[Senate Hearing 113-]
[From the U.S. Government Publishing Office]
INVESTING IN CYBERSECURITY: UNDERSTANDING RISKS AND BUILDING
CAPABILITIES FOR THE FUTURE
----------
WEDNESDAY, MAY 7, 2014
U.S. Senate,
Subcommittee on Homeland Security,
Committee on Appropriations,
Washington, DC.
The subcommittee met at 2:01 p.m., in room SD-192, Dirksen
Senate Office Building, Hon. Mary L. Landrieu (chairman)
presiding.
Present: Senators Landrieu, Coons, Coats, and Cochran.
opening statement of senator mary l. landrieu
Senator Landrieu. Good afternoon, everyone. Let me call our
meeting to order, please. This is a meeting of the
Appropriations Subcommittee for Homeland Security. I appreciate
being joined by my ranking member, Senator Coats, and I
appreciate all the work of Senator Coons. Thank you for being
here as well. You've both been leaders in the area of
cybersecurity and I appreciate your support and help.
I thank our panelists for being here.
I'm going to shorten my opening statement, turn it then to
Senator Coats and Senator Coons if you have a brief opening
statement, go right into the panelists. We've had a vote called
at 3:15, so we're going to try to see if we can work through
the next hour and a half and not have to come back after the
vote. But we are very interested, of course, in the testimony,
and that will be subject to change as we go.
But today we meet to review our level of investment in
cybersecurity and the results that we have achieved to date.
Our purpose is to better understand the new and emerging risk
as well as the capabilities that we need to continue to build
to secure our networks for the future.
Serving on both the Homeland Security subcommittee and the
Energy subcommittee, I believe that I have a unique
perspective, along with other members as well, on the extent
that critical infrastructure throughout our country relies more
and more on our interdependent technologies that we need to
grow, innovate, and keep our country thriving. Without the use
of the Internet and advances in smart grid technology, for
instance, America's companies would not be able to keep the
power on in the most affordable, efficient way our Nation has
ever known.
Today we will talk about some of the vulnerabilities facing
these critical networks, what we're doing through Homeland
Security to help and be supportive of keeping our Government
and our economy strong and growing. We are all aware of some of
the threats that have occurred. We'll talk more specifically
about that, but I want to just thank you all for being a part
of this hearing.
We've got a wonderful panel that I'll introduce in just a
moment, a first and a second panel. At this point I'm going to
turn it over to Senator Coats for his opening remarks.
statement of senator daniel coats
Senator Coats. Madam Chairman, thank you. I'm going to be
brief also, given that vote coming up and the fact that we want
to get to the substance of this hearing.
We all know how interconnected we have become and
unfortunately vulnerable, vulnerable to some bad actors that
have not only disrupted a lot of people's personal lives by
securing their private information, but also pose a major
threat to our critical infrastructure. This cyber threat has
been labeled by many in the security business and in our
national security and military as the number one threat to the
United States. Now, there are a lot of threats out there, but
this is serious.
A number of us, the three of us on this panel that are here
today and others, have been working for some amount of time
through a couple of different Congresses to try to come up with
legislation that strengthens our ability to prevent these types
of attacks and protect our critical infrastructure as well as
the retail outlets and American business and just about
everyone who's affected with this. In fact, my law school alma
mater, Indiana University, was hacked. Fortunately, they were
able to--so this thing runs the gamut. It's not just our
electric grid and so forth, but it comes right down to our
private lives and even our educational institutions.
So clearly we need to move forward with sensible
legislation. The Department of Homeland Security (DHS) plays a
very critical role, not only in protecting dot-gov, but also in
being the portal through which a lot of this has to take place
and work through in order to provide the kind of protections we
need. Whether it's information-sharing, whether it's working
together with private sector and public sector, this is
something that is urgent, and the longer we put it off the more
vulnerable we become.
I'm pleased that on the second panel Scott Bowers from
Indiana will be talking about the impact of this on the private
sector. I'm glad to have him here.
Madam Chairman, I'm looking forward to the testimony and
the kind of questions and back and forth we can have to
hopefully move this thing forward in an expeditious way.
Senator Landrieu. Thank you very much, Senator Coats.
Senator Coons.
statement of senator christopher a. coons
Senator Coons. Thank you, Madam Chair. I'm grateful to you
for your leadership on this, to Senator Coats for your
partnership and leadership in this. This is a very real threat.
We have issues of jurisdiction, of funding, of workforce. We've
got a lot of good work to do and I'm really grateful for the
service of the folks who are going to be testifying in front of
us today.
Thank you, Madam Chair. I'm eager to hear the testimony.
Senator Landrieu. Thank you very much.
Let me introduce our first panel: Mrs. Phyllis Schneck,
Deputy Under Secretary for Cybersecurity, DHS, National
Protection and Programs Directorate (NPPD); Mr. Peter Edge,
Executive Associate Director, Homeland Security Investigations
(HSI); and Mr. William Noonan, Deputy Special Agent in Charge,
Criminal Investigations, Cyber Operations, DHS, U.S. Secret
Service.
Thank you all, and we'll begin with your 5-minute
testimony.
STATEMENT OF DR. PHYLLIS E. SCHNECK, DEPUTY UNDER
SECRETARY FOR CYBERSECURITY, NATIONAL
PROTECTION AND PROGRAMS DIRECTORATE,
DEPARTMENT OF HOMELAND SECURITY
Dr. Schneck. Good afternoon, Chairwoman Landrieu, Ranking
Member Coats, Senator Coons. Thank you very much for the strong
support that you've provided to the Department of Homeland
Security and to the National Protection and Programs
Directorate. First and foremost, we look forward to continuing
to work with you on these issues and securing our critical
infrastructure, our way of life, from that combined physical
and cyber threat, as we are all connected, as you mentioned.
Thank you very much for the opportunity to appear before
you today to discuss our efforts for critical infrastructure
resilience and cybersecurity. We focus very much on this
threat, this interconnected threat, as cybersecurity and cyber
and connectivity connect all of us through our way of life, our
water, our banks, our electricity, all of our States. It's a
privilege today to sit at the table with my colleagues from the
U.S. Secret Service, from Homeland Security Investigations,
representing that cybersecurity at the U.S. Department of
Homeland Security is a unity of effort. It is one DHS. Along
with our colleagues in the U.S. Coast Guard, we also enjoy a
strong relationship with our Office of the Chief Information
Officer to ensure that our programs also run well on our
network and we learn from that which tries to attack the sweet
target known as dhs.gov.
I'm going to talk about our operations, our major
investments, and our overall strategic vision, starting at our
core, our National Cybersecurity and Communications Integration
Center (NCCIC), which some of you have been able to visit.
That--great analogy, Senator Coons--is our portal. It's our
24�7 watch center, where we have cyber command and control,
understanding inputs that come in 24�7 from trusted
relationships, from partnerships in the inter-agency, law
enforcement, intelligence community, across DHS, and certainly
information that we learn from our own programs, those things
that are protecting our stakeholders, our Federal civilian
agencies, our State, local, tribal, territorial governments, as
well as the private sector.
One great example is the recent Heartbleed, a defect in a
piece of software. When we found out as the U.S. Government
that this existed, again the ability for an adversary to
decrypt, thus make not confidential, traffic that was thought
to be confidential through a defect in software--we found this
out on April 7. Within 24 hours, DHS had full resources out on
all of our Web sites for all of our stakeholders and was
beginning the process of scanning all of the U.S. Government
agencies to find where that software might be running.
For our programs, we work through humans, we work through
machines; humans through trusted partnerships, again with our
stakeholders and certainly across Federal and State government,
and with our private sector, building that trust across
infrastructure, across cyber and communications, so that
information can be shared quickly as we face an adversary that
works with great speed, has plenty of money, and has no lawyers
and no way of life to protect.
We also have invested in the critical infrastructure
cybersecurity community voluntary program to launch the efforts
of the cybersecurity framework built by the National Institute
of Standards and Technology (NIST) and DHS all of last year, to
take guidelines from cybersecurity and get them into even our
smallest companies, so that they can adopt good cybersecurity,
bring it as a boardroom issue, and enable larger companies to
now request better standards of cybersecurity for those
companies that supply them, connect to them, and protect all of
our private information.
On the machine side, our programs protect our Federal
Government agencies from things that come in and try to attack
them or vulnerabilities that can cause harm. We can also detect
those things. It's ``see something, say something,'' as with
the rest of Homeland Security. When those programs spot
something on one agency, we then have the ability through our
NCCIC, our core, our portal, to spot that behaviorally, like
your body fights a cold, and protect all the other agencies and
the private sector with that information, at the same time
providing all the best in privacy and civil liberties to the
extent that our law provides, as well as showing the public
everything we do. Full transparency is on our Web site.
So again, we are able to use Government information and
protect the private sector, and we roll that out to the
critical infrastructure as well as through enhanced
cybersecurity services, using classified information to protect
our private-sector entities, all the while combining what we
can see only in Government to protect all of our stakeholders.
We can also automate, running at machine speed, sending
information about bad cyber behavior to everybody. So again
``see something, say something,'' with the ability to, using
our cybersecurity integration center, through human analysis,
machine analysis, all kinds of inputs from all kinds of
partners, injecting that back into both automated programs as
well as automated information that we can disseminate as widely
as possible, as quickly as possible.
So I've talked about a lot of high-profile programs. I
don't want to forget the importance of our talented workforce
and building the talent of the future. It is a priority of
Secretary Johnson and he and I went and visited two
universities and we'll be doing more, and we spoke to students
in Ph.D. programs as well as undergrad programs. I've also gone
out and spoken with students at both the high school level and
the college level, so that we can begin to truly look at how we
not only show the talent of the future what DHS can do and what
they can learn from our larger mission, again from the Secret
Service, Homeland Security Investigations, U.S. Coast Guard,
our CIO, Federal Emergency Management Agency (FEMA), and
others, but also we can identify that talent set that we'll
need to be training for, so that we can start to look at how we
build that talent going forward.
I thank you very much again for your support and look very
forward to working with you, continuing to work with you, as we
build these programs and certainly, Chairwoman Landrieu,
Ranking Member Coats, and Senator Coons, look very forward to
your questions. Thank you.
[The statement follows:]
Prepared Statement of Dr. Phyllis Schneck
introduction
Chairwoman Landrieu, Ranking Member Coats, and distinguished
members of the subcommittee, let me begin by thanking you for the
strong support that you have provided the Department of Homeland
Security (DHS) and the National Protection and Programs Directorate
(NPPD). We look forward to continuing to work with you in the coming
year to ensure a homeland that is safe, secure, and resilient against
terrorism and other hazards.
Thank you for the opportunity to appear before the committee today
to discuss NPPD's efforts to strengthen the Nation's critical
infrastructure security and resilience against cyber events and other
catastrophic incidents. The President's fiscal year 2015 budget request
for NPPD is $2.9 billion, offset by $1.3 billion in collections for the
Federal Protective Service. This request includes $746 million for
cybersecurity capabilities and investments.
America's national security and economic prosperity are
increasingly dependent upon physical and digital critical
infrastructure that is at risk from a variety of hazards, including
attacks via the Internet. I view integrating cyber and physical
security as integral to the larger goal of infrastructure security and
resilience. DHS approaches physical security and cybersecurity
holistically; both to better understand how they integrate and how best
to mitigate the consequences of attacks that can cascade across all
sectors of critical infrastructure. This risk management approach helps
drive the discussion at the executive level in organizations of all
sizes across government and industry, where it can have the most impact
on resources and implementation.
leveraging integrated capabilities: implementing ppd-21 and eo 13636
On February 12, 2013, the President signed Executive Order (EO)
13636, Improving Critical Infrastructure Cybersecurity and Presidential
Policy Directive (PPD) 21, Critical Infrastructure Security and
Resilience, which set out steps to strengthen the security and
resilience of the Nation's critical infrastructure, and reflect the
increasing importance of integrating cybersecurity efforts with
traditional critical infrastructure protection. Taken together EO 13636
and PPD-21 are foundational efforts for helping drive the security
market and provide a framework for critical infrastructure to increase
their cybersecurity efforts. To implement both EO 13636 and PPD-21, the
Department established an Integrated Task Force to lead DHS
implementation and coordinate interagency, public and private sector
efforts, and to ensure effective integration and synchronization of
implementation across the homeland security enterprise.
The fiscal year 2015 budget request reflects targeted enhancements
to continue implementation of the EO and PPD. Enhancements of $14
million, including 48 positions, is requested for the Critical
Infrastructure Cyber Community (C\3\ or ``C-Cubed'') Voluntary Program;
Enhanced Cybersecurity Services (ECS); Regional Resiliency Assessment
Program; National Coordinating Center (Communications) (NCC) 24�7
communications infrastructure response readiness. NPPD has partially
offset these enhancements with $9 million in reductions to realign
resources to support these key EO and PPD initiatives. The following EO
and PPD initiatives in the fiscal year 2015 budget specifically enhance
cyber capabilities:
C\3\ Voluntary Program
The C\3\ Voluntary Program is a public-private partnership aligning
business enterprises as well as Federal, State, local, tribal, and
territorial (SLTT) governments to existing resources that will assist
their efforts to use the National Institute of Standards and Technology
Cybersecurity Framework to manage their cyber risks as part of an all-
hazards approach to enterprise risk management. The program emphasizes
three elements: converging CI community resources and driving
innovation and markets to support cybersecurity risk management and
resilience through use of the Cybersecurity Framework; connecting CI
stakeholders to the national resilience effort through cybersecurity
resilience advocacy, engagement and awareness; and coordinating CI
cross-sector efforts to maximize national cybersecurity resilience. The
$6 million enhancement, including 10 positions, is requested to manage
and support this program and increase the number of evaluations
completed.
Enhanced Cybersecurity Services
The ECS capability enables owners and operators of critical
infrastructure to enhance the protection of their networks from
unauthorized access, exfiltration, and exploitation by cyber threat
actors. The requested enhancement of 24 positions and $3 million allows
ECS to execute the operational processes and security oversight
required to share sensitive and classified cyber threat information
with qualified Commercial Service Providers that will enable them to
better protect their customers who are critical infrastructure
entities.
Regional Resiliency Assessment Program (RRAP)
The $5 million, including 11 positions, is requested to complete
five additional cyber-centric RRAPs. Through these RRAPs, NPPD will
identify cross-sector physical and cyber interdependencies and better
understand the consequences of disruptions to lifeline sectors. We
often observe that physical consequences can have cyber origins and
anticipate that the findings will provide valuable data about the
energy, water, and transportation sectors and their reliance on cyber
infrastructure.
National Coordinating Center for Communications Operations
The proposed increase of three positions and $1 million in funding
to the NCC will maintain 24�7 communications infrastructure response
readiness and requirements coordination between FSLTT and industry
responders. Due to the loss of staff previously provided to DHS from
the Department of Defense on a non-reimbursable basis, the NCC will no
longer be able to provide 24�7 readiness without these additional
resources.
heartbleed
The Department recently responded to a serious vulnerability, known
as ``Heartbleed,'' in the widely used OpenSSL encryption software that
protects the electronic traffic on a large number of Web sites and
devices. Although new computer ``bugs'' and malware crop up almost
daily, this vulnerability is unusual in its pervasiveness across our
infrastructure, its simplicity to exploit, and the depth of information
it compromises.
While the Federal Government was not aware of the vulnerability
until April 7th, DHS responded in less than 24 hours, utilizing the
National Cybersecurity and Communications Integration Center (NCCIC) to
release alert and mitigation information to the public, create
compromise detection signatures for the EINSTEIN system, and reach out
to critical infrastructure sectors, Federal departments and agencies,
SLTT governments, and international partners. Once in place, DHS also
began notifying agencies that EINSTEIN signatures had detected possible
activity, and immediately provided mitigation guidance and technical
assistance. Additionally, DHS worked with civilian agencies to scan
their .gov Web sites and networks for Heartbleed vulnerabilities, and
provided technical assistance for issues of concern identified through
this process.
Of note, the Administration's May 2011 Cybersecurity Legislative
Proposal called for Congress to provide DHS with clear statutory
authority to carry out this operational mission, while reinforcing the
fundamental responsibilities of individual agencies to secure their
networks, and preserving the policy and budgetary coordination
oversight of OMB and the EOP. Even with the rapid and coordinated
Federal Government response to Heartbleed, the lack of clear and
updated laws reflecting the roles and responsibilities of civilian
network security caused unnecessary delays in the incident response.
integrated cybersecurity operations
Along with our operational assistance, DHS has several programs
that directly support Federal civilian departments and agencies in
developing capabilities that will improve their own cybersecurity
posture. Through the Continuous Diagnostics and Mitigation (CDM)
program, led by the NPPD Federal Network Resilience Branch, DHS enables
Federal agencies to more readily identify network security issues,
including unauthorized and unmanaged hardware and software; known
vulnerabilities; weak configuration settings; and potential insider
attacks. Agencies can then prioritize mitigation of these issues based
upon potential consequences or likelihood of exploitation by
adversaries.
Available to all Federal civilian agencies, the CDM program
provides diagnostic sensors, tools, and dashboards that provide
situational awareness to individual agencies and at a summary Federal
level. This allows agencies to target their cybersecurity resources
toward the most significant problems, and enables comparison of
relative cybersecurity posture between agencies based upon common and
standardized information. The CDM contract can also be accessed by
defense and intelligence agencies, as well as by State, local, tribal,
and territorial (SLTT) governments. 108 departments and agencies are
currently covered by Memoranda of Agreement with the CDM program,
encompassing over 97 percent of all Federal civilian personnel. In
fiscal year 2014, DHS issued the first delivery order for CDM sensors
and awarded a contract for the CDM dashboard. The $143 million and 15
staff requested in fiscal year 2015 will support deployment of the
Federal dashboard and capabilities to Federal agencies.
In addition, the National Cybersecurity Protection System (NCPS), a
key component of which is referred to as EINSTEIN, is an integrated
intrusion detection, analytics, information sharing, and intrusion-
prevention system utilizing hardware, software, and other components to
support DHS responsibilities for protecting Federal civilian agency
networks. In fiscal year 2015, the program will expand intrusion
prevention, information sharing, and cyber analytic capabilities at
Federal agencies, marking a critical shift from a passive to an active
role in cyber defense and the delivery of enterprise cybersecurity
services to decision-makers across cybersecurity communities.
In July 2013, EINSTEIN 3 Accelerated (E3A) became operational and
provided services to the first Federal Agency. As of February 2014,
Domain Name System and/or email protection services are being provided
to a total of seven departments and agencies. Full Operational
Capability is planned for fiscal year 2016. With the adoption of E3A,
DHS will assume an active role in defending .gov network traffic and
significantly reduce the threat vectors available to malicious actors
seeking to harm Federal networks. In fiscal year 2015, $378 million is
requested for NCPS. We will continue working with the Internet Service
Providers to deploy intrusion prevention capabilities, allowing DHS to
provide active, in-line defense for all Federal network traffic
protocols.
It is important to note that the Department has strong privacy,
civil rights, and civil liberties standards implemented across its
cybersecurity programs. DHS integrates privacy protections throughout
its cybersecurity programs to ensure public trust and confidence. DHS
is fully responsible and transparent in the way it collects, maintains,
and uses personally identifiable information.
Operational Response
Increased connectivity has led to significant transformations and
advances across our country and around the world. It has also increased
complexity and exposed us to new vulnerabilities that can only be
addressed by timely action and shared responsibility. Successful
responses to dynamic cyber intrusions require coordination among DHS,
the Departments of Justice (DOJ), State (DOS) and Defense (DOD), the
Intelligence Community, the specialized expertise of sector specific
agencies such as the Department of the Treasury, private sector
partners--who are critical to these efforts--and SLTT, as well as
international partners, each of which has a unique role to play.
DHS is home to the National Cybersecurity and Communications
Integration Center (NCCIC), a national nexus of cyber and
communications integration. A 24�7 cyber situational awareness,
incident response, and management center, NCCIC partners with all
Federal departments and agencies, SLTT governments, private sector and,
critical infrastructure owners and operators, and international
entities. The NCCIC disseminates cyber threat and vulnerability
analysis information and assists in initiating, coordinating,
restoring, and reconstituting national security/emergency preparedness
(NS/EP) telecommunications services and operates under all conditions,
crises, or emergencies, including executing Emergency Support Function
#2--Communications Annex responsibilities under the National Response
Framework.
The NCCIC also provides strategic cyber-threat analysis, through
its United States Computer Emergency Readiness Team (US-CERT) and the
Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in
conjunction with the National Infrastructure Coordinating Center
(NICC), to reduce malicious actors exploiting vulnerabilities. Threat
management decisions must incorporate cyber threats based on
technological as well as non-technological factors, and consider the
varying levels of security required by different activities. Since its
inception in 2009, the NCCIC has responded to nearly a half million
incident reports and released more than 37,000 actionable cybersecurity
alerts to our public and private sector partners. In fiscal year 2013,
NCCIC received 228,244 public and private sector cyber incident
reports, a 41-percent increase from 2012, and deployed 23 response
teams to provide onsite forensic analysis and mitigation techniques to
its partners. NCCIC issued more than 14,000 actionable cyber alerts in
2013, used by private sector and government agencies to protect their
systems, and had more than 7,000 partners subscribe to the NCCIC/US-
CERT portal to engage in information sharing and receive cyber threat
warning information.
Further demonstrating NPPD's commitment to greater unity of effort
in strengthening and maintaining secure and resilient critical
infrastructure against both physical and cyber threats, the NICC has
moved its watch operations center to collocate with the NCCIC. The NICC
is the information and coordination hub of a national network dedicated
to protecting critical infrastructure essential to the Nation's
security, health and safety, and economic vitality. In accordance with
and supporting the physical-cyber integration directives of PPD-21,
this new integration will enhance effective information exchange, and
improve the alacrity of protection with real-time indicator sharing.
Concurrently, the NCCIC will refine and clarify the NICC-NCCIC
relationship to advance national unity of effort within NPPD and the
Federal Government.
Data Security Breaches
On December 19, 2013, a major retailer publicly announced it had
experienced unauthorized access to payment card data from the
retailer's U.S. stores. The information involved in this incident
included customer names, credit and debit card numbers, and the cards'
expiration dates and card verification-value security codes. Another
retailer also reported a malware incident involving its point of sale
system on January 11, 2014, that resulted in the apparent compromise of
credit card and payment information. A direct connection between these
two incidents has not been established.
During both incidents, NPPD's NCCIC utilized its unique
cybersecurity, information sharing and mitigation capabilities to help
retailers across the country secure their systems to prevent similar
attacks while simultaneously providing timely analysis to the United
States Secret Service (USSS). DHS's ability to provide a cross-
component response during this incident underscores the importance of
leveraging complementary missions at the Department. Working closely
together, elements with cyber capabilities such as the USSS, U.S. Coast
Guard, Immigrations and Customs Enforcement's office of Homeland
Security Investigations, Office of the Chief Information Officer, and
NPPD are able to increase focus on not just responding to incidents but
also reducing vulnerabilities, protecting against future attacks, and
mitigating consequences.
In response to this incident, NCCIC/US-CERT analyzed the malware
identified by the USSS as well as other relevant technical data and
used those findings, in part, to create two information sharing
products. The first product, which is publicly available and can be
found on US-CERT's Web site, provides a non-technical overview of risks
to point of sale systems, along with recommendations for how businesses
and individuals can better protect themselves and mitigate their losses
in the event an incident has already occurred. The second product
provides more detailed technical analysis and mitigation
recommendations, and has been securely shared with industry partners to
enable their protection efforts. NCCIC's goal is always to share
information as broadly as possible, including by producing actionable
products tailored to specific audiences.
