[Senate Hearing 113-790]
[From the U.S. Government Publishing Office]

S. Hrg. 113-790

CYBER SECURITY

HEARING before the COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS, UNITED STATES SENATE, ONE HUNDRED THIRTEENTH CONGRESS, SECOND SESSION

STRENGTHENING PUBLIC-PRIVATE PARTNERSHIPS TO REDUCE CYBER RISKS TO OUR NATION'S CRITICAL INFRASTRUCTURE, MARCH 26, 2014

DATA BREACH ON THE RISE: PROTECTING PERSONAL INFORMATION FROM HARM, APRIL 2, 2014

Available via the World Wide Web: http://www.fdsys.gov/

Printed for the use of the Committee on Homeland Security and Governmental Affairs

U.S. GOVERNMENT PUBLISHING OFFICE, 89-521 PDF, WASHINGTON : 2016

COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

THOMAS R. CARPER, Delaware, Chairman
CARL LEVIN, Michigan
TOM COBURN, Oklahoma
MARK L. PRYOR, Arkansas
JOHN McCAIN, Arizona
MARY L. LANDRIEU, Louisiana
RON JOHNSON, Wisconsin
CLAIRE McCASKILL, Missouri
ROB PORTMAN, Ohio
JON TESTER, Montana
RAND PAUL, Kentucky
MARK BEGICH, Alaska
MICHAEL B. ENZI, Wyoming
TAMMY BALDWIN, Wisconsin
KELLY AYOTTE, New Hampshire
HEIDI HEITKAMP, North Dakota

Gabrielle A. Batkin, Staff Director
John P. Kilvington, Deputy Staff Director
Mary Beth Schultz, Chief Counsel for Homeland Security
Stephen R. Vina, Deputy Counsel for Homeland Security
Matthew R. Grote, Senior Professional Staff Member
Amanda Slater, Legislative Assistant, Office of Senator Carper
Keith B. Ashdown, Minority Staff Director
Christopher J. Barkley, Minority Deputy Staff Director
Andrew C. Dockham, Minority Chief Counsel
Daniel P. Lips, Minority Director of Homeland Security
William H.W. McKenna, Minority Investigative Counsel
Justin Rood, Minority Director of Investigations
Cory P. Wilson, U.S. Secret Service Detailee
Laura W. Kilbride, Chief Clerk
Lauren M. Corcoran, Hearing Clerk

CONTENTS

Opening statements (page):
Senator Carper .... 1, 175
Senator Coburn .... 3, 179
Senator McCain .... 188

Prepared statements (page):
Senator Carper .... 43, 215
Senator Coburn .... 46, 217

WITNESSES

Wednesday, March 26, 2014
Phyllis Schneck, Ph.D., Deputy Under Secretary for Cybersecurity, National Protection and Programs Directorate, U.S. Department of Homeland Security .... 5
Donna F. Dodson, Chief Cybersecurity Advisor, National Institute of Standards and Technology, U.S. Department of Commerce .... 7
Stephen L. Caldwell, Director, Homeland Security and Justice Issues, U.S. Government Accountability Office; accompanied by Gregory C. Wilshusen, Director, Information Security Issues, U.S. Government Accountability Office .... 9
Elayne M. Starkey, Chief Security Officer, Delaware Department of Technology and Information .... 27
Steven R. Chabinsky, Chief Risk Officer, CrowdStrike, Inc. (testifying in his personal capacity) .... 29
Doug Johnson, Vice Chairman, Financial Services Sector Coordinating Council .... 31
David Velazquez, Executive Vice President for Power Delivery, Pepco Holdings, Inc. .... 33

Alphabetical List of Witnesses
Caldwell, Stephen L.: Testimony, 9; Prepared statement, 63
Chabinsky, Steven R.: Testimony, 29; Prepared statement, 93
Dodson, Donna F.: Testimony, 7; Prepared statement, 55
Johnson, Doug: Testimony, 31; Prepared statement, 103
Schneck, Phyllis, Ph.D.: Testimony, 5; Prepared statement, 49
Starkey, Elayne M.: Testimony, 27; Prepared statement, 85
Velazquez, David: Testimony, 33; Prepared statement, 113

APPENDIX
HSGAC minority report .... 119
ETA statement submitted by Senator Johnson .... 138
Responses for post-hearing questions for the Record from:
Ms. Schneck .... 144
Ms. Dodson .... 156
Mr. Caldwell .... 157
Mr. Chabinsky .... 165
Mr. Johnson .... 169
Mr. Velazquez .... 172

Wednesday, April 2, 2014
Hon. Roy Blunt, United States Senator from the State of Missouri .... 178
Hon. Edith Ramirez, Chairwoman, Federal Trade Commission .... 181
William Noonan, Deputy Special Agent in Charge, Criminal Investigative Division, Cyber Operations Branch, U.S. Secret Service, U.S. Department of Homeland Security .... 183
Gregory C. Wilshusen, Director, Information Security Issues, U.S. Government Accountability Office .... 185
Hon. Tim Pawlenty, Chief Executive Officer, Financial Services Roundtable .... 198
Sandra L. Kennedy, President, Retail Industry Leaders Association .... 200
Tiffany O. Jones, Senior Vice President and Chief Revenue Officer, iSIGHT Partners, Inc. .... 201

Alphabetical List of Witnesses
Blunt, Hon. Roy: Testimony, 178; Prepared statement, 220
Jones, Tiffany O.: Testimony, 201; Prepared statement, 278
Kennedy, Sandra L.: Testimony, 200; Prepared statement, 273
Noonan, William: Testimony, 183; Prepared statement, 239
Pawlenty, Hon. Tim: Testimony, 198; Prepared statement, 267
Ramirez, Hon. Edith: Testimony, 181; Prepared statement, 227
Wilshusen, Gregory C.: Testimony, 185; Prepared statement, 250

APPENDIX
Additional statements for the Record from:
Food Marketing Institute .... 282
Independent Community Bankers of America .... 284
National Association of Federal Credit Unions .... 286
National Retail Federation .... 290
Responses for post-hearing questions for the Record from:
Ms. Ramirez .... 317
Mr. Noonan .... 320
Mr. Wilshusen .... 328
Mr. Pawlenty .... 332
Ms. Kennedy .... 339
Ms. Jones .... 342

STRENGTHENING PUBLIC-PRIVATE PARTNERSHIPS TO REDUCE CYBER RISKS TO OUR NATION'S CRITICAL INFRASTRUCTURE

WEDNESDAY, MARCH 26, 2014

U.S. Senate, Committee on Homeland Security and Governmental Affairs, Washington, DC.

The Committee met, pursuant to notice, at 10 a.m., in room SD-342, Dirksen Senate Office Building, Hon. Thomas R. Carper, Chairman of the Committee, presiding.

Present: Senators Carper, Coburn, McCain, and Johnson.

OPENING STATEMENT OF CHAIRMAN CARPER

Chairman Carper. This hearing will come to order. Welcome, everyone. This is a day that I would describe for us here in the Senate, I suspect for Dr. Coburn and me as well, it is like fitting a size 13 foot into a size 10 shoe, how we are going to make all this work. We just had a bunch of votes added this morning and this afternoon, and somehow we are going to do our best to get everything done. But thank you very much for joining us. This is an important hearing, and we are delighted that you have come.
A little more than a year ago, President Obama signed an Executive Order (EO) which put into place a number of efforts intended to enhance our Nation's cybersecurity, and we are here today to see what kind of progress has been made in implementing the Order and to gather other ideas about better securing our critical infrastructure from cyber attacks.

Every day, sophisticated criminals, hackers, and even nation states are probing our government agencies, universities, major retailers, and critical infrastructure, and they are looking for weak spots in our defenses. They want to exploit these weaknesses to cause disruptions, steal our personal information and trade secrets, or even worse, to cause us physical harm. While we have been able to hold off some of these cyber attacks, anyone who has examined this issue even casually will tell you that our adversaries are getting into our systems every day. Earlier this week, for instance, the Washington Post reported that Federal agents notified more than 3,000 U.S. companies last year that their computer systems had been hacked.

