability to gain access to, steal detailed proprietary information from,
and manipulate the systems that operate mission-critical processes
within the Nation's infrastructure. In other words, this code can
automatically enter a system, steal the formula for the product being
manufactured, alter the ingredients being mixed in the product, and
indicate to the operator and the operator's anti-virus software that
everything is functioning normally.
To combat this threat, ICS-CERT has been actively analyzing and
reporting on Stuxnet since it was first detected in July 2010. To date,
ICS-CERT has briefed dozens of Government and industry organizations
and released multiple advisories and updates to the industrial control
systems community describing steps for detecting an infection and
mitigating the threat. As always, we attempt to balance the need for
public information sharing while limiting the information that
malicious actors may exploit. DHS provided the alerts in accordance
with its responsible disclosure processes.
The purpose and function for responsible disclosure is to ensure
that DHS executes its mission of mitigating risk to critical
infrastructure, not necessarily to be the first to publish on a given
threat. For example, ICS-CERT's purpose in conducting the Stuxnet
analysis was to ensure that DHS understood the extent of the risks so
that they could be mitigated. After conducting in-depth malware
analysis and developing mitigation steps, we were able to release
actionable information that benefited our private sector partners.
Looking ahead, the Department is concerned that attackers could use
the increasingly public information about the code to develop variants
targeted at broader installations of programmable equipment in control
systems. Copies of the Stuxnet code, in various different iterations,
have been publicly available for some time now. ICS-CERT and the NCCIC
remain vigilant and continue analysis and mitigation efforts of any
derivative malware.
ICS-CERT will continue to work with the industrial control systems
community to investigate these and other threats through malicious code
and digital media analysis, on-site incident response activities, and
information sharing and partnerships.
protecting federal civilian government networks
In addition to its support of private sector owners and operators
of infrastructure, DHS also collaborates with its partners to increase
the security of Federal Executive Branch civilian agency networks. The
fundamental ways that DHS works to secure Federal networks are by
improving the ability of departments and agencies to defend their
systems and by directly providing expertise and specific technology
that detects, mitigates, and prevents malicious activity on these
networks.
As part of the CNCI, DHS works with the Office of Management and
Budget (OMB) to reduce and consolidate the number of external
connections that Federal agencies have to the internet through the
Trusted Internet Connection (TIC) initiative. This initiative reduces
the number of entry points for potential vulnerabilities into
Government networks and allows DHS to focus monitoring efforts on
limited and known avenues through which internet traffic must travel.
DHS conducts on-site evaluations of agencies' progress toward
implementing TIC goals.
In conjunction with the TIC initiative, the EINSTEIN system is
designed to provide the U.S. Government with an early warning system
for intrusions to Federal Executive Branch civilian networks, near
real-time identification of malicious activity, and automated
disruption of that malicious activity. The second phase of EINSTEIN,
known as EINSTEIN 2 and developed in 2008 as part of the CNCI,
incorporates intrusion detection capabilities into the original
EINSTEIN system. DHS is currently deploying EINSTEIN 2 to Federal
Executive Branch civilian agency TIC locations and Networx Managed
Trusted Internet Protocol Services (MTIPS) providers, which are private
internet service providers that serve Federal agencies, to assist them
with protecting their computers, networks, and information. EINSTEIN 2
has now been deployed at 15 of the 19 large departments and agencies
who maintain their own TIC locations. Also, the four MTIPS providers
currently provide service to seven additional Federal agencies. In
2010, EINSTEIN 2 sensors registered 5.4 million ``hits,'' an average of
more than 450,000 hits per month or nearly 15,000 hits per day. A hit
is an alert triggered by a predetermined intrusion detection signature
that corresponds to a known threat. Each hit represents potential
malicious activity for further assessment by US-CERT.
DHS is currently developing the third phase of the EINSTEIN
system--an intrusion prevention capability which will provide DHS with
the ability to automatically detect and disrupt malicious activity
before harm is done to critical networks and systems. In advance of
this development, DHS, in coordination with the National Security
Agency (NSA), conducted the CNCI Initiative 3 Exercise, which advanced
the potential capabilities of the EINSTEIN system by demonstrating
defensive technology, sharing near real-time threat information with
DoD for enhanced situational awareness, and providing a platform upon
which an oversight and compliance process can be implemented for the
evolving set of EINSTEIN capabilities. The Department's Privacy Office
and its Office for Civil Rights and Civil Liberties carefully reviewed
the exercise concept of operations, and the Privacy Office worked with
US-CERT to publicly release a detailed Privacy Impact Assessment
evaluating the exercise. US-CERT also briefed the exercise to the cyber
subcommittee of the independent DHS Data Privacy and Integrity
Committee.
Beyond the TIC initiative and the EINSTEIN system, DHS, OMB, and
the National Institute for Standards and Technology work cooperatively
with agencies across the Federal Government to coordinate the
protection of the Nation's Federal information systems through
compliance with the Federal Information Security Management Act of 2002
(FISMA). US-CERT monitors EINSTEIN 2 sensors for intrusion activity and
receives self-reported incident information from Federal agencies. This
information is reported to OMB for use in its FISMA oversight capacity.
In 2010, DHS also began to administer oversight of the CyberScope
system, which was developed by the Department of Justice. This system
collects agency information regarding FISMA compliance and, as DHS,
OMB, and their agency partners move toward automated reporting, the
system will enable real-time assessments of baseline security postures
across individual agencies and the Federal enterprise as a whole. This
activity complements the development of reference architectures that
DHS designs for Federal agency stakeholders that are interested in
implementing security solutions based on standards and best practices.
DHS also works with the General Services Administration to create
Blanket Purchase Agreements that address various security solutions for
Federal agencies.
the dhs cybersecurity workforce
As DHS continues to make progress on initiatives such as TIC and
EINSTEIN, the Department is also mindful that the Nation's
cybersecurity challenge will not be solved by a single technology
solution. Multiple innovative technical tools are necessary and indeed,
technology alone is insufficient. The mission requires a larger
cybersecurity professional workforce, governance structures for
enhanced partnerships, more robust information sharing and identity
protection, and increased cybersecurity awareness among the general
public. Responsibility for these solutions is, and will remain,
distributed across public and private sector partners.
DHS is focused on building a world-class cybersecurity team by
hiring a diverse group of cybersecurity professionals--computer
engineers, scientists, and analysts--to secure the Nation's digital
assets and protect against cyber threats to our critical infrastructure
and key resources. NCSD continues to hire cybersecurity and information
technology professionals, nearly tripling its cybersecurity workforce
in fiscal year 2009 and nearly doubling that number again in fiscal
year 2010. NCSD currently has more than 230 cybersecurity professionals
on board, with dozens more in the hiring pipeline.
Several initiatives are designed to increase the Nation's number of
highly qualified cybersecurity professionals. DHS and NSA co-sponsor
the Centers of Academic Excellence in Information Assurance Education
and Research programs, the goal of which is to produce a growing number
of professionals with information assurance expertise in various
disciplines. DHS and the Department of State co-hosted Operation Cyber
Threat (OCT1.0), the first in a series of Government-wide experiential
and interactive cybersecurity training pilots designed to apply
learning concepts and share best practices in a secure, simulated
environment to build capacity within the Federal workforce. In December
2010, the Institute of Electrical and Electronics Engineers Computer
Society, the world's leading organization of computing professionals,
formally recognized the Master of Software Assurance (MSwA) Reference
Curriculum, which DHS sponsored through its Software Assurance (SwA)
Curriculum Project. The MSwA program is the first curriculum of its
kind to focus on assuring the functionality, dependability, and
security of software and systems. Finally, DHS co-sponsored the annual
Colloquium for Information Systems Security Education and the
Scholarship for Services (SFS) Job Fair/Symposium, which brought
together 55 Federal agencies and more than 200 SFS students.
The National Initiative for Cybersecurity Education (NICE) has the
dual goals of a cyber-savvy citizenry and a cyber-capable workforce.
Working with NIST, which is the overall interagency lead, DHS heads the
NICE awareness elements and co-leads the training and professional
development components with DoD and the Office of the Director of
National Intelligence.
interagency and public-private coordination
Overcoming new cybersecurity challenges requires a coordinated and
focused approach to better secure the Nation's information and
communications infrastructures. President Obama's Cyberspace Policy
Review reaffirms cybersecurity's significance to the Nation's economy
and security. Establishment of a White House Cybersecurity Coordinator
position solidified the priority the administration places on improving
cybersecurity.
No single agency controls cyberspace and the success of our
cybersecurity mission relies on effective communication and critical
partnerships. Many Government players have complementary roles--
including DHS, the intelligence community, DoD, the Department of
Justice, the Department of State, and other Federal agencies--and they
require coordination and leadership to ensure effective and efficient
execution of our collective cyber missions. The creation of a senior-
level cyber position within the White House ensures coordination and
collaboration across Government agencies.
DHS works closely with its Federal, State, and local partners to
protect Government cyber networks. In September 2010, DHS and DoD
signed a memorandum of agreement that aligns and enhances America's
capabilities to protect against threats to our critical civilian and
military computer systems and networks, including deploying a National
Security Agency support team to the NCCIC to enhance the National Cyber
Incident Response Plan and sending a full-time senior DHS leader and
support team to the National Security Agency.
In November 2010, the MS-ISAC opened its Cyber Security Operations
Center, a 24-hour watch and warning facility, which will both enhance
situational awareness at the State and local level for the NCCIC and
allow the Federal Government to quickly and efficiently provide
critical cyber risk, vulnerability, and mitigation data to State and
local governments. An MS-ISAC analyst/liaison is collocated in the
NCCIC.
Private industry owns and operates the vast majority of the
Nation's critical infrastructure and cyber networks. Consequently, the
private sector plays an important role in cybersecurity, and DHS has
initiated several pilot programs to promote public-private sector
collaboration. In its engagement with the private sector, DHS
recognizes the need to avoid technology prescription and to support
innovation that enhances critical infrastructure cybersecurity. DHS,
through the National Infrastructure Protection Plan partnership
framework, has many years of experience in private sector
collaboration, leveraging our relationships in both the physical and
cybersecurity protection areas. Within current legal authorities, DHS
engages with the private sector on a voluntary basis. We stand by to
assist our private sector partners upon their request, and thus far
have been able to do so successfully due to our technical capabilities,
existing private sector relationships, and expertise in matters
relating to privacy and civil rights and civil liberties.
In February 2010, DHS, DoD, and the Financial Services Information
Sharing and Analysis Center (FS-ISAC) launched a pilot designed to help
protect key critical networks and infrastructure within the financial
services sector by sharing actionable, sensitive information. Based on
lessons learned from the pilot, DHS is developing comprehensive
information-sharing and incident response coordination processes with
CIKR sectors, leveraging capabilities from within DHS and across the
response community, through the NCCIC.
In June 2010, DHS implemented the Cybersecurity Partner Local
Access Plan, which allows security-cleared owners and operators of
CIKR, as well as State technology officials and law enforcement
officials, to access secret-level cybersecurity information and video
teleconference calls via State and local fusion centers. In November
2010, DHS signed an agreement with the Information Technology
Information Sharing and Analysis Center (IT-ISAC) to embed a full-time
IT-ISAC analyst and liaison to DHS at the NCCIC, part of the on-going
effort to collocate private sector representatives alongside Federal
and State government counterparts. The IT-ISAC consists of information
technology stakeholders from the private sector and facilitates
cooperation among members to identify sector-specific vulnerabilities
and risk mitigation strategies.
In July 2010, DHS worked extensively with the White House on the
publication of a draft National Strategy for Trusted Identities in
Cyberspace, which seeks to secure the digital identities of
individuals, organizations, services, and devices during on-line
transactions, as well as the infrastructure supporting the transaction.
This fulfills one of the near-term action items of the President's
Cyberspace Policy Review. The strategy is based on public-private
partnerships and supports the protection of privacy, and civil rights
and civil liberties by enabling only the minimum necessary amount of
personal information to be transferred in any particular transaction.
Its implementation will be led by the Department of Commerce.
In December 2010, DHS and NIST signed a Memorandum of Understanding
with the Financial Services Sector Coordinating Council. The goal of
the agreement is to speed the commercialization of cybersecurity
research innovations that support our Nation's critical
infrastructures. This agreement will accelerate the deployment of
network test beds for specific use cases that strengthen the
resiliency, security, integrity, and usability of financial services
and other critical infrastructures.
While considerable activity is focused on public and private sector
critical infrastructure protection, DHS is committed to developing
innovative ways to enhance the general public's awareness about the
importance of safeguarding America's computer systems and networks from
attacks. Every October, DHS and its public and private sector partners
promote efforts to educate citizens about guarding against cyber
threats as part of National Cybersecurity Awareness Month. In March
2010, Secretary Napolitano launched the National Cybersecurity
Awareness Challenge, which called on the general public and private
sector companies to develop creative and innovative ways to enhance
cybersecurity awareness. In July 2010, seven of the more than 80
proposals were selected and recognized at a White House ceremony. The
winning proposals helped inform the development of the National
Cybersecurity Awareness Campaign, Stop. Think. Connect., which DHS
launched in conjunction with private sector partners during the October
2010 National Cybersecurity Awareness Month. Stop. Think. Connect., a
message developed with the private sector, has evolved into an on-going
National public education campaign designed to increase public
understanding of cyber threats and how individual citizens can develop
safer cyber habits that will help make networks more secure. The
campaign fulfills a key element of President Obama's Cyberspace Policy
Review, which tasked DHS with developing a public awareness campaign to
inform Americans about ways to use technology safely. The program is
part of the NIST National Initiative for Cyber Education (NICE).
Throughout its public and private sector activities, DHS is
committed to supporting the public's privacy, civil rights, and civil
liberties. Accordingly, the Department has implemented strong privacy
and civil rights and civil liberties standards into all of its
cybersecurity programs and initiatives from the outset. To support
this, DHS established an Oversight and Compliance Officer within NPPD,
and key cybersecurity personnel receive specific training on the
protection of privacy and other civil liberties as they relate to
computer network security activities. In an effort to increase
transparency, DHS also publishes privacy impact assessments on its
website, www.dhs.gov, for all of its cybersecurity systems.
conclusion
Set within an environment characterized by a dangerous combination
of known and unknown vulnerabilities, strong and rapidly expanding
adversary capabilities, and a lack of comprehensive threat and
vulnerability awareness, the cybersecurity mission is truly a National
one requiring collaboration across the homeland security enterprise.
The Department of Homeland Security is committed to creating a safe,
secure, and resilient cyber environment while promoting cybersecurity
knowledge and innovation. We must continue to secure today's
infrastructure as we prepare for tomorrow's challenges and
opportunities. It is important to recognize that we do not undertake
cybersecurity for the sake of security itself, but rather to ensure
that Government, business, and critical societal functions can continue
to use the information technology and communications infrastructure on
which they depend.
Within our current legal authorities, DHS continues to engage and
collaborate with partners in the private and public sectors. We are
deploying intrusion detection and prevention technologies across the
Federal enterprise, aiding departments and agencies in securing their
networks, and providing analysis, vulnerability, and mitigation
assistance to private sector CIKR partners. Our continued dedication to
privacy, civil rights, and civil liberties ensures a positive,
sustainable model for cybersecurity engagement in the future. Finally,
we work closely with our interagency partners in law enforcement and
intelligence, providing the full complement of Federal capabilities in
preparation for, and in response to, significant cyber incidents.
Chairman Lungren, Vice Chairman Walberg, Ranking Member Clarke, and
distinguished Members of the subcommittee, let me end by reiterating
that I look forward to exploring opportunities to advance this mission
in collaboration with the subcommittee and my colleagues in the public
and private sectors. Thank you again for this opportunity to testify. I
would be happy to answer your questions.
Mr. Lungren. Thank you very much, Mr. Reitinger.
Now Mr. Wilshusen, who is looking forward to tomorrow's
basketball game, if you could give us about 5 minutes of your
best pitch right now and then we can ask questions.
STATEMENT OF GREGORY WILSHUSEN, DIRECTOR OF INFORMATION
SECURITY ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE
Mr. Wilshusen. Chairman Lungren, Ranking Member Clarke, and
Members of the subcommittee, thank you for the opportunity to
testify at today's hearing on cyber threats to critical
infrastructure and the American economy.
As you mentioned in your opening statements, pervasive and
sustained cyber attacks against the United States continue to
threaten Federal and non-Federal systems and operations. The
every-increasing interdependence on these systems to carry out
essential everyday operations and activities makes us
vulnerable to a wide array of cyber-based threats. Thus, it is
increasingly important that Federal and non-Federal entities
carry out concerted efforts to safeguard their systems and the
information they contain.
Mr. Chairman, today we will discuss the threats to cyber-
reliant critical infrastructures and with Federal information
systems and the challenges agencies face in protecting them.
Cyber threats to critical infrastructure and Federal
services are evolving and growing and can come from a variety
of sources, including criminals and foreign nations, as well as
hackers and disgruntled employees. It is important not to
forget about the insider threat. Potential hackers have a
variety of techniques at their disposal that can vastly expand
the risk, the reach, and impact of their operations, including
use of social engineering and malicious software. The
interconnectivity between information systems, the internet,
and other infrastructure also presents increasing opportunities
for such attacks. Not surprisingly, security incidents reported
by Federal agencies are on the rise, increasing over 650
percent during the past 5 years to nearly 42,000 in fiscal year
2010.
Cyber attack incidents can seriously impact our National
and economic security and have resulted in the loss of
classified information and intellectual property, and financial
crimes reportedly totaling billions of dollars. Although the
administration and Federal agencies continue to act to
strengthen the Nation's cybersecurity posture, challenges
remain. Key actions to improve our National approach to
cybersecurity have not been fully implemented, Federal capacity
to protect against cyber threats needs to improve, and Federal
agencies have not fully addressed persistent control weaknesses
or consistently implemented effective information security
programs. For these reasons, GAO once again identified
protecting the Federal Government's information systems and the
Nation's critical infrastructure as a Government-wide high-risk
area in its biennial report to the Congress on high-risk
Government programs.
Mr. Chairman, much work remains to be done. Additional
Federal efforts are needed to implement actions recommended by
the President's Cybersecurity Policy Review, update the
National strategy for securing the information and
communications infrastructure, develop a National strategy for
addressing the global aspects of cybersecurity, and create a
prioritized National and Federal cybersecurity research and
development agenda.
Federal agencies, and in particular DHS, need to enhance
their cyber analysis and warning capabilities and help
strengthen the effectiveness of public-private sector
partnerships in securing cyber critical infrastructure. Federal
agencies also need to mitigate known vulnerabilities, fully
implement comprehensive information security programs, and
facilitate Government-wide efforts to secure their systems.
GAO has made numerous recommendations to assist agencies in
these areas, and agencies have implemented or are in the
process of implementing many of them.
In summary, Mr. Chairman, the threats to information
systems are evolving and growing, and systems supporting
Federal operations and the Nation's critical infrastructures
are not sufficiently protected to consistently thwart those
threats. Until the administration and Federal agencies working
with the private sector fully address the challenges before
them, our Nation's cybersecurity critical infrastructure will
remain vulnerable.
Mr. Chairman, this concludes my statement. I would be happy
to answer any questions.
[The statement of Mr. Wilshusen follows:]
Prepared Statement of Gregory Wilshusen
March 16, 2011
cybersecurity: continued attention needed to protect our nation's
critical infrastructure and federal information systems
Chairman Lungren, Ranking Member Clarke, and Members of the
subcommittee: Thank you for the opportunity to testify at today's
hearing on the cyber threats to critical infrastructure and the
American economy.
Pervasive and sustained cyber attacks against the United States
continue to pose a potentially devastating impact on Federal and non-
Federal systems and operations. In February 2011, the Director of
National Intelligence testified that, in the past year, there had been
a dramatic increase in malicious cyber activity targeting U.S.
computers and networks, including a more than tripling of the volume of
malicious software since 2009.\1\ Recent press reports that computer
hackers broke into and stole proprietary information worth millions of
dollars from the networks of six U.S. and European energy companies
also demonstrate the risk that our Nation faces. Such attacks highlight
the importance of developing a concerted response to safeguard Federal
and non-Federal information systems.
---------------------------------------------------------------------------
\1\ Director of National Intelligence, Statement for the Record on
the Worldwide Threat Assessment of the U.S. Intelligence Community,
statement before the Senate Select Committee on Intelligence (Feb. 16,
2011).
---------------------------------------------------------------------------
Mr. Chairman, GAO recently issued its high-risk list of Government
programs that have greater vulnerability to fraud, waste, abuse, and
mismanagement or need transformation to address economy, efficiency, or
effectiveness challenges.\2\ Once again, we identified protecting the
Federal Government's information systems and the Nation's cyber
critical infrastructure as a Government-wide high-risk area. We have
designated Federal information security as a high-risk area since 1997;
in 2003, we expanded this high-risk area to include protecting systems
supporting our Nation's critical infrastructure, referred to as cyber
critical infrastructure protection or cyber CIP.
---------------------------------------------------------------------------
\2\ GAO, High-Risk Series: An Update, (Washington, DC: February
2011).
---------------------------------------------------------------------------
In my testimony today I will describe: (1) Cyber threats to cyber-
reliant critical infrastructures and Federal information systems and
(2) the continuing challenges Federal agencies face in protecting the
Nation's cyber-reliant critical infrastructures and Federal systems. In
preparing this statement in March 2011, we relied on our previous work
in these areas (please see the related GAO products page at the end of
this statement). These products contain detailed overviews of the scope
and methodology we used. The work on which this statement is based was
performed in accordance with generally accepted Government auditing
standards. Those standards require that we plan and perform audits to
obtain sufficient, appropriate evidence to provide a reasonable basis
for our findings and conclusions based on our audit objectives. We
believe that the evidence obtained provided a reasonable basis for our
findings and conclusions based on our audit objectives.
background
As computer technology has advanced, Federal agencies and our
Nation's critical infrastructures \3\--such as power distribution,
water supply, telecommunications, and emergency services--have become
increasingly dependent on computerized information systems to carry out
their operations and to process, maintain, and report essential
information. Public and private organizations rely on computer systems
to transfer increasing amounts of money and sensitive and proprietary
information, conduct operations, and deliver services to constituents.
---------------------------------------------------------------------------
\3\ Critical infrastructures are systems and assets, whether
physical or virtual, so vital to the Nation that their incapacity or
destruction would have a debilitating impact on National security,
National economic security, National public health or safety, or any
combination of those matters.
---------------------------------------------------------------------------
The security of these systems and data is essential to protecting
National and economic security, and public health and safety.
Conversely, ineffective information security controls can result in
significant risks, including the loss of resources, such as Federal
payments and collections; inappropriate access to sensitive
information, such as National security information, personal
information on taxpayers, or proprietary business information;
disruption of critical operations supporting critical infrastructure,
National defense, or emergency services; and undermining of agency
missions due to embarrassing incidents that diminish public confidence
in Government.
cyber-reliant critical infrastructure and federal systems face
increasing cyber threats
Threats to systems supporting critical infrastructure and Federal
information systems are evolving and growing. Government officials are
concerned about attacks from individuals and groups with malicious
intent, such as criminals, terrorists, and foreign nations. Federal law
enforcement and intelligence agencies have identified multiple sources
of threats to our Nation's critical information systems, including
foreign nations engaged in espionage and information warfare,
criminals, hackers, virus writers, and disgruntled employees and
contractors. These groups and individuals have a variety of attack
techniques at their disposal that can be used to determine
vulnerabilities and gain entry into targeted systems. For example,
phishing involves the creation and use of fake e-mails and websites to
deceive internet users into disclosing their personal data and other
sensitive information.
The connectivity between information systems, the internet, and
other infrastructures also creates opportunities for attackers to
disrupt telecommunications, electrical power, and other critical
services. For example, in May 2008, we reported that the Tennessee
Valley Authority's (TVA) corporate network contained security
weaknesses that could lead to the disruption of control systems
networks and devices connected to that network.\4\ We made 19
recommendations to improve the implementation of information security
program activities for the control systems governing TVA's critical
infrastructures and 73 recommendations to address weaknesses in
information security controls. TVA concurred with the recommendations
and has taken steps to implement them. As Government, private sector,
and personal activities continue to move to networked operations, the
threat will continue to grow.