While the criminal investigation into the these activities is on-
going, NPPD, through the NCCIC and other organizations, continues to
build shared situational awareness of similar threats among our private
sector and government partners and the American public at large. At
every opportunity, the NCCIC and our private sector outreach program
publish technical and non-technical products on best practices for
protecting businesses and customers against cyber threats and provide
the information sharing and technical assistance necessary to address
cyber threats as quickly as possible. DHS remains committed to ensuring
cyberspace is supported by a secure and resilient infrastructure that
enables open communication, innovation, and prosperity while protecting
privacy, confidentiality, and civil rights and civil liberties by
design.
understanding cyber and physical critical infrastructure
interdependencies
One of NPPD's top priorities is providing our government and
private sector partners with the information, analysis, and tools they
need to protect our Nation's critical infrastructure in the face of
physical and cyber risks. Key to this effort is understanding the
consequences of potential disruptions to critical infrastructure,
including interdependencies and cascading impacts, from all hazards to
better equip and prepare our partners and stakeholders. Understanding
consequences helps identify potential mitigation measures and
prioritize the allocation of limited resources for both government and
private sector.
In February of 2014, NPPD established the Office of Cyber and
Infrastructure Analysis to implement elements of PPD-21, which calls
for integrated analysis of critical infrastructure, and EO 13636,
identifying critical infrastructure where cyber incidents could have
catastrophic impacts to public health and safety, the economy, and
national security. An Integrated Analysis Cell was established to
provide near real-time information to NPPD's two operational centers:
the National Infrastructure Coordinating Center (NICC) and National
Cybersecurity and Communications Integration Center (NCCIC). Similarly
the work that has been done to implement section 9 of EO 13636 through
the Cyber-Dependent Infrastructure Identification Working Group
exemplifies how the skills that have been developed in NPPD over the
years focused on critical infrastructure can similarly be applied to
the analyzing cyber infrastructure. $33 million is requested in fiscal
year 2015 to support these efforts.
Engaging with Federal, SLTT, and Private Sector Entities
NPPD is committed to engaging with Federal, SLTT, and private
sector stakeholders. More than 1,100 participants were involved in the
development of NIPP 2013, providing thousands of comments reflecting
our partners' input and expertise. NPPD has become increasingly focused
on engaging stakeholders at the executive level, and working with the
DOE, will implement a sustained outreach strategy to energy sector
Chief Executive Officers to elevate risk management of evolving
physical and cyber threats to the enterprise level. NPPD will also
explore similar efforts across the critical infrastructure community.
NPPD serves as a principal coordination point for stakeholder
engagement for Cybersecurity through the Cyber Security Evaluation
Program (CSEP). CSEP which provides voluntary evaluations intended to
enhance cybersecurity capacities and capabilities across all 16
Critical Infrastructure Owner/Operators, as well as SLTT governments
through its Cyber Resilience Review (CRR) process. The goal of the CRR
is to develop an understanding and measurement of key cybersecurity
capabilities and provide meaningful maturity indicators to an
organization's operational resilience and ability to manage risk to its
critical services during normal operations and times of operational
stress and crisis.
vision for the future
DHS has a solid foundation upon which to build and enhance future
cybersecurity capabilities to ensure information resilience against an
adversary that leverages the best of technology and doesn't lack for
funding. DHS continues to strengthen trust and public confidence in the
Department through the foundations of partnership, transparency, and
protections for privacy and civil liberties, which is built in to all
that we do. Our Department is the lead civilian agency responsible for
coordinating the national protection, prevention, mitigation, and
recovery from cyber incidents across civilian government, State, local,
tribal, territorial (SLTT) and private sector entities of all sizes.
DHS leverages our interagency and industry partnerships as well as the
breadth of our cyber capabilities extending from NPPD, Immigration and
Customs Enforcement's Homeland Security Investigations, U.S. Coast
Guard and U.S. Secret Service, to make our NCCIC the source for dynamic
data aggregation of for global cyber indicators and activity.
We are working to further enable the NCCIC to receive and
disseminate information at ``machine speed.'' \1\ This enhanced
capability will enable networks to be more self-healing, as they use
mathematics and analytics to mimic restorative processes that are
currently done manually. Ultimately, this will enable us and our
partners to better recognize and block threats before they reach their
targets, thus deflating the goals for success of cyber adversaries and
taking botnet response from hours to seconds in certain cases. We are
working with the DHS Science & Technology Directorate in many areas to
develop and support these capabilities for NCCIC. The science of
decisionmaking is about seeing enough behavior to differentiate the
good from the bad, and that comes from the collective information of
industry and Government. That is voluntarily provided to us because of
underlying trust. This effort is currently being built in our
Structured Threat Information Expression (STIX) and Trusted Automated
eXchange of Indicator Information (TAXII TM) programs that
we have begun offering as a free method for machine-to-machine sharing
of cyber threat indicators to others in the Government and private
sector.
---------------------------------------------------------------------------
\1\ Automatically sending and receiving cyber information as it is
consumed and augmented based on current threat conditions, creating a
process of automated learning that emulates a human immune system and
gets smarter as it is exposed to new threats.
---------------------------------------------------------------------------
We must increase data exchange and information flow with industry
through stakeholder engagement to optimize the information shared
voluntarily. This must be done in a manner that promotes privacy and
civil liberties protections, focusing on the sharing of cyber threat
information that is non-attributable and anonymized to the greatest
extent feasible.
DHS's extensive visibility into attacks on government networks must
be fully leveraged to protect all government networks as well as our
critical infrastructure and local entities, in a way that is consistent
with our laws while preserving the privacy and individual rights of
those we protect. Legislation providing a single clear expression of
DHS cybersecurity authority would greatly enhance and speed up the
Department's ability to engage with affected entities during a major
cyber incident and dramatically improve the cybersecurity posture of
Federal agencies and critical infrastructure.
conclusion
Infrastructure is the backbone of our Nation's economy, security
and health. We know it as the power we use in our homes, the water we
drink, the transportation that moves us, and the communication systems
we rely on for business and everyday life. We have an extremely
dedicated and talented workforce engaged in activities that advance our
mission to protect that information and their innovation will continue
to propel NPPD and DHS forward in fiscal year 2015 and beyond. Each
employee is dedicated to a safe, secure, and resilient infrastructure
that enables our way of life to thrive.
Chairwoman Landrieu, Ranking Member Coats, and distinguished
members of the subcommittee, thank you all for your leadership in
cybersecurity and for the opportunity to discuss the fiscal year 2015
President's budget request for NPPD's cybersecurity efforts. I look
forward to any questions you may have.
Senator Landrieu. Thank you very much.
Mr. Edge.
STATEMENT OF PETER T. EDGE, EXECUTIVE ASSOCIATE
DIRECTOR, HOMELAND SECURITY INVESTIGATIONS,
IMMIGRATION AND CUSTOMS ENFORCEMENT,
DEPARTMENT OF HOMELAND SECURITY
Mr. Edge. Good afternoon, Chairwoman Landrieu, Ranking
Member Coats, and Senator Coons. Thank you for the opportunity
to appear before you today to discuss the risks of cyber crime
and the impact of U.S. Immigration and Customs Enforcement's
Homeland Security Investigations' role with respect to
conducting investigations and building capabilities to protect
our Nation's borders and enhance public safety for the future.
The Internet poses a significant challenge to law
enforcement. When a criminal never has to meet his victim face-
to-face, but can hide behind what appears to be a legitimate
Web site, consumer fraud runs rampant. When criminal
organizations can employ technical means to steal intellectual
property, American ingenuity is stymied. When money-launderers
can utilize non-traditional Internet-based financial services,
circumventing regulatory safeguards and public safety, that's a
detriment and a danger to our country.
Criminal networks are becoming increasingly sophisticated
in taking advantage of the many ways in which the Internet can
streamline communications, financing, and logistics, just as it
does for legal enterprise. As a consequence, law enforcement
agencies must respond by properly preparing investigators for
work in cyber space. As information systems and computer
networks become increasingly prolific, the technical challenges
facing law enforcement investigations of criminals operating
through the Internet grow daunting, and the considerations in
collecting electronic evidence become increasingly complex.
Our Cyber Crime Center, which was established in 1997,
brings the full range of Homeland Security Investigations cyber
investigations and computer forensics assets together in a
single location to coordinate global investigations and to
provide to our field offices in their efforts to combat cyber-
enabled crime. The scope of these investigations includes any
instance where information technology or computer networks are
substantially employed to facilitate international smuggling,
money-laundering, and Internet-based financial frauds or
identity theft, even proliferation of strategic commodities or
the digital theft of intellectual property or export-controlled
technical data. Trafficking in child pornography and other
child exploitation crimes are also a significant focus for us.
The Cyber Crime Center further works to develop tools and
capabilities to conduct online cyber investigations, focusing
on collaborative relationships with other Government agencies,
to include DHS's Science and Technology, our friends at NPPD,
National Cybersecurity Communications Integration Center, and
our domestic and international law enforcement partners,
especially our DHS counterpart, the United States Secret
Service, as well as EUROPOL.
The Cyber Crime Center's budget has increased by more than
$30 million since 2011, expending $137 million in fiscal year
2013. This growth underscores the increasing role the Internet
plays in criminal activity and the need for skill and diligence
to thwart crime in cyber space.
U.S. Immigration and Customs Enforcement has recognized the
potential for criminal exploitation and the money-laundering
threat posed by virtual currency. We therefore strategically
deployed a multi-pronged investigative strategy designed to
target illicit virtual currency, currency exchangers, and
underground black markets, such as carding, illegal drugs,
illegal firearms, and child pornography forums.
HSI has established itself as a world leader in online
exploitation investigations because of the breath of its
authorities and presence throughout the world. In fiscal year
2013 alone, our agency was responsible for more than 2,000
criminal arrests relating to child exploitation, while
launching in excess of 4,000 child exploitation investigations
worldwide. Both are new records for Homeland Security
Investigations and the Department of Homeland Security.
In 2013 there were 927 children identified as victims
during the course of Immigration and Customs Enforcement (ICE)
HSI-led joint online child exploitation investigative work.
The Cyber Crime Center oversees the agency's computer
forensics program, which comprises approximately 250 computer
forensics agents and analysts. Our computer forensics agents
jointly train with the Secret Service and Internal Revenue
Service (IRS) Criminal Investigations. Homeland Security
Investigations' computer forensics agents (CFAs) also support
investigations in the use of digital media as well as support
to Federal, State, and local law enforcement upon request.
In fiscal year 2013, HSI-CFA has encountered approximately
3.9 petabytes of data, equal to approximately 62 billion pages
of image files or 71 billion pages of Powerpoint files. In
April 2013, we engaged in a relationship with the National
Association to Protect Children (PROTECT) to launch the Human
Exploitation Rescue Operative (HERO), Child Rescue Corps.
During the 12-month internship, we hired wounded warriors who
were integral in conducting computer forensics law enforcement-
based investigations.
Senator Landrieu. You have to try to wrap up if you would.
Mr. Edge. The Cyber Center will continue to evaluate its
cyber capabilities, programs, and training, and will make sure
the agency can effectively continue combating this ever-
changing landscape in the future.
Thanks again for the opportunity to appear before you, and
I look forward to answering any questions you may have.
[The statement follows:]
Prepared Statement of Peter T. Edge
introduction
On behalf of the men and women of U.S. Immigration and Customs
Enforcement (ICE), thank you for the opportunity to appear before you
today to discuss cybersecurity and the impact ICE's Cyber Crime Center
(C\3\) makes with respect to protecting our Nation's borders and
enhancing public safety. C\3\ has been in existence since 1997 and was
created to support the investigative mission of the U.S. Customs
Service. Now, 17 years later, C\3\ is recognized worldwide as a center
of excellence in cyber law enforcement. ICE expenditures for cyber
crime investigations have increased 39 percent since fiscal year 2010.
Additionally, cyber crimes investigations account for 9 percent of
total Domestic Investigations expenditures compared to 6.5 percent in
fiscal year 2010.
----------------------------------------------------------------------------------------------------------------
Fiscal year
2010 to fiscal
Fiscal year: 2010 2011 2012 2013 year 2013
variance
----------------------------------------------------------------------------------------------------------------
Cyber Crime & Child Pornography Investigations............. $92 $98 $109 $119 $28
Cyber Crimes Center........................................ 16 17 11 18 2
----------------------------------------------------
Total Cyber Crimes Expenditures...................... 108 115 120 137 30
====================================================
Percent of Total Expenditures.............................. 6.5% 6.8% 7.0% 8.6% 27.4%
----------------------------------------------------
Total HSI Domestic Expenditures...................... $1,648 $1,701 $1,723 $1,596 $(52)
----------------------------------------------------------------------------------------------------------------
ICE Homeland Security Investigations (HSI) is the principal
investigative arm of the U.S. Department of Homeland Security (DHS) and
the second largest Federal criminal investigative agency, with broad
legal authority to enforce more than 400 Federal statutes. HSI has
taken a leading role in coordinating domestic and international law
enforcement actions among our law enforcement partners through several
centers of excellence that we lead--including C\3\.
The Internet poses a significant challenge to law enforcement. When
a criminal never has to meet his victim face to face, but can hide
behind what appears to be a legitimate Web site, consumer fraud runs
rampant. When transnational criminal organizations employ technical
means to steal intellectual property, American ingenuity is stymied.
When money launderers utilize non-traditional, Internet-based financial
services, circumventing regulatory safeguards, public safety is further
threatened. Criminal networks are becoming increasingly sophisticated
in taking advantage of the many ways in which the Internet can
streamline communications, financing, and logistics--just as it does
for legal enterprise. As a consequence, law enforcement agencies must
respond by properly preparing investigators for work in cyberspace. As
information systems and computer networks become increasingly prolific,
the technical challenges facing law enforcement investigations of
criminals operating on, or through, the Internet grow daunting, and the
considerations in collecting electronic evidence become increasingly
complex. A recent HSI enforcement action targeting intellectual
property violations saw the deployment of 5 percent of HSI's Computer
Forensics Agents (CFAs) in a single day. These CFAs were tasked with
securing the electronic evidence from nine Web sites, and they will be
heavily involved in sorting through the evidence for potential
prosecutions.
cyber crimes center
C\3\ brings the full range of ICE cyber investigations and computer
forensic assets together in a single location to coordinate global
investigations and to provide support to our field offices in their
efforts combat cyber-enabled crime. C\3\ is comprised of three units:
the Cyber Crimes Unit, the Computer Forensics Unit, and the Child
Exploitation Investigations. The C\3\ facility houses a cyber
investigations training room and a computer forensics laboratory. The
Center is staffed by special agents, intelligence research specialists,
computer forensics analysts, and mission support personnel. Each of
C\3\'s units plays an integral role in supporting investigations of
cybercrime and cyber-enabled crime. The scope of these investigations
includes any instance where information technology, or computer
networks are substantially employed to facilitate international
smuggling, money laundering, Internet-based financial frauds or
identity theft, proliferation of strategic commodities or the theft of
export controlled technical data, and trafficking in child pornography
and other child exploitation crimes. The Cyber Crimes Unit and Child
Exploitation Investigations Unit provide coordination, de-confliction,
resources, training, and subject matter expertise in these
investigations. The Computer Forensics Unit oversees the agency's
computer forensics program, including the agency's participation in,
and contributions to, the Treasury Computer Forensics Training Program.
Cyber Crimes Unit
The Cyber Crimes Unit supports HSI investigations of cyber enabled
criminal activities. The Cyber Crimes Unit provides oversight,
coordination, de-confliction, resources, and subject matter expertise
to HSI offices in the investigation of international smuggling,
proliferation, fraud, and money laundering activities where information
systems, networks, and the Internet serve as significant facilitating
mechanisms for the crime. The Cyber Crimes Unit particularly focuses
its efforts towards cyber economic crimes involving financial fraud,
the theft of digital intellectual property and technical data
controlled under export laws, and the targeting of cross-border illicit
Internet marketplaces. The Cyber Crimes Unit also works to develop and
deliver training to HSI personnel in the investigation of cyber-enabled
crimes. The Cyber Crimes Unit further works to support HSI cyber
investigations through its Emerging Technology program which focuses on
collaborative relationships with other government agencies and academic
institutions intended toward development of technical solutions to
technical problem sets facing law enforcement.
Emerging Technologies
The Cyber Crimes Unit is also dedicated to the development of tools
and capabilities to conduct online cyber investigations. Emerging
technology, such as The Onion Router, also known as TOR, or the
utilization of virtual currencies, allow the transnational criminal
organizations to navigate in cyberspace anonymously. C\3\ has partnered
with DHS Science and Technology to collaborate with academia and other
partners to develop tools and best practices, to stay abreast of
emerging technologies and continue to lean in to prevent and deter
illegal activities.
Virtual Currency
In contrast to traditional currency, monetary instruments, or other
methods of transferring value, virtual currencies serve as mediums of
exchange, but are not accepted as legal tender in any recognized
government jurisdiction. However, virtual currencies can be used to
conduct transactions entirely within a virtual economy, transferred
between individuals, or used in lieu of a government-issued currency to
purchase goods and services.
The appeal of virtual currencies, especially ``open'' or
``convertible'' currencies that can be exchanged for traditional
currency, and vice versa, is that they may allow value to be
transferred much more rapidly and cheaply (especially internationally)
than through traditional banking payment systems, and often with
greater anonymity and reduced oversight.
ICE has recognized the potential for criminal exploitation and the
money laundering threat posed by virtual currency. ICE has, therefore,
strategically deployed a multi-prong investigative strategy designed to
target illicit virtual currency platforms, currency exchangers, and
underground black markets such as ``carding,'' illegal drugs, illegal
firearms, and child pornography forums.
ICE recognizes that our approach to combating the illicit use of
virtual currency systems must include collaboration and coordination
with our domestic and international partners. To that end, ICE works
closely with our Federal, State, local, and international law
enforcement partners, and other members of the interagency.
recent investigations
Crack99
Among HSI's broad investigative authority, we are the primary
enforcer of the Arms Export Control Act and as such has responsibility
to work with industry to safeguard this data from being exploited and
smuggled out of the country. This includes the investigation of Web
sites that offer the sale of prohibited items as well as transnational
criminal organizations that steal the data without the knowledge of
industry.
HSI Philadelphia learned during a private industry outreach
meeting, of an online company known as Crack99, believed to be involved
in the illegal sale of U.S.-manufactured software products. HSI
collaborated with Defense Criminal Investigative Services and conducted
numerous undercover purchases of stolen software from Crack99. Once
payment had been made and accepted in China, the software was posted
and received, often compressed into specialty files and then
``cracked'' to overcome the license restrictions. The software programs
were used in multiple design and engineering systems that had a broad
range of user applications to include: explosive simulation, aircraft
mission simulation, oil field management, antenna design and radio
frequency signaling.
Many of the U.S.-manufactured software programs offered by Crack99
were controlled for export and were subject to the Department of
Commerce's Export Administration Regulations. The estimated monetary
loss of these illegal software sales conducted by Crack99 was valued at
approximately $1 million. Crack99 had ``cracked'' the software of
thousands of U.S. businesses.
HSI Special Agents identified the U.S.-based servers and seized all
accounts, Web sites and domains associated with Crack99's distribution
of stolen software. Two servers and six domain names were seized. The
three main suspects were charged, convicted and sentenced for various
violations of conspiracy, fraud, smuggling and copyright infringement.
Mt. Gox
In May 2013, through an interagency taskforce led by ICE in
Baltimore, Maryland, three U.S. bank accounts associated with what was
then the world's largest Bitcoin (a specific virtual currency)
exchanger, Japan-based Mt. Gox, were seized for violations of 18 U.S.C.
section 1960, operating a money service business in the United States
without a license. Some of the funds were linked to the illicit
purchase of drugs, firearms, and child pornography. These and many
other ongoing criminal investigations have provided ICE with a better
understanding of the risks and challenges posed by virtual currencies.
Online Child Exploitation Investigations
ICE has established itself as a world leader in online child
exploitation investigations due to the breadth of its authorities and
presence throughout the world. Under the auspices Operation Predator,
HSI child exploitation investigations focuses on the enforcement,
disruption and dismantlement of individuals and groups involved in the
possession, receipt, distribution, transportation, and production of
child pornography. Since the launch of Operation Predator in 2003, HSI
has initiated more than 30,700 criminal investigations; arrested more
than 10,900 child predators; and contributed to more than 8,000
indictments and criminal convictions for child exploitation violations.
In fiscal year 2013 alone, our agency was responsible for over 2,000
criminal arrests relating to child exploitation, while launching in
excess of 4,000 child exploitation investigations worldwide, both new
records for HSI. In fiscal year 2013, there were 927 children
identified as victims during the course of ICE HSI-led or joint child
exploitation and/or child sex tourism investigations. Key to HSI's
fight against child exploitation is HSI's C\3\. C\3\ directs HSI in its
mission to investigate large-scale producers and distributors of child
pornography, as well as individuals who travel abroad for the purpose
of engaging in sex with minors, also known as Child Sex Tourism (CST).
C\3\ employs the latest technology to collect evidence of persons and
organized groups who sexually exploit children through the use of Web
sites, chat rooms, newsgroups and peer-to-peer trading. C\3\ also
provides assistance to HSI field offices, coordinates major
investigations, and conducts undercover operations throughout the world
to identify and apprehend violators.
Operation Round Table
In March 2014, HSI completed the largest online child exploitation
investigations in ICE's history, involving victims in 39 States and
five countries. Fourteen men operating a child pornography Web site on
the Darknet's Onion Router (TOR) were arrested and charged as part of a
conspiracy to operate a child exploitation enterprise, following an
extensive international investigation by HSI and the U.S. Postal
Inspection Service (USPIS).
To date, investigators have identified 251 minor victims in 39
States and five foreign countries: 228 in the United States and 23 in
the United Kingdom, Canada, New Zealand, Australia and Belgium. Eight
of the victims were female and 243 were male. The majority of victims,
159, were 13 to 15 years old; 59 victims were 16 and 17; 26 victims
were 10 to 12; four victims were 7 to 9; one victim was 4 to 6; and two
victims were 3 years old or younger. All victims have been contacted by
law enforcement and U.S. victims have been offered support services
from HSI victim assistance specialists.
Victim Identification Program
Although the traditional law enforcement goal in combating child
exploitation is normally viewed to be ``arresting and prosecuting
predators,'' the true goal is to protect children. In furtherance of
this goal, HSI launched the Victim Identification Program (VIP) in
December 2011. Its mission is to combine technological and
investigative capabilities and resources to rescue child victims of
sexual exploitation. The VIP is a simple idea that combines traditional
investigative techniques with cutting edge technology for the purposes
of rescuing child victims of sexual exploitation. The victim
identification process starts with the discovery of new child abuse
material (images, video, and/or audio) that depicts an unidentified
minor or minors being sexually abused. HSI analyzes and enhances the
material in order to identify clues that may lead to the identity of
the victim, suspect or geographic location. When enough clues come
together to form a viable lead, the lead is sent out to the appropriate
HSI field office for follow-up investigation. During its first 2 years
of operation, the VIP has been responsible for more than 180 victims
identified and/or rescued from around the country. HSI is increasingly
shifting its focus and dedicating more of its time and resources
towards identifying and rescuing the victims of child sexual
exploitation and the prevention of these crimes. This focus on victims
is not in conflict with ongoing efforts to arrest and prosecute the
perpetrators of these horrendous crimes as the identification of
victims often leads to the arrest of their abusers.
Project iGuardian
In April 2014, ICE launched an educational outreach program called
Project iGuardian, in conjunction with the National Center for Missing
and Exploited Children's NetSmartz and the Internet Crimes Against
Children (ICAC) Task Forces. Project iGuardian is an outreach awareness
program that aims to educate kids, teens, and parents about online
safety and how to stay safe from online sexual predators. HSI
recognizes the importance of education and community awareness
regarding the dangers of online activity. Project iGuardian aims to
counter a disturbing fact: many online child predators are able to find
victims online because children are not aware of how dangerous online
environments can be.
Virtual Global Taskforce
ICE is a founding member and the U.S. representative of the Virtual
Global Taskforce (VGT), an international alliance of law enforcement
agencies and private industry sector partners working together to
prevent and deter online child sexual abuse. In December 2012, HSI was
appointed chair and secretariat of the VGT. The Deputy Assistant
Director of C\3\ assumed the duties of chair for a 3-year tenure. At
the same time HSI was appointed the chair, the VGT also agreed to
include investigations of CST into its portfolio.