One of the most significant accomplishments over the last year, though, was the release of a voluntary Cybersecurity Framework. This framework provides those who choose to implement it--whether they be government entities, utilities, or businesses large and small--with a common but flexible set of best practices and standards they can use to better secure their systems. I tend to think of the framework as a ``blueprint'' or ``road map'' to lead us toward stronger cybersecurity. The President's Executive Order called on the National Institute of Standards and Technology (NIST), including Ms. Dodson here today, to work hand-in-hand with industry to develop the framework. It is a living document, dynamic, so NIST, working with industry, will continue to update the framework to include lessons learned and to address the latest cyber threats.

From what I understand, the development of the framework ran very smoothly, and the end result is a product that has been well received by many stakeholders, some who were quite critical of our efforts in these venues previously. In fact, just last week in Delaware, I sat down with a group of cybersecurity experts at DuPont Company who were all extremely appreciative of the public-private collaboration that went into the development of the framework. To NIST and all the partners that have worked on this framework together, I just want to say ``Bravo Zulu.''

But I think that we can all agree that we have not yet crossed the finish line. This is not the finish line. Right now, many organizations across our Nation are actively analyzing the framework to determine how they can use it and incorporate it into their own cyber practices. I commend those efforts, and I am pleased that we have several witnesses with us today who will share their thoughts on using the framework.

Naturally, not every company or State is ready to use the framework. Some may not even really understand what it is all about. To those organizations, I can say that help is around the corner. If you want it, we are there to help. Under the leadership of the very talented Dr. Phyllis Schneck, the Department of Homeland Security (DHS) has launched a new voluntary program to assist organizations in adopting the framework. This program will be incredibly important to the success of the framework, and we will be closely monitoring its progress to ensure it is providing the right tools and information to stakeholders. For instance, we need to make sure our Nation's small and medium-sized businesses are getting the attention that they need to really drill down on the framework.

At the end of the day, though, I think the question that we are all asking is whether or not the framework will help improve our Nation's cybersecurity. While it might be too early to answer that key question, I do believe that the framework itself provides a much needed road map for companies that want to improve their cybersecurity, and this is a very good first step. Of course, the framework will only be successful if companies actually use it, so it is time for industry to roll up their sleeves and put this road map to use to help us make it better. It makes business sense, too. In the words of Dr. Pat Gallagher, whom I think Donna knows pretty well, the head of NIST and now the Acting Deputy Secretary of Commerce, who sat right here, Donna, where you are sitting today, and said, ``good cybersecurity is good business.'' When those two become synonymous, we know we have gotten to a very good place.

When you consider the threats that we are up against, however, I think we can all agree that there is much more that needs to be done, and that is why we continue to believe that bipartisan legislation is the best long-term solution to address this growing concern. We have been working hard with our Ranking Member, Dr. Coburn, and our staffs, the folks at DHS, and others in an attempt to produce such legislation. For example, I think we need to modernize the way we protect our Federal networks from cyber attacks. There is not much argument about that. We also need to clarify and strengthen the public-private partnership that we want the Department of Homeland Security and industry to have regarding cybersecurity. And we need to make information sharing easier so that companies can freely share best practices and threat information with each other and with the Federal Government. And, finally, we need to continue to develop the next generation of cyber professionals and enhance our cyber research and development efforts right here at home.

Last week, I had the privilege of visiting a new cybersecurity class and program at the University of Delaware. I was very impressed with the students and was even told--they were from not only all over Delaware but all over the country and from around the world. But I was told that the class was ``oversubscribed to both,'' undergraduate and graduate students. I think that is a good problem to have. The students at the University of Delaware, they get it. They understand what cybersecurity means and how important it is for our economic and national security. Our friends with us today understand it, too. But for some other folks, this is just a hard issue to grasp. It is my hope that the framework can help us jumpstart a new conversation about cybersecurity in this country. And it is my hope that we can come together as a government and industry, Democrat and Republican--and work together to tackle this growing threat that we face.

With that, let me turn to Dr. Coburn for any remarks that he might want to add. Dr. Coburn.

OPENING STATEMENT OF SENATOR COBURN

Senator Coburn. Thank you, Mr. Chairman, and thank you for this hearing. I cannot let you get away with mentioning Delaware without mentioning the University of Tulsa, one of the leaders in cybersecurity in the country, and they are doing phenomenal work.

I also want to praise the administration for the Executive Order. I have done it before, but it shows what happens when government actually goes out to listen to industry and then works with industry to try to solve problems. And the whole framework for the Executive Order came out of this meeting of minds of what is the problem, what are the potential solutions, how do we get about that. And so this hearing today is an important hearing for us in terms of critical infrastructure and cybersecurity.

But we also have tremendous weaknesses. Dr. Schneck, this is the first time I have gotten to meet you. Everything I hear is great. I hope to come back out there and actually work with you directly at your facility.
But, we run the United States Computer Emergency Readiness Team (US-CERT) from Homeland Security, and they put out a notice on Windows XP. It is not going to be maintained anymore. But guess what agency has the largest number of Windows XP programs? Homeland Security. And that is not to be critical. That is to say the problems are so big, and Homeland Security was brought together, and we are just now getting to the able-bodied capability that we need there to start addressing some of these internal problems.

The other thing that Senator Carper and I have, and we are working on the other side as well, is we are going to get you the capability to hire the people you need, and that is going to be on our next markup, I have been assured, and we are going to help that flow through Congress and get to the President's desk, because one of the things you have to do is be able to compete with private industry for all these oversubscribed classes.

So I look forward to our hearings. I look forward to our second panel as well. I would also note we have a vote at 11 o'clock that is going to tie us up for 45 minutes to an hour, because there is a multitude of votes. So maybe we should get with it, and I will submit a written statement\1\ for the record.

\1\ The prepared statement of Senator Coburn appears in the Appendix on page 46.

Chairman Carper. Sounds great. Very briefly, our witnesses: Dr. Schneck is Deputy Under Secretary for Cybersecurity and Communications for the National Protection and Programs Directorate (NPPD) at the Department of Homeland Security. In this role, she is the chief cybersecurity official for DHS. Prior to joining DHS, Dr. Schneck worked at McAfee, Incorporated, where she was the chief technology officer for the global public sector.

Our second witness is Donna Dodson. Ms. Dodson is Chief Cybersecurity Officer for the National Institute of Standards and Technology at the Department of Commerce. Ms. Dodson also serves as the Division Chief of the Computer Security Division and Acting Executive Director of the National Cybersecurity Center of Excellence. In her position, Ms. Dodson oversees research programs to develop cybersecurity standards for Federal agencies and promotes the broader adoption of cybersecurity standards through public-private collaborations. Good to see you.

Our final witness is Stephen Caldwell. Mr. Caldwell is Director of the Homeland Security and Justice Issues team at the Government Accountability Office (GAO). In his capacity he has worked on recent reports regarding the protection of critical infrastructure and the promotion of resiliency. Mr. Caldwell has over 30 years of experience at GAO, and we thank him and all of our witnesses for joining us today.

I want to thank Senator Johnson for joining us today. Very nice to see you.

Senator Coburn. I would just like unanimous consent to put into the record a report on the Federal Government's track record on cybersecurity and critical infrastructure\1\ that was from February 4, 2014.

\1\ The report submitted by Senator Coburn appears in the Appendix on page 119.

Chairman Carper. Without objection. All right. Dr. Schneck, you are the lead-off hitter. Swing away.

TESTIMONY OF PHYLLIS SCHNECK,\2\ PH.D., DEPUTY UNDER SECRETARY FOR CYBERSECURITY, NATIONAL PROTECTION AND PROGRAMS DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY

Ms. Schneck. Thank you, and thank you for your very kind words. Good morning, again, Chairman Carper, Ranking Member Coburn, and distinguished Members of the Committee.
It is an honor and a pleasure to be here before you today to talk about the Department of Homeland Security's----

\2\ The prepared statement of Ms. Schneck appears in the Appendix on page 49.

Chairman Carper. Is this the first time you have testified before a committee?

Ms. Schneck. It is my first time as a government witness, sir.

Chairman Carper. OK. Fair enough.

Ms. Schneck. Which I have heard is a bit different. But it is a pleasure to be here to talk about the Department's work in cybersecurity and critical infrastructure.