---------------------------------------------------------------------------
\4\ GAO, Information Security: TVA Needs to Address Weaknesses in
Control Systems and Networks, (Washington, DC: May 21, 2008).
---------------------------------------------------------------------------
Reported Security Incidents Are on the Rise
Consistent with the evolving and growing nature of the threats to
Federal systems, agencies are reporting an increasing number of
security incidents. These incidents put sensitive information at risk.
Personally identifiable information about U.S. citizens has been lost,
stolen, or improperly disclosed, thereby potentially exposing those
individuals to loss of privacy, identity theft, and financial crimes.
Agencies have experienced a wide range of incidents involving data loss
or theft, computer intrusions, and privacy breaches, underscoring the
need for improved security practices. Further, reported attacks and
unintentional incidents involving critical infrastructure systems
demonstrate that a serious attack could be devastating.
When incidents occur, agencies are to notify the Federal
information security incident center--the United States Computer
Emergency Readiness Team (US-CERT). Over the past 5 years, the number
of incidents reported by Federal agencies to US-CERT has increased
dramatically, from 5,503 incidents reported in fiscal year 2006 to
about 41,776 incidents in fiscal year 2010 (a more than 650 percent
increase). The three most prevalent types of incidents and events
reported to US-CERT during fiscal year 2010 were: (1) Malicious code
(software that infects an operating system or application), (2)
improper usage (a violation of acceptable computing use policies), and
(3) unauthorized access (where an individual gains logical or physical
access to a system without permission). Additionally, according to
Department of Homeland Security (DHS) officials, US-CERT detects
incidents and events through its intrusion detection system,
supplemented by agency reports, for investigation (unconfirmed
incidents that are potentially malicious or anomalous activity deemed
by the reporting entity to warrant further review).
Reports of cyber attacks and information security incidents against
Federal systems and systems supporting critical infrastructure
illustrate the effect that such incidents could have on National and
economic security.
In July 2010, the Department of Defense (DOD) launched an
investigation to identify how thousands of classified military
documents (including Afghanistan and Iraq war operations, as
well as field reports on Pakistan) were obtained by the group
WikiLeaks.org. According to DOD, this investigation was related
to an on-going investigation of an Army private charged with,
among other things, transmitting National defense information
to an unauthorized source.
In 2010, the Deputy Secretary of Defense stated that DOD
suffered a significant compromise of its classified military
computer networks in 2008. It began when a flash drive's
malicious computer code, placed there by a foreign intelligence
agency, uploaded itself onto a network and spread on both
classified and unclassified systems.\5\
---------------------------------------------------------------------------
\5\ Foreign Affairs, Defending a New Domain: The Pentagon's
Cyberstrategy, William J. Lynn III, U.S. Deputy Secretary of Defense
(New York, NY: September/October 2010).
---------------------------------------------------------------------------
In February 2011, media reports stated that computer hackers
broke into and stole proprietary information worth millions of
dollars from the networks of six U.S. and European energy
companies.
the federal government has taken actions to address cyber threats, but
challenges remain in protecting critical systems
The Federal Government has a variety of roles and responsibilities
in protecting the Nation's cyber-reliant critical infrastructure,
enhancing the Nation's overall cybersecurity posture, and ensuring the
security of Federal systems and the information they contain. In light
of the pervasive and increasing threats to critical systems, the
Executive branch is taking a number of steps to strengthen the Nation's
approach to cybersecurity. For example, in its role as the focal point
for Federal efforts to protect the Nation's cyber critical
infrastructures,\6\ DHS issued a revised National infrastructure
protection plan in 2009 and an interim National cyber incident response
plan in 2010. Executive branch agencies have also made progress
instituting several Government-wide initiatives that are aimed at
bolstering aspects of Federal cybersecurity, such as reducing the
number of Federal access points to the internet, establishing security
configurations for desktop computers, and enhancing situational
awareness of cyber events. Despite these efforts, the Federal
Government continues to face significant challenges in protecting the
Nation's cyber-reliant critical infrastructure and Federal information
systems.
---------------------------------------------------------------------------
\6\ As established by Federal law and policy, including the
Homeland Security Act of 2002, Homeland Security Presidential
Directive--7, and the National Strategy to Secure Cyberspace.
---------------------------------------------------------------------------
Key Actions to Improve Our Current National Approach to Cybersecurity
Have Not Yet Been Fully Implemented
The administration and Executive branch agencies have not yet fully
implemented key actions that are intended to address threats and
improve the current U.S. approach to cybersecurity.
Implementing actions recommended by the President's
Cybersecurity Policy Review. In February 2009, the President
initiated a review of the Government's cybersecurity policies
and structures, which resulted in 24 near- and mid-term
recommendations to address organizational and policy changes to
improve the current U.S. approach to cybersecurity.\7\ In
October 2010, we reported that 2 recommendations had been
implemented and 22 were partially implemented.\8\ Officials
from key agencies involved in these efforts (e.g., DHS, DOD,
and the Office of Management and Budget (OMB)) stated that
progress had been slower than expected because agencies lacked
assigned roles and responsibilities and because several of the
mid-term recommendations would require action over multiple
years. We recommended that the National Cybersecurity
Coordinator (whose role was established as a result of the
policy review) designate roles and responsibilities for each
recommendation and develop milestones and plans, including
measures to show agencies' progress and performance.
---------------------------------------------------------------------------
\7\ The White House, Cyberspace Policy Review: Assuring a Trusted
and Resilient Information and Communications Infrastructure
(Washington, DC: May 29, 2009).
\8\ GAO, Cyberspace Policy: Executive Branch Is Making Progress
Implementing 2009 Policy Review Recommendations, but Sustained
Leadership Is Needed, GAO-11-24 (Washington, DC: Oct. 6, 2010).
---------------------------------------------------------------------------
Updating the National strategy for securing the information
and communications infrastructure. In March 2009, we testified
on the needed improvements to the Nation's cybersecurity
strategy.\9\ In preparation for that testimony, we convened a
panel of experts that included former Federal officials,
academics, and private sector executives. The panel highlighted
12 key improvements that are, in its view, essential to
improving the strategy and our National cybersecurity posture,
including the development of a National strategy that clearly
articulates strategic objectives, goals, and priorities.
---------------------------------------------------------------------------
\9\ GAO, National Cybersecurity Strategy: Key Improvements Are
Needed to Strengthen the Nation's Posture, GAO-09-432T (Washington, DC:
Mar. 10, 2009).
---------------------------------------------------------------------------
Developing a comprehensive National strategy for addressing
global cybersecurity and governance. In July 2010, we reported
that the U.S. Government faced a number of challenges in
formulating and implementing a coherent approach to global
aspects of cyberspace, including, among other things, providing
top-level leadership and developing a comprehensive
strategy.\10\ Specifically, we found that the National
Cybersecurity Coordinator's authority and capacity to
effectively coordinate and forge a coherent National approach
to cybersecurity were still under development. In addition, the
U.S. Government had not documented a clear vision of how the
international efforts of Federal entities, taken together,
support overarching National goals. We recommended that, among
other things, the National Cybersecurity Coordinator develop
with other relevant entities a comprehensive U.S. global
cyberspace strategy. The coordinator and his staff concurred
with our recommendations and stated that actions had already
been initiated to address them.
---------------------------------------------------------------------------
\10\ GAO, Cyberspace: United States Faces Challenges in Addressing
Global Cybersecurity and Governance, GAO-10-606 (Washington, DC: July
2, 2010).
---------------------------------------------------------------------------
Finalizing cybersecurity guidelines and monitoring
compliance related to electricity grid modernization. In
January 2011, we reported on efforts by the National Institute
of Standards and Technology (NIST) to develop cybersecurity
guidelines and Federal Energy Regulatory Commission (FERC)
efforts to adopt and monitor cybersecurity standards related to
the electric industry's incorporation of IT systems to improve
reliability and efficiency--commonly referred to as the smart
grid.\11\ We determined that NIST had not addressed all key
elements of cybersecurity in its initial guidelines or
finalized plans for doing so. We also determined that FERC had
not developed an approach for monitoring industry compliance
with its initial set of voluntary standards. Further, we
identified six key challenges with respect to securing smart
grid systems, including a lack of security features being built
into certain smart grid systems and an ineffective mechanism
for sharing information on cybersecurity within the industry.
We recommended that NIST finalize its plans for updating its
cybersecurity guidelines to incorporate missing elements and
that FERC develop a coordinated approach to monitor voluntary
standards and address any gaps in compliance. Both agencies
agreed with these recommendations.
---------------------------------------------------------------------------
\11\ GAO, Electricity Grid Modernization: Progress Being Made on
Cybersecurity Guidelines, but Key Challenges Remain to be Addressed,
GAO-11-117 (Washington, DC: Jan. 12, 2011).
---------------------------------------------------------------------------
Creating a prioritized National and Federal cybersecurity
research and development (R&D) agenda. In June 2010, we
reported that while efforts to improve cybersecurity R&D were
under way by the White House's Office Science and Technology
Policy (OSTP) and other Federal entities, six major challenges
impeded these efforts.\12\ Among the most critical was the lack
of a prioritized National cybersecurity research and
development agenda. We found that despite its legal
responsibility and our past recommendations, a key OSTP
subcommittee had not created a prioritized National R&D agenda,
increasing the risk that research pursued by individual
organizations will not reflect National priorities. We
recommended that OSTP direct the subcommittee to take several
actions, including developing a National cybersecurity R&D
agenda. OSTP agreed with our recommendation and provided
details on planned actions.
---------------------------------------------------------------------------
\12\ GAO, Cybersecurity: Key Challenges Need to Be Addressed to
Improve Research and Development, GAO-10-466 (Washington, DC: June 3,
2010).
---------------------------------------------------------------------------
We are in the process of verifying actions taken to implement our
recommendations. In addition, we have on-going work related to cyber
CIP efforts in several other areas including: (1) Cybersecurity-related
standards used by critical infrastructure sectors, (2) Federal efforts
to recruit, retain, train, and develop cybersecurity professionals, and
(3) Federal efforts to address risks to the information technology
supply chain.
Federal Capacity to Protect Against Cyber Threats Needs to Improve
In addition to improving our National capability to address
cybersecurity, Executive branch agencies, in particular DHS, also need
to improve their capacity to protect against cyber threats by, among
other things, advancing cyber analysis and warning capabilities and
strengthening the effectiveness of the public-private sector
partnerships in securing cyber critical infrastructure.
Enhancing cyber analysis and warning capabilities. In July
2008, we reported that DHS's US-CERT had not fully addressed 15
key attributes of cyber analysis and warning capabilities.\13\
As a result, we recommended that the Department address
shortfalls associated with the 15 attributes in order to fully
establish a National cyber analysis and warning capability as
envisioned in the National strategy. DHS agreed in large part
with our recommendations and has reported that it is taking
steps to implement them. We are currently working with DHS
officials to determine the status of their efforts to address
these recommendations.
---------------------------------------------------------------------------
\13\ GAO, Cyber Analysis and Warning: DHS Faces Challenges in
Establishing a Comprehensive National Capability, GAO-08-588
(Washington, DC: Jul. 31, 2008).
---------------------------------------------------------------------------
Strengthening the public-private partnerships for securing
cyber critical infrastructure. In July 2010, we reported that
the expectations of private sector stakeholders were not being
met by their Federal partners in areas related to sharing
information about cyber-based threats to critical
infrastructure.\14\ Federal partners, such as DHS, were taking
steps that may address the key expectations of the private
sector, including developing new information-sharing
arrangements. We also reported that public sector stakeholders
believed that improvements could be made to the partnership,
including improving private sector sharing of sensitive
information. We recommended that the National Cybersecurity
Coordinator and DHS work with their Federal and private sector
partners to enhance information-sharing efforts, including
leveraging a central focal point for sharing information among
the private sector, civilian government, law enforcement, the
military, and the intelligence community. DHS officials stated
that they have made progress in addressing these
recommendations, and we will be determining the extent of that
progress as part of our audit follow-up efforts.
---------------------------------------------------------------------------
\14\ GAO, Critical Infrastructure Protection: Key Private and
Public Cyber Expectations Need to Be Consistently Addressed, GAO-10-628
(Washington, DC: July 15, 2010).
---------------------------------------------------------------------------
Federal Agencies Have Not Addressed Persistent Control Weaknesses or
Implemented Effective Information Security Programs
Federal systems continue to be afflicted by persistent information
security control weaknesses. Specifically, agencies did not
consistently implement effective controls to prevent, limit, and detect
unauthorized access or manage the configuration of network devices to
prevent unauthorized access and ensure system integrity. Most of the 24
major Federal agencies had information security weaknesses in five key
internal control categories,\15\ as illustrated in Figure 1. In
addition, GAO determined that serious and widespread information
security control deficiencies were a Government-wide material weakness
in internal control over financial reporting as part of its audit of
the fiscal year 2010 financial statements for the United States
Government.
---------------------------------------------------------------------------
\15\ The five internal controls are access controls, which ensure
that only authorized individuals can read, alter, or delete data;
configuration management controls, which provide assurance that only
authorized software programs are implemented; segregation of duties,
which reduces the risk that one individual can independently perform
inappropriate actions without detection; continuity of operations
planning, which provides for the prevention of significant disruptions
of computer-dependent operations; and an agency-wide information
security program (security management), which provides the framework
for ensuring that risks are understood and that effective controls are
selected and properly implemented.
Over the past several years, we and inspectors general have made
hundreds of recommendations to agencies for actions necessary to
resolve prior significant control deficiencies and information security
program shortfalls. For example, we recommended that agencies correct
specific information security deficiencies related to user
identification and authentication, authorization, boundary protections,
cryptography, audit and monitoring, physical security, configuration
management, segregation of duties, and contingency planning. We have
also recommended that agencies fully implement comprehensive, agency-
wide information security programs by correcting weaknesses in risk
assessments, information security policies and procedures, security
planning, security training, system tests and evaluations, and remedial
actions. The effective implementation of these recommendations will
strengthen the security posture at these agencies. Agencies have
implemented or are in the process of implementing many of our
recommendations.
In addition, the White House, OMB, and selected Federal agencies
have undertaken Government-wide initiatives to enhance information
security at Federal agencies. For example, the Comprehensive National
Cybersecurity Initiative, a series of 12 projects, is aimed primarily
at improving DHS's and other Federal agencies' efforts to reduce
vulnerabilities, protect against intrusion attempts, and anticipate
future threats against Federal Executive branch information systems.
However, the projects face challenges in achieving their objectives
related to securing Federal information, including better defining
agency roles and responsibilities, establishing measures of
effectiveness, and establishing an appropriate level of transparency.
These challenges require sustained attention, which agencies have begun
to provide.
In summary, the threats to information systems are evolving and
growing, and systems supporting our Nation's critical infrastructure
and Federal systems are not sufficiently protected to consistently
thwart the threats. Administration and Executive branch agencies need
to take actions to improve our Nation's cybersecurity posture,
including implementing the actions recommended by the President's
cybersecurity policy review and enhancing cyber analysis and warning
capabilities. In addition, actions are needed to enhance security over
Federal systems and information, including fully developing and
effectively implementing agency-wide information security programs and
implementing open recommendations. Until these actions are taken, our
Nation's Federal and non-Federal cyber critical infrastructure will
remain vulnerable. Mr. Chairman, this completes my statement. I would
be happy to answer any questions you or other Members of the
subcommittee have at this time.
Mr. Lungren. Thank you very much. We will now start a round
of questioning, and I yield myself 5 minutes.
Mr. Reitinger, it is so easy to be a Monday morning
quarterback. As we look at what is happening in Japan, you see
the effects of one of the largest recorded, most powerful
earthquakes in history, a tsunami that, if you watch it via the
internet, if you watch it via YouTube, you see something that
is stronger than any words could present. Then you see the
resulting failure at the nuclear power plants. I wonder if
Japan, in analyzing threats, would ever have seen that triple
whammy scenario.
So I wonder what is it that you worry most about, Mr.
Reitinger? The only reason I ask you that is, I think we need
to do something to get a sense of urgency about this particular
subject matter, not only in the Congress, but in the public at
large. So what is the most serious threat that you see to our
critical infrastructure as a result of something that may visit
it by way of cybersecurity, or a lack of cybersecurity, an
invasion of our cyber system, penetration of our cyber system.
Mr. Reitinger. Thank you very much, Mr. Chairman.
I would like to take that in a slightly different
direction, if I might. The threats are very serious, but I
think it is somewhat difficult to say that this particular
vector of attack is greater than this particular vector.
Certainly I do worry very much about things like attacks on
control systems, where it is not just, well, we can't get
access to our data, but we can't have the power on; or it is
not just we can't get access to our data or somebody access to
our data, somebody may have filled with our data, not just
attacks on confidentiality, but integrity. So if someone got
access to a major medical database and changed the contents of
it, that could have significant consequences in terms of human
life for a large number of people.
But what concerns me the most is not any of those
particular things, it is what you started out your question
with. Was Japan fully prepared? As much as they prepared, were
they prepared? Are we now prepared for that type of cyber
attack and are we doing the things that we need to do now to be
ready when and if that sort of event takes place? We have done
considerable things to raise the priority of cybersecurity.
Just last year, the Ranking Member mentioned the first-ever
Quadrennial Homeland Security Review which identified
cybersecurity as one of the top mission areas for the entire
homeland security enterprise on a par with protecting our
borders and having domestic security and providing resilience
to disasters. On a par with those things, cybersecurity is just
as important. But are we, as a Nation, going to do the things
that we need to do to make sure that we have got the
capabilities and ability to respond across the public and
private sectors? Are we going to keep the focus and move
forward rather than waiting to respond when it is too late?
Mr. Lungren. Mr. Wilshusen, looking at your report and your
comments, your suggestion is we are not doing all that we need
to do. Can you outline, in your opinion, for instance, what is
hindering DHS's cybersecurity mission right now?
Mr. Wilshusen. Well, I think there are probably a couple of
issues. Just to echo what Mr. Reitinger mentioned, too, is that
preparation is key in order to address these threats because
often you may not know exactly what will happen, but you will
need to be able to respond to them and hopefully take
corrective action before the need occurs.
One of the things that DHS could do to help the private
sector and others to better protect their systems is to provide
clear, actionable, and alert threat information and share
techniques with the private sector to improve their security.
Mr. Lungren. Is that not being done, in your opinion, to
the extent necessary?
Mr. Wilshusen. Well, we recently completed a review in
which we asked private sector organizations what its key
expectations are of the private sector/public partnerships.
Over 98 percent of the respondents indicated that having
actionable and timely threat and alert information was
essential to a great or moderate extent, but only 27 percent
felt that they were actually receiving that type of information
to a great or moderate extent.
So clearly, one of the actions that DHS can do is to help
provide value-added services to its constituents and to the
private sector. It is attempting to and has taken actions to
help improve its cyber analysis and warning capabilities, but
as Mr. Reitinger mentioned in his opening remarks, more needs
to be done.
Mr. Lungren. My time is up.
The Ranking Member is recognized for 5 minutes.
Ms. Clarke. Mr. Reitinger and Mr. Wilshusen, DHS has many
detractors on any number of issues, but we want to make sure
that the right people are tasked with doing the job of
addressing cybersecurity to our critical infrastructure. The
other agencies in the Federal Government with considerable
cybersecurity expertise are the NSA and the DOD. Is DHS the
proper agency to lead Federal cybersecurity efforts? Is there
another Federal agency that should do this?
Mr. Reitinger. Thank you, ma'am. I think I will start, if
that is all right.
I think DHS absolutely is the right place to lead efforts
with regard to Federal civilian systems and the private sector.
I would like to respond in part of response to your question to
what Greg had indicated. There is a long way to go in terms of
being able to share the right information with the private
sector. We have made significant strides. If you just take the
last couple of years, at the start of fiscal year 2009, DHS and
the entire National Cybersecurity Division had, I think, 38
people at the start of the year. Over the last 2 years, we have
roughly tripled that, and then roughly doubled it in 2009 and
2010, so we are up to about 240 right now. In the President's
request in the fiscal year 2012 budget, we grow that to a
little more than 400 people.
So we are significantly expanding our people, and expanding
our people expands our capabilities. I think Greg would tell
you that we have done a lot.
We have had significant successes, for example, in terms of
sharing actionable information. We are in the course of a pilot
right now with the financial services sector where we share
information--and we partnered with DOD and the financial
services sector for this. We have shared literally hundreds of
pieces of actionable information with the financial services
sector, which has also shared hundreds of pieces of information
back to us. We then take that information, it comes back to us
in an itemized form, we can glean data from it and pass that
out. So we are moving forward on actionable activities that
actually add value.
There are lots of roles to play here. DOD has an essential
role to play protecting military systems and providing a core
and deep technical expertise in the National Security Agency
and Cyber Command on which all of us in appropriate cases rely.
We at DHS have our own expertise. For example, we have
deployed, in the much messier environment of the Federal
civilian infrastructure, EINSTEIN 2, which is a system designed
to detect attempts to break into Federal civilian systems. Just
last year, it detected over 5.4 million events. We have not
done that in a unitary network that is subject to command and
control, but in, so far, 15 of 19 different major Federal
agencies and at four internet service providers.
So we have developed the expertise on how to act in that
environment, move forward to protect security, and to protect
privacy at the same time.
Mr. Wilshusen. I would just like to add that DHS is
building out its capabilities to provide services to its
constituents. It has also received responsibility for providing
increased oversight and assistance to other Federal agencies in
implementing their information security programs and practices.
One of the issues confronting DHS, at least as we see it,
do they have the proper authorities to do that? There are
challenges associated with one agency providing oversight over
another agency. At present, under the Federal Information
Security Management Act, many of the authorities are granted to
the Office of Management and Budget. But last year, in July,
OMB assigned some of those responsibilities over to DHS, and
DHS is working to build out its capacity to perform those
services.
Certainly, as you mentioned before with DOD and NSA, they
have a high level of skill and capabilities in this area. To my
knowledge, they have been working with DHS to some extent in
transferring some of those skills and abilities as DHS builds
out its own capabilities.
Ms. Clarke. Just following up, Mr. Reitinger, on the
EINSTEIN issue, the National Cybersecurity Division is
currently planning to deploy five EINSTEIN monitors or five key
nodes in the dot-gov domain that will be used to prevent and
detect intrusions on computer systems. If the continuing
resolution is adopted by Congress and you don't receive your
requested funds for 2011, how would it affect this much-needed
project and the request for $226.6 million in the fiscal year
2012 budget?
Mr. Reitinger. Thank you, ma'am.
I think the proposal under H.R. 1 would cut roughly $60
million from the entire NPPD budget. It is actually a budget
cut not specifically to cyber, but more broadly to NPPD, but
there is no way in our budget to do that without a cut to
cyber. So a big chunk of those resources would, in fact, be
drawn from the resources we would use to deploy what you are
referring to, the EINSTEIN 3 system, and it would adversely
affect the time line for deployment of those sensors, yes,
ma'am, and our ability to provide advice and assistance to
agencies on the data that we receive.
Ms. Clarke. Thank you very much.
I yield back, Mr. Chairman.
Mr. Lungren. Mr. Reitinger, you are not here to testify as
to whether or not we should have another month in which we have
a $228 billion addition to the debt, are you? I didn't think
so.
Mr. Walberg is recognized for 5 minutes.
Mr. Walberg. Thank you, Mr. Chairman. Thanks to the panel
for being here talking about an area that is expanding my mind
daily, as I think about it--so far not causing me a lot of loss
of sleep because I know that there are people who are thinking
about it regularly, but I appreciate your testimony this
morning.
The question I would just begin with to each of you is a
short question with an answer that probably I would ask you to
consider answering in relationship to what you know today and
what you perceive today.
In which sector could a cyber attack do the most damage?