Operation Predator--Smartphone App
In September of 2013, HSI launched a new smartphone app, the first
of its kind in U.S. Federal law enforcement, designed to seek the
public's help with fugitive and unknown suspect child predators. All
tips can be reported anonymously through the app, by phone or online,
24 hours a day, 7 days a week. In many cases, HSI has been able to make
an arrest just hours after issuing a nationwide plea for public
assistance. These cases demonstrate the power of the press, social
media and the general public in helping solve cases.
Computer Forensics Program
C\3\ operates and maintains a robust computer forensics program.
HSI computer forensic agents/analysts (CFAs) support all HSI
investigations involving the use of digital media, as well as provide
support to Federal, State and local law enforcement upon request. The
computer forensic program is currently comprised of approximately 250
CFAs located in over 110 domestic and foreign HSI offices. The CFAs
operate in various environments, supporting investigations to include
advanced mobile device data extraction, hard drive repair, data mining
of large multi-terabyte data sets, password decryption, border search
of electronic devices and on-scene computer forensic assistance. For
example, HSI CFAs were instrumental in the seizure of closed circuit
video systems that were used in the identification of the Boston
Marathon bombing suspects and provided key support for the analysis of
suspect media related to Operation Round Table detailed above.
In fiscal year 2013, HSI CFAs encountered approximately 3.9
petabytes of data (equal to approximately 62 billion pages of image
files or 71 billion pages of power point files) and analyzed over 4,400
mobile devices; this is a 45-percent increase in the volume of data
encountered and a 35-percent increase in the number of mobile devices
analyzed from the previous fiscal year.
HSI is a founding member of the Treasury Computer Forensic Training
Program (TCFTP), which is a joint computer forensic training initiative
between HSI, the U.S. Secret Service and the Internal Revenue Service-
Criminal Investigations. Management of the training program rotates
every 2 years, with HSI responsible for administering the program for
2014 and 2015. For 2014, it is anticipated that approximately 200
individuals will receive basic or advanced computer forensic training
through the joint training program. This program was designed to
provide CFAs operating in the field with the skills necessary to
support the ever changing environment of the computer forensic
requirements for HSI's investigative mission. In addition to providing
training through the TCFTP, the computer forensic program regularly
provides computer forensic training for capacity building efforts to
foreign law enforcement.
Human Exploitation Rescue Operative Chile Rescue Corps
In April 2013, ICE, entered into a partnership with U.S. Special
Operations Command and the National Association to Protect Children
(PROTECT) to launch the ``Human Exploitation Rescue Operative (HERO)
Child Rescue Corps'' program. The 12-month internship program is a
highly competitive, highly selective non-paid internship, designed for
wounded, injured and ill Special Operations Forces to receive training
in high-tech computer forensics and law enforcement skills to assist
HSI and law enforcement in their efforts to combat child sexual
exploitation. Upon successful completion of the training, HERO
participants are embedded into computer forensic analyst positions
within HSI offices to receive on-the-job training experience. Fifteen
HERO participants of the inaugural class have successfully completed
all aspects of the program thus far and HSI in the process of extending
offers of employment to all 15 individuals under the Veterans'
Recruitment Appointment authority. The HERO program is in the process
of recruiting, interviewing and selecting candidates for the 2nd HERO
class, which is scheduled to begin in August 2014.
DHS Secretary's Honors Program--Cyber Student Initiative
The DHS Cyber Student Volunteer Initiative, introduced in 2013 by
DHS and HSI, offered college students majoring in a cybersecurity-
related field an unpaid volunteer position to gain invaluable hands-on
experience at a DHS component agency. HSI was the sole DHS component to
participate in the inaugural program, which was designed to provide
high-performing students with challenging work projects, real-life
learning scenarios, and mentoring from cybersecurity professionals at
various HSI field offices. Based on the success of the program, DHS and
HSI offered the Student Volunteer Initiative program again in 2014,
which was expanded to include new volunteer opportunities at the U.S.
Secret Service, the U.S. Coast Guard, the Transportation Security
Administration, the Office of Intelligence and Analysis, the DHS Office
of the Chief Information Officer, and State and major urban area fusion
centers.
conclusion
Thank you again for the opportunity to appear before you to
highlight ICE's Cyber Crime Center and the significant role we
contribute in combating transnational criminal organizations operating
in cyberspace and in an increasingly more complex and sophisticated
virtual reality. As the cyber world and other new virtual technologies
continue to evolve, ICE will remain vigilant and adapt its
investigative tools and techniques to dismantle those criminal
organizations that use this platform to hide illicit activity.
Senator Landrieu. Thank you so much for that excellent
testimony.
Mr. Noonan.
STATEMENT OF WILLIAM NOONAN, DEPUTY SPECIAL AGENT IN
CHARGE, CRIMINAL INVESTIGATIVE DIVISION--
CYBER OPERATIONS, SECRET SERVICE,
DEPARTMENT OF HOMELAND SECURITY
Mr. Noonan. Yes, ma'am. Good afternoon, Chairman Landrieu,
Ranking Member Coats, and Senator Coons. Thank you for the
opportunity to testify on the Department of Homeland Security's
investments to counter cyber threats and the capabilities the
Secret Service utilizes and is developing to deter cyber crime
around the world. I am honored to appear today alongside my
colleagues from Immigration and Customs Enforcement and the
National Protection and Programs Directorate.
While no single agency or department has the personnel and
resources to eliminate all cyber threats, DHS brings to the
table a strong combination of Federal law enforcement
experience, established partnerships across Federal, State, and
local governments, international law enforcement, and the
private sector, as well as a workforce that is committed to
strengthening the security and resiliency of our Nation's
critical infrastructure.
When the Secret Service was created as an investigative
division of the Department of Treasury in 1865, its sole focus
was to protect the Nation's financial system from the
proliferation of counterfeit currency. Over the past 149 years
the agency's mission has expanded to include protecting the
President, the Vice President, visiting world leaders, and
national special security events. Today our integrated mission
addresses numerous threats, including those originating in
cyber space.
The Secret Service's authorities to investigate cyber crime
date back nearly 30 years to when Congress passed the
Comprehensive Crime Control Act of 1984. That law granted the
Secret Service authority to investigate criminal offenses
related to unauthorized access to computers and the fraudulent
use or trafficking of access devices.
As the Nation's financial payments systems evolved from
paper to plastic to electronic transactions, so too has the
Secret Service's investigative priorities. Advances in computer
technology and greater Internet access to personally
identifiable information and sensitive financial data have
created online marketplaces for transnational cyber criminals
to share stolen information and criminal methodologies.
Over the past 10 years, the Secret Service has observed
marked increase in the quantity and complexity of cyber crimes
targeting private industry, in particular the financial
services sector. These crimes include network intrusions,
installation of malicious software, and account takeovers,
leading to significant data breaches affecting every sector of
the world's economy.
The widely reported data breaches of Target, Neiman Marcus,
White Lodging, and Michaels are just some of the most recent
well-publicized examples of major data breaches perpetrated by
cyber criminals who are intent on targeting our Nation's
financial payments systems. Over the past 4 years alone, the
Secret Service cyber crime investigations have resulted in more
than 4,900 arrests associated with approximately $1.4 billion
in fraud losses and the prevention of $11 billion in potential
fraud losses.
Through continued work with our key Federal, State, local,
international, and private-sector partners, we are confident we
will continue to bring domestic and transnational cyber
criminals to justice.
In support of the Secret Service's protective mission,
special agents trained through the agency's Critical Systems
Protection (CSP) program successfully completed more than 657
domestic and 5 international protective advances since 2010 in
support of the President, Vice President, and national special
security events. The incorporation of tools and specialized
training to reduce the risk associated with a viable cyber
threat during protective operations enhances the Secret
Service's ability to provide complete protective coverage.
CSP technology provides visibility into the once unknown
cyber environment, which gives our agency the tools to identify
cyber threat actors as well as mitigate potential network
attacks on the critical infrastructure that supports permanent
and temporary venues under Secret Service protection.
With the subcommittee's support, the Secret Service will
continue to focus on improving our protective investigative
capabilities and enhancing the training of our special agent
workforce through the Electronic Crimes Special Agent Program,
as well as provide training for our State and local law
enforcement partners through the National Computer Forensic
Institute. We will also continue to share actionable
information with our partners through DHS's National
Cybersecurity and Communications Integration Center and the
network of Information-Sharing and Analysis Centers (ISACs), in
particular the Financial Services and Multistate ISACs, while
aggressively investigating cases through our domestic
international field offices, as well as our network of
electronic crimes task forces.
On the basis of the Secret Service's experience with cyber
investigations and protection, I hope today's discussion
provides the subcommittee useful information on how to best
deter and mitigate the threat of these crimes in the future.
This concludes my opening remarks. I look forward to your
questions. Thank you.
[The statement follows:]
Prepared Statement of William Noonan
Good afternoon Chairman Landrieu, Ranking Member Coats, and
distinguished members of the subcommittee. I appreciate the opportunity
to testify on the investments the Department of Homeland Security (DHS)
is making in cybersecurity, and the capabilities the Secret Service has
and is developing to deter cyber-crime around the world. I am honored
to appear today alongside my colleagues from Immigration and Customs
Enforcement (ICE) and the National Protection and Programs Directorate
(NPPD). While no single agency or department has the personnel and
resources to eliminate cyber-threats, DHS brings to the table a strong
combination of Federal law enforcement experience, established
partnerships with the Department of Defense, the Department of Justice
(DOJ), State and local governments, international law enforcement and
the private sector, as well as a workforce committed to strengthening
the security and resiliency of our Nation's critical infrastructure.
Cyber-threats impact all aspects of the Secret Service's integrated
mission. When the agency was created as an investigative arm of the
Department of Treasury in 1865, its purpose was to protect the Nation's
financial system from the proliferation of counterfeit currency. No one
at the time could have foreseen that the Secret Service would one day
be responsible for the protection of the President of the United
States, let alone that protection would have to take into account the
potential for computers to affect physical security. Likewise, no one
at the time could have foreseen that financial crimes would encompass
computer-based attacks on our Nation's financial services sector and
would regularly include criminal actors working across international
borders to perpetrate complex thefts and money laundering schemes.
The Secret Service traces its investigations into cyber-crime back
nearly 30 years, when Congress authored 18 U.S.C. sections 1029 and
1030 as part of enacting the Comprehensive Crime Control Act of 1984
(Public Law 98-473). That law granted the Secret Service authority to
investigate criminal offenses \1\ related to the unauthorized access to
computers \2\ and the fraudulent use, or trafficking of, access devices
\3\--defined as any piece of information or tangible item that is a
means of account access that can be used to obtain money, goods,
services, or other thing of value.\4\ As the Nation's financial payment
systems evolved from paper to plastic to electronic transactions, so
too has the Secret Service's investigative priorities. Advances in
computer technology and greater access to personally identifiable
information (PII), including sensitive financial data, via the Internet
have created online marketplaces for transnational cyber-criminals to
share stolen information and criminal methodologies.
---------------------------------------------------------------------------
\1\ See 18 U.S.C. section 1029(d) and 1030(d)(1).
\2\ See 18 U.S.C. section 1030.
\3\ See 18 U.S.C. section 1029.
\4\ See 18 U.S.C. section 1029(e)(1).
---------------------------------------------------------------------------
Over the past 4 years alone, Secret Service cyber-crime
investigations have resulted in over 4,900 arrests, associated with
approximately $1.37 billion in fraud losses and the prevention of over
$11.24 billion in potential fraud losses. Through continued work with
our key partners at DOJ, in particular the local U.S. Attorney's
Offices, the Computer Crime and Intellectual Property Section (CCIPS),
and the International Organized Crime Intelligence and Operations
Center (IOC-2), we are confident we will continue to bring cyber-
criminals to justice.
Since 2010, in support of the Secret Service's protective mission,
special agents trained through the agency's Critical Systems Protection
(CSP) program successfully completed more than 657 domestic and five
international protective advances. The incorporation of tools and
specialized training to reduce the risks associated with a viable
cyber-threat during protective operations enhances the Secret Service's
ability to provide complete protective coverage at venues visited by
the President, Vice President and other Secret Service protectees.
CSP technology provides visibility into the once unknown cyber-
environment, which gives the Secret Service the ability to identify
cyber-threat actors, as well as mitigate the potential impact of a
network attack on a protective venue or on the critical infrastructure
that supports the venue. CSP-trained special agents also lead the
Critical Infrastructure Protection Subcommittee during National Special
Security Events (NSSEs). Through their work with Federal, State and
local law enforcement, along with the private sector, CSP-trained
special agents develop a comprehensive operational security plan to
safeguard critical infrastructure and key resources associated with
protective events and associated venues.
Based on the Secret Service's three decades of experience
investigating cyber-crime, in particular the expertise we have
developed with respect to the transnational organized cyber-crime
threat to our Nation, as well as our more recent efforts to protect the
President, Vice President, and NSSEs from a cyber-threat, I hope to
provide the subcommittee useful information on how best to deter and
mitigate the threat of these crimes in the future.
the transnational cyber-crime threat
Over the past 10 years, the Secret Service has observed a marked
increase in the quality, quantity, and complexity of cyber-crimes
targeting private industry, in particular the financial services
sector. These crimes include network intrusions, hacking attacks,
installation of malicious software, and account takeovers leading to
significant data breaches affecting every sector of the world economy.
The widely reported data breaches of Target, Neiman Marcus, White
Lodging, and Michael's are just the most recent, well-publicized
examples of this decade-long trend of major data breaches perpetrated
by cyber-criminals who are intent on targeting our Nation's banks and
financial payment systems.
In partnership with the Secret Service, Verizon published their
most recent Data Breach Investigations Report (Verizon Report) in 2014
to examine current trends and criminal tactics used to conduct data
breaches. The analysis included in the 2014 Verizon Report covered more
than 63,000 security incidents, including 1,367 confirmed data breaches
occurring in calendar year 2013. The report identified three primary
motives for the criminals committing these acts: (1) financial gain;
(2) espionage; and (3) activism.
Cyber-criminals, motivated by greed, perpetrated the majority of
the breaches studied each of the past 5 years through the Verizon
Reports. These criminals primarily use a combination of sophisticated
hacking techniques and the deployment of malicious software to
accomplish their objective of obtaining sensitive financial information
to use as part of increasingly sophisticated frauds. The victims of the
crimes studied in the 2014 Verizon Report span 95 different countries,
with 34 percent of all reported incidents affecting financial
institutions. The study revealed that point-of-sale (POS) intrusions,
like the recently reported events, are primarily attributed to
organized criminal groups operating out of Eastern Europe. More
concerning, in 88 percent of POS intrusions, the data is exfiltrated in
a matter of minutes. However, in 98 percent of the breaches it took
weeks or months to discover the crime.
The increasing level of collaboration among cyber-criminals allows
them to compartmentalize their operations, greatly increasing the
sophistication of their criminal endeavors as they develop specialized
skills to carry out cyber-attacks against the Nation's financial and
other critical infrastructures. These specialties increase both the
complexity of investigating these cases, as well as the level of
potential harm to companies and individuals. For example, illicit
underground cyber-crime marketplaces allow criminals to buy, sell and
trade malicious software, access to sensitive networks, spamming
services, payment card data, PII, bank account information, brokerage
account information, hacking services, and counterfeit identity
documents. These illicit digital marketplaces vary in size, with some
of the more popular sites boasting membership of approximately 80,000
users. Within these digital marketplaces, criminals often use various
digital currencies to conduct transactions, such as paying for stolen
information, requesting various criminal services, or laundering
illicit proceeds.
As a part of our cyber-crime investigations, the Secret Service
targets the most capable cyber-criminals and the individuals who
operate illicit infrastructure that supports transnational organized
cyber-criminals. For example, in May 2013, as part of a joint
investigation through the Global Illicit Financial Team, the Secret
Service shut down the digital currency provider Liberty Reserve.
Liberty Reserve is alleged to have had more than one million users
worldwide and to have laundered more than $6 billion in criminal
proceeds. This case is believed to be the largest money laundering case
ever prosecuted in the United States and is being jointly prosecuted by
the U.S. Attorney's Office for the Southern District of New York and
DOJ's Asset Forfeiture and Money Laundering Section. In a coordinated
action with the Department of the Treasury, Liberty Reserve was
identified as a financial institution of primary money laundering
concern under Section 311 of the USA PATRIOT Act (Public Law 107-56),
effectively cutting it off from the U.S. financial system.
The Secret Service has successfully investigated many underground
cyber-criminal marketplaces. In one such infiltration, the Secret
Service initiated and conducted a 3-year investigation that led to the
indictment of 11 perpetrators allegedly involved in hacking nine major
American retailers and the theft and sale of more than 40 million
credit and debit card numbers. The investigation revealed that
individuals from the United States, Estonia, China and Belarus
successfully obtained credit and debit card numbers by hacking into the
wireless computer networks of major retailers--including TJ Maxx, BJ's
Wholesale Club, Office Max, Boston Market, Barnes & Noble, Sports
Authority and Dave & Buster's. Once inside the networks, those
individuals installed ``sniffer'' programs \5\ that would capture card
numbers, as well as password and account information, as that
information moved through the retailers' credit and debit processing
networks.
---------------------------------------------------------------------------
\5\ Sniffers are programs that detect particular information
transiting computer networks, and can be used by criminals to acquire
sensitive information from computer systems.
---------------------------------------------------------------------------
After the data were collected, the alleged conspirators concealed
the information in encrypted computer servers they controlled in the
United States and Eastern Europe. The credit and debit card numbers
were then sold through online transactions to other criminals in the
United States and Eastern Europe. The accounts associated with the
stolen numbers were ``cashed out'' by encoding card numbers on the
magnetic strips of blank cards. The alleged perpetrators then used
these fraudulent cards to withdraw tens of thousands of dollars at a
time from ATMs. The illegal proceeds were allegedly concealed and
laundered by using anonymous Internet-based digital currencies within
the United States and abroad, and by channeling funds through bank
accounts in Eastern Europe. Card numbers were then sold through online
transactions to other criminals in the United States and Eastern
Europe. The accounts associated with the stolen numbers were ``cashed
out'' by encoding card numbers on the magnetic strips of blank cards.
The alleged perpetrators then used these fraudulent cards to withdraw
tens of thousands of dollars at a time from ATMs. The illegal proceeds
were allegedly concealed and laundered by using anonymous Internet-
based digital currencies within the United States and abroad, and by
channeling funds through bank accounts in Eastern Europe.card numbers
were then sold through online transactions to other criminals in the
United States and Eastern Europe. The accounts associated with the
stolen numbers were ``cashed out'' by encoding card numbers on the
magnetic strips of blank cards. The alleged perpetrators then used
these fraudulent cards to withdraw tens of thousands of dollars at a
time from ATMs. The illegal proceeds were allegedly concealed and
laundered by using anonymous Internet-based digital currencies within
the United States and abroad, and by channeling funds through bank
accounts in Eastern Europe.\6\
---------------------------------------------------------------------------
\6\ Additional information on the criminal use of digital
currencies can be referenced in testimony provided by U.S. Secret
Service Special Agent in Charge Edward Lowery before the Senate
Homeland Security and Governmental Affairs Committee in a hearing
titled, ``Beyond Silk Road: Potential Risks, Threats, and Promises of
Virtual Currencies'' (November 18, 2013).
---------------------------------------------------------------------------
The impact of these criminal acts extends well beyond the companies
compromised, potentially affecting millions of people. Cyber-crime
directly impacts the our economy by requiring additional investment in
implementing enhanced security measures, inflicting reputational damage
on American companies, and dealing with the financial losses from
fraud--all costs that are ultimately passed on to consumers. Proactive
and swift law enforcement action protects consumers by preventing and
limiting the fraudulent use of payment card data, stolen PII, or both.
cyber investigations
The Secret Service proactively investigates cyber-crime using a
variety of investigative means to infiltrate transnational cyber-
criminal groups. As a result of these proactive investigations, the
Secret Service is often the first to learn of planned or ongoing data
breaches and is quick to notify financial institutions and the victim
companies with actionable information to mitigate the damage from the
data breach and terminate the criminal's unauthorized access to their
networks. One of the most poorly understood facts regarding data
breaches is that it is rarely the victim company that first discovers
the criminal's unauthorized access to their network; rather it is law
enforcement, financial institutions, or other third parties that
identify and notify the likely victim company of the data breach by
identifying the common point of origin of the sensitive data being
trafficked in cyber-crime marketplaces.
When the Secret Service identifies a potential network intrusion,
the agency contacts the owner of the suspected compromised computer
system in order to assess the data breach and to stop the continued
theft of sensitive information and the exploitation of their networks.
After the victim of a data breach confirms that unauthorized access to
their networks has occurred, the Secret Service works with the local
U.S. Attorney's office, or appropriate State and local officials, to
begin a criminal investigation into the matter.
During the course of these criminal investigations, the Secret
Service identifies the malware and means of access used to acquire data
from the victim's computer network. In order to enable other companies
to mitigate their cyber-risk based on current cyber-crime methods, we
quickly share information concerning the cybersecurity incident with
the widest audience possible, while protecting grand jury information,
the integrity of ongoing criminal investigations, and the victims'
privacy and confidentiality. The Secret Service shares this
cybersecurity information through:
--DHS's National Cybersecurity & Communications Integration
Center (NCCIC);
--The Information Sharing and Analysis Centers (ISACs);
--The public, private, and academic partnerships established
through our Electronic Crimes Task Forces (ECTFs);
--The publication of joint industry notices; and
--Contributions to leading industry and academic reports like the
Verizon Report, the Trustwave Global Security Report, and the Carnegie
Mellon CERT Insider Threat Study.
As we share cybersecurity information discovered in the course of
our criminal investigations, we also continue our pursuit of the
individuals responsible for the crimes. Due to the inherent challenges
in investigating transnational crime, particularly the lack of
cooperation of some countries with law enforcement investigations, it
can take years to apprehend the top tier criminals responsible for
cyber-crimes.
collaboration with other federal agencies and international law
enforcement
While cyber-criminals operate in a world without borders, the law
enforcement community does not. The transnational nature of cyber-crime
cases has increased the time and resources needed for successful
investigation, arrest and adjudication. The partnerships developed
through our ECTFs, the support provided by our Criminal Investigative
Division, the liaison established by our 24 international offices, and
the training provided to our special agents via the Electronic Crimes
Special Agent Program (ECSAP) are all instrumental to the Secret
Service's success in these investigations.
To strengthen our ability to investigate transnational cyber-crime,
the Secret Service maintains ECTFs in London and Rome, has assigned
agents to INTERPOL and EUROPOL, and operates cyber-crime working groups
in the Netherlands, Estonia, Lithuania, Latvia, Ukraine, and Germany.
The Secret Service also trains numerous international partners on
investigating cyber-crime; in the past 3 years, the Secret Service has
trained over 500 law enforcement officials representing over 90
countries in investigating cyber-crimes.
The Secret Service's investigations of transnational crime are
facilitated by the dedicated efforts of both the Department of State
and the DOJ's Office of International Affairs to execute Mutual Legal
Assistance Treaties and other forms of international law enforcement
cooperation, in addition to the relationships that develop between
Secret Service agents and their foreign counterparts through the above-
mentioned working groups and training efforts.
Within DHS, the Secret Service benefits from a close relationship
with ICE's Homeland Security Investigations (ICE-HSI). Since 1997, the
Secret Service, ICE-HSI (and its predecessor organization, the U.S.
Customs Service), and the Internal Revenue Service have jointly trained
on computer investigations through ECSAP. ICE-HSI is also a member of
Secret Service ECTFs, and has been a valued partner on numerous cyber-
crime investigations including the recent take down of the
aforementioned digital currency, Liberty Reserve.