We face a cyber adversary that is fast. They have no lawyers, no laws, nothing to protect, and they share information very easily. They execute when they want with an alacrity that we envy, and it is greater than ours. So in that spirit today, I will speak to you about our vision for the Department of Homeland Security, our work with the Executive Order, and with the fine people at NIST, and our implementation of the voluntary program, which we call the Critical Infrastructure Cybersecurity Community--C3 Voluntary Program.

I came to DHS 6 months ago. I came for the mission. I came to bridge the public and private. I come from a technical background in the private sector, and I was the authorizing person to share information with the government. That was hard. It was based in trust, and we knew we had to do it. And now that I have been in government, I have a whole new perspective of the challenges in government, and a top priority for me at the Department will be enhancing the trust that we have with our private sector stakeholders, as well as our Federal Government, our State and local stakeholders as well. Building that public confidence, leveraging the internal sibling organizations that we have with the U.S. Secret Service cybersecurity, the Coast Guard, the TSA, the Federal Emergency Management Agency (FEMA), our research and development, and, of course, our homeland security investigations, our internal law enforcement as well as our external partners with the Federal Bureau of Investigation (FBI) and the intelligence community, it is vital.

What we need to really improve our infrastructure resilience is speed. It is how do we increase that alacrity, and in that process I envision our National Cybersecurity and Communications Integration Center (NCCIC) as the core of that. How we have the government indicators that we get from our programs, such as EINSTEIN, Continuous Diagnostics and Mitigation, how we pull those together that only we can see because it is government, how we leverage our strengths and privacy and civil liberties, our ability to show the world everything that we do, full transparency, and work with the private sector through that trust that we need to build better partnerships, to create that common operating picture that the President requested.

We are already partway there in creating indicators, what I call a weather map. This is what the adversary cannot do, that situational awareness to turn our networks into more self-healing. Your body does not have a meeting to fight a cold. In the same way, our networks should not pass bad traffic. Right now we are passing malicious traffic at 320 gigs per second on world-class carrier grade routers to good people, and we need to work together in partnership. And one way we do that is with this framework.
I was on the first 6 months of this process with the great people at NIST as the private sector where all of our companies put our finest scientists to work with the government to create this broad set of guidelines for cybersecurity so that large companies could take what they know and put good practices into their suppliers, into their customers, and help raise the level of all cybersecurity to make our country safer.

One of the first things I did when I got to the Department is work with a team to take money to pay for Managed Security Services for State and local governments when they adopt the framework, logic being that in a year or so, when they are protected, because they sit on critical infrastructure information, private citizen information, and they know how much they have to protect but they are woefully underbudgeted. We will be protecting them while they use the concepts in the framework and the voluntary program and all the resources of DHS that come with adopting the framework--cyber resilience reviews, technical assistance--they will now be able to take that cybersecurity discussion to a level of risk-consequence, and likely have better budgeting decisions.

Same with small to medium businesses to whom we have released a request for information saying how can you go forth and innovate, do what our country does best, take leadership and make elite security, new security products, services, things that protect us, but things that are affordable to those small to medium businesses, so that we all raise our level of security together.

We look forward to having that tie back to our vision because in that partnership, as we look at security holistically, as part of keeping the lights on and maintaining our way of life, part of infrastructure resilience, we build that trust and partnership across all sectors, that NCCIC continues to get information, that we can not only provide in a weather map picture, which we already do, but also put out in real time so that when traffic is passed, networks know whether or not they should accept it. That is where we outdo the current alacrity of our adversary.

We have enjoyed the support of you and your Committee. We thank you for the confirmation of our Under Secretary Suzanne Spaulding. What we need is some statutory clarification of our role. To react more proactively and with greater alacrity, we need to spend less time proving through a patchwork of legislation to our partners what our role actually is and more time just getting to it more quickly. That would help a lot, and also thank you for your kind words in the beginning about our workforce. I have had the opportunity and the honor to visit with Secretary Johnson some universities and some students. There is fine talent out there, and I know with our mission we could actually use our mission and outdo some of those salaries they are offered. But we have to have the flexibility and some additional competitiveness to bring them inside and see what we do and get them on board. That is our future.

So I thank you for the opportunity to briefly share our vision, to talk about the Executive Order, and I look forward to working more with you to make our country safer and more resilient. Thank you.

Chairman Carper. That was an impressive debut.

Ms. Schneck. Thank you.

Chairman Carper. Thank you. Ms. Dodson, very nice to see you. Welcome. Please proceed.

TESTIMONY OF DONNA F. DODSON,\1\ CHIEF CYBERSECURITY ADVISOR, NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY, U.S. DEPARTMENT OF COMMERCE

Ms. Dodson. Thank you.
Chairman Carper, Ranking Member Coburn, and Senator Johnson, thank you for this opportunity to testify today on the National Institute of Standards and Technology's work through public-private partnerships in the area of cybersecurity.

\1\ The prepared statement of Ms. Dodson appears in the Appendix on page 55.

As a scientific organization focused on promoting U.S. innovation and industrial competitiveness, we at NIST see ourselves as industry's laboratory with strong partnerships with the private sector driving all that we do. As this Committee is well aware, NIST has spent the last year convening critical infrastructure sectors and relevant stakeholders to develop the Cybersecurity Framework. On February 12, Version 1.0 was released, along with a road map for future work in support of this effort.

From the start, NIST saw the framework as a tool that any organization in any one of the very critical infrastructure sectors could use to build strong cybersecurity programs. The intent was to assess the current capability of the market while offering a common language to address and manage cybersecurity risks. The voluntary nature of the program and the extensive private sector engagement has encouraged the widest set of stakeholders to come to the table and work collaboratively. This approach, with its reliance on consensus standards, has a proven track record. When industries and other private sector stakeholders get together and determine for themselves what standards are needed to ensure confidence and quality, those standards are much more likely to be adopted and implemented.

NIST began the framework development process with a request for information and received hundreds of submissions. Those submissions provided a foundation for the framework. We followed this request with five workshops around the country with thousands of participants. Our approach was to gather feedback from participants, conduct analysis, and present those findings back to the community for additional refinement. Even the fundamental structure of the framework came from this engagement: an initial outline was presented to the stakeholders, and then that outline was filled in at our workshops.

The result of this effort is a document that lays out critical elements of any cybersecurity program and then links those elements to proven best practices and protections for organizations to consider using while factoring in privacy and civil liberty needs. The framework consists of three parts: the Framework Core, the body of existing practices that can help an organization answer fundamental questions, including how we are doing; the Framework Tiers that help to provide context on how an organization views cybersecurity risks; and the Framework Profiles that can be used to identify opportunities for improving cybersecurity posture by comparing a current state with a desired or target state. My written testimony has additional details on each of these pieces.

The framework structure will enable organizations to tailor plans to their specific needs and communicate them throughout their organization. Some companies may discover that an entire cybersecurity effort consists only of passwords and antivirus software with no real-time detection capability, and other companies may find the framework a useful tool for holding their key suppliers accountable for their practices. As organizations use the framework, their experiences can then be reflected back to keep pace with changes in technology, threats, and other factors, and to incorporate lessons learned from its use and to ensure it is meeting national priorities.
Moving forward, NIST will continue to work with industry, DHS, and other government agencies to help organizations understand, use, and improve the framework. Only 6 weeks in, we are aware of many organizations that are already using the framework and providing feedback to DHS and NIST. Phyllis has already discussed the great strides that DHS is making in working with sectors on more detailed operational guidance, which we will work with them to support. We recognize that the cybersecurity challenge facing this Nation is greater than it has ever been. We are committed to working as part of the private-public sector team to address this challenge. In particular, NIST will continue to support a comprehensive set of technical solutions, standards, guidelines, and best practices that are necessary to address this challenge. Some of NIST's work will be conducted through other programs, including our work under the Federal Information Security and Management Act, the National Strategy for Trusted Identities in Cyberspace, and the National Cybersecurity Center of Excellence, as well as our research and development work. Thank you for this opportunity to testify today, and I would be happy to answer any questions you may have.

Chairman Carper. Ms. Dodson, thanks so much for your testimony and for being with us. Mr. Caldwell.

TESTIMONY OF STEPHEN L. CALDWELL,\1\ DIRECTOR, HOMELAND SECURITY AND JUSTICE ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE; ACCOMPANIED BY GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION SECURITY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE

Mr. Caldwell. Chairman Carper, Dr. Coburn, and Senator Johnson, thank you very much for asking GAO to come here today.