Mr. Reitinger. So, sir, I am somewhat hesitant simply
because it is hard to say that one sector grown large is
critical from top to bottom whereas another sector is not
critical from top to bottom. There are, however, critical
entities in many sectors, and some of the sectors we worry most
about are, for example, financial services and electric power,
primarily because those are sectors, along with information and
communications, where you notice adverse effects in
milliseconds--and I mean that, milliseconds--as opposed to
seconds, minutes, hours, or days.
Mr. Walberg. Thank you.
Mr. Wilshusen.
Mr. Wilshusen. I would agree with Mr. Reitinger's remarks,
particularly as it relates to the financial services and
electrical power sectors.
There was an incident a couple years ago at a power plant,
nuclear power plant in Alabama. Now this was an unintended
incident, it was not due to a cyber attack, but it does
represent and illustrate the impact that could occur from such
an attack. It was due to an equipment failure on a network that
was connected to one of the control systems. Through a series
of events that occurred as a result of that equipment failure,
the plant had to bring down its nuclear reactor for a time. Its
due to, in part, because of the interconnectivity of these
systems to control systems. So it can have a potentially
devastating effect.
Certainly on the financial services side, there have been
numerous reports where literally millions of dollars have been
lost and absconded with through cyber attacks.
Mr. Walberg. Thank you.
Mr. Reitinger, moving on from that--and I would suggest
that your answers coincided with my thoughts, as elementary as
they may be, in talking with energy providers and financial
institutions in the past several weeks, that just the effect of
a keystroke is amazing.
But let me ask you, Mr. Reitinger, are private sector
entities responsive to the efforts the Government makes with
them to warn of threats and mitigate the consequence of
attacks? What is the experience there?
Mr. Reitinger. I think, sir, you would find that the
experience in the private sector is similar to that in
Government agencies. There are a lot of entities who get it and
some who don't. The private sector has created wholly new
technical capabilities over the last 10 years and has itself
built new ways of working together and sharing information, not
only expanding their information sharing and analysis centers,
but creating other mechanisms to work together.
All that said, we are not yet where we need to be in terms
of broad awareness, but within the business community and among
individuals, in terms of what the threat is and what actions
they need to take. One of the things that we are trying very
much to do in the Department of Homeland Security is do less of
the talking to ourselves, and as we raise awareness, making
sure we are talking to the right people, talking not just to
CISs, chief information security officers or chief risk
management officers, but talking to chief financial officers
and chief operating officers, the people who cut the checks and
say this will affect your bottom line.
There is broad willingness and interest across the public
and private sectors to work together. There is still a long way
to go to have uniform action.
Mr. Walberg. Mr. Wilshusen, you mentioned that the
Government must improve the public-private partnership by
improving information sharing. What are some specific
recommendations you would have?
Mr. Wilshusen. Well, one is, as I mentioned before, for
DHS, in its role as a key focal point with dealing with the
private sector, is to provide actionable, timely notices of
either warnings, threat warnings, as well as alerts of specific
actions currently underway. That has been one of the key
services that the private sector organizations have indicated
that they expect to receive but have not yet fully received to
the levels of expectations. So that would be one area that DHS
could work on. Indeed, as Mr. Reitinger mentioned earlier, they
are taking steps to address those areas.
Mr. Walberg. I see my time is up. Thank you.
Mr. Lungren. The gentleman from Louisiana, Mr. Richmond, is
recognized for 5 minutes.
Mr. Richmond. Thank you, Mr. Chairman.
I guess my question is for whoever wants to answer. Part of
what at least I saw in the BP Horizon oil spill in Louisiana
was that as soon as it happened, there was a clear chain of
command and there was a set up protocol and people who took
over at certain points. Do we have, in the event of a cyber
attack, a clear chain of command with defined roles and
responsibilities within Government?
Mr. Reitinger. Sir, to be frank, I think we could use
further clarity. We have made significant strides in that
regard. Overall, cyber incidents are going to be incredibly
complex, and so it is hard to generalize. But it is clear that
the President is in charge overall, that with regard to
domestic response, the Secretary of Homeland Security, under
her Homeland Security Act and authorities under the various
Presidential directives, is responsible, and DOD is responsible
for National defense. We built the mechanisms to work
effectively together. We now have a National cyber incident
response plan that defines roles and responsibilities, and we
are going to continue to improve that as our experience
develops.
We have also established a mechanism so that two of the
largest players--DOD and DHS--can work effectively together,
notably signing a memorandum of agreement which was driven, I
will tell you, at the Secretarial level; so directly between
the Secretary of Homeland Security and the Secretary of Defense
to enable effective synchronization between DOD. So we have a
team of senior people, are deploying a team of senior people at
NSA and Cyber Command, and they are deploying two groups--one
from NSA and one from Cyber Command--to our cyber operation
center so they can effectively support us.
One of the things that we are doing in DHS is--and this is
not just about cyber, it is also about infrastructure
protection--is, as we develop capability, we are becoming an
operational entity. We think it is very important that we be
not about discussing, but about doing and enabling others to
do. So that is where our focus is.
Mr. Wilshusen. I would just add that one of the key aspects
to this that would also be helpful to have a straight line of
chain of command is for the administration and Federal agencies
to establish and update the National Policy for Securing
Cyberspace. This is a document that is many years old. It has
had a number of issues with it that have impeded its progress
in being able to be implemented. One thing that needs to be
developed is just a clear articulation of the objectives,
goals, and priorities for Federal agencies and the private
sector to implement security over cyberspace and the systems
that they operate.
Mr. Richmond. Thank you.
As I was talking to my community health centers yesterday,
we started talking about electronic health records and they
mentioned to me that there were 60 companies just in my area
that provided those services. Then I started thinking about
smart grids. Do we have an industry standard or is there a
published standard that these companies have to have in
relation to protecting their electronic health records? Or have
we set a baseline that they have to at least adhere to to make
sure that we protect people's privacy and we protect the risk
of an attack in that area?
Mr. Wilshusen. Well, the Department of Health and Human
Services, under HIPAA, issues a security rule that health care
providers are required to follow certain security and privacy
guidelines. So that is probably as close as anything that
exists to a standard, if you will, or guidelines and
requirements for protecting the confidentiality and integrity
of health information.
Mr. Richmond. But under HIPAA, have they--I hate to put it
this way, have they gotten to the level of sophistication to
address cybersecurity in terms of protecting those health
records? I know traditionally we just said don't leak people's
medical condition, don't publish it, you have to protect it and
put it in a safe place. But now when we start going to
electronic health records, the question is whether somebody has
put out the technical guidelines and the technical
responsibilities to make sure that at least those companies are
not easily hacked. That will be my question, and I yield back,
Mr. Chairman.
Mr. Wilshusen. Well, the security rule does provide some
guidelines, but probably not to the level that you are
referring to in terms of the very detailed technical standards
that may be required.
One of the issues that also comes up is in terms of data
interoperability between various different health organizations
and States to make sure that this health information is
actually interoperable among different States as they develop
their own individual standards. So that is another issue that
is attendant to the one you are asking about.
Mr. Lungren. The gentleman's time has expired.
Mr. Meehan is recognized for 5 minutes.
Mr. Meehan. Thank you, Mr. Chairman. Thank you to each of
our panelists for their very revealing testimony today.
Let me ask both of you, 15 million reports in the course of
a year, and yet we are trying to communicate with the private
sector simultaneously, particularly those with these control
systems. How do you triage to know what to communicate down the
line and say this is something we ought to be reaching out to
without becoming a point in time where you are--what is the old
adage--crying wolf and they don't know when to really be
alerted?
Mr. Reitinger. Sir, I would say you have to do a couple of
things. One, you broadly have to find the broader points of
influence. In a time that we all have those scarce resources,
what is the most effective way to institute protections to get
the private sector not only to understand the threat, but
implement the threat? So we focus very much on that.
You try to have broad campaigns. So one of the things that
we did this year for the first time as a response to the
President's Cyberspace Policy Review, instead of just having an
annual Cybersecurity Security Awareness Month, we have now got
an annual campaign, the ``Stop. Think. Connect.'' Campaign,
which we are advocating for. It was developed--not by DHS, but
actually by a partnership. That is something a partnership can
do; it is people in the private sector and the public sector
working together to come up with a message that we can all work
together to implement, something fairly actionable.
The last thing is that you do have to make choices, you do
have to triage. That is something we do generally in the space.
We have 5.4 million events. You can't look in detail at every
one of them. You have to figure out fairly rapidly, look for
indicators for what are the most severe? You try to expand our
capabilities.
One of the things we have done in DHS is established fly-
away teams. So we have a team of people that we can deploy if
there is a significant incident in at a private sector company
and they need our assistance.
In some sense it is because of the act, in some sense it is
because of a prioritization, that team is typically deployed
for control systems-type incidents because that is one of the
things that we worry about significantly. So there are a lot of
processes that one has to go through to try to figure out where
you are most effectively applying resources to the effect you
need.
Mr. Meehan. Do you agree with that sort of assessment?
Mr. Wilshusen. Yes, I would.
Mr. Meehan. The thing that really strikes me again is the
interoperability. We keep talking about these control systems
and the capacity to be able to impact entire areas which are
interdependent. How can we create the kind of requirement, so
to speak, from the private sector to collaborate with you to be
able to, as we say, meet some kind of National policy standards
or objectives so that we are working together? We have
effectively independent agencies that have oversight over
critical pieces of this infrastructure which are at risk.
Mr. Reitinger. So, sir--I feel like I keep jumping ahead of
Greg. Do you want to go first or I will?
I would say there are a number of things we need to do. We
at DHS are focused on executing within our existing authorities
to accomplish that mission. There are a number of things we can
do. We talked a lot about awareness, so raising awareness among
the companies is a key part of this. As Greg has indicated,
sharing classified and unclassified threat information so that
they are really sensitized to what the issues are.
Second, we can work on things like helping develop
standards and working with the private sector to make sure that
they have available solutions so that there is a known path to
better security.
Mr. Meehan. My time will run out, but are there minimal
standards right now that we have in the industry that we can
expect people to abide by so that at least there is some kind
of a baseline that we can expect collaboration that they will
address within their own institution so that they are capable
of communicating with you about these issues?
Mr. Reitinger. So there are many standards, sir, of
differing degrees or prescriptiveness, if you will, and
effectiveness. One of the things that I don't think we have
right now is what one might think of as a baseline ability to
say across all of the critical infrastructures we are meeting
the standard that we need. So one of the things that we are
doing is working with not only other agencies within the
Federal Government so that they are aware of what the
requirements are, but we have, in one case, DHS has specific
authority, and that is for the chemical facilities sector, or
the chemical sector where we have put in a risk-based
performance standard into the existing CFATS regime related to
cybersecurity. We will be continuing to look at that going
forward to make sure that it meets National requirements.
Mr. Wilshusen. If I may add, we have an on-going engagement
right now looking at what standards are in effect at various
different critical infrastructure sectors and to assess, to the
extent that those standards exist, whether they are voluntary;
and how those sectors either enforce or assure that their
members actually implement those standards. We expect to be
reporting out on that later this year.
Mr. Meehan. Thank you, Mr. Chairman.
Mr. Lungren. I will just tell the gentleman that we will
shortly schedule a markup on the CFATS bill so that we will
have that issue going forward.
I understand Mr. Keating has no questions at this time, so
Mr. McCaul is recognized for 5 minutes.
Mr. McCaul. Thank you, Mr. Chairman. Phil, it is good to
see you again. Thank you for your hard work on the CSIS
Commission. It is a great report, outstanding.
I mean, the threats are real, we all know what they are--
the power grids, financial sectors. You know, when I was
Ranking Member of this subcommittee two Congresses ago, we held
hearings and talked about what is the coordination between DHS?
DHS has a primary mission to defend. Are they talking to DOD or
NSA that has the offensive capability, not that one is charged
with defensive, are those coordinating as well?
I will say, I think, DHS has come a long way since those
hearings, and that is very good news. I noticed, Phil, in your
testimony you talked about an MOU that has been signed between
DHS and the DOD, and I was very glad to see that. Can you
explain how that is working? Also, do you anticipate doing
something similar with NSA?
Mr. Reitinger. Absolutely, sir. So I talked a little bit
about that before. We signed, at the Secretarial level, an MOA,
a memorandum of agreement--sorry, I fall back into acronyms too
much--between the Department of Defense and the Department
Homeland Security. There are two points of contact on that; one
is me, and the other is Dr. Jim Miller, who is the Principal
Under Secretary of Defense for Policy at DOD. Under that
agreement, DHS, so that we can stay fully synched with our
partners in the Department of Defense, has and is deploying a
team of people to Fort Meade that will be led by a DHS senior,
who is currently Rear Admiral Mike Brown, who has been in the
Department of Homeland Security on detail from DOD for a number
of years.
He will have a team of people that will comprise first a
joint coordination element to do joint planning at DOD, make
sure we can stay operationally synched, a group of people who
are going to work with NSA on its technology, and another group
of people who will be embedded in the NTOC at NSA so that we
have full assay of the NSA's knowledge of the threat.
NSA and Cyber Command are both deploying teams of people to
our Cyber Operation Center to support our domestic cyber
operations. So there will be a cryptologic support group from
NSA and a cyber support element--I am more comfortable with CSG
and CSE, but those are what they are called--from Cyber Command
that will directly support us. We are in the initial stages of
developing these capabilities, but it is already working very
well. I would also say that those are not the only means that
we have to coordinate. So we literally hold a weekly SVTC, a
secure video teleconference, with our partners in DOD to make
sure we are staying coordinated. We work with them at deputies
committee meetings and lots of other administrative policy and
other processes. So we have come a long way between these two
departments in our ability to support each other and our
respective mission spaces.
Mr. McCaul. That is certainly good news, and I do want to
commend you for that. Again, from two Congresses ago, that is
great progress, and I am very glad to hear that. They have the
assets, the expertise, and the capabilities, so it makes no
sense for them not to work with you and share that.
Private sector sharing threat information, it is always
difficult for the private sector to share that with the Federal
Government. The incentives are still lacking, I think, to some
extent. They have a duty to their shareholders, they don't want
to report this kind of stuff. How do you incentivize them to do
that? Would an exception to FOIA be helpful in terms of that
threat information not being subjected to a FOIA request?
Mr. Reitinger. With regard to at least some information
submitted under the Protected Critical Information
Infrastructure program, the PCII program, there is a FOIA
exception. The issue I think is a little broader, and that is
that there remains a lack of clarity about the costs and risks
of sharing information from the private sector to the
Government. So sometimes one has the problem that when the
private sector and Government want to talk--I think generally
if something is happening, the private sector will lean forward
to figure out a way to share information, as will the
Government. Because when you get operators talking with
operators, they have a problem to solve. If it is more on-
going, the problem is, nowadays, if you get together and you
want to work together, you want to share information, not just
to share information to solve a particular problem, sometimes
the first thing you have to do is call the lawyers into the
room. You and I, sir, are both lawyers, we love lawyers, but--
--
Mr. McCaul. I wouldn't necessarily say that.
Mr. Reitinger. So we have some internal processes going now
to try and generate some clarity with the private sector about
what the rules are so that you can have a more rapid and
effective conversation.
Mr. McCaul. Last, if I could indulge the Chair, the
National Policy for Cyberspace--it was mentioned earlier--sir,
the last one was developed in 2003, I think one of the
recommendations we had with the Commission was to develop a
National policy. That is within the jurisdiction and authority
of the White House. Can you demonstrate why that is so
important and so critical?
Mr. Reitinger. Well, I think having a National policy is
critical. I would personally favor, while I think we knew new
ways to do things, focusing very heavily on implementation. We
at DHS are working right now on the strategy which will
underlie the cybersecurity part of the Quadrennial Homeland
Security Review that the Ranking Member brought up. So for us
this is mission four or cybersecurity across the Homeland
Security enterprise. We are working now across Government and
with the private sector to develop that strategy that will roll
out to the broader National strategy.
Mr. McCaul. Thank you so much.
Mr. Lungren. I want to thank our panelists for not only
your oral testimony here today but your written testimony. You
have helped us considerably.
Mr. Reitinger, and also in classified briefings, I just
want to tell you that members of this panel very much
appreciated your participation and the participation of others,
and that has helped us a great deal.
I will be calling on both of you in the future to help us a
little bit more as we go forward on an issue that will not go
away and only needs greater clarity and greater visibility. So
we thank both of you.
Now, we would move to our second panel, and I know it will
take a little while for the three of them to get there.
We are very pleased to have our second panel. We have
outstanding panelists in both panels, and we very much
appreciate your time and your effort and the knowledge that you
are relaying to us here today.
Dr. Phyllis Schneck is the vice president and chief
technical officer of Global Public Sector for McAfee. She also
serves as a volunteer as chairman of the board of directors of
the National Cyber-Forensics & Training Alliance, which is an
important partnership between Government, law enforcement, and
the private sector for information analytics and has been used
to prosecute over 150 cyber criminals worldwide.
Earlier Dr. Schneck worked as vice president of Threat
Intelligence at McAfee and was responsible for the design and
application of McAfee's internet reputation intelligence. She
has Ph.D. in computer science from Georgia Tech where she
pioneered the field of information security and security-based
higher-performance computing.
Thank you for being here.
Dr. James Lewis is a senior fellow and program director at
CSIS where he writes on technology, National security, and the
international economy.
Before joining CSIS, he worked in the Federal Government as
a Foreign Service officer and as a member of the Senior
Executive Service. Most recently he was the project director of
CSIS's Commission on Cyber Security for the 44th Presidency.
That report has been downloaded, I understand, more than 40,000
times, so no secrets there. He received his Ph.D. from the
University of Chicago in 1984.
Mischel Kwon is an IT executive with more than 29 years of
experience ranging from application, design, and development to
building organizational and National level computer emergency
instant response and readiness teams. She is most recently the
vice president of Public Sector Security for RSA, the security
division of the EMC Corporation, and prior to that, she was the
director of the United States Computer Emergency Readiness
Team, US-CERT, at DHS.
We welcome all of our witnesses. We are pleased that you
are able to share your perspective with us. As I said, your
written testimony will be made part of the record. We would
like to recognize each of you in order for 5 minutes, and I
know that is a short period of time, but we will try and stay
with that as much as possible and then ask you questions.
So, first of all, Dr. Schneck.
STATEMENTS OF PHYLLIS SCHNECK, VICE PRESIDENT AND CHIEF
TECHNICAL OFFICER, MC AFEE INC.
Ms. Schneck. Good morning.
Chairman Lungren, Ranking Member Clarke, and other
distinguished Members of the subcommittee, thank you for
requesting McAfee's views on cyber threat to critical
infrastructure and the American economy. It is an honor and a
pleasure to be part of the process and to be here today.
Your committee is playing a vital role in helping to define
the contours of cybersecurity debate, and your aim to write
thoughtful and incentives-based legislation must be commended.
As you mentioned, I focused my entire career on
cybersecurity, looking at both the technology and the
applications and certainly the trust engaged in public-private
partnership and the need for more information sharing.
McAfee is the largest dedicated cybersecurity company in
the world, and we are also a wholly-owned subsidy of the Intel
Corporation. We protect the cyber spectrum, from the biggest
computers and the big cloud computing, as we all refer, to the
smallest components, even down to our cell phones or airplane
avionics systems and our cars and certainly now to the chip.
My testimony will focus on the following key areas: The
evolution of the cyber threat landscape; McAfee's Global Threat
Intelligence Solution; and the paradigm change that we need to
make in order to protect our cyber infrastructures and thus our
global critical infrastructures; two major cyber security
events, advanced persistent threats that we have seen, these
are just two of many, many, just two that have been vocalized;
and certainly some policy recommendations to improve public-
private sector information sharing.
Our adversary is strong. Our adversary is smart. They act
faster than we do. They have full funding, in many cases, from
governments, from nation states. They have malicious intent,
and they don't have the intellectual property barriers that we
do. They don't have the legal barriers that we do to execute.
They are criminals; there is nothing to lose.
So when you look at the landscape from 20 years ago and you
look at ``antivirus,'' all of the adversary's ability over the
past 2 decades, all of the damage we have talked about this
morning, has been enabled by malicious code, the ability of an
adversary to execute their will somewhere else, and whether it
causes, as in the old days, just something to prove that
somebody can do something all the way to financial organized
crime with a financial motivation, and now, as we are seeing,
government-structured or nation-state attacks that look for
destruction and/or the taking of intellectual property.
As we look at how we fight that, a signature will not beat
this adversary. Signature was a legacy model. We should know
about the attack. We will protect everybody, and boom, they are
fine when they get it, sort of like a vaccination.
That doesn't work anymore. We need a full paradigm shift to
retake the global cybersecurity picture that we have as a
private industry and Government and infuse that into our
network fabric, again from cloud to chip, where the enemy's
will is blocked before it reaches a target.
When you think about global threat intelligence and what we
mean by that, McAfee and other companies in the IT
infrastructure and other infrastructures have the ability and
have developed very sophisticated information-gathering
capabilities where we have a weather map, a cyber weather map
of events that happen all over the world, an understanding of
traffic volumes, an understanding of what machines are doing,
what harm and to where, where they are targeting, where
malicious code that looks just like other malicious code is
being sent.
We have to react in two ways: We have to react first and
foremost to beat this adversary in milliseconds. The one thing
this enemy can't do is understand how the entire system works
and block it in real time, so the disease never reaches your
body or your body can fight the disease in real time without
understanding the name of the germ first.
The second thing we have to do is better enable ourselves
to share information at the human level. While that is not real
time, it helps us understand the motivation, understand future
targets and, first and foremost, protect ourselves.
We looked at two major threats over the past couple of
years and led the investigations at McAfee. There are many
others like this, but first one was Operation Aurora, same name
as the diesel generator explosion at INL; however, we kept the
name for this one. That is the name the bad guys gave it. It is
in the file path.
This was the most sophisticated event we have ever seen
targeted toward the private sector. They usually save this for
our friends in Government. We estimate it took teams of people
many weeks to target the 20 or so companies they looked for,
the information they wanted to get, and, most powerfully, the
people in those companies that had an access to code stores of
that size, meaning the people that tested the code, the people
that have to see all of it working together.
They exfiltrated or took the copies of the code out to
servers placed in different countries, and they are using that
likely today. Many attacks exist that look just like this
today. They lurk; they are often called advance persistent
threat.
The other one we recently discovered and investigated was
called Night Dragon, similar set up but less sophisticated,
again one of many. But they were looking specifically at
architectural plans for pipelines in the oil and gas sector,
and this one was around the world.
Leading to the policy recommendations, the private sector
needs some stronger protections to share information with
Government and law enforcement. It was said in the earlier
panel, in the middle of the crisis, the operators will talk,
and they do. But we need to be better protected.
We and other companies put little pieces of the puzzle
together, and we get a very big picture, and we want to share
that with our colleagues in Government and in law enforcement.
We want to do that faster. We can't. It creates in many
cases material information that affects shareholders,
companies' bottom lines, and it can breach trust. We need much
stronger protection, so that when someone in law enforcement,
as they did, called me up and says, why didn't I have this
yesterday when you knew it, my answer doesn't have to be,
because I could get fired.
We have to beat this adversary, and we have to--we all of
the--we have a lot of the information we need among the private
sector to use the great collaborative organizations that DHS
and the FBI and others have created for us with the private
sector. Great construct exists. If we can put more information
into those, we can use those constructs to their fullest
potential.
So, in conclusion, I do want to thank you very much for
having us today, for being a part of the process. McAfee is
very committed to working with the U.S. Government to solve the
cybersecurity challenges and to beat this adversary.
[The statement of Ms. Schneck follows:]
Prepared Statement of Phyllis Schneck
March 16, 2011
Chairman Lungren, Ranking Member Clarke, and other distinguished
Members of the subcommittee, thank you for requesting McAfee's views on
the cyber threat to critical infrastructure and the American economy.
Your committee is playing a vital role in helping to define the
contours of the cyber security debate, and your aim to write
thoughtful, incentives-based legislation must be commended.