To further its cybersecurity information sharing efforts, the
Secret Service also has a strong relationship with NPPD, including
DHS's NCCIC. As the Secret Service identifies malware, suspicious IP
addresses and other information through its criminal investigations, it
shares information with the NCCIC which pushes actionable information
out to the broader cybersecurity community to protect their systems
from harm. The Secret Service continues to build upon its full-time
presence at NCCIC to coordinate its cyber programs with other Federal
agencies. In addition to the close partnership with the NCCIC, the
Secret Service also has an effective relationship with NPPD's
protective security advisors (PSAs) and cybersecurity advisors in
advancement of our cyber protection activities. Currently, 66 percent
of all PSAs are co-located in Secret Service field offices around the
country.
cyber protection
The Secret Service is world-renowned for the physical protection it
provides to the President and Vice President, visiting foreign heads of
state and government, the White House and other protected sites, and
NSSEs. In order to ensure a secure environment for our protectees, the
Secret Service integrates a variety of innovative technologies and
maintains a highly skilled workforce.
The Secret Service's protective mission is comprehensive and goes
well beyond surrounding a protectee with well-trained special agents
and Uniformed Division officers. Over the years, the agency's
protective methodologies have become more sophisticated, incorporating
such tools as airspace interdiction systems, and enhanced chemical,
biological, radiological, and nuclear (CBRN) detection systems through
the Operational Mission Support program. As part of the Secret
Service's continuous goal of preventing an incident before it occurs,
the agency relies on meticulous advance work and threat assessments to
identify potential risks to our protectees. Since much of our Nation's
critical infrastructure is becoming increasingly interdependent, the
threat of a cyber-attack directed toward our protective interests
cannot be ignored.
The Secret Service's CSP program identifies, assesses, and
mitigates risk posed by information systems to persons and facilities
protected by the Secret Service. The program supports a full spectrum
of protective operations to include domestic and foreign trips, as well
as NSSEs. It accomplishes its mission in support of the Presidential,
Vice Presidential and Dignitary Protective Divisions by assessing the
level of risk caused by the disruption, damage or destruction of
process control systems critical to an event or venue. The CSP program
implements preventative, detective, and corrective controls to reduce
risk from a viable cyber-threat during protective operations. The
result is situational awareness of the overall cybersecurity
environment during protective operations.
For example, since 2012, the Secret Service has deployed cyber
protection tools in support of 7 of the 16 DHS designated critical
infrastructure sectors. Most recently, during the 2014 State of the
Union Address (SOTU), the Secret Service deployed its cybersecurity
protection platform to defend critical infrastructure and key resources
in the National Capital Region.
investments in cybersecurity
The President's fiscal year 2015 budget request for DHS includes
$1.25 billion in discretionary spending for cybersecurity activities.
The Secret Service's budget request accounts for $100.4 million, or
roughly 8 percent of the total amount requested. The majority of this
funding is requested under Domestic Field Operations to support the
staffing associated with Secret Service cyber-crime investigations;
training for our State and local law enforcement partners through the
National Computer Forensics Institute (NCFI); training for special
agents through ECSAP; and funding for the operational costs associated
with our ECTFs. Within the amount requested, funding is also proposed
to enhance the CSP program through the Cyber Security Presidential
Protection Measures (CSPPM) program; support the staffing associated
with international cyber-crime investigations; and continue the
upgrades necessary to protect Secret Service data and systems from
intrusion or intercept through the multi-year Information Integration
and Technology Transformation (IITT) program. For the purposes of
today's hearing, I would like to highlight a few of these efforts in
more detail:
Cyber Protection Activities
The President's fiscal year 2015 budget request includes a total of
$21.3 million for cyber protection, which primarily supports the
staffing associated with this activity. Within this amount, the request
also includes $3.9 million to enhance the Secret Service's cyber
protection capabilities through the CSPPM program. This will enable the
Secret Service to train an additional 24 special agents in the ECSAP
network intrusion discipline. This training is a prerequisite for
special agents to advance to the CSP program to fulfill mission
critical assignments in cyber protection. The CSPPM request also
includes funding to enhance the CSP's cybersecurity protection platform
to improve cyber-resiliency at Secret Service protective venues,
including those associated with NSSEs.
National Computer Forensics Institute
The President's fiscal year 2015 budget request includes $4 million
for the NCFI, which will enable the Secret Service to train
approximately 500 State and local law enforcement officers,
prosecutors, and judges on current trends in cybersecurity and the
potential obstacles they are likely to encounter during the course of
their investigations. Located in Hoover, Alabama, the NCFI offers State
and local law enforcement officers and prosecutors the training
necessary to perform computer forensics examinations, respond to
network intrusion incidents, and conduct electronic crimes
investigations, while judges receive general education in these areas.
Since opening in 2008, the institute has held over 150 cyber
investigative and digital forensics courses in 16 separate subjects and
trained and equipped more than 3,000 State and local officials,
including more than 2,300 police investigators, 840 prosecutors, and
230 judges from all 50 States and three U.S. territories. These NCFI
graduates represent more than 1,000 agencies nationwide.
Electronic Crimes Task Forces/Electronic Crimes Special Agent Program
The President's fiscal year 2015 budget request includes $1.8
million for the training and operational costs associated with the
Secret Service's ECTF and ECSAP programs. The requested amount in
fiscal year 2015 will support equipment purchases and travel expenses
for ECTF and ECSAP personnel. In addition to these base funds, the
Secret Service usesTreasury Executive Office of Asset Forfeiture
(TEOAF) funding to support the ECTF and ECSAP programs.
The Secret Service currently operates 35 ECTFs, including two based
overseas in Rome, Italy, and London, England. Membership in our ECTFs
includes over 4,000 private sector partners; 2,500 international,
Federal, State, and local law enforcement partners; and 350 academic
partners. By joining a Secret Service ECTF, our partners benefit from
the resources, information, expertise and advanced research provided by
our international network of members while focusing on issues with
significant regional impact. For example, the New York ECTF, based in
the Nation's largest banking center, focuses heavily on safeguarding
our financial institutions and infrastructure, while the Houston ECTF
works closely with partners such as ExxonMobil, Chevron, Shell, and
Marathon Oil to protect the Nation's vital energy sector.
conclusion
Safeguarding and securing cyberspace is a top priority for DHS. As
part of that effort, the Secret Service is steadfast in its commitment
to protect the President, Vice President, and NSSEs from the threat of
cyber-attack, and to protect the Nation's financial payment systems by
investigating and dismantling transnational criminal organizations
involved in cyber-crime. Responding to the growth in these types of
crimes, and the level of sophistication these criminals employ,
requires significant resources and greater collaboration between law
enforcement and its public and private sector partners. Accordingly,
the Secret Service is focused on improving our protective and
investigative capabilities and techniques, enhancing the training of
our special agent workforce through ECSAP, providing training for our
State and local law enforcement partners through the NCFI, sharing
information with our partners and private industry through DHS's NCCIC
while actively investigating cases though our ECTFs, and raising public
awareness to deter and mitigate the cyber-threats our Nation faces
today.
CYBER EDUCATION: BUILDING WORKFORCE
Senator Landrieu. Thank you very much.
Let me begin with you, Secretary. There are many aspects of
cyber defense that we're going to try to cover in this short
period of time, and of course the time will not allow us to go
very in depth. But one of the areas that I've really been
focused on because of my general interest in education is
educating the next generation of cyber warriors or generating--
educating the next generation of professionals that can step up
and help fill this important gap.
It's been estimated, not by our committee but by others,
the Department itself has stated a goal of educating 1.7
million students by 2021. That would be approximately 200,000
students a year. The President's budget cut the funding for
cyber education by 52 percent. When we've inquired, they've
said that DHS would still meet that number, but would use other
programs and populations, et cetera, et cetera.
So I want to ask you all this question, but particularly
the Under Secretary for Homeland. Try to take a minute or two
and explain as clearly as you can how the Department of
Homeland Security is working, either with the Department of
Education or with DOD or with any partner that you might want
to identify, to actually produce the 200,000 workers,
professionals, and students at a variety of different ages, and
what are some of the more successful programs that you have and
some of the results that you have achieved?
Because I'm having a hard time getting a real handle on
this. I hear a lot about it. I just can't quite see it.
Dr. Schneck. Thank you. First and foremost----
Senator Landrieu. You can pull that closer to you so you
don't have to lean. I think it'll come closer to you. I feel
like you're going to fall off that chair in just a minute. Or
push yourself a little that way, whatever.
Dr. Schneck. The chair's nice and short. I can't fall off.
This is good.
So thank you. First of all, thanks again for the support,
and we look forward to working with you on this. This is a big
challenge. As I mentioned, the Secretary has stated his
emphasis on education and on building the next cyber workforce.
One of the first things that he did was take me down to two
universities and have us talk with students----
Senator Landrieu. Which two were they?
Dr. Schneck. We went to Georgia Tech and Morehouse. And he
said we will do this again, and we have a program rolling out
that looks at what universities we'll be going to. But that's
one of many.
We are bucketing our efforts at this point sort of in three
different areas, and then I can also go through some of the
other types of programs we have. I'm going to want to follow up
with you with a comprehensive readout. But our buckets simply
are the following:
One is to identify the skill sets that we need. A lot of
times when I go out and talk to students--and I do this a lot,
of all ages, and leadership at all levels goes out and speaks
as much as we can to students of all ages, from K through 12
actually through the graduate programs. We need them to know
the skill sets they need to have, what is a cyber workforce.
It's not someone who just operates a firewall. It can be
anything from policy to highly technical or a combination.
The second bucket is to actively get out there and find out
what they're studying, talk to the professors, influence the
curricula in the universities, which is one of the things we're
starting to do as we speak to the universities.
And third is, for example, to award scholarships for
service, get involved in helping fund their education, give
them a chance then back. They come and work in our labs.
Especially at NPPD, we've had interns in cybersecurity and
communications, in that component. And then we give them a
taste of what it's like to serve in Government. They get those
skills from us as well.
Then we have several other programs----
Senator Landrieu. I think that sounds good, but it's so
general. What I'm going to continue to press you on is some
specifics. Like I asked for the purposes of this hearing to get
the document from DOD about what a cyber warrior must have,
literally the levels of education and specific skill set that
DOD is requiring. It is 100 pages or more of very, very
specific requirements. I'm going to submit this all to the
record. It's not classified in any way, of course.
[The information follows:]
The proposed funding reduction to National Protection and Programs
Directorate (NPPD) Cybersecurity Education in fiscal year 2015 impacts
the long-term goal of affecting 1.7 million students in 10 years
through the Integrated Cybersecurity Education Communities (ICEC)
project. However, NPPD leads several cybersecurity education projects
serving a wide audience of students across the Nation, providing
cybersecurity education programs as flexible and responsive as the
rapidly changing cybersecurity environment. Each of these projects is
an integral factor in strengthening the national cyber workforce
pipeline and building a robust national cybersecurity workforce,
ensuring we may sustain a safe, secure and resilient cyberspace. As
such, NPPD proposes these additional projects be applied towards the
1.7 million student goal, one that can be reached within the 10-year
timeframe.
1. Identify the Skill Sets Needed for a Cyber Workforce
In 2012, the Department of Homeland Security (DHS) conducted the
Information Technology Workforce Assessment for Cybersecurity (ITWAC)
in partnership with the Federal Chief Information Officers (CIO)
Council. The ITWAC collected workforce data that identified the
composition and capabilities of the Federal civilian cybersecurity
workforce.
In 2014, DHS has partnered with academic institutions and the
Department of Defense (DOD) to conduct the National Cybersecurity
Workforce Assessment (NCWA). The NCWA is gathering data on the U.S.
non-Federal cybersecurity workforce. Like the ITWAC, the NCWA will
identify gaps and deficiencies in both the size and capability of the
cybersecurity workforce. However, the NCWA will go beyond the ITWAC to
define specific occupational categories aligned to the National
Cybersecurity Workforce Framework and the role that government can play
to remedy the identified deficiencies.
DHS also leads the development of the National Cybersecurity
Workforce Framework. The Cybersecurity Framework is a national resource
providing employers, employees, students, educators, trainers, and
policy makers with a common language for describing cybersecurity work.
The Cybersecurity Framework includes a detailed listing of knowledge,
skills, and abilities (KSAs) required for specific cybersecurity
positions. The KSAs are associated with Specialty Areas included in the
Cybersecurity Framework to clearly define the qualifying service,
education, or training needed to successfully perform tasks or
functions associated with that specialty. A detailed listing of all of
the KSAs included in the Cybersecurity Framework can be found at http:/
/niccs.us-cert.gov/training/tc/framework/ksas.
2. Explore the Cyber Curricula in Universities
The National Security Agency (NSA) and DHS jointly sponsor the
National Centers of Academic Excellence in Information Assurance
Education (CAE/IAE), IA 2-Year Education (CAE/2Y), and IA Research
(CAE/R) programs. The goal of these programs is to reduce vulnerability
in our national information infrastructure by promoting higher
education and research in IA and producing a growing number of
professionals with IA expertise in various disciplines. There are 181
schools (in 43 States, DC, and Puerto Rico) with one or more CAE
designations. Working with these schools through the CAE program
provides DHS with an opportunity to influence cybersecurity curricula
across the Nation. Each cybersecurity academic program has about 100
students, and therefore approximately 18,100 students annually are
studying cybersecurity through the CAEs. More information on CAEs can
be found at http://www.nsa.gov/ia/academic_outreach/nat_cae/
index.shtml.
Note that DHS is deploying new criteria for designation as a CAE,
revised in order to meet the cybersecurity demands of the Nation. The
new criteria will rely on knowledge units (an academically oriented
approach), moving away from the previous information assurance training
standards.
3. Provide Scholarships for Service
DHS participates in the Scholarship for Service (SFS) program,
designed to increase and strengthen the cadre of Federal IA
professionals protecting the Government's critical information
infrastructure. SFS (through the National Science Foundation) provides
scholarships that may cover the typical costs to attend a participating
institution, including tuition and education and related fees. In
exchange, students agree to serve in a cybersecurity role in the
Government for a period equivalent to the length of their scholarship
(e.g., 2 academic years = 2 calendar years). The U.S. Office of
Personnel Management (OPM) manages and tracks SFS placements within
government. CAE-designated academic institutions may apply to receive
SFS awards. A total of 51 institutions in 26 States and DC currently
receive SFS scholarship awards. Over 450 students receive SFS
scholarships each year. DHS sponsors the annual in-person SFS Job Fair
(January in the DC area). SFS has also held virtual job fairs with DHS
support. More information on the SFS program can be found at https://
www.sfs.opm.gov/.
The Secretary's Honors Program for Cybersecurity (SHPC) is designed
to develop technically skilled cyber professionals across DHS. Since
the Program began in January 2012, there have been 11 participants who
have had the opportunity to put their academic achievements to use in a
hands-on environment while playing a vital role in protecting our
Nation. Through rotational assignments, Honors Program participants
observe how each component collaborates on cyber-related issues and
work first-hand on critical issues or incidents in a fast-paced,
growing environment. Participants, from SFS or CAE schools, spend 2
years in the program, and then have the opportunity to attain a
permanent position at DHS.
4. Integrated Cybersecurity Education Communities Project
In fiscal year 2013, DHS/Cybersecurity Education and Awareness
(CE&A) issued the competitive Cybersecurity Education and Training
Assistance Program (CETAP) grant in the amount of $5 million to fund
the Integrated Cybersecurity Education Communities (ICEC) project. In
support of the National Initiative for Cybersecurity Education (NICE),
the ICEC project holds cyber education summer camps in communities
around the country, with the primary goal of educating high school
teachers who will then return to their schools and affect numerous
students each year, as well as integrate cyber content into their
existing course curricula across multiple academic disciplines. As a
result, four communities across the country will hold cyber education
camps in the summer of 2014, with at least 36 high schools
participating. Each high school will send six students and two teachers
and each teacher will affect approximately 120 students over a year.
Therefore, the anticipated impact will be nearly 9,000 students this
summer.
5. Cyber Competitions
DHS/CE&A supports cyber competitions, sponsoring CyberPatriot,
which affects numerous middle and high school students each year and
steers them toward cybersecurity careers and studies. The expansion of
the CyberPatriot program exposes cybersecurity to 12,000 students
annually.
6. National Initiative for Cybersecurity Career Studies Portal
DHS/CE&A developed the National Initiative for Cybersecurity
Careers and Studies (NICCS) portal, an online resource for government,
industry, academia, and the general public to learn about cybersecurity
awareness, education, careers, and workforce development opportunities.
An ongoing success for DHS, the NICCS portal is available to the
American public, assisting users of all ages in locating cybersecurity
learning opportunities and careers. The NICCS portal also hosts the
Cybersecurity Training Catalogue, providing a list of all cybersecurity
or cybersecurity-related education and training courses offered in the
United States.
NICCS Web traffic continues to show steady improvement. In May
2014, 6,280 unique users accessed NICCS, leading to just over 33,090
unique users seeking cybersecurity training this calendar year. Since
its inception, NICCS has had close to 90,000 unique visitors.
7. Federal Virtual Training Environment (FedVTE) and Federal
Cybersecurity Training Exercise (FedCTE)
DHS/CE&A continues to support training efforts for Federal and
critical infrastructure cybersecurity professionals. The FedVTE is an
online training platform, providing Federal cybersecurity and IT
professionals with hands-on labs and training courses. The environment
is accessible from any Internet-enabled computer and is free to users
and their organizations. The FedVTE content library includes more than
800 hours of training, 150 demos, and 3,000+ pieces of content. The
FedCTE provides training, labs, and competitions for Federal
cybersecurity professionals. DHS is also piloting courses for State
government cybersecurity professionals. Classes range from one to three
days and are conducted both live and virtually on a variety of
cybersecurity topics providing training, hands-on experiences,
knowledge of best practices, and network opportunities. The FedVTE and
FedCTE are each available to 125,000 Federal/critical infrastructure
cybersecurity professionals per year.
In fiscal year 2014, DHS/CE&A will continue these major efforts and
initiate several enhancements, all contributing to the effort to
promote cybersecurity education across the Nation. DHS/CE&A plans to
apply $5 million to the CETAP grant in fiscal year 2014, enabling the
same four communities holding cyber education summer camps in the
summer of 2014 to continue the camps in the summer of 2015 leading to
an effect of nearly 10,000 students that is a combined total of 19,000.
DHS/CE&A estimates 60 percent of the 9,000 students reached the summer
of 2014 (5,400 students), plus potentially another 10,000 students will
be reached outside of the summer camp, resulting in 34,400 students
reached by the end of 2015. The grant also supports development of
cybersecurity-integrated high school curricula, which high schools
across the country can adopt and offer to numerous students each year.
Further, DHS/CE&A will develop additional and continued interest in
cybersecurity careers and studies following the summer camps by
promoting participation in cyber competitions and in virtual
mentorships and internships. DHS/CE&A will continue participation in
the CAE and SFS programs, reaching thousands of community college, 4-
year school, and graduate students annually. DHS/CE&A will also launch
a course intended to help professors and students in designated CAE
schools understand the National Cybersecurity Workforce Framework and
its relevance to CAEs. Further, DHS/CE&A will release Workforce
Framework 2.0, codifying cybersecurity workforce roles. Finally, DHS/
CE&A plans to add a search function to the Training Catalogue, so users
seeking cybersecurity training on the NICCS portal will be able to
browse courses based on their individual needs, thereby facilitating
access to cybersecurity training for countless American students of all
ages and their pursuit of cybersecurity certifications.
In summary, DHS/CE&A's programs focus on the cybersecurity
education and awareness of the Nation, including students. When
combined, the existing DHS/CE&A activities enable DHS to reach, and
potentially exceed its goal of educating 1.7 million students in
cybersecurity in 10 years. America's students are pursuing various
levels of education and DHS/CE&A has made great strides in facilitating
these students' pursuit of cybersecurity education and careers;
redefining the goal of training 1.7 million students to include all of
CE&A's activities accurately captures the reach of the program, its
impact on the Nation, and the goal of DHS.
Senator Landrieu. But just one page, page 25, it says a
person must normally have 1 to 5 years or more experience in IA
technology in a related field. You have to have a systems
environment, a computing environment. Knowledge applies, basic
knowledge of IA concepts, practices, procedures, et cetera, et
cetera.
I still think it would be really important for Homeland
Security, probably in conjunction with DOD since they've
already done it, and the Department of Education, to come up
with a basic framework or a specific certification. Maybe we
should do this, Senator Coats, with the private sector as well.
I'm not sure. But I think at least in my experience, if the
goal is to actually educate whatever, 1.5, 1.7, 2.5, you've got
to measure it, have a way to measure it, to know if you're
achieving it.
I can tell you as chair of this committee, as strongly as I
feel in investing in education, I'm not going to invest money
in programs that I'm not sure get a result. And I'm going to be
holding through the whole Appropriations Committee the other
subcommittees responsible, not holding but pressing them to be
responsible, for allocating funding in a way that we can have
some confidence that after we've allocated it we're actually
producing, in partnership with universities, with the private
sector, the kind of workforce and warriors we need to protect
this country.
So I've run out of my time. I do have many more questions,
but since that's been my emphasis I'm going to stay with it.
There are other things I want to ask. But I'm going to turn it
over to Senator Coats, and we may get a second round of
questioning.
CREDIBILITY
Senator Coats. Dr. Schneck, as you know, DHS has been
fighting some credibility issues in terms of capability. I was
very impressed when I visited the center. You gave a terrific
tour relative to what you've been able to accomplish. I think
it looks like DHS has turned the corner on this, gaining
credibility.
My understanding is that the strategy pretty much involves
three things: one, limiting the Internet touch points to
trusted Internet connections; establishing an effective
perimeter capability; and deploying continuous diagnostics for
managing the Federal system activity.
So my question is, generally where do we now stand today
with the dot-gov domain relative to meeting these, implementing
this strategy?
Dr. Schneck. Thank you again for your visit that day. We
appreciate that.
On the perimeter side, we are now supporting not just
intrusion detection, which is the system, see something come in
and notify us; we're now supporting intrusion prevention under
the term you may have heard, E3A, to about a quarter of the
seats across the U.S. Government. That number will go up as our
new service providers come online. For example, the one that
supports DHS is just about to come on and will actually be
engaging DHS in our own program, drinking our own champagne, as
the team likes to say.
And then, continuous diagnostics and mitigation, which I
did not have time to mention in my opening remarks, is a way of
turning every network into its own ecosystem. So instead of
having the team build a binder, a heavy binder every year, to
talk about how secure it is, the system constantly measures how
healed up it is and how secure it is, so you always know and
you're always aware of behavior that's different.
As we grow that system, it'll become more and more like
your body's immune system. You don't need to have a conference
call to fight a cold. You always know something coming in and
you'll be able to see. Because we see, even across the
perimeter defense, different behaviors across all of the U.S.
Government that can in the future help inform the networks,
other agencies that are being protected by the external
defense, as well as these internal immune systems, can learn to
recognize bad behaviors.
So our vision is not only operational both in the internal,
watching the network behavior, and the internal prevention, but
also in using that core that makes DHS unique in NPPD, not only
our core ability to work with our partners in the Secret
Service and research and development and HSI and Coast Guard
and others, but our ability to bring in inputs from other
partners, from trusts through the private sector, to understand
what companies are seeing, and to use all that and get it
widely disseminated to protect others across the Government and
the private sector in real time.
I feel that across the Government we are very much
operational. We very much have turned a corner. If I could have
one wish, it would be to have been able to act faster on
Heartbleed, and that would have been for the statutory
clarification so that we wouldn't have had to get letters of
authorization for every unique organization that we scan.
RESOURCES NEEDED
Senator Coats. Well, you just began to answer my second
question, and that was what resources do you need to get to the
point where--I know it's a constantly evolving challenge here
from a technological standpoint. But are there resources you
need now that could accelerate the process of getting this
whole domain in place relative to meeting all these strategies?
Dr. Schneck. There are always resources that we could use.
So we have made, of course, cuts across all of our high-value
programs and, unfortunately, even in education, given the
budget picture we were given, to fit that. However, that
statutory clarification would help us because it reduces the
amount of time it takes us to act. It makes it very clear what
our authorities are to help with the information-sharing across
the private sector that narrowly targeted liability protection.
I came from industry 8 months ago and that's very helpful
to a company because it speaks to the general counsel and says:
This is okay to share with Government and protect others, and
the company won't get hurt, the breach notification.