---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Caldwell appears in the Appendix on page 63.
---------------------------------------------------------------------------

Chairman Carper. How about Senator McCain over here?

Mr. Caldwell.
Oh, sorry, Senator McCain. I did not see you slip into the----

Chairman Carper. He slipped in a little late, but he is here.

Senator Coburn. He is hard to miss.

Senator McCain. I am insulted. [Laughter.]

Mr. Caldwell. I am Steve Caldwell, and I am from GAO's Homeland Security Team, and I am in charge of our work on the physical protection of infrastructure. I am accompanied by Greg Wilshusen here, whom I think you know. He has testified before this Committee previously. He is in charge of GAO's work on cybersecurity. The reason both of us are here is we are bringing together some of our work on both the physical and the cybersecurity areas that deal with the partnership that we are talking about our report is here in the broader sense of trying to pull up some more generic lessons learned perhaps as we move forward with the new C3 initiative. Since 2003, GAO has listed cybersecurity of critical infrastructure as a high-risk issue. There are several reasons for that. One of these is the importance of cybersecurity, as our dependence on it continues to grow and evolve. Also, cyber incidents continue to rise at a very quick pace, at least the ones we know about. Then the Federal Government continues to have a number of challenges in trying to deal with these incidents. As noted, in the wake of the Presidential directives and the Executive Order last year, there is a new program, the C3 Voluntary Program here. So today I am going to discuss key factors related to the partnership between the private sector and government that may provide lessons, moving forward. My statement is based on a broad body of GAO work that has included all 16 sectors of critical infrastructure. It has looked at protection against all hazards, both cyber and physical. It has looked at infrastructure largely owned by the private sector and programs that have used both a voluntary and a regulatory approach.
As a whole, the DHS partnership has made a lot of progress in terms of sharing threat, protection, and resiliency information with a wide variety of partners. These include other Federal agencies, State and local governments, and most importantly, with industry. However, there have been many challenges, and we have noted these in our written statement. My written statement goes into both progress made in both the physical and cyber partnerships as well as several examples.

For example, our recommendations have asked DHS to seek better understanding and focus on what the expectations are of industry. We have asked DHS to identify and, where possible, clear some of the barriers to information sharing that we have found. We have asked DHS to determine why industry does not participate in some of the programs DHS runs so it has to go beyond those that participate to those that do not participate to find out why. We have also asked them to share information more broadly at the sector level and at the regional level. It should share information, not just with individual companies but in the broader sense of the grouping of companies. And we have also asked DHS to evaluate whether and how industry is actually using some of the assessments that DHS has provided, particularly in the voluntary programs. And then, finally, we are asking DHS to systematically assess the performance of the outreach efforts that they have to industry.

In closing, DHS has taken a number of steps to develop these partnerships, and these are critical for protection against both physical and cyber attacks. However, a lot more work remains, and we have kept the cybersecurity of infrastructure on our high-risk list in our last iteration of the list and anticipate that it will remain so as we move forward. So until the Nation's most critical infrastructure systems have a better partnership with DHS, these systems remain at risk. That concludes my remarks. Mr.
Wilshusen and I will be happy to answer any questions you may have. Thank you.

Chairman Carper. Thank you very much. Dr. Schneck, we just heard from Mr. Caldwell a series of, I will call them, ``asks'' from GAO. He says we have asked DHS to do this, and I think about a half dozen or so. Are you aware of those asks? And would you care to respond to what DHS is doing in light of them?

Ms. Schneck. Absolutely. And, first of all, thank you. We do a lot of work--again, my first 6 months with government, I am learning a lot, and I really appreciate the work of the GAO.

Chairman Carper. They are good people.

Ms. Schneck. Absolutely, and I had the opportunity to work with them before. So there are many asks, some of which I have known a little of and some not, but we are in the first phase of, as Donna mentioned, an evolving program with the framework. So this is Phase 1. We are now into Phase 2. This is a living document. It will adapt and we will adapt to how industry and government need to raise the level of our security, evolve with our guidelines, and these metrics will evolve. I think we are assessing right now our outreach. We are 2½ months in. We already have actually a checklist for our State and local as to who has adopted what parts of the framework, who is actually using services, who was before. We will be looking at doing something similar for the private sector, and certainly on the government side, absolutely. So we are very much on top of that, but also tracking in partnership, because the success of this, as I saw in the first phase as the private sector, comes from the fact that the private sector is very bought in. They know that they designed this thing with us, with NIST, and they have a lot of trust in that. So we want to maintain their input as we build how we rate the success.

Chairman Carper. Could you just describe for us in your own words the role--we have the framework, we have the blueprint, the road map.
It has been well received in a lot of circles. What are some of the criticisms you have heard of it? This is for anybody. What are the criticisms we have heard of the process and the product to date? I have not heard any, and there must be some.

Ms. Dodson. So as we were beginning the development of the framework, I think people were concerned if this would truly be a private-public partnership, or did the government have the answer in its back pocket that it was going to put out and put forward. Through the process that we put together with industry and the iterative and the constant communication from one workshop to the next workshop, they could see the development of the framework and the inputs that we received and how we got to the end stage. People are always concerned about cost, and so as you look at the framework development, we took a risk management approach so that it is integrated in with your entire business. And really that work with the private industry on the appropriate set of standards and best practices to put in there, there is an element of cost there, and they can balance that with the risks that they see and the need to protect their information. So those are two of the major concerns that we heard during the development process of the framework and how we addressed those collectively across the government.

Chairman Carper. All right. Thank you. Dr. Schneck, talk to us a little bit about the role of DHS going forward in terms of implementing the framework and figuring out who needs some help in implementing maybe small and mid-sized businesses, maybe even some larger ones. How do you identify them? Do they just step forward and say, ``Well, we need some help. What can you do for us?'' and then you have a conversation? How does that work? Also, in terms of what you need at DHS to do that job, the kind of resources that you need, be they people, the kind of people skills that Dr.
Coburn talked about, technology, authorization, maybe things you need from us, talk about those, what your needs are to be able to meet your responsibilities in implementing the framework.

Ms. Schneck. OK. I will start with DHS' role, the response and mitigation to cyber attacks focused on critical infrastructure resilience, basically to protect that holistic all-hazards approach, and really looking at cyber discussion as that risk-consequence equation. Going back to what Dr. Gallagher said about equating cybersecurity and business practice, when are we going to get there? And I think our role is twofold. One is on the people side really engaging those partnerships. To Donna's point, there was a lot of skepticism. Will this really be a partnership? And part of our role in working with NIST and others is to make sure that the private sector is at the table in helping those discussions and taking their lead on what it is going to take to, No. 1, help the providers make better technology, to help us innovate and drive those markets economically; and the other is how do--to your other point on small to medium business, that is a huge risk. I testified on that in another capacity some years ago. These are companies that have no idea in many cases that they have something to protect, and yet they are connecting to everybody else, making the rest of us not secure, with very small budgets. I went to Silicon Valley 2 weeks ago to talk to our venture capital community, to talk to our innovators out there about how they can protect those assets they are funding and growing. So our role in DHS on the people side is really to engage, to partner, to build that trust, and to use those qualities that we leverage most--the privacy, the civil liberties, the transparency--so that when we bring people and information together, we can push it out as fast as possible to help stop bad things getting to good people. But we can also be a resource for people to learn.
On your next question about implementing the framework, we have a very aggressive schedule on helping. We are reaching out to small to medium business through the Chamber, through other organizations, obviously reaching out to the larger businesses through our Conservative Political Action Committee (CPAC) partnerships with all 18 critical infrastructures, certainly on our Federal civilian side working with all of the agencies and with the State and local through the Multi-State Information Sharing and Analysis Center (MS-ISAC), so certainly reaching everybody. Everybody has different sensitivities. Everybody has different things they need to see. And working through all of that through different teams that are joined together. And quickly to cover on the workforce, there is great talent out there. We need everything from technical----

Chairman Carper. When you say ``out there,'' out where?

Ms. Schneck. The universities that----

Chairman Carper. Within DHS or outside?

Ms. Schneck. Both.

Chairman Carper. OK.

Ms. Schneck. And I will say for all the skeptics, I walked into one of the finest teams on the planet.

Chairman Carper. Really?