My name is Phyllis Schneck and I have dedicated my entire
professional career to the security and infrastructure protection
community. My technical background is in high performance computing and
cryptography. In addition to serving as Vice President and Chief
Technology Officer, Global Public Sector, for McAfee, I serve as
Chairman of the Board of Directors of the National Cyber Forensics and
Training Alliance, a partnership between Government, law enforcement,
and the private sector for information analytics that has been used to
prosecute over 150 cyber criminals world-wide. Earlier, I worked as
Vice President of Threat Intelligence at McAfee and was responsible for
the design and application of McAfee'sTM internet reputation
intelligence. I have also served as a commissioner and working group
co-chair on the public-private partnership for the CSIS Commission to
Advise the 44th President on Cyber Security.
Additionally, I served for 8 years as chairman of the National
Board of Directors of the FBI's InfraGardTM program and as
founding president of InfraGard Atlanta, growing the InfraGard program
from 2,000 to over 33,000 members Nation-wide. Before joining McAfee, I
was Vice President of Research Integration at Secure Computing. I hold
a Ph.D. in Computer Science from Georgia Tech, where I pioneered the
field of information security and security-based high-performance
computing.
My testimony will focus on the following key areas:
The evolution of the cyber security threat landscape;
McAfee's Global Threat Intelligence Solution and the role it
plays in enabling us to detect and remediate a wide range of
cyber security attacks on our Nation's critical
infrastructures;
Two major cyber security attacks, Night Dragon and Operation
Aurora, and their implications for our homeland security; and
Policy recommendations to improve public/private sector
information sharing that is essential to give the Government
the capabilities it needs to respond to the modern
cybersecurity challenge.
First I would like to provide a little background on McAfee and
some of our cybersecurity initiatives.
mc afee's role in cyber security
McAfee, Inc. protects businesses, consumers, and the public sector
from cyber attacks, viruses, and a wide range of on-line security
threats. Headquartered in Santa Clara, California, and Plano, Texas,
McAfee is the world's largest dedicated security technology company and
is a proven force in combating the world's toughest security
challenges. McAfee is a wholly owned subsidiary of Intel Corporation.
McAfee delivers proactive and proven solutions, services, and
global threat intelligence that help secure systems and networks around
the world, allowing users to safely connect to the internet and browse
and shop the web more securely. Fueled by an award-winning research
team, McAfee creates innovative products that empower home users,
businesses, the public sector and service providers by enabling them to
prove compliance with regulations, protect data, prevent disruptions,
identify vulnerabilities, and continuously monitor and improve their
security.
To help organizations take full advantage of their security
infrastructure, McAfee launched the Security Innovation Alliance, which
allows organizations to benefit from the most innovative security
technologies from thousands of developers who can now snap into our
extensible management platform. Today, more than 100 technology
partners--large and small businesses all committed to continuous
innovation in security--have joined the alliance, with more to be
announced soon.
Two years ago, McAfee announced an initiative to fight cybercrime,
a wide-ranging initiative aimed at closing critical gaps in assisting
victims of cybercrime and preventing new events. The initiative is
anchored by a multi-point plan that includes calls for action from law
enforcement, academia, service providers, Government, the security
industry and society at large to deliver more effective investigations
and prosecutions of cybercrime.
Key elements of the plan include:
Education and Awareness.--McAfee works to ensure that
officials around the world have the capacity to properly fight
cybercrime, while helping users build ``street smarts'' so that
they don't become easy victims.
Legal Frameworks and Law Enforcement.--McAfee works to
facilitate international collaboration and mutual assistance on
cybercrime among governments, industry, and non-governmental
organizations (NGOs).
Innovation.--McAfee works with the technology industry to
provide technology solutions that stay one step ahead of the
threats.
McAfee is also supportive of the National Strategy for Trusted
Identities in Cyberspace (NSTIC), working with our partners in
Government and industry to enable innovation for more efficient
authentication and other technologies facilitating a safer and more
pleasant experience for electronic transactions.
McAfee is committed to bringing the best security products and
services to the market, partnering with leading IT vendors to ensure
that customers have the ability to pick and choose the best solutions
to close their security gaps, and giving consumers and organizations
additional resources and support to fight cyber-crime ranging from
organized financial crime to attacks that user the cyber infrastructure
to gain access to intellectual property or physical infrastructure.
Likewise, McAfee is committed to taking part in a constructive dialogue
with policy makers on cyber security initiatives, as we are pleased to
do in this hearing today.
the evolution of the cyber security threat landscape
For purposes of this testimony, we define malware as a set of
instructions for a computer that causes the computer to behave in the
will of the malware owner, such as providing unauthorized access to
information or systems that control physical/kinetic infrastructure.
Computers execute instructions. Malware puts the enemy's instruction
next on the list, and then the adversary controls all actions forward,
sometimes hiding its presence. Malware enters a machine from a variety
of ports, typically email, web, or connection-level access that is
unprotected or ill advised to admit these harmful instructions. Malware
can also be referred to commonly as a ``virus.'' As in biology, when a
machine has a virus it is compromised and its functions can cause harm.
Historically, security software relied on antivirus ``signatures''
to recognize and block malware. Once a virus was detected, a signature
was developed by the security software vendor and deployed in the form
of a DAT file downloaded to the security software on customers'
computers. That software would then be in a position to recognize and
block the malware--an approach much like a vaccine that requires
advance knowledge of the threat. However, this approach is not
sufficiently fast to fight today's cyber adversary, and that is why
McAfee is changing the paradigm to proactive defence in real-time: to
make our networks sufficiently intelligent to prevent malicious
instructions from reaching the target--instead of requiring that the
target be vaccinated with a signature.
Today, malware developers combine web, host, and network
vulnerabilities with spam, rootkits, spyware, worms, and other means of
attack. Significantly, malware is often distributed with micro-
variations (polymorphism), or the ability to change quickly, with the
effect that a signature developed when the malware is first discovered
is ineffective against the multiple, very slightly different forms of
the same malware. This is analogous to a disease mutating so that the
vaccine is no longer effective. Malware may be distributed indirectly
by networks of computers that have been corrupted by a criminal (a
``botnet'').
Criminals, terrorists, and nation states often invest great efforts
to deploy their software in hundreds of thousands or indeed millions of
computers owned by innocent third parties, in order then remotely to
command their botnet to launch an attack on a particular set of
targets. The malicious software distributed by botnets will often
actively evolve to become whatever is needed by its controller and is
not limited by the boundaries of antivirus labels. This means that code
that appears otherwise harmless in order to be let into the network can
be told to spread rapidly. This is why we refer to this type of code as
a worm. It means, for example, that malware originally configured to
generate spam messages can be instructed to steal banking information.
Again, cyber actions rely on the execution of instructions, and a
compromised machine often follows the adversary's instructions to reach
out to a server in another location for its next set of instructions,
which can vary widely.
By leveraging multiple threat vectors and ``one-time usage,''
hackers are able to extend the time period in which their malware
remains undetected and are thus able to steal the money, personal data,
and other valuable information of users throughout the United States
and the world. In this way, what might be called classic ``viruses''
have been blended in recent years with other types of malware and
techniques used by malicious hackers intent on stealing personal data.
Hackers have discovered that direct external attacks are unnecessary
and risky. It is now easier to engineer malicious software that is
delivered to a system remotely through various means.
Modern malware thus can no longer be classified by its perceived
purpose or propagation method, because those change in an instant. Some
types of software can be engineered to gain access to and maintain
control over the victim's machine. Once the malware is on the system,
it seeks to communicate with its controlling entity--the criminal
actor. Once communication is established over the internet, any
compromised machine can be instructed both to pass over any data of
value to the criminal and to act as an instrument of attack against
other computers and networks.
mc afee global threat intelligence
McAfee and other sophisticated cyber security providers have
developed multi-vector, real-time, predictive protection against these
more sophisticated attacks on information systems. McAfee's solution is
known as Global Threat Intelligence, or GTI. Cybersecurity solutions
based on this GTI approach protect the customer's computer by
calculating the potential risk of a piece of content based on
experience with the IP address from which it originates, the website,
or other elements associated with the content in question.
Thus cybersecurity providers offer solutions enabling the customer
to stop content that is analyzed as having a risk probability score
that in the customer's view is ``too risky'' to be loaded into the
memory of the customer's computer. McAfee GTI tracks the anomalous
behavior and proactively adjusts an entity's reputation--its website,
IP address, domain, file, network connection, and so forth--so that
McAfee products can block the threat and protect customers. Then McAfee
GTI looks out across its broad network of sensors and connects the dots
between the website and associated malware, email messages, IP
addresses, and other associations, adjusting the reputation of each
related entity so that McAfee's security products--from endpoint to
network to gateway--can protect users from cyber threats at every
angle.
McAfee GTI offers the most comprehensive threat intelligence in the
market. With visibility across all threat vectors--file, web, message,
and network--and a view into the latest vulnerabilities across the IT
industry, McAfee correlates real-world data collected from millions of
sensors around the globe and delivers real-time, and often predictive,
protection via its security products.
Our cyber enemies are smart and fast. They maintain their knowledge
of networks and techniques by freely sharing information, enjoying a
lack of legal or intellectual property barriers that often block the
defenders. The adversary is well-funded, often by governments, and has
no barrier to swift execution. This is why our cyber infrastructures
have become their play land. The ability to see a global cyber picture
and to have situational awareness is what the adversary cannot do. This
is where we can win--by making the network fabric reject malicious
instructions in real-time, at the speed of light, before they can hit a
target. This is how we can be faster than the adversary, and this is
the paradigm shift from vaccines to a cyber immune system that enhances
cross-sector cyber resiliency.
Our Global Threat Intelligence service as well as a number of our
other products and services helped us first detect and then remediate
two important global cyber security attacks--Night Dragon and Operation
Aurora. These attacks are significant because they were managed by
coordinated and organized teams that succeeded in extracting billions
of dollars of intellectual property from leading American companies in
the information technology, defense, and energy sectors--strategic
industries vital to the country's long-term economic success and
National security.
operation aurora
On January 14, 2010 McAfee Labs identified a zero-day (previously
publicly unknown) vulnerability in Microsoft Internet Explorer that was
used as an entry point for Operation Aurora to exploit Google and at
least 20 other companies. Microsoft has since issued a security
bulletin and patch.
Operation Aurora was a coordinated attack that included a piece of
computer code that exploits the Microsoft Internet Explorer
vulnerability to gain access to computer systems. This exploit is then
extended to download and activate malware within the systems. The
attack, which was initiated surreptitiously when targeted users
accessed a malicious web page (likely because they believed it to be
reputable), ultimately connected those computer systems to a remote
server. That connection was used to steal company intellectual property
and, according to Google, additionally gain access to user accounts.
We also discovered that intruders used a social engineering
message, known as spear-phishing, to target employees with a high level
of access in these companies (either software developers, quality
assurance engineers, or domain administrators). The message would come
from a previous acquaintance of the targeted user and would ask them to
click on a web link pointing to a web server in Taiwan. As we uncovered
and then reported to Microsoft, the web link hosted an obfuscated and
encoded exploit for a zero-day vulnerability in Internet Explorer.
If a user had clicked on a link with Internet Explorer version 6,
their machine would be automatically compromised and malicious code
would be downloaded and executed stealthily on the computer. The Trojan
would establish an evasive backdoor command and control channel to the
same server in Taiwan through which live attackers would jump onto the
system and proceed to escalate their privileges on the local machine as
well as other servers within the network. As they moved rapidly through
the network, they would identify and compromise repositories of
intellectual property and exfiltrated data of interest out of the
company. In many cases, this data included source code--the crown
jewels of these information technology companies--which then could be
used by attackers to discover new vulnerabilities in software that is
used by the critical infrastructure industry, Government agencies, and
many other organizations across the globe.
McAfee is continuing to work with multiple organizations that were
impacted by this attack, as well as with various Government agencies,
to address this major supply chain attack in the U.S. commercial
sector.
night dragon
McAfee has identified a string of attacks designed to steal
sensitive data from targeted organizations. Unlike opportunistic
attacks, the perpetrators appear to be highly organized, premeditative,
and motivated in their pursuits.
Night Dragon attacks are similar to Operation Aurora and other
advanced persistent threats, or APTs, in that they employ a combination
of social engineering and well-coordinated, targeted cyber attacks
using remote control software and other malware. McAfee has linked
these attacks to intrusions starting in November 2009, and there is
circumstantial evidence suggesting they may have begun as early as
2007. Currently, new Night Dragon victims are being identified almost
weekly.
Night Dragon attacks leverage coordinated, covert, and targeted
cyber attacks involving social engineering, spear-phishing,
vulnerability exploits in the Windows operating system, Active
Directory compromises, and remote administration tools, or RATs. The
attack sequence is as follows:
Public-facing web servers are compromised via SQL injection;
malware and RATs are installed.
The compromised web servers are used to stage attacks on
internal targets.
Spear-phishing email attacks on mobile, VPN-connected
workers are used to gain additional internal access.
Attackers use password-stealing tools to access other
systems--installing RATs and malware as they go.
Systems belonging to executives are targeted for emails and
files, which are captured and extracted by the attackers.
McAfee has evidence of Night Dragon malware infections in the
Americas, Europe, and Asia. McAfee has also identified tactics,
techniques, and procedures (TTPs) utilized during these continuing
attacks that point to individuals in China as the primary source. The
Night Dragon attackers are currently targeting global oil, energy, and
petrochemical companies with the apparent intent of stealing sensitive
information such as operational details, exploration research, and
financial data related to new oil and gas field bid negotiations. As we
saw with the WikiLeaks document disclosures brought about by a
malicious insider, sensitive data theft can be highly damaging beyond
regulatory penalties and lost revenue. And unlike Stuxnet, the tools
and techniques behind Night Dragon are not specific to critical
infrastructure and can be used to launch attacks against any industry.
policy recommendations
Officials have made tremendous progress in the creation of
information-sharing constructs comprising multiple agencies and the
private sector. With good information, the collaboration enabled by
these constructs will help us to achieve what the enemy already has:
Speed and alacrity of information sharing and acting on it for high
impact.
In many cases, private sector companies can solve a cybersecurity
puzzle by evaluating many disparate clues. Private companies need
protected ways to share their big-picture research findings with the
Government without loss of trust or creation of material events for
stockholders, so that the most significant cybersecurity information is
expeditiously actionable. This is the human component of what Global
Threat Intelligence does at machine speed. We need both in order to
defeat cyber adversaries, whose aim is to harm our way of life.
Existing public/private partnerships should ensure that senior
corporate and Government officials are positioned to share vital
information and best practices. Among other things, this means access
to sensitive (or classified) information and a secure mechanism for
sharing it.
Broad-based situational awareness is vital to securing our global
cyber systems and ensuring our National security. Policies that enable
companies and governments to work together, using global threat
intelligence (e.g., combining cyber, energy, finance, and other data)
to enhance correlation and predictive capabilities, are critical to
real-time responsiveness within the network switching/routing fabric.
The Lieberman-Collins-Carper bill supports such information sharing by
requiring the Government to share information, including threat
analysis and warning information, with owners and operators regarding
risks to their networks. Legislation developed in the House of
Representatives would benefit from similar language.
conclusion
The cybersecurity challenge faced by our country is a serious
matter that requires an evolution in the way in which both the public
and private sectors collaborate. Each sector has its own set of core
capabilities; only the Government can implement the complex set of
organizational and policy responses necessary to counter the growing
cybersecurity threat. Leading information technology companies and
their customers are uniquely positioned to act as early warning systems
that can identify and help address cybersecurity attacks as a real-time
cyber immune system.
With the right industry-Government collaboration, networks of the
future can comprise intelligence and create resiliency by instantly
rejecting harmful code in milliseconds as opposed to the hours it
traditionally takes to make a signature, just as our bodies reject
viruses even though we may not know the name of the particular disease.
Information technology companies focused on cybersecurity in particular
have the resources and the economic incentives to continue to invent
and develop the technologies and solutions needed to stay ahead of
sophisticated cyber attackers. In the best American tradition of
collaboration, the public and private sectors have made important
strides to address the cybersecurity challenge and to enhance trusted
working relationships. As we work together to further evolve our
collaboration models, we can succeed in protecting our homeland from
the threat of cyber attacks.
Thank you for asking me to take part in this hearing on behalf of
McAfee. I would be happy to answer your questions.
Mr. Lungren. Thank you very much.
Mr. Lewis.
STATEMENT OF JAMES A. LEWIS, DIRECTOR AND SENIOR FELLOW,
TECHNOLOGY AND PUBLIC POLICY PROGRAM, CENTER FOR STRATEGIC AND
INTERNATIONAL STUDIES
Mr. Lewis. Thank you very much, Mr. Chairman, and thanks to
Ranking Member Clarke and, of course, hello to Congressman
McCaul, who was invaluable as the cochair in leading the CSIS
commission. So one of the reasons it has been downloaded so
many times is due to him.
This will be a good year for cyber security because of the
work of this committee and others. With luck, I think in this
Congress, we will see real progress in making our Nation more
secure.
But this outcome is not guaranteed. We have been trying for
years to secure our networks, and we have not succeeded, right.
So you have heard the litany of problems, major
corporations, banks, Government agencies; they have all been
victims. We have lost sensitive military information, oil
exploration data, valuable commercial technologies and millions
of dollars from banks.
The interesting thing about these crimes is that they are
risk-free. No one has ever been punished for them, and so, of
course, when you have a crime and no one gets punished, they
are just going to do it again, right.
What we are doing now to secure cyberspace is not working.
There has been real progress at some agencies, like DHS, but we
need to rethink our approach. To put this in perspective, think
about the threats we face. First, a few advanced militaries
have the ability to use cyber attacks to disrupt critical
infrastructure and service. They have done the reconnaissance
on critical infrastructure. They have planned how to do this.
They will not launch a cyber attack because they are not
going to start a war for no reason with the United States; they
are deterred by our military. But if they ever did attack us,
we are prepared to defend ourselves.
Terrorists do not yet have the capability to launch cyber
attacks, but groups like al-Qaeda in the Arabian Peninsula are
seeking to acquire these capabilities. Perhaps more worrisome,
Iran and North Korea are developing cyber attack capabilities.
When these terrorist and rogue states can launch a cyber
attack, they, too, will find that we are unprepared.
Cyber espionage and cyber crime are daily occurrences in
the United States, and they do long-term damage to our economy
and to our global competitiveness. They also help set the stage
for cyber attack. Some of our opponents use cyber criminals as
mercenaries, as proxy forces. Our most advanced opponents in
cyber crime and cyber espionage can overpower even the most
technologically sophisticated U.S. company, and we have seen
many examples of that.
Agencies have made strenuous efforts, but we are not yet
prepared to defend ourselves. There are three key issues that I
call to the committee's attention, how to give Government a
leading role in cybersecurity, how to ensure cybersecurity at
critical infrastructure, something we cannot do now, and how to
create international rules to reduce the risk of cyber crime
and the risk of cyber war?
These are all hard problems, but they are not impossible.
CSIS' Cyber-Security Commission, which Congressman McCaul
helped lead, has released two reports with recommendations. Our
fundamental point, and this gets to the question about the 2003
National strategy, our fundamental point is that the old
approach doesn't work, and we need a new strategy that uses all
the tools of American power, military, law enforcement,
Homeland Security, partnership with the private sector. If we
can come up with this new combined strategy, we will be able to
do something effective to protect ourselves, but we are not
there yet by any stretch of the imagination.
With this, I thank the committee and look forward to your
questions.
[The statement of Mr. Lewis follows:]
Prepared Statement of James A. Lewis
March 16, 2010
Chairman Lungren, Ranking Member Clarke, and Members of the
committee. Let me begin by thanking you for this opportunity to testify
on this important subject.
Cybersecurity first came to the attention of the public in the mid-
1990s, some 15 years ago. The first major policy for cybersecurity,
Presidential Decision Directive 63, appeared in 1998.
In the intervening years, there has been much discussion and a few
new ideas. We can get a sense of the state of cybersecurity and whether
there has been any progress the United States by reviewing major
cybersecurity events that have occurred since the start of 2010.
January 2010.--Google announced that an attack had
penetrated its networks, along with the networks of more than
80 other U.S. high-tech companies. The goal of the
penetrations, which Google ascribed to China, were to collect
technology, gain access to activist Gmail accounts and to
Google's password management system.
January 2010.--Intel Corporation also disclosed that it has
experienced a harmful cyber attack at the same time.
January 2010.--Global financial services firm Morgan Stanley
experienced a ``very sensitive'' break-in to its network by the
same hackers who attacked Google, according to leaked e-mails.
March 2010.--NATO and the European Union warned that the
number of successful cyber attacks against their networks have
increased significantly over the past 12 months.
March 2010.--Australian authorities say there were more than
200 attempts to hack into the networks of the legal defense
team for executives from Australian energy company Rio Tinto,
to gain inside information on the trial defense strategy.
April 2010.--Hackers break into classified systems at the
Indian Defence Ministry and Indian embassies around the world,
gaining access to Indian defense and armament planning.
May 2010.--A leaked memo from the Canadian Security and
Intelligence Service (CSIS) says, ``Compromises of computer and
combinations networks of the Government of Canada, Canadian
universities, private companies and individual customer
networks have increased substantially . . . In addition to
being virtually unattributable, these remotely operated attacks
offer a productive, secure, and low-risk means to conduct
espionage.''
October 2010.--Stuxnet, a complex piece of malware designed
to interfere with Siemens Industrial Control Systems discovered
in Iran, Indonesia, and elsewhere, results in significant
physical damage to the Iranian nuclear program.
October 2010.--The Wall Street Journal reports that hackers
using ``Zeus'' malware, available in cybercrime black markets
for about $1,200, were able to steal over $12 million from five
banks in the United States and United Kingdom.
December 2010.--British Foreign Minister William Hague
reported (in February 2011) attacks by a foreign power on the
U.K. Foreign Ministry, a defence contractor and ``other British
interests.'' The attack succeeded by pretending to come from
the White House.
January 2011.--The Canadian government reports a major cyber
intrusion involving the Defence Research and Development
Canada, a research agency for the Department of National
Defence, the Department of Finance, and the Treasury Board,
Canada's main economic agencies. The intrusions forced the
Finance Department and the Treasury Board, to disconnect from
the internet.
March 2011.--Hackers penetrate French government computer
networks in search of sensitive information on upcoming G-20
meetings.
March 2011.--The Republic of Korea said that foreign hackers
penetrated its defense networks in an attempt to steal
information on the U.S.-made Global Hawk unmanned aircraft,
provided to Korea as it considers whether to buy the UAV.
Major corporations, financial firms, Government agencies, and
allies have all been victims, and these are just the events we know
about. There are of course many more incidents stretching back into the
1990s, that include the loss of tens of thousands of pages of sensitive
military information, market and exploration data worth millions from
oil companies, the loss of valuable commercial technologies, and
hundreds of millions of dollars from banks and other financial
institutions. Classified military networks have been penetrated by
foreign intelligence agencies. Best of all, from the perpetrators'
perspective, no one has ever been punished for any of these actions.
This is not a record of success. Whatever we are doing is not
working. Since 1998, we have repeatedly tried a combination of
information sharing, market-based approaches, public/private
partnership and self-regulation in a vain effort to strengthen our
cyber defenses. However, despite this dispiriting record of opponent
success, I feel confident in predicting that this year, the old, failed
formulas will be trotted out again this year. Many of the reports and
essays we see emerging now will advocate tired ideas in order to block
change rather than increase cybersecurity. While individual Government
agencies have made strenuous efforts to improve our cyber defenses, as
a Nation, despite all the talk, we are still not serious about
cybersecurity.
This is due to a reluctance to make the changes cybersecurity
requires. People still advocate strategies and policies that appeared
more than a decade ago and which have not worked. We have consistently
underestimated the risks and damage from weak cybersecurity. Everyone
is for better security, but there has always been some other objective
that seemed more important.
Cybersecurity is another of those situations in American history,
ranging from Pearl Harbor to 9/11, where we knew there was risk and
that we were unprepared, but assumed it would never happen because
America is too powerful or too big to attack.
Nothing has yet punctured this misplaced sense of invulnerability.