But this is the area on the congressional side. On the
resource side, we do need more talented people and that means
manufacturing them and training and educating them. I'm very,
very passionate about that as well. I'm a product of that. And
it also means the ability to hire people faster, on-board them
with the competitiveness that some other agencies have, that we
do not yet; and certainly to engage with the whole unity of
effort with the DHS and put more money to this. If we didn't
have to cut as much, we'd be able to grow a lot faster, and
this is an urgent environment.
DATA BREACHES: GOVERNMENT, PRIVATE-SECTOR RESPONSIBILITIES
Senator Coats. I'm going to ask the second panel this also,
but I'd just like to get your take. Relative to--there's been
some very high-profile data breaches among retail sellers and
the business community. Has that resulted in a significant
uptick in terms of inquiries and outreach and willingness to be
more engaged in partnership with the Federal Government that
you've noticed as a result of those high-profile breaches?
Dr. Schneck. I would say absolutely. Number one, the
American public is scared. And number two, I met even
yesterday--I meet all the time with our sector representatives,
our partners in the private sector. I met yesterday with some
executives from the financial community, and they want to know
how to help; they want to know how to contribute their
resources and their knowledge. It's the same across all
sectors.
So absolutely, this is the time to get this done.
Senator Coats. My time has expired. Madam Chairman, I just
think that's so critical as we move forward, and to my other
colleagues also. What we got hung up on before was the
reluctance of the private sector to, quote, ``trust'' that they
could coordinate with the Federal Government in a way that
would protect their privacy and all that. Now they've seen, I
think, the capabilities and the necessity of having that
interaction between the Federal and the private sector. I'm
glad to hear your answer on that one.
Senator Landrieu. Thank you, Senator Coats, for your
leadership. You've been working with members of both sides and
we think we're making progress, and thank you.
But I do want to come back after Senator Coons and ask you
to restate the specific authorization that you lacked, that you
said you were able to cobble together, but if you had the
authorization, at least in dot-gov, you would have been able to
move more quickly. I'll come back to you in just a minute.
Senator Coons.
Senator Coons. Thank you, Madam Chair.
Senator Coats, that is an area of interest for me as well,
as a former in-house counsel for a private sector company that
faced security challenges much like the ones you've described.
I do think we still have undone work in terms of delivering
clarity.
Let me focus on that first, if I might. Jurisdictional
clarity seems to me particularly important for a cyber event
because, unlike a natural disaster, a cyber event could be a
crime, a national security event, an act of war. It could
possibly be all three at the same time. And governmental
objectives might be in conflict, one agency trying to restore
power, for instance in an attack on the grid, while another
agency is trying to preserve evidence needed to catch the
perpetrators and investigate and prosecute the perpetrators.
I am concerned about whether we have clear protocols for
industry and Government for that response and clear lines of
responsibility so that we can do the restoration work that's
needed, but without destroying the Government's capacity to
investigate and prosecute. So I'd be interested in whether you
feel you have the authority you need to do that today and
whether we should be considering some legislation that
clarifies Federal roles and responsibilities to grant authority
for lead during a cyber attack.
I'm going to ask my questions first and then see if we've
got enough time for an answer.
And then second, Dr. Schneck, I just wanted to commend you
for your engagement with the workforce and your commitment to
being a great role model and leader. I think we're going to
hear in the second panel from the University of Maryland.
They're doing great work in preparing the cyber workforce. The
University of Delaware is also working, as are many other
universities.
I do want to hear how you think targeted investments in
cyber education are furthering national security and what more
we need to do.
Last, the National Guard is a remarkable, nearly unique
asset that crosses the civilian and military divides and allows
us access for national security and homeland security purposes
to a world-class workforce that is trained and funded by the
private sector, but because of their either Guard or Reserve
role can be accessed in times of emergency or on an ongoing
basis. I wondered if you had any comment, Dr. Schneck, as to
whether there are initiatives in place to enhance that
relationship.
So there are three questions. And, Special Agent Noonan, if
we have a moment to talk about IP theft and trade secrets theft
in the finish, that would be great as well.
Please, Dr. Schneck.
Dr. Schneck. I'm going to talk very fast because my
colleagues have very interesting work and I want you to hear
that. So very quickly, statutory clarification. We currently
have the authority. We work from a patchwork of different laws,
including the Homeland Security Act of 2002, that tells us that
our response is response and mitigation. That's our role--
response and mitigation of cyber threats across Federal,
civilian, government, State, local tribal, territorial, and
critical infrastructure private sector.
The problem--and I knew this from the other side in the
private sector--is that when the lawyers get involved, and to
their credit they're protecting the company, and they don't
really know if we're supposed to be scanning. This even
happened with the Cabinet agencies that we had to scan for
Heartbleed to ensure that our citizens who use external-facing
Web sites, who use a highly credible piece of software called
Open SSL that happened to have a defect--we didn't want them to
get hurt.
So as fast as we could, we went door to door and got a
letter of authorization from each agency, working with each
lawyer, to make sure that we could scan it. That cost us 5 to 6
precious days in some cases, because the whole world knew about
this vulnerability and all the information that it could
capture while we were lawyering. So had we had the
clarification in the law that this was our role, we would have
gotten started a lot faster.
CYBER EDUCATION: TARGETED INVESTMENTS
On your second question, I'm happy to follow up after in
writing. I just want to leave time for my colleagues. Targeted
investments in cybersecurity. I am a big believer in
innovation. It's not just that I worked for a Silicon Valley
company. It's that my father was a scientist and I like to
learn. If we can enable other students to have that and to take
on cybersecurity as something that is fun, we get our national
and our global leadership back as a country. You target that
innovation.
I've spent a lot of time in Silicon Valley talking to
venture capitalists and others about the importance of
protecting your investment. But if we could target that toward
the universities, target our research toward that, as we do
with our partners in science and technology and R and D, if we
could advance a lot of that, I think that we would move forward
both as a country and in cybersecurity.
NATIONAL GUARD
Finally, on the National Guard, that's a DOD asset.
However, we believe in collaboration, so we welcome that. As
you and I talked before, homeland security is local; the
response needs to be local. What we can add is the
collaboration. Let them plug into the other areas, whether it's
us or Secret Service or HSI or Coast Guard, the other
responses. Let that be plug and play. Let us all work together.
The added energy will do nothing but help us, and we can learn
from them. So it's a welcome asset. It's not one we control,
but it's certainly one that could fit right into our input of
threat information and certainly those that we would output to
and welcome to work with.
Senator Landrieu. Senator Coons, thank you so much. You and
I think are co-sponsoring a bill related to the role of the
National Guard, and I would describe the National Guard as well
positioned to be of great help to our country in this
particular line of defense, because they have the expertise of
the military, but their base is homeland, and they draw from a
wide variety of industry by their nature. It's part-time
warrior. That is very interesting.
So I look forward, Senator Coons, to continuing to work
with you on that possible enhanced partnership.
Senator Cochran.
STATEMENT OF SENATOR THAD COCHRAN
Senator Cochran. Madam Chair, I got in a little late, but
I'm glad I was here to at least express the appreciation of
this committee to our witnesses for helping us better
understand what the limitations are and what the opportunities
are that we have in Congress for making good quality decisions
about Federal regulation, rules, laws, how do you protect
privacy. Is there a privacy any more? I guess not.
So it's kind of scary. So you're all we've got. What I'm
talking about is that the Federal Government's agencies aren't
prepared to police the use of assets and equipment and
knowledge and information, and would we want that anyway? These
are all big questions, and we thank you very much for coming
here and helping us understand that.
DATA BREACHES: DISCOVERY
Senator Landrieu. Senator Cochran, thank you for your
leadership.
Let me ask, if you don't mind--and if you have an
additional question, our time will allow it. The votes have
been pushed back slightly.
But I do have a question for Mr. Noonan. One of the most
poorly understood facts regarding data breaches is that it's
rarely the victim company that first discovers the criminal, in
the case that it is criminal--let's assume and I think, Senator
Coons, it could be all the above--but a criminal unauthorized
access to their networks. Rather, it's law enforcement,
financial institutions, or third parties that identify and
notify the victim company of the data breach.
Without going into any specifics, this speaks to the
importance of timely and trusted information shared between law
enforcement and the private sector. We've touched on this, but
everyone is now aware, or most everyone, of the situation at
Target and what happened when the third party, hired by Target,
notified them their systems had been breached, what happened
internally in Target. I think just this week someone has
stepped aside, because that is still going on.
So could you explain right now in America, who is the one
that normally finds out the breach has occurred? And it's
usually not the victim, as in this case. It's usually who, a
third party, an Internet provider, you guys, ICE, FBI, Secret
Service? Who wants to take that?
Mr. Noonan. Yes, ma'am. From the Secret Service's approach,
we have a proactive approach to going after cyber criminals.
It's generally a source of information that we're able to
obtain, and we obtain it in a number of different ways, whether
it's through confidential informants, other sources, undercover
operations, or trusted partners within the industry.
We're able to take those data, we're able to crunch those
data, and determine where there's a vulnerability and who
potentially has been victimized. In many cases, in just this
year, we've made notifications to actually two other financial
institutions about their compromise. And I'm telling you that
if it were not for that notification by law enforcement, the
Secret Service, to those two financial institutions, they would
not be in business today.
So when we talk about potential----
Senator Landrieu. Can you repeat that, please?
Mr. Noonan. Yes, ma'am. We've made notification to two
financial institutions in this year, at which time they didn't
know that they had an intrusion. We believe that those
institutions would have gone under if it were not for
notification to those institutions. They did not lose a single
dollar because of that advance warning.
Senator Landrieu. And if some of these institutions that
would go, could potentially go under, are big enough, you could
assume lots of other companies and individuals they could take
down with them, correct?
Mr. Noonan. Yes. The people who we're talking about the
cyber criminals, the transnational cyber criminals who have the
capability to do this, they're very advanced cyber criminals.
They're going after financial institutions. Their motivation is
greed. So whatever they can get their hands on to monetize in
the criminal underground, that's what they're attacking.
In this particular case--I'm just giving you those two
particular examples. There are many other examples. There are
other retailers that we've made notification to this year as
well that they had potential issues, and we were able to--and
you've got to understand, that's an advantage because we're
going out ahead of them losing anything and we're allowing them
to see and look closer at their systems by information and
evidence that we're learning in our other cases to say, ``Hey,
institution, you have a problem, please look in this arena.''
That's where the advantage of law enforcement is in this
fight against cyber crime. Law enforcement has a way to go
outside the fence, if you will, to determine what the criminal
actors are doing. We're able to look at their criminal network.
We're able to look at their criminal infrastructure, and
sometimes ahead of time determine what they're going to do or
what actions they may take, and in doing so we do make
notifications to those trusted partners.
Senator Landrieu. Does ICE want to have anything to answer
or comment on, Mr. Edge?
Mr. Edge. With regard to the intrusions that we're
discussing here, we don't duplicate the efforts that the Secret
Service initiates. In fact, if we were to discover such an
intrusion, we would contact our counterparts at Secret Service
and work with them on the investigative effort that would take
place.
We also would assist in the computer forensics analytic
portion of it as well. So it's a total team effort here. Most
of the work that we're doing in the cyber space is pursuant to
the investigative areas in which we work--child exploitation,
counterproliferation--where we work very closely with DOD and
we communicate very closely with DOD and try to disrupt and
dismantle those organizations that are off of our shores, where
we can certainly make a difference and prevent them from
continuing to affect our country.
Senator Landrieu. Okay, thank you all.
I think we're going to move to our second panel. I just
want to underscore one additional item. To you, Dr. Schneck: I
know that you're aware of the extraordinary contribution
Louisiana Tech has played in developing an education program
for middle and high schools, also with their college level as
well. We were one of the universities that received one of the
first grants in the country, and I look forward to continuing
to work with you on developing and network of universities and
programs that are actually meeting the need that's been
expressed.
I thank you, Mr. Edge, for recognizing the HERO Child
Rescue Corps Program, very innovative, that U.S. Immigration
and Customs is working with Special Operations to use wounded
warriors while they are convalescing and are unable to perform
their primary function. They're well trained and suited to be
warriors on the Internet, and I really think that's using our
assets really well and I look forward to continuing to support
that effort.
I thank you all and we'll move to our second panel.
NONDEPARTMENTAL WITNESSES
Senator Landrieu. As the panel is getting situated and the
Clerk is helping to seat them, I wanted to let the members know
that Senator Coats and I thought it would be a good idea to
have some independent voices at the table to give some critique
and some different perspective to the Government agencies and
entities. We really want to know if our agencies and entities
that we're funding are doing the kind of job that you as
experts in the field believe they should be doing.
We know that sometimes you work with these agencies, so
sometimes it is difficult to criticize them. But we hope that
you will do it constructively, and we hope that you will do so.
We want to know what's working in your view, what's not
working, what progress we're making in these fields, and what
we're not.
We've got I think a very excellent panel. First we have Mr.
Mahon, vice president and chief security officer of
CenturyLink. I think it's the third largest Internet provider
in the country, and I'm very proud that it actually is located
in Monroe, Louisiana, and is growing. It started out as a very
small telephone company maybe 45, 50 years ago with a handful
of employees and now it's multi-thousands and just really an
extraordinary success story.
Scott Bowers, vice president, government relations, Indiana
Statewide Rural Electric. Scott, welcome. Mr. Bowers, welcome,
and we look forward to hearing from you representing the
hundreds and thousands of coops in this country that are part
of this effort.
Christopher Peters, vice president of North American
Electric Reliability Corporation (NERC)-Critical Infrastructure
Protection Compliance, Entergy Corporation. Then I think we
have Dr. Katz from UMD Cybersecurity Center. Thank you all very
much.
Why don't we start with you, Mr. Mahon, with CenturyLink.
But, Dan, did you want to say anything particularly about your
witness?
Senator Coats. Well, you talked about his credentials.
Scott is just someone that comes from the private sector, but
clearly part of the private sector that deals with critical
infrastructure. We have these coops all over the United States,
as you know. I'm sure you have many in Louisiana. We talk about
Duke Energy and we talk about AEP and so forth and so on, but
in reaching out to particularly smaller town America and rural
America, these coops are absolutely essential, and they're very
much part of the grid.
So we need to not only be thinking of the big guys, but
also the little guys. That applies on the retail side and the
commercial side also. We read about Neiman Marcus and Target
and so forth. There are thousands, of not hundreds of
thousands, of smaller businesses out there that are providing
very necessary services and they are also vulnerable to these
kind of intrusions.
So I want to make sure that we cover the whole gamut and
not just focus on the people at the top.
Senator Landrieu. Thank you so much.
We'll start with CenturyLink.
STATEMENT OF R. DAVID MAHON, VICE PRESIDENT AND CHIEF
SECURITY OFFICER, CENTURYLINK
Mr. Mahon. Thank you, Chairman Landrieu, Ranking Member
Coats----
Senator Landrieu. You have to lean into the microphone and
push it right close to you. There you go.
Mr. Mahon. Chairman Landrieu, Ranking Member Coats, and
Senator Cochran, thank you for this opportunity to testify
before you today.
My way of background, CenturyLink has grown through
acquisition and innovation over the course of their history and
today is a commercial entity with $18.3 billion in revenue, 13
million customers, 47,000 employees. We are a tier one backbone
provider and we have 55 data centers around the world.
It's within this context that I would like to speak to you
about cybersecurity risks, and I would like to talk to you in
three specific areas. First is the adversary; second, DHS
programs that have been successful; and third, developing the
next generation workforce.
If I can leave you with one thing today, what I would like
to tell you is: Do not think about cybersecurity risks within
the context of malware, viruses, or other tactics. What I would
ask you to think about is the adversary, the people behind the
computers that are breaching our networks and stealing our
data.
The CenturyLink security team divides these groups into
five very specific areas: nation-state-sponsored; criminal
enterprises; hactivists; terrorists and sabotage; as well as
the insider threat. It's important to understand this within
the context of their objectives and their tactics. Each can
vary very differently.
For example, a criminal enterprise that is interested in
stealing credit cards will attack point of sale systems with a
particular type of malware. That is quite different to
defending against a nation-state that is interested in stealing
intellectual property, maybe about a smartphone operating
system.
The reason that this is important is we at CenturyLink are
tasked with protecting our network, our data, and our customers
from all of these adversaries, and each one is very different
and we require very specific information to develop our
protections and countermeasures. What has happened is the
context in which we conduct our risk assessments allows us to
access open source information to better inform our risk
assessments, to help us deploy our capital as we expand and
protect our network. But our risk assessments are only as good
as the information that is available to us.
The Federal Government is in possession of very sensitive
and frequently classified information that could be very
helpful to us in our risk assessments as we defend against
these bad actors. Two of the programs that at the Department of
Homeland Security I feel have become very successful are the
Enhanced Cybersecurity Services (ECS) program and the Einstein
3A (E3A) program. In each of these programs DHS came together
with corporate America and resolved the traditional hurdles
that one encounters, whether they be legal, technical,
operational, and most importantly, cultural.
It became very difficult in the early days of developing
information-sharing programs to acquire information from the
Federal Government because of the context or the fear that they
had that corporate America would not be able to protect
classified information. On the corporate side, there's always
the concern that if we discuss our vulnerabilities with the
Federal Government there would be some type of regulatory
response to our answers.
Therefore, I believe the value of ECS and E3A has been to
bring together the private industry and the Department of
Homeland Security and the representative agencies within the
Department of Homeland Security to effectively begin to combat
cyber crime. I do believe it has to go much further. There is
additional information that the Federal Government frequently
has around the strategy of these organizations, these nation-
states, and even independent actors, that would be very helpful
to know if we are going to better protect our networks, our
data, and our customers.
Regarding the next generation cyber workforce
professionals, I believe it is very important to encourage the
Department of Homeland Security to begin with the K-12
educational programs that you may have heard about throughout
the country in various capacities. But specifically the STEM
programs and other technical programs that first generate the
interest is what we need. I think CenturyLink, Louisiana Tech,
and the Cyber Innovation Center in Bossier City have become an
example of what we can do to better protect the corporate
infrastructures as well as the Government infrastructures.
I thank you for your determination to lead DHS in its
mission and we look forward to supporting you. Thank you.
[The statement follows:]
Prepared Statement of R. David Mahon
Chairwoman Landrieu, Ranking Member Coats and members of the
committee, thank you for the opportunity to testify today on an issue
that is of critical importance to national security, the U.S. economy
and homeland security. CenturyLink appreciates the leadership role the
Department of Homeland Security plays in facilitating the cybersecurity
of the nation's critical infrastructure, with the oversight and
guidance of this Committee. In today's testimony, I would like to cover
three key areas where the fiscal year 2015 budget offers worthwhile
opportunities to strengthen the nation's cyber defenses:
--Further improving the quality of public-private information
sharing related to cybersecurity;
--Leveraging classified cyber threat information to protect
critical infrastructure and the networks of Federal, State and local
governments through the Einstein 3 Accelerated and Enhanced
Cybersecurity Service programs; and
--Investing in our cybersecurity workforce.
CenturyLink was founded nearly 85 years ago as a small rural
telephone company with just 75 paid subscribers and a manual switch in
the front parlor of the Williams family home in Oak Ridge, Louisiana.
Our recent and rapid evolution through acquisition and innovation to
become an $18.3 billion communications, data and cloud company with
47,000 employees, 13 million customers, a Tier 1 Internet backbone, and
55 data centers around the world makes us a prime example of how
technology and communications infrastructure are driving our economy.
Effective cybersecurity is now central to everything we do, not
only as a provider, but also as a customer of others. That includes our
residential and enterprise broadband service, the secure communications
services we provide to the Department of Defense, U.S. embassies and
Federal Communications Commission, our cloud computing platforms, and
the managed security services we provide to critical infrastructure
owners.
As the company has grown, we've benefited from excellent State and
local support, enabling us to cultivate talent in northern Louisiana
and the many local markets we serve in almost every State. This
includes developing partnerships with the University of Louisiana--
Monroe (ULM), Louisiana Tech University, the Cyber Innovation Center in
Bossier City and other institutions. In fact, we are nearing completion
of a 250,000-square-foot Technology Center of Excellence on our Monroe
headquarters campus that will house an additional 800 innovation
professionals devoted to network monitoring, research and development,
as well as IT and engineering support to our international service
footprint.
In addition to our company-specific cybersecurity and risk
management programs, CenturyLink has had a productive experience
participating in the public-private partnerships established to share
information and work collaboratively on industry-wide security
challenges. Our executives serve on the President's National Security
Telecommunications Advisory Committee (NSTAC), the Communications
Sector Coordinating Council (CSCC), the Communications Information
Sharing and Analysis Center (ISAC), and the FCC's Communications
Security, Reliability and Interoperability Council (CSRIC), among
others. Through these efforts, we supported DHS in the creation of the
National Cybersecurity and Communications Integration Center (NCCIC)
and CenturyLink maintains a permanent presence on the NCCIC floor.
We support the voluntary, industry-led approach to protecting the
security of critical infrastructure networks operated by the private
sector, and appreciate the work the National Institute of Standards and
Technology (NIST) has undertaken to create the Cybersecurity Framework,
as well as DHS's Critical Infrastructure Cyber Community (C\3\)
Voluntary Program to educate stakeholders and promote the framework's
use. CenturyLink has found the Framework useful in affirming many of
the practices that we and other larger carriers already had in place.
We are also using the Framework as a tool to help our enterprise
clients assess their own threat level and implement risk-based
cybersecurity protections.
the cybersecurity threat and information sharing
If I could leave the Committee with one thought about cybersecurity
risks, it is this: Don't limit your thinking to only addressing the
issues of malware, viruses, denial of service attacks, social
engineering, botnets or any of the other tactics used. Instead, think
of cybersecurity in terms of the adversaries--the people on the other
side of the computer, wherever they may be, who conceive and execute
the breaches.
Especially where critical infrastructure is concerned, our
adversaries are constantly studying their targets, probing networks,
paying attention to the defenses we put up, and searching for the
weakest link in the chain--even tracking Federal efforts to promote
security. Whether it's hacking the Web site of a technical conference
so targeted employees will download malware when they register, or
using the compromised systems of an HVAC contractor as an attack
vector, they are adaptable. This makes the threat more formidable, but
also offers a clue about how to build our cyber defenses.
As a general matter, CenturyLink's security team divides cyber
threats into several key groups, each with varying levels of
sophistication:
--Nation-State-Sponsored.--Which are often the most
sophisticated, and generally motivated by economic and political
espionage. Combating government-sponsored adversaries requires an
advanced information security program. These data breaches can go
completely undetected by the victim organization.
--Criminal Activity, Including Organized Crime.--These attacks
have a wide range of sophistication, and are generally focused on
capturing information that can be monetized.
--Terrorism and Sabotage.--These are most concerned with doing
damage, including physical damage, to the target entities.
--Hacktivism.--Generally less sophisticated, these groups will
use ``soft targets'' with less sophisticated information security
practices to garner publicity and make their political points.
--Insider Threats.--These can be the toughest to guard against
because they are ``inside the perimeter'' of the target itself.
Adversaries tend to cluster around an industry sector, based on the
goals they want to achieve. For example, a criminal cartel that wants
to exploit consumer credit card information will, perhaps, stand up a
network of infected computers and launch a particular type of attack on
point-of-sale systems across numerous retailers, using similar malware,
attack vectors and tactics for covering their tracks. But a nation-
state that wants to exfiltrate confidential technical specs about a
smartphone operating system will use a completely different strategy.
Especially for the more sophisticated adversaries, the best long-run
defense is to build closely coordinated defensive alliances around the
targeted industries and our partners in government, and to study our
adversaries as closely as they study us.
To draw an analogy, the cat-and-mouse nature of cybersecurity
resembles offensive and defensive schemes in the National Football
League. Every season, coaches devise new ``attacks'' to move the ball
down the field, whether it's the old ``west coast offense'' or last
year's ``read option.'' If they're successful, defenses that rely on
the comfort of understanding past, predictable plays won't be prepared
to stop them, at least for a while. But the minute a new offensive
scheme succeeds, every defensive coordinator in the league starts
working on countermeasures to shut it down. And while the short-term
countermeasure might be a zone blitz or a few tough hits on the
quarterback, the long-term solution has everything to do with
continually studying the game tapes and evolving the defense.