Ms. Schneck. So those who think that government is not smart, they are wrong. What we need is more people like the ones we have, some more technical resources like we have in our US-CERT, because more and more we have those teams that fly off and help people respond to attacks. We need to have more of that. And there is a spectrum of skill sets. We need the cybersecurity experts. We also need folks that are skilled in analytics. We need policy people. And that combination of talent and people that work with us, with our Science and Technology Directorate, through Research and Development (R&D), need to look at a holistic view of what we can do with our partnerships, what we can do across cybersecurity across DHS, and have a mind-set of where we can go next.
This is how we get faster from our adversary, and I have had the opportunity, as I mentioned, with Secretary Johnson to meet some people that I believe fit that bill. And I believe our mission can meet what their other salary offers can meet in a different way.

Chairman Carper. How can we help? Dr. Coburn mentioned briefly one idea, and that is to make sure you are able to attract and retain the kind of talent that you need in this arena. But whether it is in that regard or some other regard, how can we help you meet the responsibilities that you are facing?

Ms. Schneck. The onboarding process, if we could make that easier, give us a little bit more money to hire, a little bit stronger hiring authorities to make things more competitive for us, because our mission meets the salary. People say that good talent does not come because we cannot pay them. Sometimes we can make up some of that gap with our mission, but the rest of the gap and the long process and what it takes to come work for government, if you could help us make that easier, give us some additional authorities to bring great people on, that will help our overall partnership. And I believe that goes to the safety of our Nation.

Chairman Carper. Good. Thanks so much. Dr. Coburn.

Senator Coburn. One of the words that you spoke a minute ago was maintain input from the private sector. And what I hear from the private sector is this inherent worry that we get to the implementation phase and this is no longer a voluntary program but a mandatory program. Talk to us about that.

Ms. Schneck. Thank you for that question because it is something that we work with every day, because we heard it every day from our stakeholders. The main goal of this framework was to engage the private sector to drive this with their innovation, with their picture, and to get us as a country together, public and private. There is no better incentive than actual security and safety.
At the White House anniversary of the framework on February 12 of this year as well as the day of the beginning of the launch of the voluntary program to adopt the framework, we had several CEOs in attendance of some of the major large companies, and one actually said his major incentive was fear and that he would be helping us to implement this. So other ways that we are looking at this is how do we continually in a phased approach maintain the private sector's involvement as we do the adoption. We will learn. We are putting all of our resources out to the private sector. We are not asking them to report to us if they have used it or not. We want to look at our outreach. We want to study our metrics, stay involved with the large companies that are--and this is very key to me--asking their suppliers to be more secure so that when you connect to a smaller company, you do not endanger the larger company, and requiring of their customers, same with the State and local. And a lot of basic cyber hygiene and guidelines that are mentioned in this framework could have prevented a lot of the attacks that we have seen thus far.

Senator Coburn. Thank you. Talking a little bit about government, hygiene in the government, it is a big problem, isn't it? How do we solve that?

Ms. Schneck. Wow. So one approach that I would look at--and you mentioned the Windows XP, so that is a great example. This is a critical issue that is affecting everybody. DHS has worked with Federal agencies to get this awareness out. We have a great partnership between the National Protection and Programs Directorate, where I sit, and our Chief Information Officer (CIO). Our great new Chief Information Security Officer (CISO) Jeff Eisensmith, and CIO Luke McCormack and I talk all the time, because, candidly, there is no sweeter network than DHS.gov to learn from who is trying to attack us. And then we put that knowledge into how we protect everybody else.
On the XP issue, the migration to Windows 7 for us is expected to be complete before the end of the security updates for XP, and I know that DHS long before I got here put that warning out to all other agencies. So that is one way I think DHS protects our other agencies. The other is in programs such as EINSTEIN, with simple network protection intrusion, prevention and detection. But the ability to understand with our information--again, we see all the networks we protect, so all that information that large view in the Concept of Operations (CONOPS) for cyber from that NCCIC goes into the protection of every single agency that we protect. And then every time we see something, we learn something from it, and that goes to protect everyone else, and we can push that information out as well to State and local. So that hygiene in government can come back to our programs.

I also want to call out on that same note Continuous Diagnostics and Mitigation. That is near and dear to me because it takes the 3-year book of compliance that I called a ``doorstop'' when I was in the private sector; it takes people's resources to build this one book of compliance that says at this moment in time this is how my network looked. Continuous Diagnostics and Mitigation changes your network into an immune system. At any given moment, it will understand, detect, and attack something that is bad and report on it. So you can save your strongest minds to hunt for the most malicious actors. So in government, we are taking large strides toward that hygiene. All of that fits within the guidelines of the framework. And then certainly taking that data from Government that we learn and pushing it out to private sector. So we think Government hygiene will uplift everybody else, and we certainly hold ourselves to higher standards than others at DHS.

Senator Coburn. There has been some maybe not criticism but some questions about the efficacy of EINSTEIN.
Do you feel comfortable that it is where it needs to be?

Ms. Schneck. I do. So 6 months ago, when I came in, one of the first things I did was learn the history and then the current path of where we are. There were, of course, some hiccups, as in any large technology program that I have seen all my life. But now we have our second service provider on. In fact, now that that service provider is signed up to provide Einstein 3 Accelerated (E3A) accelerated services, which is used in prevention, we at DHS will be leveraging those services as well. We are finally at a point as well where we are getting enough data and protecting enough agencies--I think about a quarter now of the seats in the government--and a lot of that depends on, again, getting other service providers signed up, but I think we are at a point where we are now looking at the more interesting topic, if you will, which is how do we use the data that we are collecting from government to give it to the private sector.

Senator Coburn. Sure.

Ms. Schneck. For example, programs such as Enhanced Cybersecurity Services, which allow us to protect the private sector with classified information, as well as take unclassified information but that we learn from the EINSTEIN program in government and push that out in real time with regular traffic, so that as traffic flows through the network, other parts of the network and other devices know not to accept it if it is going to hurt you. So to wrap up, government hygiene I think is important, and it affects everybody.

Senator Coburn. So it is important not just to maintain the input from the private sector, but also to maintain the trust of the private sector that what you have provided to them is worth them having.

Ms. Schneck.
Oh, absolutely, because, again, someone like me, 6 months ago in a company, was given the ability and the authorization to use my own judgment when we should talk with government, and I was always asked what are we getting back, what are they doing. So that is in both human time, what are we going to learn from different government agencies by sharing; and then in real time, the government and I believe DHS uniquely, because of our emphasis on privacy, civil liberties, and transparency, and our NCCIC, has the ability to correlate that data and learn a lot from private sector, combine that with what we as only government can see, and push that out faster than our adversaries could hurt us.

Senator Coburn. And so in your thought pattern right now, as long as you can keep the voluntary compliance and working relationship on a basis of trust and value, we are not looking at hard regs mandated by the Federal Government for this is how you will do this.

Ms. Schneck. We are focused on voluntary engagement, learning as much as we can from the private sector, and pushing as much correlated data out as we can.

Senator Coburn. All right. Thank you.

Ms. Schneck. Thank you.

Chairman Carper. Senator Johnson.

Senator Johnson. Thank you, Mr. Chairman. Ms. Schneck, welcome. Let me pick up where Dr. Coburn left off there. I have been here 3 years now, and we have been talking about cybersecurity. I was actually in the meeting with a bunch of Senators trying to hammer out a cybersecurity bill. A pretty prevalent attitude in that room was that businesses, the private sector, needs to be forced into protecting their cyber assets. Is that your experience in the private sector?

Ms. Schneck. So I came from a large cyber provider, so, no, we did not need to be forced to protect cyber assets. But I can tell you that our customers did not either.
They had either experienced a breach or knew enough to know that they would experience a breach, and many in the field say that there are two kinds of companies and entities right now: those who know they are compromised and those who do not. So the issue is how we raise cybersecurity to a business discussion. I think that the framework and the voluntary program will get it to the board room, because it becomes part of the risk. We do not force people to lock their doors, and yet they do. So this is part of a culture of security that has been talked about for 12 years. I think Howard Schmidt is the first person to use that phrase back in 2000, 2001, or 2002. And looking at how we continue to engage that private sector innovation, drive the market. Once NIST engaged with the private sector, they sent out their best and their brightest for 3 to 4 days at a time to workshops that required long flights, and they are continuing to remain involved because they see the importance, not just for their brand reputation but for their customers and, candidly, as part of our Nation's network and our global assets.