America is still powerful, and it is easy to say that the sky is not
falling and there is no need for haste. The effect of this over
confidence is to make tolerable the slow erosion of our National power
due to feeble cybersecurity. Some call it the ``death of a thousand
cuts,'' where each tiny cut goes unnoticed by the victim. There are
warning signs that even a Nation as rich and as powerful as the United
States is at risk. The challenges to our financial system and the loss
of manufacturing and innovative capabilities are subjects for another
hearing, but weak cybersecurity exacerbates these problems. Business as
usual means long-term decline as our economic and technological
leadership is damaged by cyber espionage.
There are also two sets of risk. One is immediate and real. Two of
our potential military opponents have the capability to launch damaging
cyber attacks against America's critical infrastructure. The Aurora
test at the Idaho National Labs and the Stuxnet worm showed that cyber
attacks can do physical damage. These opponents have carried out
network reconnaissance against critical infrastructure to allow them to
plan their attacks. The issue for this committee is that after 12 years
of information sharing, public private partnership, and voluntary
action, critical infrastructure in the United States is not ready for
an attack.
While these militaries have the capability to launch a damaging
cyber attack, they are unlikely to do so short of an armed conflict.
They are deterred by the threat of an American military response. Only
if we were to get into a shooting war with them, over Taiwan or
Estonia, could we expect to see cyber attacks. However, while we can
deter military attack, our military strength does not deter espionage
and crime in cyberspace. Deterrence not a solution for cybersecurity's
most pressing problems.
Cyber terrorism is still a distant threat, but it is a threat that
is increasing. Terrorists lack the capability to launch cyber attacks.
If they had this capability, they would have already used it. Our
original emphasis on ``cyber terrorism'' was wrong. The day a terrorist
group gets cyber attack capabilities, they will use them. At that
moment, if we have not improved our cyber defenses, they will succeed
in causing disruption and damage. It is concerning to note that a few
terrorist groups have expressed interest in acquiring cyber attack
capabilities--the most recent was al-Qaeda in the Arabian Peninsula
(AQAP). This group is worrisome. They are inventive in using the
internet for propaganda and organization, and they have said one of
their goals is to disrupt the American economy--this was the alleged
motive for their effort using printer cartridges in air shipments. We
have some number of years--I hope--before AQAP or another group, or an
irresponsible nation like North Korea or Iran, acquires cyber attack
capabilities, because we will not be able to deter them from attacking
and our defenses are inadequate.
If there is one conclusion that we can draw from the long list of
cyber incidents, it is that we are not prepared to defend ourselves. So
we are vulnerable, but the risk of attack is low for the moment. As
long as our opponents do not attack us, we are safe. This is not an
ideal strategy for a superpower. Our current approach to cybersecurity
leaves initiative and control to our opponents. It also is ineffective
in stopping the slow but steady damage to our economy and to our
National security that comes from cyber espionage.
Remedying the situation will take a concerted effort, but we are
far from consensus on how to proceed. We will hear that public-private
partnership is essential, because the private sector owns 85% of
critical infrastructure. The private sector owns 100% of the airlines
in the United States as well, but no one uses this as an excuse to say
we do not need an air force. We will hear that the internet must be
protected because it is a source of innovation. Now, in other fora, it
is common to hear that the United States is lagging behind in
innovation, so it is fair to ask just how much the internet has helped.
Innovation is a complex process and focusing on the internet as its
source is probably wrong, perhaps a last left-over form the dot-com
bubble. But the notion that ability to better protect intellectual
property and proprietary business information will somehow hurt
innovation is bound to reappear. We will hear that technology moves too
fast for regulation, but this is true only if you try to write
prescriptive regulations. It is an avoidable mistake. And there will be
a call for incentives, as if paying for an inadequate defense will
somehow make it better.
No sector has a greater incentive than banks to protect their
networks. They are a constant target. Some banks, particularly the top
tier banks, have sophisticated defenses. Despite this, they are hacked.
This is not surprising considering the thousand of probes they face
each year, but even with all the incentives in the world and with a
strong focus on cybersecurity that is matched in few other critical
sectors, they cannot be secure. If the banks cannot protect themselves,
why do we think other sectors will be able to do so?
The business implications for spending on cybersecurity by private
companies, especially critical infrastructure companies, are
straightforward. Investing in increased cybersecurity requires them to
spend on nonproductive assets. They will not get an increased return on
investment from this spending. There is a notion that if we could only
demonstrate the scope of the losses, companies would be incentivized to
recalculate the business case for cybersecurity and spend more. This
may not make sense for critical infrastructure. The bulk of the losses
come from the theft of intellectual property from commercial research
and manufacturing companies. Critical infrastructure companies are
likely experience less loss of this kind of data. The risk they face is
the potential for service disruption, but before the disruption occurs,
the cost may be so low as to be unnoticeable.
Additionally, it is likely that some industry sectors are more
important than others for cybersecurity. Opponents may consider the
defense, high-tech, or energy sectors as higher-value targets for
economic espionage. Electrical and telephone grids may be high-value
targets for critical infrastructure attacks, as disrupting them could
have cascading effects through the economy. The financial sector may be
particularly attractive as it is both a critical infrastructure--stop
the flow of money and you trigger immense disruption--and attractive as
a target for crime. There are indications that the financial sector and
the electrical grid face increasing risk because of heightened opponent
interest (whether State or criminal) in these sectors as targets.
This has implications for a National resiliency strategy. Without
external incentives, companies will be unwilling to invest in redundant
infrastructure to provide resilience. On the other hand, providing
incentives without also being able to enforce compliance means at best,
we will get a very uneven level of implementation and continued
vulnerability. Incentives only make sense if increased authority for
the Department of Homeland Security (DHS) accompanies them. Incentives
by themselves are a give-away without benefit to security.
Incentives will not solve the problem of our reliance on a
disaggregated, point cyber defense, where each network or user is
responsible for their own defense. This is the worst possible defense
against a skilled opponent. Every company is on its own, and they can
be picked off one by one. Providing incentives without being able to
coordinate our cyber defenses and ensure a common level of performance
is not an improvement.
Voluntary action is also not enough. Is there a more sophisticated
technology company than Google? Google has unparalleled skills and
resources. The same is true for Intel, Adobe, Microsoft, and the many
other companies that have allegedly been hacked. Voluntary action by
even the most sophisticated tech companies is inadequate. The reason
for this is simple. Pros always beat amateurs. We are asking
corporations to take on the most powerful military and intelligence
agencies in the world, agencies that do not observe our laws and that
do not like us. It is no contest. It is like sending the company
softball team against the Giants or the Yankees. Voluntary action by
itself will always be inadequate against dangerous foreign opponents.
Efforts to secure the Smart Grid are a good example of the problems
with a voluntary approach. Security standards published by the National
Institute for Standards and Technology in August 2010 were developed by
a consensus process that included 475 participants from the private
sector participants. A consensus process involving 475 people is itself
problematic. This is why the founders wisely opted for majority rule in
the Constitution. A report by the General Accountability Office from
January 2011 found that since these consensus standards are voluntary,
there is no way to enforce them or even know if companies are following
them. Perhaps unsurprisingly, the GAO also found that critical smart
grid elements ``do not have adequate security built in, thus increasing
their vulnerability to attack.''\1\
---------------------------------------------------------------------------
\1\ GAO, Electricity Grid Modernization (http://www.gao.gov/
new.items/d11117.pdf).
---------------------------------------------------------------------------
Voluntary action has not worked, but some argue it deserves another
chance and that we should pay companies to put better cybersecurity in
place, using incentives, but that we should also not tell them what to
do. This is a recipe for disaster. There is no other area of National
security were we rely on voluntary action reinforced by incentives. A
policy of voluntary efforts for better cybersecurity reinforced by
incentives is not a serious effort to protect National security against
real damage and a growing threat. These proposals are best seen as
intended to block reform rather than to promote cybersecurity.
Information sharing is a more difficult problem. No single agency
or company knows the full range of threats we face in cyberspace. The
National Security Agency, Cyber Command, and DHS have part of the
puzzle, the big telecom companies have another part, the antivirus
companies and big internet service providers another. If we could put
these parts together, our ability to protect the Nation would be
significantly improved. Perhaps 20 or 30 companies and two or three
agencies would need to share information and be partners in a National
defense. This would be a public-private partnership that could make a
difference.
And of course, it is impossible do to this in the United States.
Our laws and our policies block the one area where we could have
meaningful public private partnership and information sharing that
could make a difference. Some of the very organizations that stoutly
proclaim the need for public-private partnership also object to
meaningful information sharing, the one area where public-private
partnership makes sense.
After 12 years of experience, we can now say with confidence that a
voluntary approach to cybersecurity based on public-private partnership
and information sharing is inadequate to defend America. These are
elements of a comprehensive defense, but by themselves they are not
enough. They must be reinforced by an active defense that uses our
military and intelligence assets, by flexible regulation of critical
infrastructures and internet service providers, by a strong diplomatic
effort to extend the rule of law into cyberspace, and by expanding law
enforcement cooperation in every country to which we are connected.
In December 2008, CSIS issued a report by its Commission on
Cybersecurity for the 44th Presidency that laid out a number of
recommendations for a comprehensive National approach to
cybersecurity.\2\ While the report was well received, the
implementation of the recommendation has been slow. In February 2011,
the Commission issued a second, final report \3\ that assessed where
progress still needs to be made. We identified ten key areas and listed
the tangible steps that need to be taken. The most important of these
were the need for coherent Federal leadership, clear authority to
mandate better cybersecurity in critical infrastructure, and a foreign
policy that used both military and diplomatic tools to bring the rule
of law to cyberspace.
---------------------------------------------------------------------------
\2\ http://csis.org/files/media/csis/pubs/
081208_securingcyberspace_44.pdf.
\3\ http://csis.org/files/publication/
110128_Lewis_CybersecurityTwoYearsLater_Web.pdf.
---------------------------------------------------------------------------
These are crucial areas for improvement, but each raises
significant issues for the upcoming legislative debate. One issue is
whether DHS or at the White House should lead cybersecurity efforts. In
this case, there is not simple answer. DHS is best placed, working with
the Department of Defense and the National Institute of Standards and
Technology (NIST), to develop standards and regulations. DHS is best
placed to work with first-party regulators--FERC, FCC, FFIEC, and
others--to ensure compliance. On the other hand, the White House is
best placed to develop a National strategy, to coordinate military,
intelligence, law enforcement, and diplomatic activities, and to
provide Executive branch oversight and guidance for cybersecurity
activities and for privacy protection.
The first CSIS report discussed a new, flexible approach to
regulation that gave the private sector a greater role in designing the
rules while leaving enforcement to the Federal Government. Now, it is
quite true that regulation done badly can be very damaging. There are
countless example of that kind of prescriptive overregulation and
finding ways to streamline regulation is an essential task for America.
It is also true that no regulation leads to disaster. Even the
strongest proponents of deregulation do not call for the elimination of
the Federal Aviation Authority. All the airlines mean well and do their
best, but we do not feel comfortable leaving air safety to voluntary
action because lives are at stake. We do not feel comfortable saying to
companies, you make the decision on whether to sell nuclear or missile
technology to a foreign customer. We regulate them. Public safety and
National security require it. Regulation is unpleasant, but in some
cases, the alternative is worse. Cybersecurity is one such case. The
approach proposed in draft legislation, which is based on the Chemical
Facilities Anti-Terrorism Standards found in the Homeland Security Act,
offers a reasonable approach to better cybersecurity.
Precedents for a new approach can be found in recent changes to the
implementation of the Federal Information Systems Management Act
Reporting Guidelines or in the Consensus Audit Guidelines developed by
a consortium of Federal agencies including NSA and private
organizations. These guidelines identify technical security controls
that are effective in blocking high-priority attacks. They show that is
possible to identify practices that improve cybersecurity and measure
their effectiveness, since technology does not change too fast. I
recently spoke to the Deputy Chief Information Officer of an agency
that had implemented the guidelines--this was an agency that suffered
major losses to hacking a few years ago--and he said the improvement in
their defenses has been dramatic. I asked if the Guidelines are not
getting out of date, as they are 2 years old, and he replied that not
only are they are still effective, that implementing the first four
guidelines stops most of the attacks. It is now possible to identify
effective practices and continuously measure how well they work--if
they are implemented.
A comprehensive strategy that coordinates military, intelligence,
law enforcement, and diplomatic activities is essential for securing a
global network. Reducing cyber crime will require a strategic,
National-level approach that uses law enforcement, intelligence, and
diplomacy. The most sophisticated cyber criminals live overseas, in
countries that do not cooperate with U.S. law enforcement. The problem
is complicated by the fact that a few countries tolerate and even
encourage cyber criminals. They use them as proxies, as irregular
forces to carry out operations for the Government. The provide
resources and sometimes training. It will not be an easy task to get
these countries to stop cybercrime, and there is little that the
private sector can do.
Limitations on the use of our military and intelligence
capabilities continue to weaken cybersecurity in the United States. A
case from last year shows the situation. We are told that a leading
American bank had its networks penetrated by Russian hackers. The
hackers extracted millions of dollars. The bank, of course, said
nothing publicly. But while the crime was in progress, it was detected
by an American intelligence agency. As an intelligence agency with no
domestic authority, there was nothing it could do other than relay the
information to law enforcement agencies, a cumbersome process under
today's laws. By the time this was done, the crime was over. Active
defense would have let the intelligence agency detect the incoming
attack on the internet backbone, on the borders of America's National
networks, and stop it. Active defense could be structured to operate
like NORAD, where the Air Force protects our skies, by focusing on
foreign threats. It is not perfect, but it works and other nations are
deploying this kind of defense against foreign attacks.
Active defense is the future of cybersecurity. It raises two key
issues, the first being the need for additional privacy safeguards and
oversight and the second being the division of responsibility between
DHS and DOD. Stronger cybersecurity probably requires a new approach to
privacy and a strengthening of existing oversight mechanisms. To give
two examples, the Privacy and Civil Liberties Oversight Board, PCLOB,
does not have cybersecurity in its legislative charter, nor is there
Executive branch guidance (along the lines of Executive Order 12333,
which governs intelligence activities) for agencies in how to perform
their cybersecurity missions. Both of these reflect the need to adjust
our laws and regulations to the new cyber environment.
DHS and DOD both have important and potentially complementary roles
to play in cybersecurity. DHS is best placed to work with critical
infrastructure and to ensure domestic preparedness. Only DOD has the
capability to respond to foreign opponents. There are still
coordination issues that need to be worked through, and some of these
issues will be resolved only when the White House has a stronger role
in cybersecurity, but the recently signed Memorandum of Understanding
signed between Secretaries Napolitano and Gates is an important first
step in building a coordinated defense.
The problem of international engagement is challenging, in part
because for years the United States believed that cyberspace would be
some kind of self-governing utopia. As the security situation worsened,
as cyberspace became a new domain for conflict, and as the political
implications of the new technologies became apparent, other nations
have decided to extend government control into cyberspace. This trend
is irreversible. The United States must engage with these nations in
order to influence, if not lead, this restructuring of cyberspace
governance, in order to ensure that the political values we cherish--
openness, global connectivity, and freedom of speech--continue to guide
development of the global network. Thinking on how to do this is at a
very early stage. New kinds of expertise are required and there are
only a handful of people with relevant experience. The State Department
has just created a new cyber coordinator position and with the right
support form Congress, this could allow the United States to regain
international influence.
These are complicated issues and the account above is necessarily
summary. They receive more detailed treatment in the CSIS reports.
However, in drafting the final report, we found that as the prospect
for change increases, so will resistance to it. People are wedded to
old ideas, even if they do not work. New kinds of expertise are
required for understanding cybersecurity. Above all, many still place
some other priority above securing our Nation's networks.
It is this last point that worries me the most. When we look at
nations that have fallen on hard times, losing their power and their
international standing, very often it was because of internal problems.
Often, the leaders of these countries knew what the problems were. They
even knew what the solutions were, but their beliefs and reliance on
old approaches kept them from making the needed changes. So far, this
has been the case with cybersecurity in America. We are in a new world
and face new problems that old ideas will not solve, but it is hard to
give them up. Better cybersecurity is possible, but not if we continue
to use failed approaches.
This puts a great responsibility on Congress and the White House.
We have a real opportunity in the next 2 years to improve our cyber
defense. Doing this will require leaving old ideas behind, even though
many will still advocate them, and moving to a new, comprehensive
approach to cybersecurity that treats it as a major component of
National defense and homeland security. I thank the committee for the
opportunity to testify and will be happy to take any questions.
Mr. Lungren. Ms. Kwon.
STATEMENT OF MISCHEL KWON, PRESIDENT, MISCHEL KWON ASSOCIATES
Ms. Kwon. Thank you.
Good morning, Chairman Lungren, Ranking Member Clarke, and
other distinguished Members of the subcommittee.
My name is Mischel Kwon, and I am the president of Mischel
Kwon and Associates, LLC, a consulting firm specializing in
technical defense security, security operations, and
information assurance.
It is interesting to look at the changes and advances and
struggles of IT over the 30 years of my experience. If we look
out into the future, if I were to be testifying before this
committee in 10 years, I predict a very different situation. No
longer will governments or car manufacturers or hospitals or
electric power companies be in the business of IT.
None of these organizations will have large data centers
and infrastructures, e-mail servers, or application
programmers. Instead, we will have IT providers, just as we
have power providers and health care providers.
The cloud today is the first move to this new paradigm.
This movement is our opportunity to fix many of the problems
that rapid individualized IT growth has caused. We have the
opportunity to build security in, to fix the IT refresh
problem, to enable innovative technology, and to collapse the
IT community, allowing better collaboration, communication, and
sharing.
In looking to the future, it is important to recognize
where we have been successful and where we are stuck. We must
look at where IT is going in the next 10 years and prioritize
what we are working on so that we are addressing the issues
head on.
We have had significant progress over the 10 years in
heightening the importance of securing our IT systems and
infrastructures. We now understand the importance of policy,
process, technology, and detection.
We clearly understand the need for information sharing. We
now also realize we are all in the same infrastructure, the
internet, and that the idea of sharing infrastructure is the
wave of future.
Much-needed progress is being made in the modernization of
FISMA, understanding the need for continuous monitoring and
cyber scope that will enable the departments and agencies to
have a real understanding of the health and well-being of the
systems and networks supporting the Federal missions.
It is critical that as we move into this era of the cloud
that we are careful not to create home-grown solutions but rely
on the private sector and the COTS, commercial off-the-shelf
products, that can accomplish the requirements needed.
Difficulties have challenged us in security governance,
authorities, and information sharing. Many of these issues have
been complicated because we are trying to solve the policy
issues and the operational issues at the same time.
I do believe good efforts by good people with good
intentions have been made at the Department of Homeland
Security and across the U.S. Federal Government.
Today, many of the impediments in Federal Government that
slow down efforts to improve cybersecurity are caused by a lack
of clear governance structure, clear defined mission spaces,
and the authorities and budgets to successfully accomplish
those missions and understanding where collaboration is needed.
I do believe DHS has a primary role in cyber. Though I have
not always thought DHS could handle the important and broad
mission of cyber because of the maturation level of this young
agency, I do believe the operational mission of US-CERT belongs
to DHS, but as an autonomous, operational component, similar to
FEMA, with direct reporting capabilities to the Secretary.
I believe the mission of US-CERT must be more clearly
defined to enable it to be successful. It must be enabled to
succeed in the important operational mission and firewalled
away from the struggles of policy and relationship development.
The appropriate authorities must be given to US-CERT to allow
it to carry out the assigned mission.
Effective and actionable information sharing and a public-
private partnership is essential for cyber today and for the
future. We have made significant progress over the years but
now seem to be in a holding pattern, struggling with
procurement and legal issues that have frozen progress.
As we move to the new model of IT and the cloud, we will
need to take two steps: One to understand how we can
technologically share information more efficiently; and two,
how the private sector can take a leadership role, possibly
through a non-profit organization, to help free us from the
holding pattern from both sides.
We are moving rapidly to the new world in IT, a new world
in cyber with many opportunities. We must be prepared with a
strong, well-defined operational US-CERT that has the autonomy,
authority, budget to be successful in protecting the Federal-
civilian space. We must defend the shared space together with
the ability to share information through a healthy, public-
private partnership.
Thank you very much for the opportunity to testify.
[The statement of Ms. Kwon follows:]
Prepared Statement of Mischel Kwon
March 16, 2011
Good morning Chairman Lungren, Ranking Member Clarke, and other
distinguished Members of the subcommittee. Thank you for the
opportunity to testify before the Subcommittee for Cybersecurity,
Infrastructure Protection, and Security Technologies.
My name is Mischel Kwon and I am the President of Mischel Kwon and
Associates, LLC, a consulting firm specializing in Technical Defensive
Security, Security Operations and Information Assurance.
Previously I served as the Director of the United States Computer
Emergency Readiness Team (US-CERT) at the Department of Homeland
Security (DHS), and as the Deputy Chief Information Security Officer
and Director of the Justice Security Operations Center at the
Department of Justice. Most recently I was the Vice President of Public
Sector Security Solutions for RSA, the Security Division of EMC
Corporation. I received my Bachelor of Science and Master of Science
from Marymount University and a Master Certificate in Information
Assurance from George Washington University. I was a Cyber Corps
Scholar. In the nearly 30 years of my career to date as an IT
professional I have been a programmer, systems developer, network
engineer, program manager, and security professional.
Over the past 10 years the U.S. Federal Government has been
struggling, learning, and discovering what to do about ``cyber''. We
have been moving on a continuum that started with the discovery of
adversaries in our networks, has found us struggling with how to manage
our systems through the Federal Information Security and Management Act
(FISMA) and compliance, how to identify threats, attacks,
vulnerabilities, and how to work together to defend our networks. As we
move forward in a constantly evolving world of technology, life as we
know it is changing rapidly. Soon, most companies, even Government
departments and agencies, will no longer have data centers or continue
to own or manage their own e-mail servers, applications, or desktops.
The use of virtualized IT infrastructure is the future.
Virtualization, as the foundation of cloud computing infrastructure
will enable the ``Cloud'' to be the provider of most IT services. You
may say this is jumping ahead, but we must look at the answers to the
questions you are asking with the near-term future in mind, and the
near-term future is now--as many departments and agencies are already
moving applications such as e-mail to the cloud, many are building
private clouds, and many private sector companies are rapidly moving to
the cloud. This is not only an innovative solution to a much-needed
technology refresh in the civil government space, but if done
correctly, could be the answer to information sharing, infrastructure-
based defensive security, the cyber talent pool shortage and guaranteed
life-cycle management of our infrastructure resources. No longer will
companies or departments and agencies with missions different than
Information Technology need to be in the ``IT'' business. No longer
will we need to educate the heads of these organizations and have them
making IT risk decisions outside of the scope of their knowledge base.
We will deliver the requirements to the vendors; the vendors will then
supply the appropriate infrastructure and services, with security built
right into the technologies and the offerings.
This brings us to a critical crossroads in the continuum of
cybersecurity. Not only are we at the point where we realize the need
for governance, leadership, and cooperation between the Government and
private sector in order to have a chance at combating the adversaries
in an efficient manner, but we also are now at the part of the
continuum where the responsibility of protecting our assets processed
on IT systems--whether it is data or an operational function--will be
the responsibility of the private sector infrastructure providers. This
point was driven home during the initial phases of the Comprehensive
National Cybersecurity Initiative (CNCI) when the Federal Government
realized just how much of the internet is private sector-owned and -
operated, and that even if we do better at securing Federal systems, we
can't improve our Nation's cybersecurity posture without improvements
in the private sector in partnership with industry. As we continue to
move infrastructure and services to the ``cloud'', effective and
lasting partnerships with the private sector must be fully embraced and
leveraged.
Understanding the Information Technology roadmap that we are all
moving rapidly on also increases the importance of enhancing the
governance, authorities, and relationships that the Federal Government
has between and among the civilian departments and agencies, the
homeland security and law enforcement communities, the defense and
intelligence community and of course, the private sector.