In the world of cybersecurity, we don't have the luxury of watching
the ``game'' every Sunday, but the never-ending need to study the
opposition and update defenses is the same. For DHS and the nation's
critical infrastructure providers, this means continuously refining the
information sharing relationships to get actionable, tailored
information to the targeted sectors in as close to real time as
possible. This will ultimately lead to automating the information
sharing mechanisms that will allow a targeted entity to use the cyber
threat information to defend itself without compromising the sources
and methods of the information provider. This is as much a cultural
challenge as it is a technical one, because the information at issue is
so sensitive and the teams are not accustomed to sharing their
proverbial playbooks.
In our experience, the DHS leaders are fully aware of the challenge
and committed to strengthening the partnerships, but doing so is often
an iterative, painstaking process that involves continuously building
trust, sophistication and technological capabilities, and we appreciate
the Committee's continued support for that mission. In the words of
Bear Bryant, ``defense wins championships.''
enhanced cybersecurity services (ecs) and einstein 3 accelerated (e3a)
One of the most critical roles the Department of Homeland Security
can play is to leverage the classified cyber threat indicators the
Federal Government gathers through law enforcement, intelligence
collection and other Government-specific functions to protect private
sector critical infrastructure and government networks. This is no
small task because the cyber indicators themselves must be protected
from our adversaries in an end-to-end secure environment and put to use
in the field without compromising the sources and methods that yielded
them in the first pace. To do this, DHS has developed two programs:
--Enhanced Cybersecurity Services (ECS) for private sector
critical infrastructure providers as well as State and local
governments, and
--Einstein 3 Accelerated (E3A) for Federal civilian networks.
With both programs, Internet service providers like CenturyLink,
under the direction of DHS personnel, administer intrusion prevention
and threat-based protections on traffic entering and leaving the
networks of participating organizations. Participation is voluntary,
and non-Federal participants in ECS must first be validated by DHS, but
those who do participate receive an elevated level of protection from
the most sophisticated cyber intruders.
CenturyLink has worked extensively with the Federal Government to
develop these programs, and provide important protections against the
most advanced threats while educating the Government on practical
aspects of providing such services to private industry. Expanding the
scale and automating the information gleaned within ``circles of
trust'' is the next critical step in providing effective and time
critical cybersecurity protections to Government and critical
infrastructure providers.
State and local governments administer many functions that are
important to public safety and the protection of critical
infrastructure, however, they continue to lag in funding mechanisms.
DHS has taken the lead to fill this gap temporarily in their support
for MS-ISAC services, but additional funding for additional services
such as ECS would help State governments avoid becoming the ``weak
link'' with their Federal partners.
developing the cybersecurity workforce
CenturyLink appreciates the Department of Homeland Security's
leadership on developing the nation's cybersecurity workforce,
including its support for teacher training and university research and
curriculum development in Louisiana. Especially in the last year,
CenturyLink has focused on developing and attracting a broad range of
innovation professionals, including engineers, senior IT personnel,
product managers, researchers and others to help staff our Technology
Center of Excellence, which will open early next year.
Our headquarters are located along the I-20 Corridor that spans
northern Louisiana and is home to a number of innovation hubs,
including the National Center for Academic in Information Assurance
Education at Louisiana Tech University, the Cyber Information
Technology program at Bossier Parish Community College, and the Cyber
Innovation Center, a research park and nonprofit organization devoted
to building the knowledge-based workforce in the region. Computer
Sciences Corporation recently announced plans to bring 800 new jobs to
the Cyber Innovation Center, and we are hopeful that as businesses step
up investment in the region, we can work together to cultivate a world
class cyber workforce. We would encourage this Committee and DHS to
place a renewed emphasis on workforce development in the cyber arena by
addressing the potential shortage of qualified and skilled employees
that will be needed.
We also support the National Integrated Cyber Education Research
Center (NICERC) at the Cyber Innovation Center, which focuses on
curriculum design, professional development, and collaboration in K-12
and college education. NICERC has organized programs to give teachers
the training and tools to prepare students for a career in
cybersecurity, including problem-solving, critical thinking and
communication skills. Of special note, NICERC is the lead technical
institution for DHS's Cybersecurity Education and Training Assistance
Program (CETAP)--so the teacher-focused cybersecurity education model
first developed and implemented by NICERC in Louisiana can benefit
school districts across the nation.
conclusion
While the challenge of building a cyber workforce and protecting
the nation's critical infrastructure from growing threats is a daunting
and multifaceted one, we are encouraged by the commitment of the White
House, DHS and this Committee to bring the right resources to bear. We
appreciate the determination and attention that Chairwoman Landrieu and
the committee members have brought to the issue and look forward to
working with you and the authorizing committees as you support and
guide DHS in its mission.
Senator Landrieu. Thank you very much.
Let's go to you now, Dr. Katz, from the University of
Maryland, that's played quite a leadership role in all of this.
STATEMENT OF DR. JONATHAN KATZ, PH.D., DIRECTOR,
MARYLAND CYBERSECURITY CENTER, UNIVERSITY
OF MARYLAND
Dr. Katz. Chairman Landrieu, Ranking Member Coats, Senator
Cochran: I'm going to talk about workforce development and
specifically efforts under way within the University System of
Maryland. Developing an adequately prepared cybersecurity
workforce is a daunting challenge. Put simply, demand is far
outstripping supply. Actually, a great statistic came up
earlier with mention of the need to educate 200,000 cyber
professionals each year.
Now, a critical question is what is meant by cybersecurity
education. From my point of view and broadly speaking, there
are really two aspects to be considered here. The first is a
general cybersecurity education, not just for computer and
technical students, but for everyone. The same way people come
in and take English comp or introductory math courses, college
students need to be exposed to the basics of cybersecurity and
good cyber hygiene.
Second, of course, is to grow a dedicated cybersecurity
workforce, professionals that have deep technical knowledge, as
well as those with the technical knowledge in core computer
science and electrical engineering skills, but also with
expertise in the, quote unquote, ``softer'' areas like
economics, policy, and psychology.
I think it's important to keep this in mind when we're
talking about numbers of cybersecurity professionals needed, to
keep clear that not every cyber professional is going to be the
same and not everyone is going to need the exact same
background in cybersecurity courses.
Now, the University System of Maryland (USM) has a number
of programs in place to augment the existing pipeline of future
cybersecurity professionals. University of Maryland
institutions are playing their part by not only training
dedicated cybersecurity professionals, but also educating the
general public on good cybersecurity practices and policies.
I'll just mention a few key ways in which USM institutions are
helping to combat the shortage in our Nation's cybersecurity
workforce. I'll only be able to touch on a few here.
USM institutions awarded approximately 4,400 cybersecurity-
related degrees in the 2012-2013 academic year. Four USM
institutions are NSA and DHS centers of academic excellence in
information assurance education. UMD College Park, with support
from Northrop Grumman, launched the Advanced Cybersecurity
Experience for Students, or ACES, in 2013. This is the Nation's
first undergraduate honors program in cybersecurity and really
I think serves as a paragon of the way undergraduate
cybersecurity education should be done.
University of Maryland Baltimore County, the Center for
Cybersecurity Training, offers numerous courses for skill
enhancement and certification opportunities for active
professionals. And the University of Maryland College Park is
going to be offering a series of online courses on
cybersecurity beginning in the fall, again as a way to reach
out to the broader public.
In addition to these educational offerings, USM
institutions also perform outreach to the wider public to spark
interest in the field and to try to grow a pipeline of future
cybersecurity professionals. Some examples here include
cybersecurity camps for middle school girls and high school
students, as well as summer camps for high school STEM
teachers, held as part of the DHS-funded cybersecurity
education and training assistance program.
Our educational opportunities cannot be created or refined
in isolation. USM has numerous cybersecurity programs that are
developed with input from industry and Government sources.
Sharing information about current workforce knowledge gaps and
how best to address them is one of the many ways that USM
institutions benefit from our interactions with private
industry and the Federal Government.
However, as educators we not only train students in the
problems of today, but must also ensure that they can master
key fundamentals that will provide the foundation for
understanding and remediating the cybersecurity threats of
tomorrow.
Federal and private support to continue to grow the future
cybersecurity workforce is essential to closing the demand gap
for those professionals. Continued or perhaps expanded
investment from Federal agencies like the Department of
Homeland Security, the National Science Foundation, and the
National Security Agency, for example, is critical to
sustaining the progress that we've already been making.
Thank you for the opportunity to appear before the
subcommittee and I look forward to answering your questions.
[The statement follows:]
Prepared Statement of Dr. Jonathan Katz
Chairman Landrieu, Ranking Member Coats: Thank you for the
invitation, and the opportunity to speak to the subcommittee. It is an
honor to be here.
As the committee has previously noted, we are continually faced
with numerous cybersecurity threats. These threats are not static--in
fact, the sophistication of attacks cybersecurity seems to change on a
daily basis. New vulnerabilities are uncovered, different attack
vectors are employed to exploit a system or a program, and patches for
critical operating systems are deployed on a near-constant basis. As
director of the Maryland Cybersecurity Center (MC2), I am extremely
familiar with the rapidity with which cybersecurity threats continue to
evolve, and the challenges that these threats present to the Federal
Government, the private sector, and our Nation's academic institutions.
Developing an adequately prepared cybersecurity workforce is a
daunting challenge. Put simply, demand for talented cybersecurity
professionals is far outpacing the supply. A 2013 (ISC)\2\ Global
Information Security Workforce Study claims that 56 percent of
companies nationwide report a workforce shortage. Maryland alone had
more than 18,000 vacancies for cybersecurity jobs, according to a
recent Abell Foundation report. And Federal agencies are having
difficulty filling cybersecurity roles as well, something highlighted
in 2008 and 2010 by the CSIS Commission on Cybersecurity for the 44th
Presidency.
The University System of Maryland (USM), which includes 12
campuses, has a number of programs in place to augment the existing
pipeline of future cybersecurity professionals. Maryland institutions
are playing their part by not only training dedicated cybersecurity
professionals, but also educating the general public on good
cybersecurity practices and policies.
Below are some key ways in which USM institutions are helping to
combat the shortage in our Nation's cybersecurity workforce:
--USM institutions offer a broad range of degrees in
cybersecurity-related fields, and approximately 4,400 cybersecurity-
related degrees (BS, MS, and PhD combined) were awarded in the 2012-
2013 academic year.
--Four USM institutions (UMD, UMUC, UMBC, and Bowie State) are
NSA and DHS Centers of Academic Excellence in Information Assurance
Education.
--UMD College Park, with support from Northrop Grumman, launched
the Advanced Cybersecurity Experience for Students (ACES) in 2013. This
is the Nation's first undergraduate honors program in cybersecurity.
--UMBC's Center for Cybersecurity Training offers numerous
courses for skill enhancement and certification opportunities.
--Multiple USM campuses offer MS programs in cybersecurity, cyber
policy, and/or digital forensics.
In addition to our current educational offerings, USM institutions
also perform outreach to the general public to spark interest in the
field and communicate cybersecurity best practices. Examples include:
--Cybersecurity camps for middle-school girls and high-school
students at UMCP.
--Summer camps for high-school STEM teachers held at UB as part
of the DHS-funded Cybersecurity Education and Training Program.
--``Tech talks'' given by undergraduate cybersecurity-club
members to the broader undergraduate student body.
Educational opportunities cannot be created or refined in
isolation. USM has numerous cybersecurity programs that are developed
with input from industry and government sources. Sharing information
about current workforce knowledge gaps, and how to best address them,
is one of the many ways that USM institutions benefit from our
sustained and regular interactions with private industry and the
Federal Government. However, as educators, we must not only train
students in the problems of today, but must also ensure that they
master key fundamentals that will provide the foundation for
understanding and remediating cybersecurity threats of tomorrow.
Federal and private support to continue to grow the future
cybersecurity workforce is essential to closing the ``demand gap'' for
those professionals. Continued--and perhaps expanded--investment from
Federal agencies, like the Department of Homeland Security, the
National Science Foundation, and the National Security Agency, for
example, is critical to sustaining the progress that has already been
made.
Again, thank you for the opportunity to appear before the
subcommittee. I look forward to answering your questions.
Senator Landrieu. Thank you very much.
Mr. Bowers.
STATEMENT OF SCOTT R. BOWERS, VICE PRESIDENT OF
GOVERNMENT RELATIONS, INDIANA STATEWIDE
ASSOCIATION OF RURAL
ELECTRIC COOPERATIVES
Mr. Bowers. Madam Chair, Senator Coats: Thank you for the
opportunity to address you regarding cybersecurity. I'm here on
behalf of Indiana Electric Cooperatives (IEC). Currently, IEC
represents 39 electric distribution cooperatives that serve
over 1.3 million Hoosiers in 89 of the State's 92 counties.
Collectively, our member cooperatives employ more than 1,500
individuals and represent the second largest electric provider
in Indiana.
Indiana's electric cooperatives recognize your concerns
related to cybersecurity. We have taken steps, often
independent of Government regulation, to provide the security
and reliability required for our consumers. Due to our
construct and the areas we serve, most people do not recognize
the leadership role electric cooperative assumed, specifically
in the areas of renewable energy sources, energy efficiency,
and cybersecurity.
Our 39 distribution cooperatives generally do not own bulk
electric system assets. Therefore they focus largely on the
reliability and security of their distribution systems,
protecting member data, and their data business systems where
data is processed and stored.
IEC also represents two generation and transmission
cooperatives, or G&Ts, Hoover Energy Rural Electric Cooperative
and Wabash Valley Power Association. Both are fully integrated
on the NERC compliance registry by applicable function. As
such, each G&T is required to comply with approved reliability
standards related to cybersecurity, operations, and system
reliability.
Today I'd like to specifically recognize the cybersecurity
efforts of our two G&Ts. Hoosier Energy maintains a thorough
cybersecurity program that protects facilities critical to the
reliability of the bulk electric system against a myriad of
vulnerabilities. Most notably, Hoosier Energy developed an in-
house scanning utility called the Windows Configuration
Management Utility (WinCMU) that gives Hoosier Energy complete
visibility into its systems and reports any unexpected changes
to its security team.
Knowing what is on a system is the most important step in
maintaining a secure environment. During a recent audit by
NERC, auditors acknowledge this and praised WinCMU and Hoosier
Energy for going above and beyond the requirements in NERC's
cybersecurity standards. Compliance with these standards is
enforced by NERC and the Federal Energy Regulatory Commission
(FERC).
In addition to complying with such standards, Hoosier
Energy's cybersecurity program mitigates and protects against a
wide range of vulnerabilities, including: one, ignorance,
indifference, and lack of knowledge of cyber threat protection;
two, information exfiltration; three, network-based cyber
attacks; four, unmanaged changes to cyber assets and protective
systems; and five, direct attacks on cyber assets.
Wabash Valley, IEC's second G&T, has a strong cybersecurity
program in place as well. Wabash Valley firmly believes it
takes every employee being vigilant to ensure the safety of
their people and their assets. Relative to cybersecurity
standards, Wabash Valley awaits the implementation of NERC's
updated Critical Infrastructure Protection (CIP) Standards
Version 5. Wabash Valley worked proactively to develop its
cybersecurity plan although it was not required by previous
versions of the standards.
Additionally, Wabash Valley engaged an external consultant
to assess its CIP program and systems. The consultant
determined Wabash Valley's CIP program was thorough and
indicated that no changes to its systems were required.
Under previous NERC reporting standards, Wabash Valley
established reporting relationships with FBI offices in the
four States where it has member cooperatives or facilities.
Although no longer required, Wabash Valley continues to keep
the FBI or the Joint Terrorism Task Force in the reporting
chain for cybersecurity events.
Last, Wabash Valley has established procedures in place for
NERC alert system and energy sector ISAC-provided
communications and alerts. These communications are reviewed by
compliance and technical service personnel to assess a
potential threat to the G&T. If applicable, systems are
reviewed and, as appropriate, preventive actions implemented.
Moving forward, IEC sees several actions and opportunities
where additional focus and improvement benefit access to power.
Those include: continued improvement in information-sharing to
ensure timeliness and actionability to cyber threats; expanding
the number of clearances permitted for cooperative staff and
allowing for top secret clearance for select senior-level
executive staff; avoiding one size fits all solutions, while
also encouraging flexibility; encouraging the continuation and
creation of additional partnership opportunities; and improving
consistency with the Federal standards application and
compliance process.
In closing, IEC believe we are on a good path, but
opportunities to improve still exist. Each of us, not just the
respective Federal agencies, must assume our individual
responsibilities to work constructively, effectively, and, most
importantly, in partnership to address both current and future
cyber-related threats to the reliability and security of our
Nation's electric grid.
Thank you.
[The statement follows:]
Prepared Statement of Scott R. Bowers
Indiana Electric Cooperatives (IEC), the Nation's first electric
cooperative service organization, represents 39 electric distribution
cooperatives that serve over 1.3 million Hoosiers in 89 of the State's
92 counties. Collectively, our members employ more than 1,500
individuals and represent the second-largest electric power provider in
Indiana. We serve a diverse expanse of Indiana communities, from rural
and farming areas, industrial parks and employment zones to burgeoning
suburbs. IEC appreciates the opportunity to provide the following
testimony before the Senate Appropriations Homeland Security
Subcommittee regarding ``Investing in Cybersecurity: Understanding
Risks and Building Capabilities for the Future.''
Indiana's electric cooperatives played a foundational role in
delivering electricity to communities across Indiana 80 years ago.
Today, we fuel progress by delivering more than electricity to the
communities we serve. We contribute to economic development, community
development and youth and education programs across Indiana. We
continue to deliver safe, secure, reliable and affordable electric
power across the State, including hard-to-reach rural areas. These same
electric cooperatives are at the forefront in the promotion of
renewable energy sources, energy efficiency programs and technology,
ensuring electric power sources for future generations.
introduction
IEC recognizes your concerns related to the issue of cybersecurity.
We have taken steps, sometimes independent of government regulation, to
provide the security and reliability required and necessary for our
consumers. Due to our construct and the areas we generally serve, most
people do not recognize the leadership role electric cooperatives have
assumed--specifically in the areas of renewable energy sources, energy
efficiency and cybersecurity.
IEC has two generation and transmission cooperative (G&Ts) members,
Hoosier Energy Rural Electric Cooperative (Hoosier Energy) and Wabash
Valley Power Association (Wabash Valley), who provide Indiana
distribution cooperatives with wholesale electric power from coal,
natural gas and renewable energy sources. Both G&Ts are fully
integrated and registered on the North American Electric Reliability
Corporation (NERC) Compliance Registry by applicable function. As such,
each of Indiana's G&T cooperatives are required to comply with approved
Reliability Standards related to cybersecurity, operations and system
reliability.
Our 39 distribution cooperatives generally do not own Bulk Electric
System (BES) assets. Therefore, they focus largely on the reliability
and security of their distribution systems, which brings electricity to
homes and businesses, protecting member data and their business systems
where the data is processed and stored.
This afternoon, I would like to specifically recognize the
cybersecurity efforts of our two G&Ts. I will start by discussing
Hoosier Energy's efforts to address the cybersecurity threat.
hoosier energy
Hoosier Energy maintains a thorough cybersecurity program that
protects facilities that are critical to the reliability of the BES
against a myriad of cyber vulnerabilities. Most notably, Hoosier Energy
developed an in-house scanning utility called the Windows Configuration
Management Utility (WinCMU) which gives Hoosier Energy complete
visibility into its systems and reports any unexpected changes to its
security team. Knowing what is on a system is the most important step
in maintaining a secure environment. During a recent audit by NERC,
auditors acknowledged this and praised WinCMU and Hoosier Energy for
going above and beyond the requirements in NERC's cybersecurity
standards. Compliance with these standards is enforced by NERC and the
Federal Energy Regulatory Commission (FERC).
In addition to complying with such standards, Hoosier Energy's
cybersecurity program mitigates and protects against a wide range of
vulnerabilities including:
--Ignorance, Indifference and Lack of Knowledge of Cyber Threat
Protection;
--Information Exfiltration;
--Network Based Cyber Attacks;
--Unmanaged Changes to Cyber Assets and Protective Systems;
--Direct Attack on Cyber Assets; and
--Physical Attack on Cyber Assets.
(See Appendix A for description of these vulnerabilities.)
IEC's other G&T, Wabash Valley, also has a cybersecurity program
which includes some similar elements to Hoosier Energy's program. Next,
I would like to highlight Wabash Valley's efforts to address the issue
of cybersecurity.
wabash valley
The protection of people and assets are top priorities for Wabash
Valley. As technology continues to evolve, cybersecurity threats become
more advanced and increasingly difficult to detect and prevent. Wabash
Valley firmly believes it takes every employee being vigilant to ensure
their personal safety and the safety of Wabash Valley's assets (both
physical safety and cybersecurity).
Relative to cybersecurity standards, Wabash Valley, along with
other small entities, awaits the implementation of NERC's Critical
Infrastructure Protection (CIP) standards, Version 5 (cybersecurity
standards). Although not required by previous versions of the CIP
standards, Wabash Valley has already developed a cybersecurity plan. In
addition, an external consultant was hired by Wabash Valley to perform
an assessment on its CIP program and systems. The consultant determined
its CIP program was thorough for a small entity and that no changes to
systems were required at that point in time.
Under NERC's event reporting standards, applicable entities were
required to establish a reporting relationship with the Federal Bureau
of Investigation (FBI). Wabash Valley established reporting
relationships with FBI offices in all States and cities where it has
member cooperatives or plant facilities (Indiana, Ohio, Illinois and
Missouri). Although direct reporting of events to the FBI is no longer
required by the NERC standard, Wabash Valley feels it is important to
continue to keep the FBI or the Joint Terrorism Task Force (JTTF) in
the reporting chain for cybersecurity (and other) events. Wabash Valley
is part of the FBI's Strategic Partnership with businesses. As such,
Wabash Valley receives regular bulletins and communications from the
FBI to keep them informed about various situations/threats that could
affect the safety and security of company assets and/or personnel.
Through the NERC Alert System and the Electric Sector Information
Sharing and Analysis Center (ES-ISAC) housed within NERC,
communications and alerts related to various potential threats are
provided to our industry. It is part of Wabash Valley's established
procedures for these communications to be reviewed by compliance and
technical services personnel to assess a potential threat to the G&T.
If the threat has potential applicability to Wabash Valley, then
systems are reviewed and, as appropriate, preventive actions
implemented. If the threat, such as HEARTBLEED, has potential impact
for company employees on their computer systems at home, information is
communicated to Wabash Valley employees. On a regular basis, the Wabash
Valley security officer emails pertinent security topics to staff.
Wabash Valley welcomes the finalization of the cyber and physical
security standards in the near future. In the meantime, they will
continue to seek proactive measures to ensure the security of all G&T
personnel and assets.
So where do we go from here? Beyond just the updating of the CIP
standards, there are other actions that can assist us, the owners and
operators, in assuring access to power. In talking with both our G&Ts,
they shared concerns regarding some areas where they see opportunity
for improvement.
information sharing
While we recognize and appreciate that improvement has been made by
the Federal Government in the flow and sharing of cyber and physical
security related information over time, the need for continued
improvement still exists. Our ability to receive timely and actionable
information remains a work in progress. The media remains our primary
source of threat-related information. By the time information is shared
with us from the Federal agencies, it can be too late for us to address
the threat. Under our current situation, the damage is already done and
we have moved into mitigation mode if we were impacted by the threat.
Improving the timeliness of the threat communication would also better
position us to take preventive actions on the front end in hopes to
fend off or, if penetrated, minimize the impact to our system.