Senator Johnson. Well, it was certainly my attitude, and trust me, I was the minority view, that I really think businesses want to protect their cyber assets and actually look to government, acknowledging the fact that the government has an awful lot to offer. And so I have really been pleased with what NIST is trying to do, make this a voluntary approach. It is the way to go. If we can facilitate cybersecurity versus dictate it, I think this will work. If we try and dictate it, I think the private sector shuts down. Over these 3 years, it seems like the No. 1 component or the first priority is really to facilitate information sharing. Ms. Schneck, you talked about the need for speed.
What is the greatest inhibitor to get that free flow, that rapid, the speedy information sharing that is required if we are going to detect cyber threats and try and contain them as much as possible?

Ms. Schneck. I have an optimistic view of that, and there are pockets in the private sector that can already do this. That is how I know we can build it, and that is how I know how--I built one of those in my previous life--where the analysis of data can be in real time pushed out with traffic. I think our job as government, and especially with DHS as a lead civilian agency for this, with the ability, again, to do it right, with privacy experts and civil liberties, and show the world exactly how we do it, we have the ability to correlate information and get a global view of what traffic might be OK and what might not be, and to literally pass that at machine speed. Just as you send an e-mail----

Senator Johnson. But, again, businesses have to feel comfortable to share that information. Isn't liability protection a big problem in terms of businesses not being willing to share that? And isn't that something Congress needs to do?

Ms. Schneck. So we look at liability protection. I can give you an anecdote from my previous life. This is something that would have helped us, because I was often in situations where, as company or country, and can you share, the lawyer will not let you, but you know that the information you have from the research you do could help a lot of people. So I know the administration is looking at targeted liability protection, and, again, my perspectives have changed a bit since I have come over to government, because I see some of the different challenges. And part of what I want to do is bridge that, and that is why I want to build that trust.
And I think that the targeted liability protection that the administration is looking at right now would help us because it would protect companies in the instances defined to share information, and they would not get hurt by that and would not be held liable, nor would their shareholders, if--for example, in my case, when I did this, a sector could be exposed for having potential liabilities. But it would not be so broad that it threatens even the optics or the perception of threatening our privacy and civil liberties because we are fighting to protect, again, our way of life. So it is a balance.

Senator Johnson. The devil will be in the details on that one. First of all, I am pleased to hear that you appreciate the talent that is already in your agency. That is good to hear. I am intrigued, by the way. I really appreciate the fact that you are willing to leave probably a pretty good-paying job and come in here and do work for the Federal Government, pretty important work.

Ms. Schneck. Thank you.

Senator Johnson. Let me just ask you, if you had to go through the confirmation process, would you have decided to make that switch?

Ms. Schneck. If I had to go through the confirmation process? So when----

Senator Johnson. Did you go through the confirmation process? My information is you did not.

Ms. Schneck. Not the Senate confirmation, no, sir.

Senator Johnson. Correct. But if you----

Ms. Schneck. But I would have done it anyway.

Senator Johnson. But had you gone through the confirmation process, would that have prevented you from considering a position here in the administration?

Ms. Schneck. No.

Senator Johnson. OK. In terms of attracting other people into government, into these high-tech positions, certainly there is kind of the mission challenge that is attractive, but, again, there are a lot of good-paying jobs out in the private sector. Can you speak to what kind of dollar differences we are talking about?

Ms. Schneck. Oh, wow.
So, again, all of that, it depends on----

Senator Johnson. I am a business guy, so I focus in on some of those practical concerns.

Ms. Schneck. So in many cases, sir, there are six-figure differences, and that is before the stock. However, I think there is a much more important--it is not always that way, but there is a much bigger, I think, calling, if you will, and that is that when you get to government and you can--and I only learned this 6 months ago, but how much people in government do so that someone in my position never knew it got done and just felt safe every day. I think that having that other piece of knowledge helps bridge the gaps that we need to bridge to keep our economy--to let our private sector drive innovation to keep our country in leadership in science, and all of that will make us more secure. And so what I would love to do is be able to pull some more people from the private sector and say, ``Come see what I learned, and come join our team and help us.'' I know that our mission can pull them. From what I am told, the hiring process is very difficult, and, if, again, we could get that help from Dr. Coburn and from the Committee----

Senator Johnson. OK. That is really the point I am trying to make. Having come from the private sector, which obviously has bureaucratic problems as well, can you just compare and contrast a little bit in terms of what you see, what your viewpoint is, comparing bureaucracy in the private sector versus bureaucracy here in government? Because, again, this has been an urgent need since I have been here, and even before that. This is 3 years. We are still moving forward. We are still talking pretty much about the same issues, although there has been some real advancements because of the Executive Order and NIST, and I appreciate that. But we are still, it seems like we certainly have a ways to go.

Ms. Schneck. So do you mean in the hiring or in the technology?

Senator Johnson.
I am talking about just in terms of moving a process forward and the bureaucracy versus the private sector versus government.

Ms. Schneck. So in my short 6 months here, I have learned that working with our partners across the Department as well as across agencies and certainly with committees such as this is the best way to get things done because you build support for what needs to get done, you target your budget, your blueprints and your outlook, your strategic plan toward what you feel needs to get done. In a company, I think that sometimes things move a little bit faster. But bringing that together--and that is what companies can do best. That is why they can innovate so quickly. But then, again, there are rules and reasons why we have government processes. I have had the opportunity and honor to start to understand some of that. It keeps government honest. And we do have a lot of information and deal with very large budgets. I think that is fair. But, again, bridging that, building that partnership, building that balance, I have seen both bureaucracies, and I know we can work together, and I plan to get that done with your help. We need your help.

Senator Johnson. OK. Thank you. Thanks, Mr. Chairman.

Chairman Carper. Thank you, Senator Johnson. Senator McCain.

Senator McCain. Well, thank you, and I thank the witnesses. Ms. Schneck, you said that would not have deterred you, having to go through the confirmation process, but I guarantee you are just as happy you did not. [Laughter.] Let me ask all three witnesses, isn't it true that current trends indicate that the incidence of cyber attacks and incidence of breaches of cybersecurity will continue to increase in terms of frequency and gravity for the next 3 years and the costs will increase more quickly than the benefits? Would you agree with that assessment?

Ms. Schneck. So I have not seen those numbers or the source. I do think cyber attacks are increasing. I do think the gravity is increasing.
And we see everything on the spectrum from making noise to preventing business to actual destruction.

Senator McCain. Ms. Dodson.

Ms. Dodson. So when we started the development of the framework----

Senator McCain. My question is: Do you believe that they are increasing?

Ms. Dodson. So yes, we do believe that they are increasing, and that is why the framework addresses resiliency, not just stopping the attacks but that protect, detect, respond, and recover capability that are outlined in the framework, because that resiliency is very important.

Senator McCain. Thank you. Mr. Caldwell.

Mr. Caldwell. Senator McCain, hopefully I can make up for my omission at the beginning----

Senator McCain. Inexcusable.

[Laughter.]

Mr. Caldwell. The data that we use, which is from CERT, certainly shows a striking increase in incident numbers.

Senator McCain. And more than 100 countries are cyber capable. And if you put it into different categories--and there are different ways of doing that, but let me try this: Political activism, organized crime, intellectual property theft, espionage, disruption of service, and destruction of property--which of those are our highest priorities, would you say, Dr. Schneck?

Ms. Schneck. I believe that resilience against all of them. They are all happening. If we prioritize toward one, the adversary will go after----

Senator McCain. One or two is fine.

Ms. Schneck. So the ones that harm our way of life, the destruction for me, and certainly for the business.

Ms. Dodson. So I agree with Phyllis that looking at resiliency is critical, and those things that really affect our way of life and those things that touch our life, and it is a big challenge as we look at the explosion of information technology across all aspects of our life.

Mr. Caldwell. Senator McCain, really the priorities on those threats would vary a lot. Obviously, in government you have to worry about espionage of national secrets.
If you are a big company, you are worried about data breaches, dealing with your consumers and your clients. If your business is dependent on the innovation end, you are worried about the stealing of your intellectual property.