As I move into the portion of my testimony where I will be
identifying obstacles and problems I have encountered during my Federal
Government service, there are a few caveats and points I would like to
make clear. First of all, cyber is a new field. At most, we can say
this is a 25-30-year-old industry. We must understand this is going to
take some time to mature. We will and have encountered issues, we will
learn of new problems . . . but we must work together to overcome these
challenges, quickly and effectively. Second, the Department of Homeland
Security (DHS) is a new Department and because of that it struggles
with the fundamental daily functions of being a Department from
procurement and budgets to hiring and operations. DHS is going to take
some time to develop the processes, policies, and procedures needed to
run smoothly and efficiently. It will not happen overnight and will not
occur without specific actions and programs to improve the baseline
operations. In addition, DHS has a very broad set of missions and
duties. Cybersecurity often takes a back seat to physical threats and
natural disasters in the daily and weekly grind of the Department.
Congress should do more to enable the cybersecurity components in the
Department to operate more effectively and independently without
getting bogged down in other DHS mission spaces, allowing cyber to
effectively operate as an independent component; allowing cyber to
separate itself from the quagmire of internal politics and jostling for
resources and mindshare. Third, there are a lot of really good people
who have worked this problem in the past and are working on
cybersecurity challenges today. As we point out the weaknesses and
problems, we must be cautious of tying the hands of dedicated security
professionals who are currently doing battle on a daily basis
(unfortunately not just with adversaries in cyberspace, but with the
bureaucracy within DHS). We cannot afford to forget these people. We
need these qualified individuals in this young and growing field. They
make sacrifices with their families, careers, and personal sanity to
serve our country in trying to fix these problems. We should take the
time to remember their service and take care not to diminish their
contributions as we examine and address cybersecurity challenges in
both the public and private sector.
During my tenure at US-CERT, we were at the very early stages of
developing critical relationships with Federal civilian departments and
agencies as well as relationships with the homeland security, law
enforcement, defense and intelligence communities, and the private
sector. It was clear there was a lack of governance and lack of
authorities to carry out the poorly-defined mission US-CERT set out to
accomplish. To examine this problem it is critical to break down the
US-CERT mission into: (1) Protecting the Federal civilian departments
and agencies, and (2) coordinating and collaborating with the private
sector.
Governance over IT in the Federal space has been an issue for many
years and to date has not been solved. FISMA, which was enacted in late
2002, was a start in attempting to set up roles and responsibilities,
including defining the roles of Federal CIOs and CISOs enabling
security structures to be built in Federal Executive branch departments
and agencies, as well as establishing reporting process for incidents
to US-CERT. This all being said, there were overarching and important
components of a success risk management strategy that have been
missing. As it stands today, the only requirement a Federal department
or agency has is to report the incident to US-CERT in the dictated time
frame based upon incident categorization using a 20-year-old taxonomy
that no longer describes the types of attacks that organizations are
experiencing. This creates inaccurate metrics, and little to no real
data on the actual attacks that are occurring in the Federal civil
space. US-CERT does not have the authority to require the departments
or agencies to share detailed information, or follow any specific
instructions. Departments and agencies interpret their reporting
requirements differently and therefore each reports incidents using
different definitions and methodologies. When I was the Director of US-
CERT if we needed Federal departments and agencies to follow specific
instructions, we would have to have the Office of Management and Budget
(OMB) require them to follow the instructions. Despite even OMB
guidance, the cooperation from Federal civilian agencies was
consistently on the low end.
Because many of the existing IT systems are owned and operated by
Federal departments and agencies, there is no existing direct authority
for DHS to require cooperation with US-CERT. This being said, it should
also be understood that some of the departments and agencies have more
sophisticated operations than US-CERT. The security operations centers
at State Department, Department of Justice, the Federal Aviation
Administration have a much higher technical monitoring and response
capability than US-CERT. In order for US-CERT to accomplish the mission
of protecting the Federal civilian agencies and departments day in and
day out, US-CERT must be empowered and its capabilities must continue
to be developed. It must have a clearly defined mission, authority, and
budget. It must have tools. These tools must be determined by what will
support the mission, not be tied to legacy systems, management, or
contractors. This must be a collaborative mission between US-CERT and
the departments and agencies. A ``dictatorship'' is not what is needed.
Collaboration and cooperation will enable the road to success. Even
more important is to clearly define US-CERT's role and the authorities
the organization and Director carry. Developing a ``council'' of
Federal department and agency Security Operations Center Directors and
the Director of US-CERT to help guide this mission makes sense in order
to ensure the mission of US-CERT stays on track, serves its Government
customers, and has a focused and effective mission strategy.
Today US-CERT is buried too deep within DHS. To even confuse the
issue more, US-CERT is a part of the National Cybersecurity and
Communications Integration Center. Instead of integrating the NCC into
US-CERT, yet another functional area has been opened, creating and
compounding the confusion. US-CERT must be given autonomy to allow it
to function as a successful operational entity--not laden in the
political quagmire of DHS, NPPD, CS&C, NCSD. In my view, in order to be
successful, US-CERT should be removed from the National Cybersecurity
Division (NCSD) and treated as a component organization similar to
FEMA. It should have its own budget that is not constantly diluted by
other, projects, programs and internal politics in NPPD, CS&C and NCSD.
US-CERT should have a clearly defined mission with attainable goals and
the autonomy to succeed in this operational mission. Yes, operational.
This is a roll up your sleeves and respond mission. This mission cannot
be performed anywhere else in the Federal civilian government . . . the
White House cannot carry out an operational function, the DoD cannot
perform an operational function of this nature domestically based on
the Constitution, and no other department or agency has the overarching
mission that allows for both emergency response and homeland
protection. DHS makes functional sense; US-CERT must be empowered to
fulfill its operational mission. As it stands today, US-CERT is
constantly caught up in political priorities and much time is spent
thrashing around, attempting to service too many projects and
stakeholders. A clear governance process in the Federal space, a
clearly defined mission and the authorities to support that mission, a
budget to carry out this operational mission, as well as autonomy to
operationally perform the operational duties are the steps to US-CERT
having the capability to make a difference in supporting the
departments and agencies as a part of DHS.
US-CERT's other mission is to coordinate and collaborate with the
private sector--specifically with critical infrastructure owners and
operators--is equally as important. Again, great mission, but rarely
accomplished. The work is often clouded by poorly defined expectations
and internal politics. US-CERT has absolutely no authority within
critical infrastructure that is owned or operated by the private
sector--nor should it. The Federal Government has no claims or
authority over privately held companies. Even in some of the current
draft legislation in both the House and Senate, participation in
Government-led cyber activities is by invitation only. Today's private-
public partnership efforts are bogged down with the same rhetoric,
politics, and legal barriers of the past 20 years. I will say that
presently US-CERT does little of the coordination. This is done
primarily through NCSD. Most of the communications is done by the
CSCSWG (Cross Sector Cybersecurity Working Group, a working group of
the ISACs) and most of the members are not actual security
professionals running security organizations, but a confusing mix of IT
and communications companies with individual company-focused agendas
and little or no focus on the operational agenda. An operational unit
like US-CERT must be firewalled away from this kind of dysfunction to
allow it to concentrate on the operation response mission.
The relationship between US-CERT and the private sector must be a
focused and well-defined mission. Prioritizing work with the
infrastructure providers--not individual IT product vendors--such as
ISPs, web hosting and caching, cloud providers and IT infrastructure
providers--to enable the focus on the operational response mission. I
understand the entire private sector IT and communications sector wants
to participate in future policy creation, but that function must not be
mixed with the operational mission US-CERT must succeed in.
So far, I haven't painted a very pretty picture of what is going on
at DHS in regards to cyber, but I want to re-iterate that I do believe
DHS is the right place for cyber. I also believe changes need to be
made in order for DHS to have a successful cyber mission. Giving US-
CERT the autonomy to embrace a well-defined operational response
mission (both with the departments and agencies as well as with
critical private sector players), with a budget and capabilities to
execute on the mission, and authorities to enable them to execute on
the mission is a very important step to success.
Creating a successful public-private partnership to help secure
cyber space is yet another mission that must be addressed. I think we
need to approach this problem from a different direction. We must not
look at it as a ``cyber space'' problem. That mission space is far too
broad. We must look at this problem in digestible pieces. Internet
infrastructure: Internet Service Providers, Cloud Providers, Web
Providers and Information Infrastructure Providers. Separate this from
the ``cyber war'' issue, separate this from the policy and legislative
issues. Move these layers away from the operational mission of US-CERT.
Take on the protect the infrastructure problem first. Work on the
information sharing problem with an operational lens. I truly believe a
technical solution must come in order to break the stalemate we find
ourselves in with regards to cooperation and information sharing. The
stalemate is centered on procurement, legal, privacy and proprietary
information issues. We must determine a technical function for
anonymously exchanging information. In addition, we must start
articulating the problem with the same vernacular. We must spend time
redefining the taxonomy and vernacular we use to work the cyber
problem. We must do this in order to establish meaningful metrics,
solutions, and focused solutions to the problem.
The ancient category one through eight taxonomy, where 99% of all
incidents are categorized as category three ``malware''--is useless in
the world of complex attacks and sophisticated adversaries. I do
believe this will become easier as we move on our continuum to the
cloud. I believe as it becomes a more defined industry and who actually
runs the ``IT infrastructures'' (i.e. clouds) becomes more defined,
information sharing will become better as a function of how many
entities must actually participate in the defense of IT as a whole. It
must be understood that a public-private relationship is a two-way
street. Often the Government is left holding the bag of failure when it
comes to this relationship. The burden here is not and should not be
solely on the Government. We all have critical information that, if
shared, would help the community as a whole. In the near future, the
Government will be squarely in the customer role as we move on the IT
continuum to the Cloud. We must look at how the Government and private
sector can shape a healthy relationship. I am a firm believer that the
private sector needs a private non-profit entity that would facilitate
the relationships of the many privately held IT companies. This non-
profit entity would facilitate the information sharing both on the
private side as well as a focused conduit for information sharing with
the Government. I do not see this as an inherent Government-only role.
I clearly understand there is a National defense role for the
Government in times of war, but we need to clearly define what that
means in terms of cyber, and yes that is clearly a DoD role--not a
civil Government role.
This being said, I do see technology developments that will remove
the legal and privacy issues around information sharing. We must
technologically come to a place where we can exchange information on a
technical level about threats, attacks, and mitigations without
disclosing information about the entity or entities involved. We must
focus as a community--not as a Government--on moving this solution
track along. We must be mindful of the circular rhetoric trap we get
caught in when we hear the words--public-private partnership--and
realize the actual work that needs to happen to accomplish the goal--
defending our IT assets and missions. The work that needs to be done is
to create technical processes, overcome procurement and legal issues.
This must be done as a community, lead by the private sector. The
Government's participation should be as a member of the community.
In conclusion, I do believe DHS has a primary role in cyber. Though
I have not always thought DHS could handle the important mission
because of its maturation level, I do believe the operational mission
of US-CERT belongs in DHS--but as an autonomous operational component
with direct reporting capabilities to the Secretary. I believe the
mission of US-CERT must be more clearly defined to enable it to be
successful. The appropriate authorities must be given to US-CERT to
allow it to function. Public-private partnerships need to be rescued
from the circling drain of rhetoric and lead by the private sector with
Government participation.
We are moving rapidly to a new world--we must clear our plates of
the static yada yada of stale circular discussions, identify the
operational function and technical solutions. Empower US-CERT to
succeed. Empower the private sector to lead. Empower the Government to
participate.
Thank you for this opportunity to testify. I would be happy to
answer any questions you may have at this time.
Mr. Lungren. I thank you all for your testimony.
I thank you all for being cognizant of our time limits, and
I appreciate that.
Dr. Schneck, how do we solve this problem of stronger
protections for sharing information from the private sector to
the Government? The reason I say that is, you have members of
the public who are naturally suspicious or skeptical of the
Government working with the private sector and not protecting
the individual rights of consumers and so forth.
If I am a credit card holder and all of a sudden, I find
that my credit card has been cancelled through no action of my
own, which happened one time when I tried to present it at a
restaurant, and then 2 days later, after we called one of the
major credit--that night when we tried to call them--well,
first of all, my wife went on the internet to find out what our
account was, and our account was gone. Then they told us, well,
they would send us a card in a couple of days. Now, obviously
there had been some sort of a loss of security within their
operation, but they didn't tell me what it was all about.
I suppose, so long as I didn't suffer anything beyond
that--however, if I had been traveling in the middle of the
country and only had one credit card, I would have been in real
trouble. But they obviously didn't want to share with me
whatever that was; they believe that they took care of it
internally.
But members of the public might be a little skeptical if
there is this broad protection that no matter what the company
involved with that information did, as long as they shared it
with the Government, they were protected from any liability, on
the one hand.
On the other hand, we want companies to come forward with
information about how there has been an intrusion. We want that
shared.
Where do we strike that balance? How do we strike that
balance from your point of view?
Ms. Schneck. So, thank you, Chairman Lungren, I will start
out by saying I am not a lawyer. I surround myself with a lot
and actually find it fun.
Mr. Lungren. Well, we have an abundance of lawyers here, so
we need some help.
Ms. Schneck. So, first, on the note of your lost account,
it likely is somewhere in Romania, and we can help with that
later.
The issue is difficult at best from what we see. You said
the word that I would choose, and that is balance. So, first
and foremost, we are not talking about sharing any kind of PII
or private information.
This type of data looks at volumes of traffic, malicious
code, malicious code that we can say, at a human level and at a
machine level for a lot of math, looks the same for a variety
of parameters. One might be an encryption algorithm that is not
commonly used, but, look, it is used here and it was used here
on the other side of the planet within the same 2 hours from
machines that have the same pattern of sending traffic.
That is the kind of data that our analysts and we call our
colleagues within the sector and across the critical
infrastructure sectors, and we reach out to the US-CERT. We
reach out to the FBI National Cyber Investigative Joint Task
Force with this kind of data of, and then it builds into a much
bigger picture.
The analogy I would use is from my days working as an
intern in a weather lab. If you see a lot of cold air above a
lot of hot air with wind direction in the opposite waves at
certain levels from the altitudes and then an air pressure that
is fairly low over a large region, any one of those things
could mean just a little storm. But if you put those together,
and you have a tornado, high probability.
What we want to share is not the air temperature in every
county; what we want to share is the people that need to leave
their homes, and we need to be able to do that more quickly. So
there is a big picture that we draw.
The problem is when you share out that big picture, such as
XYZ is happening in this sector, are we endangering the
companies in those sectors that we have already protected, both
electronically as well as informing the humans in those
companies, do we risk them having material shareholder issues?
This is such a new area for policy. That is the problem.
Mr. Lungren. Well, I would love to work with you and any
lawyers that you might run into on that, because I do think
that we have to have a greater accessibility of information in
both directions, and sometimes liability issues will interfere.
Let me ask you this. You used a great analogy, you said
vaccination doesn't work any more. Golly, I have McAfee on my
computer, and I thought I had vaccinated myself against
intrusions. Now you are telling me that my attempt at
vaccinating myself, my computer system, isn't enough?
Ms. Schneck. First of all, any security provider that says
you are 100 percent safe, I would get rid of them.
Mr. Lungren. Well, McAfee has never told me that.
Ms. Schneck. All right. So, second, you are vaccinated
against everything that we in the community know about.
The problem is the bad guy creates this code that changes
itself, just like the flu mutates, so we worry about the new
vaccine, in case your body can't deal with the mutation of the
disease and you get sick anyway.
What you are protected by with McAfee is the view of the
whole world now, so not just what we know about but what we are
seeing happening right now. Believe it or not, you are able to
be protected against something that might have been developed
on the other side of the planet that comes in with a risk score
so high it may not have a name, but you are going to block it.
That is the new paradigm we need, and it is not just our
data. We need the ability to combine our data with data from
other sectors, across the energy sector. What is the energy
sector seeing in cyber?
As a vision for the future, to Mischel's point, it will
look a lot different and a lot better in the future and we can
leverage the power of the cloud that was mentioned by being
able to put this kind of data together, infuse it into the
fabric, and make things more intelligent.
Mr. Lungren. Thank you.
My time has expired.
The gentlelady from New York is recognized for 5 minutes.
Ms. Clarke. Thank you very much, Mr. Chairman.
Ms. Kwon, cyber intrusions affect the private sector even
more than Government networks. Some of these private networks
involve critical infrastructures necessary for our society and
our economy to function.
What can DHS do to foster better cybersecurity practices in
the private sector? Does DHS need regulatory or enforcement
authority for critical infrastructure sectors, and should the
private sector be doing more on its own? If so, why isn't it
happening?
Ms. Kwon. Well, this has been always the very difficult
question because our critical infrastructure is not owned or
operated by the Government. Therefore, the Government does not
have any authority over the private sector.
What is needed here is better collaboration and better
communication.
Whether regulation is needed or not, I am not a regulator.
I am not in that kind of business. I am a technical geek by
nature. So I will leave that decision to the lawmakers and the
regulators.
But enabling us to more clearly communicate amongst the
Government and the private sector and share that critical
threat information is actually--is very important. But even
more than that, DHS helping the security teams that work in
those critical infrastructure environments to communicate with
their executives and their board members to enable the
financing that needs to be put behind securing critical
infrastructure is critical and important and to helping them
accomplish their mission.
Mr. Lewis. Can I just jump in on that one for a second? We
did a poll with McAfee recently, and it found that two-thirds
of the electrical companies in the United States had found
Stuxnet on their system, two-thirds. Of those two-thirds, only
40 percent had taken steps to remove it.
Does that make you feel good? Not me.
I think if we don't give DHS more authority, we will not
succeed at this, and I think CFATS might be a useful model to
think about.
Ms. Clarke. Thank you.
Dr. Schneck, your recent report on Chinese-sponsored
hacking into our energy sector computers was very concerning.
Is the industry now fully aware of this issue, and if so, have
you seen evidence that they have acted to protect themselves?
If not, why not, and where is the disconnect?
Ms. Schneck. So, on the question of, is the industry fully
aware, from reports like these that we have done with CSIS, we
consistently get surprise answers back. So, for example,
security spending last year went down with the recession, even
though awareness of the threat went up. So awareness and acting
may not always be related.
In addition, when you talk about being aware, although many
are aware there is a threat, I think that both public and
private can do a better job of explaining what that threat
really means. For example, you can have, you can have the
malicious code on your system, and it wouldn't be a threat, and
there are two cases why this is true.
One is, if you are not running any systems that that code
can actually access or use to your harm, you don't need to
worry about that particular threat, so we need to do some risk
analysis, back to the comment earlier about looking to the CFOs
and the risk people in each company; this is all a question of
the risk.
But the second thing is there is technology today that can
sit very quietly on a system and just decide these X processes
may run, that is it. Anything outside of those processes simply
should not run. So we are working with our colleagues and our
partners on how you embed this kind of technology into the big
component levels of industrial control systems, because we
can't always assume everyone is aware. This rose so quickly, we
can't make everyone aware, and we certainly can't predict the
next threat as quickly as the bad guy can send it.
You are leveraging the power of light. This is happening in
bits and bytes at the speed of light. So what we can do is say,
only those authorized can act.
Ms. Clarke. Thank you.
Mr. Lewis, in your writings, you have talked a lot about
public-private partnerships for the cybersecurity mission. Can
you explain to us what roles you feel each side needs to play?
What, for example, are the inherently Government functions, the
public side, and what components are best left for or even must
be left for the private sector?
Mr. Lewis. Thanks. That is a great question. The obvious
place to start for me is that development of technology has to
be left to the private sector, and they are just the masters at
it. We have to let them do it.
A place where public-private partnership makes sense is on
information sharing, and it is easy to get sort-of distracted
by the numbers in information sharing, but basically, there is
a small set of companies that have, including McAfee and
Symantec and others, the big telco operators, the big ISPs like
Comcast or Cox, put them together with DHS and with NSA, and we
will have a pretty complete picture of what is going on, on the
internet.
Now there are legal impediments to doing that, right, and
that is a harm to the ability to secure our Nation's networks.
But that kind of focused information sharing with a small group
of companies is a perfect place for a public-private
partnership.
On the other hand, there are some threats that only the
government can deal with. If we are talking about the Russian
military or the German military or al-Qaeda or the Iranian and
North Korean military, that is a government response, and there
is no company--the story I like to show is Google, greatest
technology company in the world, some would say, didn't take
the Chinese very long to get through their defenses. There are
some things only government can do.
Mr. Lungren. The gentleman from the second-largest State in
the union, Mr. McCaul, is recognized.
Mr. McCaul. California is close behind, I might add.
Jim, it is great to see you again.
Dr. Schneck, thank you for your service on the commission
as well.
I assure the Chairman that I was not personally responsible
for the 40,000 downloads of that report, but I will, I just
want to commend your leadership, which was far greater than
mine, in really herding cats on some of the top experts in the
Nation, putting that report together. Perhaps we should call
you the bots herder in cyber terms, I don't know.
You know, 15,000 Federal intrusions take place per day, so
you are going to have 40,000 downloads over a period of a year
or so, but 15,000 intrusions per day on the Federal Government.
As was pointed out, the three levels we always talk about is
the criminal aspect, the espionage and the warfare piece.
God knows how many are taking place in the private sector.
I am sure it is far greater than that. When you look at the
amount of data that has been stolen from just the Federal
Government alone, it rivals the Library of Congress, so it is a
very serious issue.
Jim, I just want to throw out just a very generic question.
Since the time of the report, I think the threat level has
increased. Do you feel that we have made any progress, and do
you feel that in any way we are safer?
Mr. Lewis. Thank you, and I do want to say that I believe
Congressman McCaul is right in that there were lots of clicking
noises late at night from both of our offices, but that wasn't
the cause of the downloads. So are we making progress? The
answer, I think, is, ``Depends.''
When you look at the Department of Defense, some tremendous
efforts with the creation of Cyber Command. When you look at
the Department of Homeland Security, significant improvement. I
think you heard Phil describe that. Other departments, State,
Commerce, have made some efforts.
So, overall as a Nation, OMB with its efforts to revise
FISMA and to find a better way to secure Federal systems, those
are all signs of progress, but it is not enough. We were behind
when we started, as you know, and we have not caught up.
So do I feel like we were more secure? We were on the path
to being more secure, and I think the work that this committee
and others in Congress can do might get us there by 2012, but
we are not there yet.
Mr. McCaul. With respect to--I am sorry, Ms. Kwon.
Ms. Kwon. Yes. I just want to add something to that in that
we do spend a lot of time talking about the success of DHS, but
I also want to say that there has been a lot of great success
among the departments and agencies. They have, over the past
several years, stood up several security operation centers and
have improved the security amongst some of the larger
departments and agencies, and I think that needs to be
recognized.
I think a lot of that comes from the actual awareness that
has been brought to bear through the CSIS Commission and other
efforts in getting the word out that cyber needs to be a
priority.
But I do think, in looking towards the future and things
that we need to improve is improving that communication within
the Government on the Federal, civil, civilian side of the
house, getting DHS to work more closely, not only with private
sector but with the civil agencies, CIOs and CISOs and work
that improvement across the Federal space together.
Mr. McCaul. One thing I noticed both you, Ms. Kwon, and Jim
mentioned was that DHS needs more authorities and that you, I
think you mentioned appropriate authorities must be given to
US-CERT. Can you be more specific?
Ms. Kwon. Well US-CERT does not--the authorities US-CERT
has today are centered around what they have with FISMA and the
reporting that the departments and agencies must do with them.
The problem with that is reporting is simply reporting,
working together is not working together.
So being able to work from a position of authority during
an incident with the departments and agencies, to request
information from them, to have certain actions performed, it is
very important for them to have that authority over the space
they are trying to protect, and they don't have that authority
today.
But in giving them the authority, they also have to have
the relationship with those departments and agencies. I think
that is where we are falling short; we are talking a lot about
authorities and more of a dictatorship and what we really need
to have is a collaborative partnership with those departments
and agencies so that they can take the actions needed in the
time of an event.
Mr. McCaul. I couldn't agree with you more on that.
You said something interesting that caught my attention
that I hadn't heard before, and that is that the nonprofit
could play a role in protecting the private sector.
Ms. Kwon. Well, I often find that private sector also has a
problem sharing with themselves. So sharing information about a
cyber attack is very difficult. I mean, it goes to reputation.