Additionally, expanding the number of ``secret'' clearances
permitted for cooperative staff and allowing for ``top secret''
clearance for select senior-level executive staff would also be
beneficial. This adjustment in security clearance procedures, along
with liability protections for information sharing with the Government,
would allow for more real-time and actionable information to be shared.
flexibility
IEC would strongly encourage Congress and the Federal agencies to
avoid enacting ``one-size-fits-all'' solutions for cyber and physical
security. Our member cooperatives share a common mission, core
principles and similarities in structure, but they are each independent
and unique in the tactics, processes and protocols they utilize to
serve their members. By affording Indiana's electric cooperatives that
flexibility, each of our member cooperatives would be positioned to
deploy the measures, technologies and systems that best fit their
operations, assets and efforts to combat cyber and physical threats. In
addition, each cooperative would be able to account for implementation
costs, which helps maintain affordability, without compromising the
security measures.
partnerships
Partnerships have been one of the most beneficial and productive
tools used by Indiana's electric cooperatives in addressing the
cybersecurity issue. The partnerships that have been most successful
for us have generally been cooperative to cooperative based. Indiana's
electric cooperatives have also benefited from their relationships with
other private organizations, i.e. ACES, through their interactions with
their Regional Transmission Organizations (RTO) as well as our national
association, the National Rural Electric Cooperative Association
(NRECA). While electric cooperatives were born with the assistance of
the Federal Government in the 1930s, our approach has generally been to
work within the cooperative community or the private sector to find
cost effective solutions to the issues facing our industry. These types
of partnerships, along with finding additional opportunities to enhance
the working relationship between the responsible Federal agencies and
our member cooperatives through our members and through the NRECA,
should be encouraged as well. The Electricity Sector Coordinating
Council (ESCC) is a great example of one of these partnerships. With
the ESCC you see individual cooperative G&Ts, as well as participants
from the Investor Owned Utilities and Municipal Electric Utilities, and
the associated trade associations at a table with the Department of
Energy (DOE), FERC, NERC and the Department of Homeland Security (DHS)
working together to identify and find solutions.
consistency
Due to the multiple levels of government oversight concerning
cybersecurity (e.g. FERC, NERC and NERC's regional entities), finding
consistency in the compliance process has had its challenges. The vague
nature of some of the cybersecurity standards coupled with
inconsistencies in the interpretation and auditing of those standards
have created challenges with cybersecurity compliance for our member
cooperatives. Refining this process to increase consistency and by
providing more clarity with the respective standards would help
streamline the process, enhance our effectiveness and provide greater
certainty to our cybersecurity initiatives.
physical security
While the focus of this hearing was specific to the issue of
cybersecurity, IEC would like to briefly address the issue of physical
security. There has been increased discussion surrounding this issue
due to recent events and IEC acknowledges the importance of protecting
our physical assets as well. The current initiative by FERC and NERC to
develop physical security standards for critical assets is viewed as a
positive step by Indiana's electric cooperatives. There is more to be
accomplished with this effort and we welcome the opportunity to engage
and provide our perspective throughout the process.
conclusion
My comments today outlining areas of opportunity should not be
viewed negatively on the interactions Indiana's electric cooperatives
have had to date with the Federal agencies engaged in the cybersecurity
arena. Our member cooperatives who work most closely with FERC, NERC,
DHS and DOE, to name a few, would agree significant improvements and
advancements have been made in all of these areas since the effort
began. Our primary message for you today is that we are on a good path,
but opportunities to improve still exist. Each of us, not just the
respective Federal agencies, must assume our individual responsibility
to work constructively, effectively and, most importantly, in
partnership to address both current and future cyber-related threats to
the reliability and security of our Nation's electric grid.
appendix a: descriptions of referenced cyber security mitigated
vulnerabilities
Ignorance, Indifference and Lack of Knowledge of Cyber Threat
Protection
Hoosier Energy's cybersecurity program ensures all levels of the
organization are appropriately engaged. Responsibilities are clearly
delineated among leadership and those responsible for direct
cybersecurity activities.
Training and awareness programs are required for all who have
access to cyber assets critical to the reliability of the BES. Training
covers why Hoosier Energy's program is important, how it protects us
and the relevant responsibilities. In addition, Hoosier performs
awareness exercises exemplified by a Spearphishing exercise in 2013
that reduced click-thru rates from 30 percent to 2 percent.
Information Exfiltration
Hoosier Energy maintains an information protection program that
identifies and classifies critical information, how it can be shared
and with whom it can be shared.
Network-Based Cyber Attacks
Hoosier Energy maintains a separate, isolated network through the
use of an electronic security perimeter (ESP) that isolates its
critical cyber assets from less secure corporate network and
neighboring utility connections. All communication is denied by
default. Allowed communications are limited to specific protocols and
approved sources from outside the ESP.
Direct Attack on Cyber Assets
Like in the ESP, communication is denied by default at each
individual cyber asset.
In addition:
--All relevant security patches are applied judiciously
--Malicious software prevention is installed and kept current
--Strong passwords are required and changed periodically
--Unnecessary physical ports are blocked or disabled
Unauthorized Access and Changes to Cyber Assets and Protective Systems
All access is provisioned on the principle of need-to-know. No
access is granted without first successfully completing a background
check.
ESP communications are monitored and logged around the clock. Any
change in configuration or any attempts at unauthorized access
automatically creates an alert.
The WinCMU creates a baseline for each protected cyber asset. The
WinCMU performs a daily comparison of the actual configuration and the
baseline to systematically identify and alert on unexpected changes.
Physical Attack on Cyber Assets
All critical cyber assets are protected within a physical security
perimeter (PSP) with access controlled using key cards, monitoring and
logging.
Senator Landrieu. Thank you very much for that excellent
testimony.
Mr. Peters with Entergy.
STATEMENT OF CHRISTOPHER PETERS, VICE PRESIDENT NERC/
CRITICAL INFRASTRUCTURE PROTECTION
COMPLIANCE, ENTERGY CORPORATION
Mr. Peters. Good afternoon, Chairwoman Landrieu, Ranking
Member Coats. Let me begin by thanking you for convening this
panel and for inviting Entergy to participate. I'm pleased to
appear here today to discuss Entergy's point of view on cyber
and physical security threats to our system, the benefits of
the public-private partnership process, and our experiences to
date interfacing with the Electricity Sector Information-
Sharing and Analysis Center (ES-ISAC).
By way of background, Entergy Corporation is an integrated
energy company engaged primarily in electric power production
and retail distribution. For some time now, Entergy has
recognized the uptick in cyber and physical threats that have
the potential to impact the reliability, safety, and security
of our operations and the Nation's power grid. We accord such
threats the same attention as we have always given the forces
of nature, including ice storms, tornadoes, hurricanes, floods,
and extreme heat, all of which can threaten the delivery of
safe, reliable power.
Entergy supports a comprehensive strategy to managing our
cyber and physical security defenses. This strategy leverages
our corporate resources to minimize impacts from intentional
and unintentional cyber or physical threats to our energy
portfolio.
Importantly, these threats have strong support at the board
of director and CEO level, which we believe is essential to
implementing an enterprise-wide security program with the right
amount of people for a security workforce and sufficient
funding of the technologies required to deal with threats and
breaches.
The threat landscape is inherently unpredictable and
evolving, which is why mastering the fundamentals of cyber and
physical security is best the best defense. In most cases
attacks exploit lapses in basic operations that have been
either ignored or which were not fully deployed.
One priority for Entergy is threat management. When a new
threat emerges, Entergy conducts an internal review of our
defense in depth plans to validate the existing security
control framework and make changes as necessary. Accordingly,
increasing physical security threats to energy delivery
infrastructures have triggered reviews and updates to our
security plans and posture, including the implementation of
additional physical security controls in key facilities.
Public-private partnership participation is a key element
in our cyber and physical security program and can be a
significant force multiplier when leveraged. To strengthen our
posture, over the past several years we have participated in a
number of public-private programs. Allow me to highlight one
program we feel is particularly helpful. Since 2008 Entergy has
received and responded to over 40 NERC alerts related to grid
security threats from the ES-ISAC. Based on the content of each
alert, we quickly assemble cross-functional teams of subject
matter experts to evaluate the highlighted vulnerabilities,
assess potential impacts, and carry out appropriate mitigation
steps.
Entergy considers the ES-ISAC a vital partner in achieving
electric sector-wide situational awareness, improving national-
level response and coordination, and fostering collaboration
among key electric sector stakeholders.
The public-private partnership model is not perfect and
will continue to evolve over time to ensure that the private
sector can realize maximum value from our federally funded
programs and technologies. Every utility must drive the daily
transformation of their own cyber and physical security
programs to defend against constantly changing threat
landscapes.
Before concluding, I'd like to add that Entergy is a strong
advocate of regulations and legislation that would bolster
information-sharing between public and private entities about
cybersecurity risks and events, allowing that the protections
are built in for confidentiality and non-recourse. We believe
access to information of this kind will help enhance the
security posture of utilities.
Thank you again for giving Entergy the opportunity to share
its views and I hope you found these comments helpful. We look
forward to continuing to work with you in the coming year to
ensure strong public-private relationships aimed at better
securing the energy sector's critical infrastructure. I'm happy
to answer any questions you may have.
[The statement follows:]
Prepared Statement of Christopher Peters
Good afternoon, Chairwoman Landrieu, Ranking Member Coats, and
distinguished members of the subcommittee. Let me begin by thanking you
for convening this panel and for inviting Entergy to participate. My
name is Chris Peters and I am Entergy's vice-president for NERC and
Critical Infrastructure Protection compliance, reporting to Entergy's
executive vice president and chief operating officer.
I am pleased to appear here today to discuss Entergy's point of
view on cyber and physical security threats to our system, the benefits
of the public-private partnership process, and our experiences to date
interfacing with the Electricity Sector-Information Sharing and
Analysis Center (ES-ISAC).
By way of background, Entergy Corporation is an integrated energy
company engaged primarily in electric power production and retail
distribution. Entergy owns and operates power plants with approximately
30,000 megawatts of electric generating capacity, including more than
10,000 megawatts of nuclear power. We deliver electricity to 2.8
million customers in Arkansas, Louisiana, Mississippi, and Texas. We
have approximately 14,000 employees.
For some time now, Entergy has recognized the uptick in cyber and
physical threats that have the potential to impact the reliability,
safety and security of our operations and the Nation's power grid. We
accord such threats the same attention as we have always given to
forces of nature, including ice storms, tornadoes, hurricanes, floods,
and extreme heat--all of which can threaten the delivery of safe,
reliable power.
Entergy supports a comprehensive strategy to managing our cyber and
physical security defenses. This strategy leverages our corporate
resources to minimize impacts from intentional and unintentional cyber
or physical threats to our energy portfolio. Importantly, these efforts
have strong support at the Board and CEO level, which we believe is
essential to implementing an enterprise-wide security program with the
right amount of people for a security workforce and sufficient funding
of the technologies required to deal with threats and breaches.
The threat landscape is inherently unpredictable and evolving,
which is mastering the fundamentals of cyber and physical security is
the best defense: In most cases successful attacks exploit lapses in
basic operations that have been either ignored or which were not fully
deployed.
One priority for Entergy is threat management. When a new threat
emerges, Entergy conducts an internal review of our defense-in-depth
plans to validate the existing security control framework and make
changes as necessary. Accordingly, increasing physical security threats
to energy delivery infrastructures have triggered reviews and updates
to our security plans and posture, including the implementation of
additional physical security controls at key facilities.
Public-private partnership participation is a key element in our
cyber and physical security program and can be a significant force
multiplier when leveraged. To strengthen our posture, over the past
several years we have participated in a number of public-private
programs:
--The Government Forum of Incident Response and Security Team
Conference;
--The FBI's Classified Cybersecurity Threat Briefings;
--NERC's GridEx and GridEx II sector-wide exercises;
--DOE's Electricity Subsector Cybersecurity Capability Maturity
Model (ES-C2M2) and the Control Systems Cybersecurity Training
delivered by Idaho National Labs;
--More than a few DHS' initiatives, including: Monthly
Unclassified Nuclear Sector Threat Teleconferences, the Control Systems
Cybersecurity Program, the Cyber Security Evaluation Tool (CSET),
Classified Nuclear Cybersecurity Threat Briefings at the National
Security Agency, the Enhanced Critical Infrastructure Protection
Initiative, and the Cyber Storm III exercise; and
--Lastly, Entergy worked closely with NIST and participated in
several workshops during the drafting of the Cybersecurity Framework in
relation to Executive Order (EO) 13636: Improving Critical
Infrastructure Cybersecurity.
Allow me to highlight one program we feel is particularly helpful.
Since 2008, Entergy has received and responded to over 40 NERC alerts
related to grid security threats from the ES-ISAC. Based on the content
of each alert, we quickly assemble cross-functional teams of subject
matter experts (SMEs) to evaluate the highlighted vulnerabilities,
assess potential impacts, and carry out appropriate mitigation steps.
Entergy considers the ES-ISAC to be a vital partner in achieving
electric sector-wide situational awareness, improving national-level
response and coordination, and fostering collaboration among key
electric sector stakeholders.
The public-private partnership model is not perfect and will
continue to evolve over time to ensure that the private sector can
realize maximum value from federally funded programs and technologies.
Every utility must drive the daily transformation of their own cyber
and physical security programs to defend against constantly changing
threat landscapes.
Before concluding, I would like to add that Entergy is a strong
advocate of regulations and legislation that would bolster information
sharing between public and private entities about cybersecurity risks
and events. Allowing that protections are built in for confidentiality
and non-recourse, we believe access to information of this kind will
help enhance the security posture of utilities.
Thank you for giving Entergy the opportunity to share its views and
I hope you've found these comments helpful. We look forward to
continuing to work with you in the coming year to ensure strong public-
private relationships aimed at better securing the energy sectors'
critical infrastructure. I am happy to answer any questions you may
have.
Senator Landrieu. Thank you all very much.
Let me begin with a question to each of you, starting with
Dr. Katz. If you could recommend in a minute or less something
for the Department of Homeland Security to focus on improving
their current operations--I agree with Senator Coats that the
Department has turned the corner. They have the appropriate, I
think, leadership in place on this issue. Lots of initial
challenges have been sorted out. But if you could give 1 minute
of testimony about what you would suggest Homeland Security do;
take the next step in a specific area, whether it's in
education, whether it's in collaboration, whether it's in
authorization, et cetera, et cetera, what would you say?
Dr. Katz. From my point of view, I think really focusing on
cybersecurity workforce development will be very helpful. I
think you hit the nail on the head in the previous panel when
you mentioned that the requirements for cybersecurity
professionals really need to be laid out precisely, because
hearing that 200,000 students a year are needed is not very
helpful unless we know precisely what kind of background those
professionals need and, really more importantly, without an
understanding of the fact that those 200,000 professionals are
not all going to be identical. They're going to be people--
you're going to need people with different needs and different
backgrounds, and breaking that out further and really
understanding that would be a big step forward and would allow
the Nation's academic institutions to better prepare to meet
that need.
Senator Landrieu. Yes, and I'm going to continue to press
my staff and other staffs and any witnesses. If there is such
an effort going on, in a comprehensive, clear way trying to
identify that specifically, I'd like to know about it, because
I keep looking and haven't found it. For instance, in your
testimony you said you've graduated 4,000 in cybersecurity-
related fields. Would that include math? Would that include
general math or economics, et cetera?
Dr. Katz. Actually, I believe it's fairly broad, so 4,000--
--
Senator Landrieu. Is very broad, and it's ``cyber-related
fields.'' Well, you know, our Nation has a great demand for
math teachers that have to go into the classroom to teach
traditional math. We can't doublecount. Those are teachers we
need for the math classroom. Where are our math graduates going
into--this is additional cyber.
I really am going to continue to press on this until I can
get a clear understanding to make sure we're moving in that
direction. But thank you for that.
What would you say at CenturyLink--and I really appreciate
understanding the role that the Internet providers--and there
are three main providers, correct, AT&T, Verizon, CenturyLink?
Who else would you put on that list?
Mr. Mahon. We would be the top three.
Senator Landrieu. Is it fair to say that everybody's
business comes through your networks, everybody's?
Mr. Mahon. At one point or another, that's an accurate
statement.
Senator Landrieu. So one thing to consider is the outward
perimeter, that you're it. If your systems can be secure and
our Government partnership with the three of you can be very
good and solid, together we could do a lot of protection for
what's inside of that perimeter, is kind of the way I'm
thinking about it. Is that how you talk with Verizon and AT&T,
and what would you say to the Department of Homeland Security
about that?
Mr. Mahon. Your assessment is correct. What I would say
about the Department of Homeland Security is, while they do
have very good programs with ECS and E3A, we do need to move it
to the next level. The majority of the Homeland Security
information-sharing model is a one-size-fits-all. They get
broad-based information from other Government agencies, they
put it in a format suitable for dissemination across all
verticals, all infrastructures, small to large corporations.
While that's very helpful, if you are a small to medium-sized
company and don't have a sophisticated information security
program it is of limited value to the larger corporations,
particularly the critical infrastructures.
The analogy that I often use is that you're invited to a
wedding and you can bring a gift to the bride. She certainly
appreciates it, but she would prefer you go to her wedding
registry and select something she really needs.
That's really where we need to go today. We have very
specific collection requirements on how to protect our network.
We do not have access to all the threat information, and I
believe the Government, whether it's through the Department of
Homeland Security or other agencies, would be of better
assistance to us if we gave them very specific requests to see
if they could be fulfilled for information.
Senator Landrieu. Thank you. That's very helpful.
Mr. Bowers, what would you say?
Mr. Bowers. I would say that our exposure to DHS has been
fairly limited. Most of what we have done has been primarily
through FERC, NERC, and the regional entities that work
underneath NERC.
Senator Landrieu. The reason for that, just to clarify--you
of course know it--is that this grid or this infrastructure is
the only mandatory regulated infrastructure, to my
understanding, the electric grid, through FERC and NERC. So the
other private sector companies that have financial
infrastructure or other energy infrastructure are not. And it's
been the problem or the challenge, as Senator Coats has pointed
out, it's hard to get the groups together to figure that out.
But you in the electric sector are working through it
fairly well. I know there have been problems, but would you say
that that's generally correct?
Mr. Bowers. Yes, I would agree with that. We've certainly
seen tremendous progress over the 7 years. I think as we've
worked with the respective Federal agencies and as they've
gotten to know us better, as we've gotten to know them better,
it's certainly created a much more productive partnership.
As it relates to funding or areas of emphasis, I'll go back
to a couple of things that I mentioned. Obviously, providing
funds to help bolster and streamline the information-sharing
process. One of the things is being able to get real-time
information that is actionable. A lot of times that's not the
situation, and I know that's not the goal. The goal is for
everyone involved to be able to try to avoid these types of
situations, and when they do occur obviously to then mitigate
them to the best of our ability.
In addition, I mentioned supporting or the expansion of
security clearances. I think that will be beneficial to the
information-sharing component. Then also, just as we've
continued to work through these various standards, bringing
that level of consistency, both in the standards, the
interpretation, as well as the auditing consistency, would be
areas of emphasis for our perspective.
Senator Landrieu. Mr. Peters, and then we'll get to Senator
Coats for his questions.
Mr. Peters. Senator, I think DHS has done a great job at
raising awareness around control system security, and it's my
understanding that 80 percent of the control systems that are
coming on line have been tested for various types of cyber
intrusions and basic security features. As we look to upgrade
our legacy control systems to next generation, that increased
funding and support for R&D for control systems that have
advanced cyber features would be very beneficial. I know
there's been a tremendous amount of success between DHS, the
Idaho National Labs, and various control systems vendors in
this area. So I would recommend championing continued support
for that area.
Senator Coats. Mr. Mahon, how do you work with the smaller
businesses, the community banks, the smaller retails, smaller
investment houses, and so forth? Obviously, the bigs--and we
just have to look at the response of Target and, say, Neiman
Marcus and others--have spent a very considerable amount of
money to upgrade their systems, to put more security in place,
at very, very considerable cost.
But the smaller entities really can't afford to do that.
Yet they have the same vulnerabilities, maybe not to as many
people, but to sizable--and Scott, I think I would ask you
also. You know, you're serving more rural communities,
customers and so forth. How do you find the resources to do
what you need to do and keep everybody on an even keel?
Mr. Mahon. Well, the small to mid-sized businesses have
concluded, Senator, exactly what you just stated, that the cost
of IT and the type of cybersecurity protections they need they
cannot afford. One of our lines of products and services is
referred to as Managed Security Services. We spend the time
with those customers explaining our information security
program, the security across our core network, and our Managed
Security Services products.
When they look at these types of products they can acquire
through companies like CenturyLink, they can frequently make
the informed decision that it is better actually to outsource
your security to companies like CenturyLink, because we can
provide them with subject matter experts and a scale model that
they could not have an equivalent model of should they decide
to build it on their own.
They are also suffering from the same shortage of
professionals in the industry. The larger corporations
obviously are able to attract them away with a little bit more
sophisticated work in some situations. So they also suffer from
workforce development issues.
Senator Coats. Scott.
Mr. Bowers. Senator, I think it ultimately comes back to
what our mission is, and our mission is to provide safe,
reliable, and affordable electricity to the members that we
serve. I would throw ``secure'' into that as well, based on the
dynamics of the last decade plus.
With that, our distribution cooperatives are our first
line. They work very closely with their two G&Ts. The G&Ts take
and have more interaction with the Federal Government as it
relates to these issues, but with the G&Ts and the distribution
cooperatives, they work very closely together to make sure that
they are making--that the distribution systems are secure.
Our distribution cooperatives obviously are very concerned
about the security of our member personal data. Those are
things as foundational of who we are and that we are member-
owned. It's very near and dear to us and ultimately to who we
are, and we have to make sure that we provide the reliability
and security and make those investments, while also trying to
balance the affordability aspect on top of that.
Senator Coats. I'll take a response from anybody on the
panel. How do you provide for security against insider access,
the equivalent of a Snowden, but within the retail sector or
the financial sector or whatever here, not the intelligence
sector? What types of security procedures and hiring procedures
and security clearances and so forth and monitoring that, of
course?
We hear today that, as has been indicated, there are just
independent actors that somehow want to cause some chaos,
whether for personal gain or whether for just the sport of it.
How do you monitor all that and ensure that you don't fall
victim to something like that?
Mr. Mahon. We have an insider threat program at
CenturyLink. It depends upon where you are in the organization.
If you're working classified work, you have security clearances
and the Government process around that, as you know, is pretty
rigorous.
But also, there are other positions within the company that
you also have to be super-vigilant around. We have some
baseline background checks we do on all employees as they enter
the organization. But really the insider threat is just the
problem, the fact that they're an insider. So really it becomes
more of a training program for your managers and your
supervisors to spot concerning behavior, so they understand
when someone is performing in a manner that is out of the norm.
These types of events that we frequently see in the media
of an insider doing extensive damage, if you were to do an
after-action on them you would learn most typically that there
were signs of behavior that came to the attention of key
supervisors, other employees, or managers. They just either
weren't trained to spot it, they didn't realize the
significance of it, or they didn't have a way to report it to
the appropriate organization that could do something about it.
So there is a very formal insider training program in a lot
of corporations like CenturyLink and they are effective. Do you
still have problems? Obviously, you can't spot everyone who's
an insider. But there are ways to manage those risks to an
acceptable level.
Senator Coats. Anybody else want to address that?
[No response.]
Senator Coats. My time has run out and our time I think has
run out. We can submit questions for further response, but I
want to thank all of you and thank the Chair for convening this
hearing, and thank all of you for participating in this. This
is a critical issue that we need to get it right, because, as
our former Homeland Security Secretary once said, the
perpetrators or the criminals, the actors, the States, et
cetera, they only have to be successful once; we have to be
successful 100 percent of the time in trying to stop all their
efforts. So it's a real challenge. I appreciate all of your
work in terms of trying to keep us safe from all these cyber
attacks and intrusions.
Thank you.
Senator Landrieu. Yes, and thank you, Senator Coats, for
your leadership. We wanted to conduct this hearing jointly and
the Senator provided a lot of background to allow us to do
that.
I thank all of our witnesses for your testimony today. I am
committed to doing all we can in this subcommittee to continue
to focus on these issues.
ADDITIONAL COMMITTEE QUESTIONS
We're going to leave the record open for 2 weeks. Questions
should be submitted to the committee staff by close of business
Wednesday, May 21.