Senator McCain. And I think we all conclude that the cybersecurity is an issue of transcendent importance. Mr. Caldwell, the cybersecurity budget is about $1.5 billion. It is less than 5 percent of the total DHS budget. We do not like to talk just in terms of money, but money is a very significant factor. Do you think that that is sufficient priority of cybersecurity, that amount of money?

Mr. Caldwell. I am going to ask Greg Wilshusen to address that. He does most of our cyber work within GAO.

Mr. Wilshusen. Good morning. I would say that we did not address the budget per se, whether that particular amount is enough. One of the things that governmentwide has been reported is that government spending toward information security has been around $13 to $15 billion out of about $70 to $80 billion spent on information technology (IT). So it has been about 18 percent, as has been reported by the Office of Management and Budget (OMB). Within the Department of Homeland Security, I do not know if I could actually say that that is the accurate amount or the total amount that should be spent. Clearly, the Department has many responsibilities and needs to do a better job in certain areas in terms of providing better support to the Federal agencies as well as to critical infrastructure. If that is a matter of budget, I think we talked earlier about there are some needs for top talented people to continue to come to the Department.

Senator McCain. Thank you. I, like Senator Carper and Senator Johnson, have spent many hours in meetings trying to formulate cybersecurity legislation. We bump up into various problem areas--privacy versus national security, what the role of private enterprise is. We continue to address this in a circular fashion.
One of the reasons is because we have oversight overlap of so many different committees that have responsibilities--the Judiciary Committee, Armed Services Committee, this Committee, and probably the Commerce Committee and many others. Given the gravity of this challenge that we face, I have been arguing for a Select Committee. I count some 30 pieces of legislation that have already been introduced in both Houses, and, of course, none of them are going anywhere. Mr. Caldwell, does GAO have a thought on that subject?

Mr. Wilshusen. Certainly there are a number of Congressional committees that have oversight of the Department. I believe the Department would probably be better positioned to determine what impact that has on it. But we do testify before a number of committees on this subject. But it is up to Congress to organize as it sees fit in terms of how it provides oversight.

Senator McCain. Thank you. Ms. Schneck, should we shift the focus to telecommunications companies and Internet Service Providers (ISPs) and examine whether they could be doing more to monitor the various cyber threats coming through their infrastructure?

Ms. Schneck. So cybersecurity is a shared responsibility. We all have a piece throughout government and the private sector. In my experience, the telecoms have done a lot. They have really stepped up and helped, for example, in botnets, which is when the adversary ties together tens of thousands of machines sometimes, compromises them, and tells them to send a lot of traffic all to one or two places. That is called ``distributed denial of service,'' and it prevents business from being done because imagine too much water from a fire hose going into a straw. It just cannot be handled.
One of the things that the ISPs have stepped up to help us do with the NCCIC is when we use our trusted partnerships to coordinate and understand which machines are causing the harm, the ISPs actually are online ready there to take the information from us and help distribute that through their networks since they are carrying all of this traffic. So that is one way they have partnered. They are very engaged in many of the different public-private partnerships, and I hope that other sectors--some already are and some are not--but, again, they are one piece, and, again, it is a shared responsibility.

Senator McCain. Well, it is my conclusion, after looking at where different personnel assigned to cybersecurity responsibilities are spread throughout the Federal Government, we have Cybersecurity Command in the Department of Defense (DOD), we have you, we have other agencies of government all who have a cybersecurity responsibility. And, frankly, I do not see the coordination between those different agencies of government that I think would increase dramatically our effectiveness. And if we engage in legislation, which we have tried to do without success, I would argue that that has to be part of any legislation that we enact. If you view this threat with the gravity that many of us do now, then it may require a reorganization such as we carried out after 9/11, which is the reason why this Committee and the Department of Homeland Security is in being. I hope that you will contemplate that kind of option as we examine all options, because one thing we do agree on, this problem is going to get a lot worse before it gets better. I thank you, Mr. Chairman.

Chairman Carper. We are going to start voting here very shortly, and my inclination--I checked with Dr. Coburn to see what he thought, and we think we will be here until about 11:15 for the first panel. Then we will excuse you.
We will run to vote, and we will have a series of votes and come back as soon as we can, my hope is around noon. But we will see how that works out. I would say to our second panel, those of you that are here, thank you for joining us. Please be patient with us.

I want to go back to something that I think you said maybe in response to Senator McCain, Dr. Schneck, and I think you mentioned the words ``targeted liability protection.'' Senator McCain knows, as do my other colleagues, Dr. Coburn especially, that one of the issues that has made it difficult for us to put together any kind of comprehensive cybersecurity policy has been our inability to agree on what kind of liability is appropriate. And Secretary Johnson mentioned to me last week that he has been noodling on this and thinking it through as an attorney what might make sense, and obviously you have as well. Just think out loud for--and I am going to take about 3 minutes, and then turn it over to Dr. Coburn. But think out loud for us about what form that targeted liability protection might take, looking at your private sector experience, which you have alluded to, and your current role.

Ms. Schneck. So thank you. The end goal is to get the combined set of information. You have a wide set of companies that see a lot, some that make cyber products, some that use them, some across all different sectors from electric to water. We need to know what they see. We need to know what they know. And they need to know what we see from across, so how do we build that trust? It is very difficult coming from inside of a company to make an attorney feel comfortable--and I am not a lawyer, so I can say that--with the idea that I am going to pick up the phone and call someone in government when, again, a lot of these companies are not based in Washington so there is--and that is why I have spent some time in California. There is a lack of understanding as to what happens in Washington.
And we have tried as a Department to put a friendly customer service face and engage other areas of the country because of this. We have to get the general counsels to be comfortable with the fact that information is going to come--not intellectual property but information about awareness and cyber events, whether it is their breach or something else that they are seeing or building. We have to have the lawyers comfortable with that transfer of information. I was held accountable. I trusted, candidly, Larry Zelvin in our NCCIC. I called him and I called some folks at the FBI that I knew, and those were trusted relationships. I could have lost my job if something went wrong. DHS, FBI and the Secret Service have always handled my information the way we asked. We could control whether it went to government, whether it went to industry. But, again, we wanted to be protected from getting hurt.

If you tell the government that the electric sector has--we have seen activity across the electric sector, as we saw in Night Dragon in 2011, where five oil and gas companies had their oil exfiltration diagrams shipped off to another country unknowingly. We wanted to issue a warning to the whole sector, and the lawyers had a very difficult time with that because they felt that the shareholders in that sector would suffer the next morning and it would be the company's fault. So that is a case where some protection would be needed, not liability for everything on the planet, but liability protection for that case. And I believe that is part of what the administration means by targeted liability. And if those companies can feel comfortable in those situations, we believe more information will come in that we can then use to protect. Right now it is game on for the adversary because everybody is afraid to share information.
And if we wait and do not share this information and do not engage these partnerships and do not leverage the work of NIST and this framework, we let the adversary get far too ahead.

Chairman Carper. All right. Well, this is a conversation we are going to want to continue.

Ms. Schneck. Yes.

Chairman Carper. And if we can solve this one, I think we will move a long ways toward where we need to go in this arena.

Ms. Schneck. Thank you.

Chairman Carper. Dr. Coburn.