It has financial implications. It can ruin and crush companies,
as we have seen in the near recent past.
So it is important to be able to share. I think if we take
the Government out of the picture and allow private sector to
create a nonprofit together and start that sharing with the
Government as being a member but not the leader, I think we
might be able to find some success.
I also think that there are different levels of information
that we are talking about here, whether we are talking about
broad-threat information with attribution or whether we are
talking about technical TTPs, ways in which the malware works,
the actual code itself, how to detect it.
Being able to put together an organization that can share
those very granular, technical bits of information I think is
critical and important in moving forward and a way in which we
can do it circumventing some of the problems of law.
Mr. McCaul. I wanted to ask a question about Einstein-3,
but I see my time has expired.
Mr. Lungren. We might come back to you.
Mr. McCaul. Or somebody else. I would love a grade on
Einstein-3. Maybe I will ask it in a written question.
Mr. Lungren. The gentleman from Louisiana, Mr. Richmond, is
recognized for 5 minutes.
Mr. Richmond. Thank you, Mr. Chairman.
I guess this question is to Mr. Lewis. You were here when I
was asking the question about the health, electronic health
records and a baseline or a set of standards that we should
have, and I am looking at part of your testimony where we talk
about the smart grids and the voluntary approach.
I guess I am interested in your opinion on both with
electronic health records and the small grid and how vulnerable
we are, where we should be going and where we are today in
light of where we should be.
Mr. Lewis. Certainly. Thank you.
You know, a lot of times you will hear people say that we
don't know what standards to put in place and there are too
many standards or there are lots of standards, and that was
probably true a few years ago.
But we are now at the point where between our ability to
collect data, our ability to identify best practices, we can
now start to do things. We can now start to think of standards
or mandatory best practices that would improve cybersecurity,
either in health or in smart grids, in the electrical sector.
So I think we are on the cusp of being able to make that
leap. You can look at places like the Department of State that
have put into place a set of standards that have been very
effective.
In 2003, State lost 3 to 4 terabytes of information to an
unknown foreign opponent who probably lived in China. Three or
4 terabytes is about the equivalent of a third of the Library
of Congress. Today that couldn't happen because they have
identified best practices and things you can do.
So I think we can say now, do this and we will be safer,
right.
When it comes to actually putting those in place, HIPAA,
very old, very prescriptive regulations have immense drawbacks,
and we need to find a more flexible approach.
Smart grids, well, it will take a while before it's secure,
that might be the nicest thing to say. It is not secure now.
People are trying hard, but as I think I mentioned in my
written testimony, the process that the National Institute of
Standards and Technology used was a consensus process of 475
members. One way to put that in perspective is that is about as
many people as there are in the Congress. Suppose you had to
get every single person in the Congress to agree to a rule. It
would be a challenging exercise, and I think that is what is in
front of us.
We can come up with standards. It is possible to say what
works, but we don't have the processes in place to do that yet.
Mr. Richmond. Well, which is very long and especially when
you talk about the smart grid, and now I think that my utility
is starting to experiment with smart meters on homes. Is that
just as vulnerable?
Mr. Lewis. No, fortunately, because it means that an
individual home or perhaps a block of homes would be more
vulnerable, right, because the smart grid itself can be hacked.
But it doesn't mean you will be able to hack the actual power-
generating facility. It doesn't increase the vulnerability
there.
So are you as an individual more vulnerable? Yes. But as a
Nation, is our critical infrastructure more vulnerable? Not as
much.
Mr. Richmond. It appears that in, I think it is just a
given that we can accept is true, that this changes every
minute, every second of every day, the risk assessment. I know,
as a lawyer, the law changes a little less frequently, but we
are required to do continuing education on changes in the law.
Is there an industry practice where the chief technology
officer or whoever is responsible for threat assessments, do we
have an industry standard or something where they stay up-to-
date with the new threats, new technology, and as it comes
abroad? I am sure McAfee probably has it; they do it on their
own. But what I am thinking about, just smaller businesses, to
make sure that they are aware of the seriousness of the
threats.
Mr. Lewis. I think we all want to talk on this one.
Ms. Schneck. So, thank you. I can speak for McAfee, and I
can speak for the colleagues with whom we work. I will leverage
a little bit of my experience.
A few years ago I ran, for about 8 years, the private-side
sector of the FBI's InfraGard program. We grew that from 2,000
members to 33,000 members, bringing subject-matter experts
across the critical infrastructure sectors into relationships
with their Federal, State, and, most importantly, local
community law enforcement officers and Government officials to
share information about cyber and about all the sectors as they
are all connected.
One of the things we learned very quickly is our small to
medium business base, about 60 percent of our GDP, was probably
the biggest beneficiary of these relationships because without
that, they don't have the access and the resources that we are
privileged to have in larger companies to educate our
executives, to give our executives the time to go out and learn
what is really outside of your four walls.
I would recommend that, not just our organization but
others, small to medium businesses, to your point, need to
educate their executives on the crossover between the legal,
the policy, and the technical because it really--they work
together so much now. The point was made, a beautiful point
earlier, about how we are now focusing on the chief financial
officers and the risk officers.
When we need to tell a company not to sell something but to
understand that there is a big risk, we go to the CEO or the
CFO, so you will see law and policy, I believe, greater value
placed on that and more effused used in our businesses' future.
Mr. Richmond. Thank you, Mr. Chairman. I yield back.
Mr. Lungren. The gentleman from Missouri, Mr. Long, is
recognized for 5 minutes.
Mr. Long. Thank you, Mr. Chairman. Mr. Lewis, I don't
understand if I understood you right, were you talking about
CFATS program when you said we should emulate that? CFATS, can
you elaborate on that?
Mr. Lewis. Sure, I think it was in Phil Reitinger's
testimony as well. This is a program for the Department of
Homeland Security that lets the Department set standards in
cooperation with the operators and owners of chemical
facilities for anti-terrorism purposes to make the chemical
facilities more secure.
It is a little bit of a regulatory authority. It is a
little bit of a partnership. CFATS is not a bad model, and
there are things that need to be fixed in it, I think, and
there are probably some issues on liability. But it is a way to
say to the companies, here is our goal, you need to make your
network secure and here are some hints, here are some
suggestions on how you can do that. But you can do whatever you
think is best to secure your networks. We have the ability to
come in and look and say is it actually working.
So CFATS, not a perfect model, but it is a little more
flexible than a heavy-handed regulatory approach, and it does
seem to have had some success.
Mr. Long. I, as a precautionary note, we had the folks from
CFATS in a couple of weeks ago, and I asked them, after 4 years
of their program and hundreds of millions of dollars, if they
could name their top three accomplishments, things they had
done. They said, well, Mr. Long, we would say, No. 1, we have
identified the problem. So I didn't listen too hard to 2 and 3.
So before we go dovetailing in and trying to emulate CFATS, I
just want to make sure I understood which program you were
talking about.
Dr. Schneck, I think that you kind of answered my question
that I was going to ask you and on Mr. Richmond, however, I
just wanted to for the record state that there is a small
business in my district, a title company, that had $400,000
electronically removed, and we think, over the weekend, this is
within the last 12 months, $400,000 removed from their bank
account, and we believe, the authorities are telling us, that
it ended up in Pakistan.
When we had Secretary Napolitano in, I was asking her about
if the Secret Service is the one that is in charge of that. She
didn't seem to think they were. The Secret Service had told us
all please listen all along that they are. So I guess, is there
any way small businesses like that can protect themselves? So
you did kind of cover part of it in Mr. Richmond's testimony.
Ms. Schneck. Absolutely. I think it is a good point to note
also, and Ms. Kwon made this point earlier, there are many
agencies that work together in this cyber endeavor. The FBI or
the Secret Service, there are ways that they are
interconnected. I think sometimes when we name one agency over
another, we don't give enough credit to that point.
The Secret Service, not only part of DHS and their efforts,
but they are an integral part of the National Cyber
Investigative Joint Task Force, which I analogize a little bit
to Noah's ark. There are one or two of each in that task force,
so when we have a cyber investigation, we call them directly
because I know that that data that we can share will get all
across the agencies more quickly than if I make 20 phone calls.
So the Secret Service or the FBI, one may be working it at
one point; the other organizations, like the US-CERT, the NCIC,
everybody is engaged at that point.
There are things that small to medium businesses can do. My
best advice from personal experience driving news programs at
the local level as well, build those relationships before you
need them. You can meet your State Homeland Security officers.
You can meet your local police. You can meet--every FBI, every
State has an FBI field office, some have more than one. Go in
and meet, I would recommend, the cyber people, meet the Secret
Service people that work there. They are all friendly, and they
really do want that outreach.
DHS actually has a Protective Service Advisor Program, the
CSAs. These are Federal employees that are positioned in each
of our States. Some States, the bigger ones, have more than
others. Their job, part of their job is to know the community,
know the people there and know the mission of that State, and
those are also great people and know they can tie you directly
back to DHS.
The resources are there. I don't think we as a country have
done enough to tell the smallest communities and the small to
medium businesses that they are available.
Mr. Long. Okay, thank you.
Ms. Kwon, for you, the large U.S. banks have tremendous
security setups, and they still get hit, and if the largest
U.S. banks can't defend themselves, how are regulations that we
are going to impose, or what can we do to help the small
businesses?
Ms. Kwon. Well, this actually goes back to the question
with Mr. Richmond and is a very difficult question because
often implementing defensive security is expensive and often it
is not affordable for a small business or even a medium-sized
business, or in large corporations where large budget cuts have
been seen over the past year, this is often a problem.
I do see the future of moving IT out of the individual
organizations and into a hosted environment, into a cloud
environment, is a good defensive mechanism for a lot of small
companies. You are seeing a lot of that happening today,
particularly in health care, as we are going to electronic
health care records.
You are seeing a lot of doctors moving to IT services
instead of hosting it in their own offices. That way the
security costs can be spread over many doctors' offices as
opposed to being burdened with one. So I definitely see moving
to new ways of implementing IT as a good solution for
particularly small businesses.
Mr. Long. Okay, thank you.
I yield back.
Mr. Lungren. I thank the gentleman for yielding back.
I thank the witnesses for your valuable testimony, both
this panel and the previous panel. You have both help us very
much as we are on this journey to ask the right questions and
to come up with some of the right answers and to see what the
proper role of the Federal Government is in this and where
regulation is appropriate, where cooperation is appropriate.
I have also wondered where the insurance industry is
appropriate in this, since they seem to have a record for risk
management in the world, and how you join all those things
together? Those are some of the things that we will be pursuing
with this subcommittee.
Some Members of the committee may have additional questions
for our witnesses, and I would ask you, if you would, to
respond to those in writing. The hearing record will remain
open for 10 days.
Without objection, the subcommittee stands adjourned.
[Whereupon, at 11:55 a.m., the subcommittee was adjourned.]
A P P E N D I X
----------
Questions From Chairman Daniel E. Lungren of California for Philip
Reitinger
Question 1. The various drafts of comprehensive cyber legislation
that have been circulating recently have attempted to re-organize the
Department. In fact, the former Director of US-CERT states today in her
written testimony that US-CERT should report directly to the Secretary.
Is this necessary?
What are the positives and negatives, as the Department sees them,
to re-organization?
Answer. As detailed in the Quadrennial Homeland Security Review
(QHSR), cybersecurity is a recognized and vital mission responsibility
of the Department of Homeland Security (DHS). The United States
Computer Emergency Readiness Team (US-CERT) is the operational
component of the integrated capabilities within the Department to
satisfy its cybersecurity responsibilities. US-CERT has an enhanced
ability to keep DHS informed about important cybersecurity events since
2009. US-CERT provides watch, warning, and response functions through
the National Cybersecurity and Communications Integration Center to the
Government and to our international and private sector partners. The
US-CERT provides daily input to the Secretary of Homeland Security. The
current reporting arrangement has proven successful through CyberStorm
III as well as all cyber events that have occurred over the past year.
Moreover, the QHSR was followed by the Bottom-Up Review (BUR),
which included a plan for DHS to:
``Increase the focus and integration of DHS's operational cybersecurity
and infrastructure resilience activities. DHS has substantial
operational cybersecurity responsibilities, which are inextricably
intertwined with its responsibilities to manage all hazards risk to
critical infrastructure. DHS typically manages its operational
responsibilities through operating components. However, the majority of
DHS's operational activities relating to cybersecurity and
infrastructure protection and resilience are currently administered by
NPPD, which is designated as a DHS headquarters element. DHS will focus
NPPD's activities on operations and more closely align cyber and
critical infrastructure protection and resilience efforts, in
cooperation with the private sector, to secure cyber networks and make
critical infrastructure resilient.''
Thus, DHS is moving to increasingly integrate physical and
cybersecurity operations across critical infrastructure. Isolating US-
CERT from that integration could degrade the Department's ability to
respond to complex incidents.
Question 2. You mentioned in your statement that DHS signed an MOU
with DoD that ``aligns and enhances America's capabilities to protect
against threats to our critical civilian and military computer systems
and networks.'' How does this MOU benefit the private sector, if at
all?
Answer. The Department of Defense (DOD) and the Department of
Homeland Security (DHS) already work closely together, and this
agreement formalizes a process to increase the ability of each agency
to work in its mission space. In particular, DHS leverages DOD's
significant technical capabilities through its National Security Agency
(NSA). To support DHS activities in protecting Government civilian
networks and critical infrastructure, DOD has collocated a Cryptologic
Services Group and a Cyber Support Element at DHS's National
Cybersecurity and Communications Integration Center (NCCIC), the hub
for responding to domestic cyber incidents.
Through enhanced joint planning and better visibility into each
others' operational processes, the Memorandum of Agreement (MOA) will
increase each agency's effectiveness and build on the capabilities of
each. This in turn will enhance the response capabilities of both
agencies while dealing with incidents that may affect the private
sector.
The MOA does not alter existing DOD and DHS authorities, command
relationships, or other oversight relationships. The MOA will not
extend DOD's cyber involvement with the private sector beyond its
current role. DOD already operates within DHS's National Infrastructure
Protection Plan (NIPP) framework as the Sector Specific Agency for the
Defense Industrial Base. Within the critical infrastructure and key
resources community, DOD works directly with defense industrial base
partners, DHS and Sector Specific Agencies (SSA), and other critical
infrastructure partners in developing plans to assist in reducing risk
and better securing critical infrastructure information systems.
Moreover, the MOA provides a framework that enables DHS to fuse DOD
and NSA information, through the NCCIC, with that of the private
sector. This provides all parties with a more comprehensive situational
awareness of cyber activity impacting the Nation, and permits all
parties to respond more effectively to those threats.
Question 3. How has the OMB memo providing DHS with operational
review of Federal CIO's compliance with FISMA going to affect the
cybersecurity program within NPPD?
Will taking on such wide responsibilities alter the priorities
within the cybersecurity mission? How will the cyber mission be
affected?
Answer. Office of Management and Budget (OMB) Memorandum M-10-28
``outlines and clarifies the respective responsibilities and activities
of OMB, the Cybersecurity Coordinator, and the Department of Homeland
Security (DHS), in particular with respect to the Federal Government's
implementation of the Federal Information Security Management Act of
2002 (FISMA).'' It assigns DHS immediate primary responsibility for the
operational aspects of Federal agency cybersecurity with respect to
FISMA, including, but not limited to:
1. Overseeing the Government-wide and agency-specific
implementation of and reporting on cybersecurity policies and
guidance;
2. Overseeing and assisting Government-wide and agency-specific
efforts to provide adequate, risk-based and cost-effective
cybersecurity;
3. Overseeing the agencies' compliance with FISMA and developing
analyses for OMB to assist in the development of the FISMA
annual report;
4. Overseeing the agencies' cybersecurity operations and incident
response and providing appropriate assistance; and,
5. Annually reviewing the agencies' cybersecurity programs.
The memorandum enables new, proactive protection activities, which
complement the Department's pre-existing, reactive incident response
activities in the area of Federal Executive branch agency
cybersecurity. While the United States Computer Emergency Readiness
Team (US-CERT) is already focused on detecting malicious activity and
providing incident response support, the new activities permit DHS to
better understand the Federal Executive branch's cybersecurity posture
from both an agency-specific perspective and on an enterprise-wide
basis. Examples of specific activities include: FISMA reporting to OMB
based on agency periodic reporting through the CyberScope platform;
recurring Cybersecurity Compliance Validation (CCV) program engagements
with agencies; and establishment of Government or private sector Shared
Service Centers (SSCs) and Blanket Purchase Agreements (BPAs) that
deliver cost-effective security solutions to Federal agencies and
further permit those agencies to allocate limited resources to more
mission-critical activities.
As it continues to implement the memorandum, DHS will conduct
annual agency Chief Information Officer (CIO)/Chief Information
Security Officer (CISO) interviews to maintain awareness of agency-
specific successes and challenges. Interview input enables DHS to
better assess Government-wide and agency-specific needs and gaps, which
ultimately leads to establishing new, targeted capabilities or
processes. DHS recently also began conducting CyberStat reviews with
Agency CIOs and CISOs in coordination with the National Security Staff
and OMB to assist agencies in defining action plans to improve FISMA-
related cybersecurity capabilities.
Undertaken by the Federal Network Security (FNS) branch within DHS'
National Cyber Security Division, the activities pursuant to the
memorandum enable DHS and its agency partners to enhance their security
posture before incidents occur. They also provide US-CERT with a
clearer picture of an agency's networks, systems, and policies when
investigating an incident and providing support.
Question 4. With regard to the private sector the Department is
still more of a coordinator rather than a directive authority, is that
an effective role?
Is the private sector being best served by DHS?
What additional authorities does the Department feel are necessary
to better serve and protect the private sector, and especially critical
infrastructure?
Answer. The Department of Homeland Security (DHS) has a clear
authority to conduct analysis, develop mitigation plans, and provide
warnings with regards to cybersecurity. DHS serves the private sector
in these capacities on a daily basis. However, nearly all of our
private sector programs are built on voluntary participation. These
programs have provided valuable, timely, and actionable vulnerability
information, risk assessments, and mitigation strategies to our private
sector partners.
For instance, both the Cyber Security Evaluations Program and the
Control Systems Security Program (CSSP) conducted more than 50 on-site
voluntary assessments in fiscal year 2010. Within CSSP, the Industrial
Control Systems Cyber Emergency Response Team (ICS-CERT) provides on-
site support to owners and operators of critical infrastructure for
protection against and response to cyber threats, including incident
response, forensic analysis, and site assessments. ICS-CERT also
provides tools and training to increase stakeholder awareness of
evolving threats to industrial control systems. The United States
Computer Emergency Readiness Team (US-CERT) also provides similar
vulnerability, assessment, and mitigation information for private
sector business networks, upon request. Similarly, a large number of
private sector participants take part in the Cyber Exercise Program,
including the recent Cyber Storm III. These exercises are designed to
increase the preparedness of individual participants, and across the
public-private response community as a whole.
Question 5. What is the goal 10-15 years down the road for dot-gov
protection?
Answer. Dot-gov protection is a complex, multi-enterprise issue.
The challenge for dot-gov protection increases as the complexity of the
Information Technology (IT) environment and the data and services
consumed become more distributed. The technologies used to manage
information and to create services that defend information must evolve
with the larger environment.
Dot-gov protection must transition from network and signature-based
security to security that also incorporates information and user-
centric security. Government must adopt IT innovations that better
serve Federal dot-gov users and the users who interface with Government
systems. To effect this transition, Government must make fundamental
changes in the following areas:
Security Operations
Coordinated Risk Management.--Policy and standards must build on
knowledge and experience drawn from various sources, including
intelligence, law enforcement, industry, Government departments and
agencies (D/As), and others. The Federal Government will continue to
play a significant role in the development of policy, standards, and
countermeasures.
Information Sharing.--Information sharing that ensures the rights,
privacy, and protection of individuals and their information is
critical--particularly with the continued expansion of cloud computing,
solutions as a service, and social networking.
Distributed Execution.--Distributed execution requires increased
partnership with D/As and industry. D/As must continuously monitor
their networks and hosts in order to provide insight into the health
and status of Federal systems. Government relies on industry to: (1)
Build product capabilities that secure customers, (2) develop system
capabilities to provide increased capability to self-heal, and (3)
provide prevention-oriented solutions to seek out, detect, and protect
the user from malicious actors.
Technology Attributes
Identity Awareness.--Full protection of dot-gov requires
development of ``identity awareness,'' which is a capability that
provides every component in the ``service chain'' with the ability to
validate identity, ensure its authenticity, and provide access based on
the role of that identity.
Agility.--Advances in mobile computing, cloud-based systems, and
telework are posing new security challenges to the traditional concept
of a static security perimeter protecting private Government systems
and information. Government must be able to adapt as Government
information is stored and accessed wherever an agency mission requires
it. The security challenge associated with this agility is deciding
which new risks are, or are not, acceptable when operating in a
dynamic, mobile, and cloud-based computing environment, which may be
only partially under the agency's control.
Diversity.--In the past, Government agencies operated relatively
homogenous computing environments; Intel-based workstations running
Microsoft operating systems were the norm. Now, we see a proliferation
of device types (netbooks, smart-phones, and tablets) joining
traditional workstations and laptops. The industry development cycle is
now measured in months. We can't predict the next great device or
program, however, we know the trend runs towards smaller, more capable,
and cheaper devices. Furthermore, capabilities begin to blur as new
generations of devices emerge. For example, we now judge phones on
their ability to run applications and computers on their ability to
make calls. The security challenges associated with this diversity of
devices ultimately impacts our ability to secure these devices without
degrading their capabilities.
Convergence.--As device diversity grows, we begin to see a
convergence in network space and functionality. Accessing dot-gov no
longer requires a user to sit in front of a computer. They may access
our networks from any type of network, including traditional Ethernet,
telephone systems, cellular lines, or wireless networks. Gone are the
days when we could devise protections based on relatively stable,
predicable network paths. The security challenge associated with this
convergence ultimately concerns our ability to secure these pathways
without disrupting connectivity.
In order to address these changes, Government must partner with the
private sector and academia to develop new security ideas. These new
ideas must be based on an information- and user-centric view that
enhances new capabilities, rather than impeding them. These
considerations are among those addressed in Enabling Distributed
Security in Cyberspace: Building a Healthy and Resilient Cyber
Ecosystem with Automated Collective Action. This paper, recently
published by DHS, presents a five-level maturity model for ecosystem
focus and convergence that is associated with increasing agility and
provides an approach for achieving and employing these various levels.
Ecosystem maturity is further explored through a discussion of healthy
attributes.
Source: http://blog.dhs.gov/2011/03/enabling-distributed-security-
in.html.
Question 6. Are private sector entities responsive to the efforts
the Government makes with them to warn of threats and mitigate the
consequences of attacks?
Answer. Due to the variety of Department of Homeland Security (DHS)
programs and activities engaged in collaboratively improving
cybersecurity, and the diverse nature of the private sector, private
sector responsiveness varies considerably. Several examples of private
sector responsiveness are outlined below.
United States Computer Emergency Readiness Team (US-CERT).--Formed
in 2003, US-CERT is the operational arm of DHS' National Cyber Security
Division. US-CERT's mission is to lead and direct efforts to improve
the Nation's cybersecurity posture, coordinate cyber information
sharing, and proactively manage cyber risks to the Nation while
protecting the Constitutional rights of Americans.
If a private-sector entity requests assistance from the Government,
DHS may provide on-site or remote assistance to perform analysis and
recommend mitigation actions through US-CERT. This assistance, which is
based on a signed request for technical assistance, is designed to
assist private sector entities in detecting the scope of the malicious
activity and determining mitigation actions to protect the system from
current and future attacks or breaches. In addition, US-CERT provides
standardized warning and mitigation information products to its private
sector partners and constituents through its secure portal and through
its public facing website.
The private sector's response varies depending on the entity and
circumstances. However, we have seen growing private sector interest in
receiving DHS on-site or remote analytical support. Some issues that
may inhibit private sector responsiveness include concerns about: (1)
Exposure of proprietary data; (2) prosecution or regulatory action; and
(3) negative publicity.