[The following questions were not asked at the hearing, but
were submitted to the Department subsequent to the hearing:]
Questions Submitted to Dr. Phyllis Schneck
Questions Submitted by Senator Mary L. Landrieu
workforce development
Question. Deputy Under Secretary Phyllis Schneck, has the Secretary
decided to reassess all of the cybersecurity education, training, and
outreach goals of the Department--including the goal to educate 1.7
million students by 2021?
If so, in what timeframe will the reassessment be completed?
What analysis and method will be used to create a metric that meets
the nature of the threat?
Answer. The Department of Homeland Security (DHS) has conducted a
reassessment of its combined efforts to provide cybersecurity
education, training, and outreach throughout the Nation. The Department
determined that it can reach the goal of 1.7 million American students
of all ages within the original timeframe through a unity of effort
across the Department. The 1.7 million students include participants in
a number of programs:
--DHS continues the Integrated Cybersecurity Education
Communities (ICEC) project and will extend the grant that supports this
project, providing an additional $5 million to the grantee to ensure
that the project grows in the summer of 2015.
--DHS continues to support the National Centers of Academic
Excellence and Scholarship for Service programs, which collectively
reaches over 18,000 students per year.
--DHS sponsorship of cybersecurity competitions, particularly at
the high school level, increases the number of students receiving
hands-on education in cybersecurity by approximately 12,000 students
each year.
--The Federal Virtual Training Environment and Cybersecurity
Training Events are available to 125,000 students each year.
--The National Initiative for Cybersecurity Careers and Studies
(NICCS) portal directs thousands of Americans across the country to
cybersecurity education and training programs each year.
Pertaining to your question on the analysis and methods used to
create a metric that meets the nature of the threat: The cybersecurity
threat is dynamic and consists of nation-States, criminal
organizations, individual actors, and systems degradation. The
Department approaches its cybersecurity and its broader critical
infrastructure security and resilience missions from a risk management
perspective which incorporates associated threats, vulnerabilities and
consequences. Under the National Infrastructure Protection Plan (NIPP),
the critical infrastructure community evaluates the effectiveness of
risk management efforts within sectors and at national, State, local,
and regional levels by developing metrics for both direct and indirect
indicator measurement.
Within the NIPP structure, sector specific agencies work with
representatives from private industry (sector coordinating councils or
SCCs)--to bring insight to both sides in each sector. Such measures
inform the risk management efforts of partners throughout the critical
infrastructure community and help build a national picture of progress
toward the vision of the NIPP as well as the National Preparedness
Goal. Among other functions, the NIPP evaluation process also includes
the collection of performance data to assess progress in achieving
identified outputs and outcomes, and assessing progress toward
achievement of the national priorities, goals and vision.
DHS also places tremendous value on the effectiveness of our cyber
specific programs, and is continuously exploring new ways to increase
their impact. A key focus is on the future of cyber threats, and how to
quantify mitigations that must be built today in order to be in place
when needed later. For example, NPPD is studying the effectiveness of
delivering classified indicators through the Enhanced Cyber Security
Services (ECS) program to determine the appropriate balance of cost,
benefit, and impact per indicator. While this balance can be hard to
determine, it is the only technology that can defend at the network
perimeter against some of the most crippling threats, such as
destructive malware, and is priceless in an instance that could save an
entire network or organization from a crippling attack.
protection of federal networks and working with the private sector
Question. Deputy Under Secretary Schneck, what is the Department
doing specifically to look long term at the effectiveness of Einstein,
Continuous Monitoring and Diagnostics, and all the rest of the suite of
acquisitions and programs to protect networks and plan for major
procurements?
How do you know programs are continuing to be innovative?
How is the Department including industry in this planning so that
they can also plan long term for investments in solutions?
Answer. Effectiveness of the Continuous Diagnostics and Mitigation
(CDM) program is monitored through annual performance targets,
performance measures, and quarterly reports. Once the program has
entered the operations and maintenance phase, it will conduct annual
operational assessments, consistent with applicable DHS requirements
and OMB Guidance for Information Technology Business Cases (formerly
known as Exhibit 300s).
The National Cybersecurity Protection System (NCPS) program office
tracks effectiveness of the ENSTIEN system and the protection it offers
through a number of different means. By analyzing intrusion prevention
alerts that are generated based on both commercial and Government-
provided classified cyber indicators the program office is able to
better understand the effectiveness of the information that is being
used to take action on malicious traffic. The Cyber Pilot Program (CPP)
also works to identify gaps in current capabilities and initiates pilot
programs that may bring new value. For example, while signature-based
systems will continue to have a place in cyber defense for the
foreseeable future, there is recognition that behavioral-based systems
are also required as part of defense in-depth. The NCPS Program Office
is currently in the process of planning a CPP pilot that is analyzing a
behavior-based system in a real-world Department/Agency Security
Operations Center (SOC).
As EINSTEIN and Continuous Diagnostics and Mitigation capabilities
are deployed across Federal Executive Branch civilian agencies, the
Department will continue to measure the impacts of these capabilities
on the security posture of Federal agencies. Even facing increased
threats, impacts can be reduced using real-time action and the ability
to leverage what was learned in each event to protect ourselves and
others from future attempts. Furthermore, over the long term, the
Department recognizes that the cyber threat landscape evolve quickly
and, as such, it will identify pursue cybersecurity solutions that
quickly close gaps in network protection.
Overall, CDM and EINSTEIN are designed to fuse together in the
future, to create a presence within the .gov for detection of threats
at the perimeter and inside each network. That presence manifests in
intrusion detection/prevention and CDM capabilities, but also serves as
information collection across the .gov. This situational awareness can
leverage the power of the fastest computers to correlate events seen on
different networks and form intelligence that can mitigate threats that
previously would have gone unnoticed.
Pertaining to your question on knowing the programs will continue
being innovative: The NCPS and the CDM program are deeply committed to
continued innovation. They are structured to be responsive to the
constantly evolving and dynamic threat environment by taking advantage
of the private sector's business imperative to remain innovative for
competitive purposes. Within NCPS, EINSTEIN's Intrusion Prevention
Security Service (IPSS) will be deployed as a managed commercial
service provided by the major Tier 1 Internet Service Providers.
Deploying IPSS as a managed service allows those services to evolve at
industry speed based on best commercial practices.
At its inception, the CDM program decided in the interest of
efficiency, expediency and effectiveness to pursue commercial best fit
in acquiring necessary tools for continuous diagnostics and mitigation.
The CDM Tools/Continuous Monitoring as a Service (CMaaS) blanket
purchase agreement (BPA) is based on General Services Administration
Schedule 70 and includes a process by which the BPA can be updated as
new commercial off-the-shelf products become available and are judged
to be technically acceptable to meet the requirements of the CDM
program. Furthermore, a feature of the BPA requires each of the vendor
companies to regularly perform technology refresh of solutions that are
proposed and delivered to departments and agencies.
In an effort to ensure that the program has the ability to evolve
and adapt to emerging technologies, the NCPS program office has ensured
that it has a flexible infrastructure that can accommodate a range of
technologies and scale them to meet real world scenarios. For example,
in support of the NCPS Block 2.2 Information Sharing capability, the
program office has focused initial efforts on deploying the key
infrastructure components necessary to support information sharing such
as Identity, Credential & Access Management (ICAM), a secure portal to
provide a user interface, an enterprise service bus to support data
translation between applications, and a Cross-Domain Solution (CDS) to
support data exchanges at different classification levels.
Additionally, as the number of incidents increase, more data is
collected from the incidents themselves and is then correlated and
disseminated. This information sharing will reduce impacts due to
better real time detection, and our ability to use each event to
protect the larger ecosystem.
Information sharing takes two forms: human and machine. Human
information sharing includes personal relationships, as well as reports
generated from data collected and correlated by NPPD programs that is
formed into a human-informative visualization or reports. Information
in the form of cyber threat indicators can be sent between machines at
Internet speed, so that when a threat targets a site, that site already
knows of the threat as it was alerted by an indicator.
Overall, CDM and EINSTEIN are designed to fuse together in the
future, to create a presence within the .gov for detection of threats
at the perimeter and inside each network. That presence manifests in
intrusion detection/prevention and CDM capabilities, but also serves as
information collection across the .gov. This situational awareness can
leverage the power of the fastest computers to correlate events seen on
different networks and form intelligence that can mitigate threats that
previously would have gone unnoticed.
Pertaining to your question on how the Department is including
industry in the planning: CDM has a long history of collaboration with
industry, using technologies developed in private sector and
continually reconnecting with their private sector vendors to ensure
that the CDM leverages the latest private sector innovations.
Prior to release of the original Blanket Purchase Agreement (BPA),
in June and August 2012, the program held industry days to provide
insight into the program's upcoming solicitation approach. Once the BPA
was established in August 2013, the program conducted additional
Industry Days (regarding the next set of solicitations for CDM tools
and integration services for up to 60 agencies), training (both
overview and hardware asset management), special notices, advanced
notices, Web sites and considering other means to ensure active
collaboration with industry.
The CDM program actively collaborates with its Agency stakeholders,
as well as the 17 vendor companies that hold prime contracts under the
BPA. The program has an established Leap Ahead technologies program
that conducts outreach with industry to be kept apprised of
technological developments as they are made available commercially. The
Program is budgeted to manage the procurement and program lifecycle
activities to include a BPA recompete starting in fiscal year 2017.
The NCPS Program Office utilizes Requests for Information (RFI) and
actively participates in Industry Days at both the Department and
program level to keep industry informed. Additionally, NSD's Cyber
Pilot Program conducts market research as part of its gap analysis
process.
______
Questions Submitted by Senator Thad Cochran
Question. I think we understand the importance of traditional
ranges for testing and exercising with conventional weapons like
aircraft, guns, or missiles.
Could you explain to the subcommittee the function and value of
developing and utilizing ranges in the cyber domain? Are there ongoing
efforts to connect the cyber ranges so that we can test cyber tools on
more realistic virtual ranges and perform larger, more high fidelity
exercises in the cyber domain?
Answer. Ranges in the cyber domain allow cyber professionals to
test system operations and their own skills and abilities. Overall,
ranges directly contribute to DHS's commitment to ensuring that
operational software and/or hardware systems are validated against both
best practices and the systems' compliance with Government
requirements. NPPD leads the Federal Government's effort to secure
civilian Government computer systems, and work with industry and State,
local, tribal, and territorial governments to secure critical
infrastructure and information systems. DHS must validate information
system security configurations both prior to and after deploying the
system in an operational environment. With these requirements in mind,
cyber ranges provide a controlled, predictable environment where
operational systems can be tested and evaluated against known stressors
such as cyber attacks or improper configuration. For example, a
simulated environment could be used to conduct user acceptance training
and to complete performance and load testing of the National
Cybersecurity Protection System (NCPS) applications. This type of
environment would inject real-world threat data and measurement
instruments, offering a valuable realistic training experience for
personnel.
In addition to NPPD programs, operational elements across the DHS
enterprise could also leverage a range to validate and test the
capabilities of present and future security and forensics products. A
range that allows for large-scale testing within an adaptable
environment would provide the capability to verify the potential
benefits of products and tools before purchase, test tools against new
threats, and allow personnel to familiarize themselves with innovative
tools.
Pertaining to your question on ongoing efforts to connect to cyber
ranges: Yes, the DOD Enterprise Cyber Range Environment Forum has
developed a charter to federate the cyber ranges across the DOD
enterprise so that tools testing capability can be integrated with the
ability to conduct exercises.
Question. There has been much discussion about how involved the
Federal Government should be in defending infrastructure owned by non-
Federal entities.
How would you define the threshold for what types of non-Federal
infrastructure might qualify as ``critical'' for these purposes?
Answer. The Federal Government does not have thresholds for when it
would defend non-Federal infrastructure from cyber attacks. The
Department, working with public and private sector partners, has
identified infrastructure--both public and private--where a
cybersecurity incident could reasonably result in catastrophic regional
or national effects on public health or safety, economic security, or
national security. The resulting list of entities, identified under
Executive Order 13636, has been briefed to relevant Congressional
Committees and the entities themselves have been notified of their
designation.
The statutory definition of critical infrastructure is, ``Systems
and assets, whether physical or virtual, so vital to the United States
that the incapacity or destruction of such systems and assets would
have a debilitating impact on security, national economic security,
national public health or safety, or any combination of those
matters.'' 42 U.S.C. section 5195c(e). Cooperation with these entities
and clearly defining lanes of responsibility across the Federal
Government are vitally important for our engagement with these
entities.
We have heard about the importance of cooperation and clearly
defined lanes of responsibility across the Federal Government for our
cybersecurity efforts.
Question. What are your respective roles in receiving and sharing
threat information with the private sector?
Answer. DHS shares timely and actionable cybersecurity information
across its partners and constituents to establish and maintain shared
situational awareness. The types of cyber information DHS shares most
often include alerts and warnings, analysis of actor tactics,
techniques and procedures to aid in incident detection, indicators of
malicious activity and supporting contextual information, best
practices, vulnerability information and assessments, and trend
analysis.
Working across the department with our cyber capabilities housed in
the U.S. Secret Service, Coast Guard, CBP, ICE, and others, DHS has
several programs in place to help facilitate the sharing of timely,
actionable information to and from the private sector:
--The National Cybersecurity and Communications Integration
Center (NCCIC) is a 24�7 center responsible for providing a common
operating picture for cyber and communications across the Federal,
State, and local government, intelligence and law enforcement
communities, and the private sector. The NCCIC is based in DHS's Office
of Cybersecurity and Communications (CS&C), a component of the National
Protection & Programs Directorate (NPPD). On both a steady-state and
emergency basis, it fuses, coordinates, and shares information from its
operational elements, including the:
--The U.S. Computer Emergency Readiness Team (US-CERT), which
responds to cybersecurity incidents and analyzes information from
multiple sources to develop timely and actionable alert and warning
products for public and private sector partners.
--The Industrial Control Systems Cyber Emergency Response Team
(ICS-CERT), which works to reduce risk to the Nation's critical
infrastructure through public-private partnerships and by providing
onsite support to private sector industrial control systems owners and
operators for protection against and response to cyber threats,
including incident response, forensic analysis, and site assessments.
--The National Coordinating Center for Telecommunications
(NCC), which leads and coordinates the initiation, restoration, and
reconstitution of National Security/Emergency Preparedness (NS/EP)
telecommunications services or facilities under all conditions.
--NCCIC Operations and Integration (NO&I), which leverages
planning, coordination, and integration capabilities to synchronize
analysis, information sharing, and incident response efforts to ensure
effective synchronization across capabilities.
--Integrating information from all partners--private and public
sectors, including State, local, tribal and Federal, in both the cyber
and communications arenas--the NCCIC creates and shares a common
operational picture, coordinates response activities, and protects our
Nation's critical networks.
--Through the Cybersecurity Information Sharing and Collaboration
Program (CISCP), DHS has established a systematic approach to cyber
threat information sharing and collaboration between DHS and the 16
critical infrastructure sectors.
--By sharing unclassified cyber threat indicators, DHS enables
the detection, prevention, and mitigation of threats. This builds a
more holistic understanding of cyber threat activity occurring across
the 16 critical infrastructure sectors and across the Federal
Government.
--Through these partnerships, CISCP enables information sharing
and collaboration with our critical infrastructure partners to share
new cyber threat, incident, and vulnerability information This exchange
is conducted in near-real time to enhance collaboration and to better
understand the threat and improve network defense for the entire
community.
--A key aspect of CISCP is its bi-directional information
sharing construct. CICSP participants submit indicators of cyber threat
activity on their network to DHS that can be shared with other CISCP
participants in an anonymized, aggregated fashion. Furthermore, the
NCCIC allow cleared sector participants onto the NCCIC floor to ensure
close coordination and communication when an event occurs.
______
Questions Submitted by Senator Lisa Murkowski
Question. The President's Executive Order (EO) 13636 on
cybersecurity and its accompanying Presidential Policy Directive (PPD)
21 directed the National Institute of Standards and Technology to
develop a voluntary cybersecurity framework in partnership with private
industry. As you know, the Energy Policy Act of 2005 established
mandatory cyber and physical security standards for the electric
industry through the Federal Energy Regulatory Commission/North
American Electric Reliability Corporation (FERC/NERC) stakeholder
process. Via the FERC/NERC stakeholder process these cybersecurity
standards have been continuously updated and revised since the law's
enactment to reflect ever-changing cyber threats. The industry is now
on CIP Version 5 which includes 12 new requirements and also
prioritizes cyber assets.
How does the voluntary framework called for in EO 13636 and PPD-21
interface with the mandatory standards already in place for the
electric industry? For example, what if a voluntary measure under the
NIST framework conflicts with a mandatory standard?
Answer. Because the Cybersecurity Framework is a voluntary
approach, organizations can determine how to best use the Framework so
that it meets their business requirements. It is designed to be
supplemental, not a replacement for industry regulations. If utilities
are currently regulated, or become subject to regulation, then
regulations would take compliance precedence and the Framework could be
used to supplement these requirements.
Question. What actions are DHS either currently undertaking or
planning to undertake to protect the grid (at both the transmission and
distribution level) from cyber threats? To what extent is DHS
duplicating ongoing grid-protection efforts by FERC, NERC and State
public utility commissions?
Answer. The Department's National Protection and Programs
Directorate (NPPD) supports critical infrastructure owners and
operators in preparing for, preventing, protecting against, mitigating
from, responding to, and recovering from all-hazards events, such as
cyber incidents, terrorist attacks, and natural disasters. The National
Infrastructure Coordinating Center (NICC) and the National
Cybersecurity and Communications Integration Center (NCCIC) fulfill
this DHS responsibility within the critical infrastructure partnership.
Stakeholders throughout the critical infrastructure community--
owners and operators; Federal partners; regional consortia; and State,
local, tribal, and territorial governments--can, and do, connect to the
NICC and NCCIC. In turn, these centers, along with an integrated
analysis function, build situational awareness across critical
infrastructure sectors based on partner input and provide information
with greater depth, breadth, and context than information from any
individual partner or sector.
As a part of the NCCIC's overall cyber coordination and response
capabilities, NCCIC operates the Industrial Control Systems Cyber
Emergency Response Team (ICS-CERT). ICS-CERT coordinates control
systems-related security incidents and information sharing with
government, and private sector constituents, including vendors, owners
and operators, and international and private sector CERTs. The focus on
control systems cybersecurity provides a direct path for coordination
of activities among all members of the critical infrastructure
stakeholder community as well as representatives from law enforcement.
This effort spans all phases of electric power and includes:
--Standards Development.--In 2010, ICS-CERT was a key member of
the Smart Grid Interoperability Panel, Cyber Security Working Group
which helped develop and issue the NIST Guidelines for Smart Grid Cyber
Security (NISTIR 7628, September 2010).
--Cybersecurity Assessments.--To date, ICS-CERT has directly
assisted 50 asset owners in the electric subsector by performing these
assessments and providing strategies for improving their defensive
posture.
--Vulnerability Handling and Dissemination of Mitigation
Strategies.--To date, ICS-CERT has addressed over 600 vulnerabilities,
many of which affect devices and software used in electric grid control
systems.
--Incident Response Services.--To date, ICS-CERT has provided
incident response services to 114 electric sector organizations by
analyzing malware, reviewing digital media from hard drives and log
files, and recommending strategies for recovery and preventing future
intrusions.
--Training to improve asset owners' cybersecurity skills and
practices:
--ICS-CERT provides cybersecurity training to network
administrators and control system professionals. Courses in
cybersecurity principles and best practices are offered through on-line
courses and instructor-led classes.
--Situational Awareness.--ICS-CERT provides actionable
situational awareness through briefings, alerts, advisories, and
indicator bulletins. ICS-CERT conducts both unclassified and classified
briefings and disseminates information on the Secure Portal and on its
Web site.
Pertaining to your question on the extent DHS is duplicating
ongoing efforts by FERC, NERC, and State public utility commissions:
DHS is not duplicating efforts with the Federal Energy Regulatory
Commission (FERC), the North American Electric Reliability Corporation
(NERC), or the State public utility commissions but rather ensuring
coordination of efforts. As instructed by Presidential Policy Directive
21, among other authorities, DHS provides cybersecurity information
sharing, technical assistance and national coordination to enhance the
security resilience of U.S. critical infrastructure. DHS does not
directly provide the protection but assists critical infrastructure
owners and operators in securing their own systems and coordinating
their information sharing across sectors and between different
partners.
NCCIC/ICS-CERT coordinates regularly with NERC via the Electricity
Sector Information Sharing and Analysis Center (ES-ISAC) to ensure
sharing of incident related information and dissemination of
information products. This eliminates duplication of effort when
triaging threat and vulnerability information. ICS-CERT also partners
with FERC to conduct assessments at utilities to ensure consistent
messaging and a unified methodology for assessing cybersecurity. In
addition, ICS-CERT hosts weekly Secure Video Teleconferences, and
conducts monthly information sharing sessions with energy sector
stakeholders via both classified and unclassified means, that are
attended by the Department of Energy, the non-regulatory Office of
Energy Infrastructure Security (OEIS) within the Federal Energy
Regulatory Commission (FERC), the Nuclear Regulatory Commission (NRC),
the Federal Bureau of Investigation (FBI), NERC and the ES-ISAC.
Question. You testified that NPPD is working with DOE to implement
a sustained outreach strategy to energy sector chief executive officers
to elevate risk management of evolving physical and cyber threats to
the enterprise level.
Please explain more fully. What other sectors has DHS undertaken
such an outreach effort with?
Answer. In addition to incident response activities, ICS-CERT and
the FBI, in coordination with the Department of Energy (DOE), the
Electricity Sector Information Sharing and Analysis Center (ES-ISAC),
Transportation Security Administration (TSA), the Oil and Natural Gas
and Pipelines Sector Coordinating Council's Cyber Security Working
Group, and other partners conducted a series of ``Action Campaign''
briefings at both the Secret and Unclassified levels to provide further
context of a specific threat and to highlight mitigation strategies.
The briefing campaign began in June 2013 and covered major markets
across the United States. These classified briefings have reached over
750 private sector attendees, many of whom were directly associated
with power grid operations. Outreach activities in the form of risk and
mitigation briefings play a key role in mitigating risks to critical
infrastructure.
While the energy sector was the focus for the action campaign
briefings, NCCIC/ICS-CERT has always allowed other cleared sector
participants to join these briefings. In addition, ICS-CERT holds
regular monthly and quarterly classified and unclassified briefings for
the nuclear, manufacturing, chemical, dams, water, transportation
sectors.
Question. You testified that ``[l]egislation providing a single
clear expression of DHS cybersecurity authority would greatly enhance
and speed up the Department's ability to engage with affected entities
during a major cyber incident and dramatically improve the
cybersecurity posture of Federal agencies and critical
infrastructure.'' Such legislation, however, could undermine the
mandatory cybersecurity standards we already have in place for the
electricity industry as a result of the 2005 Energy Policy Act.
Please comment. Is DHS proposing to usurp the grid protection
authorities already granted by Congress to FERC and NERC?
Answer. NERC and FERC have clear functions--one is to increase the
functionality and reliability through standards for grid operations and
the other is the U.S. regulator of grid owners and operators. The
Administration is not seeking to supplant these efforts. Rather it has
asked the Congress to codify the existing voluntary cybersecurity
technical assistance and mitigation role the Department of Homeland
Security (DHS) plays in supporting critical infrastructure.
DHS is neither a regulator nor a standards body for the electric
sector, but provides cybersecurity assistance through information
sharing and technical assistance on a voluntary basis when requested.
DHS, under PPD-21, is responsible for leading and coordinating the
national effort to protect critical infrastructure from all hazards,
including cyber incidents, by managing risk and enhancing resilience
through collaboration with the critical infrastructure community. To
achieve this end, DHS works with public and private sector partners,
including the Department of Energy, FERC, and NERC, to identify and
promote effective solutions for security and resilience to manage the
evolving risk environment.
CONCLUSION OF HEARING
Senator Landrieu. Without further business, the
subcommittee is adjourned. Thank you.
[Whereupon, at 3:30 p.m., Wednesday, May 7, the hearing was
concluded, and the subcommittee was recessed, to reconvene
subject to the call of the Chair.]