Cyber Security Evaluations Program.--Since 2009, the National Cyber
Security Division's (NCSD) Cyber Security Evaluations Program has
conducted on-site assessments through its Cyber Resilience Review. In
2010, NCSD deployed its first Cyber Security Advisor (CSA), located in
the mid-Atlantic region, to promote cyber preparedness, risk
mitigation, and incident response. In this short period of time, it has
become apparent that many critical infrastructure owners and operators
have a general awareness of cybersecurity issues, but only those
partnering with fusion centers, the Federal Bureau of Investigation's
(FBI) Infragard program, local communities-of-interest, or those that
subscribed to the United States Computer Emergency Readiness Team (US-
CERT) informational products, routinely receive Government-provided
threat warnings. To date, only a limited set of owners and operators
have been directly engaged in assessments or other targeted
cybersecurity activities.
Private sector entities, however, respond well when the Government
solicits their participation in specific initiatives and they readily
work with the Government to identify appropriate subject matter experts
within their organizations. They also work with DHS personnel and other
Government representatives to develop threat mitigations. For example,
recent Cyber Unified Coordination Group Integrated Management Team
operations, under the National Cyber Incident Response Plan (NCIRP),
used joint private-public partnerships to raise alerts, and to focus
subject matter expertise and create tractable risk mitigations.
Cyber Exercise Program.--Private sector partners repeatedly mention
that Cyber Storm and other DHS-sponsored exercises help improve their
individual and collective cybersecurity and incident response
capabilities. The number of private sector organizations that played in
Cyber Storm III represented a 75 percent increase over Cyber Storm II
(from 40 to 70 participants). Private sector organizations also
actively participated in initiatives resulting from Cyber Storm III,
including development of the Cyber Storm III summary and observations
report, making edits to the NCIRP, and continuing active membership in
the Unified Coordination Group, an interagency and inter-organizational
coordination body that incorporates public and private sector
officials. Private sector organizations from three critical
infrastructure sectors already have engaged with NCSD to conduct
follow-on exercise activities that examine operational changes made as
a result of Cyber Storm III.
Control Systems Security Program.--The private sector has shown
growing interest in the services of the DHS Control Systems Security
Program (CSSP), which works with public and private sector partners to
improve cybersecurity of critical infrastructure industrial control
systems. Since the advent of their activities, CSSP and the Industrial
Control Systems Cyber Emergency Response Team (ICS-CERT) have grown in
scope and received increasingly more requests for on-site incident
response, assessments, control systems training, and other offerings.
The statistical trend from year-to-year indicates that the community as
a whole is showing an increased interest in the Government program.
Their interest also serves as an indicator of the effectiveness of the
program's outreach and awareness efforts.
More specifically, ICS-CERT works on a voluntary basis with
critical infrastructure owner-operators to respond to and analyze
control systems related incidents, vulnerabilities, and threats. The
team can perform a comprehensive range of services and activities,
including providing sophisticated analysis of malware and deploying
full fly-away teams. ICS-CERT incident response teams (also known as
fly-away teams), which are routinely requested by the private sector,
deploy to critical infrastructure facilities bringing advanced and
unique malware evaluation capabilities and leveraging our control
systems expertise and fused intelligence analysis. The team then works
with the company to develop and implement a mitigation plan to
eliminate the malicious activity and limit the risk of future
incidents. The team appropriately addresses sensitive information using
Protected Critical Infrastructure Information (PCII) protections and
works to mitigate any privacy and civil liberties issues. ICS-CERT is
then able to carefully aggregate and anonymize data about the incident
and disseminate early warning alerts and advisories to critical
infrastructure owners and operators on a sector-by-sector basis.
Actionable alerts to our stakeholder communities include threat
information, validated vulnerabilities, and related patches and
mitigation strategies.
Once the ICS-CERT actively engages with a specific private sector
entity via the voluntary incident response process, oftentimes the
company will continue to implement the mitigation solutions that are
offered, and, if needed, request additional support from DHS in the
area of control systems security. Quite often these engagements evolve
into trusted long-term information-sharing relationships that benefit
both the Government and the private sector.
In addition to sending fly-away teams, DHS is also able to
proactively work with companies to conduct cybersecurity assessments
using the Cyber Security Evaluation Tool (CSET). These no-cost
assessments enable users to assess their network and ICS security
practices against recognized industry and Government standards,
guidelines, and practices. The assessment tool can be used
independently by the asset owner, or upon request, CSSP teams can
assist with a full assessment on-site. The completed CSET assessment
provides a prioritized list of recommendations for increasing the
cybersecurity posture of an organization's ICS or enterprise network
and identifies what is needed to achieve the desired level of security
within the specific standard(s) selected. The CSET has increased in
popularity among our partners over the years; in 2010, for example, the
CSSP conducted 50 on-site assessments spanning 12 critical
infrastructure sectors (including the Electric subsector) and is on
target to complete 75 in fiscal year 2011. The tool is now publicly
available for download on the CSSP website, and countless copies of the
CSET have already been handed out at conferences and other events.
CSSP also works closely with the Department of Energy Idaho
National Laboratory (INL) to provide cybersecurity training to private
sector employees. The training consists of a weeklong class held at
INL, instructing in cyber protection and intrusion mitigation
techniques. Response to the classes has been highly positive--thus far,
DHS and Idaho National Labs have trained over 16,000 control system
officials, from chief executive officers to technical operators.
DHS has worked closely with the private sector as it expands its
diverse set of resources available to the private sector, including
threat and vulnerability situational awareness, risk assessment, and
mitigation, and remote and on-site assistance. The trusted
relationships DHS has with the private sector--through engagements,
working groups, co-location on the NCCIC operations floor, and
outreach--have allowed DHS to incorporate private sector input at every
step as we build our capabilities. Private sector engagement is a
cornerstone of the Department's cybersecurity mission and we look
forward to working with Congress to continue to improve private sector
outreach efforts.
Question 7. How does the cloud, or computing as a service, change
the cybersecurity mission?
Is the Department prepared for the Government's effort to move more
and more computing resources to ``the cloud''?
Answer. The cyber threat environment changes continuously as
malicious actors adjust their tactics and adopt new technologies.
Similarly, the evolution of network architectures necessitates a
cybersecurity posture that is adaptable and focused on risk mitigation.
Regardless of changes in network architecture, the Department of
Homeland Security (DHS) will continue to execute its critical mission
to create a safe and secure cyberspace.
Cloud computing, computing as a service, time-sharing, and utility
computing raise many of the same security issues that emerged when
shared computer services were created in the 1960's. Yet, the
cybersecurity mission remains the same. The many advantages of cloud
computing also create many security challenges. We can never eliminate
all the risks inherent to cloud computing. Instead, we must accept that
differing levels of acceptable risk will exist for different users.
Even if private, community, and public cloud computing business models
use the same security techniques and tools, different business models
create different security risk environments.
DHS encourages cloud computing providers to propose innovative
security solutions that effectively protect Federal systems,
information, communications, and ultimately, the agency's mission.
DHS has avoided requiring providers to follow particular designs or
architecture for cloud computing. For example, due to a constantly
evolving threat environment, the Federal Risk and Authorization
Management Program (FedRAMP) was established to provide a standard
approach to assessing and authorizing cloud computing services and
products. The National Cyber Security Division is actively
participating in the FedRAMP development. FedRAMP allows joint
authorizations and continuous security monitoring services for
Government and commercial cloud computing systems intended for multi-
agency use.
These considerations are among those addressed in Enabling
Distributed Security in Cyberspace: Building a Healthy and Resilient
Cyber Ecosystem with Automated Collective Action. This paper, recently
published by DHS, presents a five-level maturity model for ecosystem
focus and convergence that is associated with increasing agility and
provides an approach for achieving and employing these various levels.
Ecosystem maturity is further explored through a discussion of healthy
attributes.
Source: http://blog.dhs.gov/2011/03/enabling-distributed-security-
in.html.
Questions From Chairman Daniel E. Lungren of California for Gregory C.
Wilshusen
Question 1a. In your testimony you comment how the Government is
lacking a National cybersecurity strategy. I have three related
questions for that issue:
How is the lack of a National cybersecurity strategy hindering the
Government-wide cybersecurity mission?
Question 1b. How, in your opinion, is it hindering DHS's
cybersecurity mission?
Question 1c. How is it affecting the private sector?
Answer. The lack of an updated National cybersecurity strategy can
hinder the effective implementation of the Government-wide
cybersecurity mission. Our work has demonstrated the importance of
comprehensive strategies that specify overarching goals, subordinate
objectives, supporting activities, roles, and responsibilities, and
outcome-oriented performance metrics, as well as time frames to help
ensure accountability and align agency activities with National
priorities. National strategies help shape the policies, programs,
priorities, resource allocations, and standards that can enable Federal
agencies and other stakeholders to implement the strategies and achieve
the intended results. Without such an updated comprehensive National
strategy for cybersecurity, increased risk exists that our Nation will
not be able to obtain the desired posture against sophisticated
threats.
Our work has shown that Federal initiatives and efforts to improve
information security have consistently fallen short of the mark. The
following are illustrative examples:
In October 2010, we reported that only 2 of the 24
recommendations in the President's May 2009 cyber policy review
had been fully implemented. Officials from key agencies
involved in these efforts attributed the partial implementation
status of the remaining 22 recommendations in part to the fact
that agencies had not been assigned roles and responsibilities
with regard to recommendation implementation.\1\ One of these
recommendations was to develop an updated National cyber
strategy; however, administration officials were unable to
provide a draft strategy or milestones for when the updated
strategy is to be finalized and issued. We concluded that
Federal agencies appeared to be making progress toward
implementing the recommendations, but lacked milestones, plans,
and measures that are essential to ensuring successful
recommendation implementation, including the development of an
updated strategy. We recommended that the National
Cybersecurity Coordinator (whose role was established as a
result of the policy review) designate roles and
responsibilities for each recommendation and develop milestones
and plans, including measures to show agencies' progress and
performance.
---------------------------------------------------------------------------
\1\ GAO, Cyberspace Policy: Executive Branch Is Making Progress
Implementing 2009 Policy Review Recommendations, but Sustained
Leadership Is Needed, GAO-11-24 (Washington, DC: Oct. 6, 2010).
---------------------------------------------------------------------------
Our examination of Federal efforts to address the global
aspects of cyberspace determined that the U.S. Government had
not documented a clear vision of how the international efforts
of Federal entities, taken together, support overarching
National goals and that the Federal Government had not forged a
coherent and comprehensive strategy for cyberspace security and
governance policy.\2\ As a result, the United States is
hindered in promoting our National interests in the realm of
cyberspace. We recommended that, among other things, the
National Cybersecurity Coordinator develop with other relevant
entities a comprehensive U.S. global cyberspace strategy. The
coordinator and his staff concurred with our recommendations.
---------------------------------------------------------------------------
\2\ GAO, Cyberspace: United States Faces Challenges in Addressing
Global Cybersecurity and Governance, GAO-10-606 (Washington, DC: July
2, 2010).
---------------------------------------------------------------------------
Our review of Federal cybersecurity research and development
efforts found that among the most critical challenges was the
lack of a prioritized National cybersecurity research and
development agenda, which increased the risk that research and
development efforts will not reflect National priorities, key
decisions will be postponed, and Federal agencies will lack
overall direction for their efforts.\3\ We recommended several
actions, including developing such a National cybersecurity
research and development agenda. The White House Office of
Science and Technology Policy agreed with our recommendation
and provided details on planned actions.
---------------------------------------------------------------------------
\3\ GAO, Cybersecurity: Key Challenges Need to Be Addressed to
Improve Research and Development, GAO-10-466 (Washington, DC: June 3,
2010).
---------------------------------------------------------------------------
The lack of an updated strategy can also affect the Department of
Homeland Security's (DHS) and the private sector's cybersecurity
efforts. While the existing strategy encourages action by private-
sector owners and operators of cyber critical infrastructure, we
testified in March 2009 that a panel of experts agreed that there were
not adequate economic and other incentives (i.e., a value proposition)
for greater investment and partnering in cybersecurity.\4\ The
panelists also stated that the Federal Government should provide valued
services (such as offering useful threat or analysis and warning
information) or incentives (such as grants or tax reductions) to
encourage action by and effective partnerships with the private sector.
---------------------------------------------------------------------------
\4\ GAO, National Cybersecurity Strategy: Key Improvements Are
Needed to Strengthen the Nation's Posture, GAO-09-432T (Washington, DC:
Mar. 10, 2009).
---------------------------------------------------------------------------
In addition, we reported in July 2010 that public sector
stakeholders from DHS and other entities stated that improvements could
be made to the public-private partnership, including improving private
sector sharing of sensitive information.\5\ We also reported that the
expectations of private sector stakeholders were not being met by their
Federal partners in areas related to sharing information about cyber-
based threats to critical infrastructure. We concluded that the public-
private partnership remained a key part of our Nation's efforts but
without improvements in meeting public and private sector expectations,
the partnership would remain less than optimal. As a result, increased
risk existed that owners of critical infrastructure would not have the
appropriate information and mechanisms to thwart sophisticated cyber
attacks that could have catastrophic effects on our Nation's cyber-
reliant critical infrastructure. We recommended that the National
Cybersecurity Coordinator and DHS work with their Federal and private
sector partners to enhance information-sharing efforts, including
leveraging a central focal point for sharing information among the
private sector, civilian government, law enforcement, the military, and
the intelligence community. DHS officials stated that they have made
progress in addressing these recommendations; we will be determining
the extent of that progress as part of our follow-up efforts.
---------------------------------------------------------------------------
\5\ GAO, Critical Infrastructure Protection: Key Private and Public
Cyber Expectations Need to Be Consistently Addressed, GAO-10-628
(Washington, DC: July 15, 2010).
---------------------------------------------------------------------------
Updating the National cybersecurity strategy can increase the
likelihood of improving the cybersecurity posture of our Nation.
Additionally, an updated strategy could help ensure accountability and
align agency activities with the United States' long-term economic and
National security interests, including globally promoting our National
interests in the realm of cyberspace and ensuring that the Nation does
not fall behind in cybersecurity and will be able to adequately protect
its digital infrastructure. As the administration updates the current
strategy, it needs to focus on clearly articulating goals and
objectives, assigning roles and responsibilities, developing
milestones, deploying sufficient resources, defining performance
metrics, monitoring progress, and validating effectiveness of completed
actions.
Our responses to these questions are based on previous work that
was performed in accordance with generally accepted Government auditing
standards. Those standards require that we plan and perform the audit
to obtain sufficient, appropriate evidence to provide a reasonable
basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for
our findings and conclusions based on our audit objectives. Should you
or your office have any questions on the matters discussed in this
letter, please contact me.
Questions From Chairman Daniel E. Lungren of California for Phyllis
Schneck
Question 1a. In your Although it's oft repeated, McAfee shared with
us that when they discovered the Night Dragon attacks, those Federal
agencies who were not contacted first, even maybe hours later,
expressed their disapproval.
How do you coordinate sharing the information with the Federal
Government?
Answer. We are committed to sharing threat information to help the
U.S. Government gain a deeper insight into the threat landscape and
respond to specific attacks. Toward this goal, we work closely with our
customers to ensure that we adhere to our NDA's as required by the law.
Once we are sure that we have met all of our obligations to our
customers, we contact representatives in the various agencies with
authority over cyber security. We do our best to contact all of the
actors at the same time--whether in defense, civilian, or crime
prevention institutions.
Question 1b. Does there need to be a single source of contact?
Answer. We believe that the information-sharing process is
improving. A few years ago, we would experience, on a regular basis, a
high degree of complexity and difficulty getting to all of the right
decision makers in a timely way. We often found that agencies that had
been briefed were unwilling to share information with their colleagues
in other agencies. It generally took us 2 weeks to brief all of the
officials in the agencies. More recently, we have found that the
process is improving. During the recent Night Dragon event, we did one
briefing, for instance, which included defense, NSA, and FBI officials.
This was an example of an improved process.
We understand how complex the information-sharing challenge is in
the U.S. Government. Many rules regulate the way in which information
sharing is done, and there are limitations on the types of information
various agencies can share with each other. These limitations derive
from law and agency regulations that seek to balance National security,
domestic security, and privacy rights. Nevertheless, we would urge that
some type of enhanced procedure be put in place to facilitate the
ability of companies to share information in a manner that enhances
their ability to share information in a rapid and efficient manner with
the Government. Remediating cyber attacks is a complex, time-consuming
process and the more rapidly the private and the public sectors can
respond, the sooner our teams can ensure that vital information and
systems are protected from additional attacks. Bringing down the
response time from weeks to a few days would do much to enhance the
security posture of our country.
Question 2. In a briefing to staff, McAfee brought up the technique
of ``white listing'' where a computer is essentially limited in what
applications it could run, which could potentially limit malware from
infecting a computer.
Could you give us a little more information about the technique and
how you see it being used most effectively?
Answer. White listing technology ensures that only good executable
code can run on protected systems. The technology is used to protect
servers, endpoints, embedded devices, and mobile devices. It is used in
many ATM's, point-of-sale terminals, and Supervisory Control and Data
Acquisition (SCADA) systems. White listing technology narrows the scope
of many embedded systems to ensure that an attacker can't install
malicious code.
White listing is one of the exciting technologies of the future
because it can enable organizations to be much more proactive in
protecting their systems--it gives them much more control because only
good communications can be received. This contrasts in a considerable
way with the older model of security, the anti-virus model, which is
inherently defensive. This model is based on blocking malicious code
and letting everything else into customer sites. This model has been
breaking down for some time given the geometric growth in malware over
the last few years. McAfee detected as much new malware in 2010 as we
detected since the founding of our company 19 years ago. White listing
is an important part of the cyber security solution moving forward.
Questions From Chairman Daniel E. Lungren of California for James A.
Lewis
Question 1a. In some regulated industries, companies do only the
minimum needed to stay compliant with the regulations. In the world of
security, the minimum effort does not necessarily make one more secure.
How does one prevent the ``race to the bottom'' in a regulatory
regime?
Question 1b. How do we change that culture of security to one not
of mere compliance, but security?
Answer. Doing the minimum would be an improvement from where we are
now. That said, there are several measures that can to prevent a ``race
to the bottom.''
The first is to increase transparency and reporting on the number
of probes, breaches, or service disruptions of computer networks. By
reporting on the number of security failures, we would be able to
assess the effectiveness of regulations. The larger goal is to move
companies to automatic monitoring of networks and to adopt something
like the ``IT Dashboard'' OMB is putting in place for Federal networks.
The Security Content Automation Protocol (SCAP) NIST is developing is
an example of emerging approaches that could automatic and accelerate
cybersecurity efforts.
The second would be to allow for some kind of ``spot checks'' of
computer systems, random checks to see if computer networks were
adequately secured. This is a standard law enforcement and regulatory
technique, and could involve DHS or some outside auditor inspecting the
adequacy of a company's cybersecurity efforts. The knowledge that a
random check could be carried out would in and of itself encourage
better compliance.
A related goal would be to avoid defining compliance as a paper-
driven process, where companies filed regular reports on performance.
These are inadequate for several reasons, but the most important is
frequency. Long annual written reports on compliance only benefit
report writers. A better approach would be to require companies to
immediately inform the appropriate agency when their networks have been
successfully penetrated. This changes the metric for compliance. We
want people to report failures and report the actions they have taken
in response immediately. In this, a regulatory approach would be part
of a larger effort to develop a broad understanding of the level and
kind of malicious activities in cyberspace.
Questions From Chairman Daniel E. Lungren of California for Mischel
Kwon
Question 1. In your written statement you advocate separating US-
CERT, the operational arm, from the more policy- and coordination-
driven NCSD. I'm interested in having you elaborate a bit more on that:
How does separating elements of the cybersecurity mission benefit the
Department and/or the private sector especially the critical
infrastructure?
Answer. US-CERT is an operational unit with a very important
mission to support the Federal departments and agencies.
(1) This mission is buried deep within DHS, which makes decision-
making slow because of all the chains of command it must go through
(NCSD, CS&C, NPPD). The operational mission is one that must be enabled
to focus and act quickly.
(2) US-CERT is often distracted and taken off this mission by the
policy and coordination arm of NCSD.
Cyber is a fast-moving space where nimbleness is important for
success. It often takes US-CERT days, even weeks, to get approval for
actions because of the need to go through NCSD, CS&S, NPPD, and then to
get to the Secretaries' attention. As issues go through this chain they
are often distracted by politics and other priorities and delayed
further, or veered off from the operationally correct decision. US-CERT
is often volunteered for programs and projects by the policy and
coordination arm, thereby taking it off its core mission and into
projects that are not planned for, budgeted for, or in the scope of
their expertise.
It is important for this operational mission to be clear. There
must be firm process for changing this mission. It cannot be constantly
changing and moving at the whim of politics driven by a policy team
seeking its own success at the price of US-CERT's.
Today, US-CERT's clear mission--as stated in FISMA--is to support
the Federal departments and agencies. If you were to ask the major
departments and agencies how often US-CERT assists them, you will be
surprised to find out that it is very little. US-CERT's focus is very
fragmented and confused. It has been tasked by NCSD, CS&S, and NPPD to
participate in a plethora of other projects that take US-CERT's
understaffed, under budgeted, and technology-limited National security
operations unit far away from its legislated mission space.
Question 2a. While you were with US-CERT, how often did you provide
technical assistance to private sector entities?
Answer. Once. This is not US-CERT's mission, nor do they have the
expertise, staff, or budget to assist the private sector on a regular
basis.
Question 2b. Does the Department have an established process for
private entities to request assistance?
Answer. No.
Question 2c. If so, how can it be improved? If not, what should it
look like?
Answer. If US-CERT is to take on the mission of assisting private
sector entities it would have to have an increase in budget, staffing,
and tools. Currently, it is not their mission to assist private sector
entities.
Question 3a. In your testimony, you stated that virtualization
through ``cloud'' technologies is the future for information technology
infrastructures.
What are the security risks of moving systems and applications to
the ``cloud''?
Answer. The security risks are similar to those of any IT
infrastructure. The key here is that moving to the ``cloud'' is an
opportunity to bake security in, build it more securely, and revitalize
IT infrastructure and share in the cost of better security mechanisms.
Question 3b. Will we be more secure or less secure from cyber
attacks?
Answer. It depends. If the opportunity to improve security is
taken, it could be more secure, if not . . . no.
Question 3c. If the Federal Government and private companies are
moving to the ``cloud,'' what precautionary measures should be taken to
maintain the integrity of these information systems?
Answer. First and foremost, we should be looking at new security
technologies. Technologies where we can cleanse the known malware from
the infrastructure layer. We need to move to technologies that allow us
to understand what is good and what is bad. We need to move away from
signature-based tools where we have to be infected first in order to
detect the attack. We must move to a more defensive posture where the
attacks can be detected and stopped on the infrastructure layer, before
they reach the users.
Question 4a. In your testimony you discussed the stalemate of
cooperation and information sharing with the private sector as a result
of procurement, privacy, and proprietary information issues.
Answer. First it must be understood that most networks have already
been compromised. It is actually the rare few who identify the
intrusions. With this in mind, we must not take a position of
punishment for those who identify the problems, but we must assist. We
cannot allow cyber attacks to defeat our private or public sector
entities.
Question 4b. What actions need to be taken to aggregate shared
information about known cyber vulnerabilities from the private sector?
Answer. I'm not sure cyber vulnerabilities are the problem. We know
about millions of vulnerabilities. We need to understand more about the
attacks. As a community--whether we are private or public--we need to
know more about the details of the attack that would enable detection.
Not the ``who'', not the ``what'' was taken, but the TTPs, The Tactics,
Techniques, and Procedures the attackers use. I believe, for both
private and public, we need an autonomous entity (I referred to this in
my testimony as a non-profit organization) that can take anonymous TTP
information and make it available for others to use.
Question 4c. What other measures should be taken to encourage
private sector's willingness to share information?
Answer. There are a few places where this can be improved for both
private and public sectors.
(1) Take the attacks and the responses out of the public and press.
You must take the reputational damage issue off the table.
(2) Lower the liability concerns.
(3) Have an anonymous way to share.