Senator Coburn. One of the assumptions that has changed during my lifetime as a citizen of this country is the assumption in government that people are going to do something wrong rather than they are going to do something right. And it has been one of the most discouraging things I have ever seen in our country. It is because basically the vast majority of the people in this country want to do everything right. They do not want to do it wrong. But government's interface with them works under the assumption that they have done it wrong, now prove that you have done it right. And that is the key where we are on this liability. Just for example, let us take two of the large Internet service providers. Unlimited liability, that is a great focused thing, but look what we lose when we start limiting the ability of two ISPs who are working on something back and forth to actually really talk a lot back and forth, and the Justice Department comes in with their Antitrust Division and says, ``Hey, wait a minute, you have to prove that that was necessary for cybersecurity rather than you guys colluding to keep somebody out.'' And that is where this gets sticky. It is like Senator Johnson said. The fact is that I know right now ISP providers are talking back and forth without any immunity because it is the best thing to do for the country to protect us. And yet what we are finding is resistance here to give them that kind of broad legal liability because we do not trust them.
We do not trust them to do what is best for the country as a whole, and we think they are always self-centered, they are only going to do what is good for them. And we have already seen in the cyber arena that is not true. And yet this whole concept of a very narrow limited liability is based on the assumption that we do not trust them, and so, therefore, we can only give you limited liability. And what we are going to do, if we do a very narrow limited liability, we are not going to get where you have espoused we want to get, because their same lawyer is going to say, no, you got to have this there, so, therefore, you can no longer do this. So that is the downside to this, and it is important that that gets communicated up the chain when we start talking about specific limited liabilities versus general liabilities. And the proof is in the pudding of what are your actions directed toward and what are you trying to accomplish, not a specific event, because if it is only event related, we are going to lose. We are going to lose in this battle. Mr. Caldwell, I want to talk to you a little bit--and I am saying this based on hindsight, and it is no reflection on DHS today. But there is a great example on how not to do something. It is called the Chemical Facility Anti-Terrorism Standards (CFATS), the chemical facility security act. And I just wondered, have you looked at that at all? We spent billions. We have not inspected the first chemical plant. We did not use this proactive Executive Order style that the President used in terms of creating a partnership. We did not listen to industry. What we did is create a bureaucracy and spent a bunch of money. And today we still have not accomplished what we need to in terms of chemical facilities. So my question to you--I do not think that DHS has been effective at CFATS. It is better. I admit that. The guy that is running it today is far superior to what we had in the past. It is improving. 
Do you think CFATS would have been better if we had done a public-private partnership much like we have done in terms of cyber?

Mr. Caldwell. I think it is hard to say. I will say a couple things about CFATS. We have done a number of reports about it, and I would agree the last 2 years they have made a lot of progress, and a lot of it has been actually tracking what they are doing and paying attention to it and trying to work with industry. So there has been--they are getting closer to those compliance inspections for those facilities that are deemed to be high risk. There have been a lot of distractions along the way. I think a lot of the problem was actually setting up the bureaucracy in the first place in terms of deciding what they were going to do, what kind of people they needed, what kind of inspections they were going to do, and how they were going to do their risk analysis. We have made a number of recommendations that they have taken pretty seriously and they are moving toward. It was very slow, and that is maybe a cautionary tale of going down a regulatory path, that there is a lot of structure to a government regulatory process, whether it is through the rulemaking process or other things that take a lot of time. And I think that is some of it. But I think a lot of it can be traced back to starting from scratch. For example, the Coast Guard, they had the Maritime Transportation Security Act. They had that up and running within about 18 months, but you have to remember they also had a lot of regulatory structure that related to the maritime sector. They had people that already----

Senator Coburn. Well, they also have a different management structure. You will do it, or you are getting booted out of the Coast Guard. That is different.

Mr. Caldwell. Yes, sir.

Senator Coburn. Let me go back to my original point.

Mr. Caldwell. Please.

Senator Coburn.
Had we started out CFATS with the framework that said we are going to bring all the industry together and say how do we best solve this problem--that is not what we did with CFATS. And that is what we are trying to do now. I understand that. But it is my point, and it is a great lesson for us, and I think we have that dynamic going now in cybersecurity. But in this one, it is in the best interest of a chemical company to not have exposure. But the assumption under CFATS, which goes back to what I said before, is prove that you are not, rather than the assumption is we are going to assume you are and we are going to have to show you where you are not, and let us do this in a cooperative manner so that when we regulate you, we can take what we learn from XYZ Company and put it over to ABC Company, and we will come with judgment, because that is what was lacking with CFATS. There was no judgment because there was no knowledge, because we did not listen to industry, who at their own best interest want to protect their facilities.

Mr. Caldwell. I think the----

Chairman Carper. I am going to ask you to be very brief. I want to make sure that Senator Johnson has a chance to ask a question or two before we close. Go ahead, very briefly.

Mr. Caldwell. So, briefly, I think industry was engaged with government when CFATS was created. I think one of the problems that happened is after the law went into place, then government kind of went into this quiet period where that engagement kind of stopped, and maybe that is where when we move forward with this, we have to make sure that engagement stays at a high level all the way through.

Senator Coburn. All right.

Chairman Carper. Good point. Senator Johnson.

Senator Johnson. Thank you. I want to drill down on the liability protection issue. Right now it seems to me like we are erring on the side of limited liability protection or no liability protection.
As a result, we are not getting the information that everybody believes is absolutely crucial if we are going to provide cybersecurity. Correct?

Ms. Schneck. I would add that a lot of information is already being shared through our Cyber Information Sharing and Collaboration Program (CISCP) programs.

Senator Johnson. But not enough.

Ms. Schneck. There is more. And coming from the other side, I know why some of those lawyers want liability protection. We need a balance.

Senator Johnson. So let me complete my question. What would be wrong with erring on the side of too much liability protection so we would get the information, so we would complete this urgent need to provide greater cybersecurity? What would be wrong in just erring on the side of maybe too much liability protection? What is the cost? What is the damage in doing that, other than to the trial lawyers?

Ms. Schneck. So that is hard for me as a nerd, not a lawyer, but I am open to have the conversation. Again, you know my goal. It is to bring all the information together. And I need to work with our experts in the administration and in Congress to understand what our folks at NIST and DHS have----

Senator Johnson. But, again, if we provide too much liability protection, that means companies will not be able to be sued as readily, correct? Isn't that the----

Ms. Schneck. We do not want companies getting sued. No, we do not. We want information shared. I need----

Senator Johnson. Why would we withhold a broader level of liability protection other than for that reason?

Ms. Schneck. I need to understand all the legal issues around that, and, again----

Senator Johnson. Let us just walk through when companies get sued, who pays for that. I just want to so people understand. If a company gets sued and they pay a big old fine to the Federal Government or a great big class action suit, who really bears the cost of that litigation?

Ms. Schneck. We absolutely all do, and the bad guys win.
It is a terrible situation.

Senator Johnson. We all do.

Ms. Schneck. Yes.

Senator Johnson. So every consumer ends up paying higher prices, correct?

Ms. Schneck. Absolutely. It is a terrible situation. It is----

Senator Johnson. Now, who benefits from that liability? I mean, when somebody sues successfully, who benefits?

Ms. Schneck. I am not a lawyer, but probably the lawyers.

Senator Johnson. Certainly trial lawyers on a contingency fee, they make a lot of money, correct?

Ms. Schneck. Probably.

Senator Johnson. Every now and again, when it is a class action, the members in that class might get, oh, a couple pennies?

Ms. Schneck. I actually do not know.

Senator Johnson. Well, that is really, in effect, what happens. So, again, I just want us to be really realistic in terms of what is happening here. By not providing broader liability protection, we are putting our cyber assets at risk. And what we are doing is we are protecting the ability of trial lawyers to get big old fees. Generally the class action plaintiffs get very little. And when we do have these huge settlements, it is American consumers overall that pay the higher costs.

Ms. Schneck. And this is why the adversary is winning because they have no lawyers----

Senator Johnson. Precisely. So, again, I think it is just important that we understand what is happening when we refuse to provide broader liability protection so we can actually get the information that we need to provide cybersecurity.

Ms. Schneck. And that is why we need to have a conversation, before anybody refuses anything. But, again, we need the experts from the science side, the legal side, the administration to find that balance, because we do not want to err on the side of not honoring the privacy and civil liberties that we are all here to fight to keep.

Senator Johnson. I understand. Again, I appreciate your willingness to serve your Nation in this capacity.
I think, your kind of background, your willingness to come from the private sector, a very lucrative job, I am sure, in the private sector, to really address this challenge is just really appreciated. Thank you.

Ms. Schneck. Thank you.

Senator Coburn. Uplifting.

Chairman Carper. ``Uplifting.'' That is what Dr. Coburn said. It is uplifting. Well, it is uplifting to have all of you before us, and, Ms. Dodson, nice to see you again. Thank you for your testimony. Mr. Caldwell, good to see you. Greg, thank you for joining us. We are going to have to run and vote. We are running out of time, and they will not hold the clocks for us. So thank you all. There are going to be some questions, followup questions that you will be receiving subsequent to this hearing, and we just ask that you respond to those.

Chairman Carper. And we look forward to an ongoing conversation. This has been a very encouraging panel, so thanks so much. And we should be reconvening around noon.

[Recess.]

We are going to reconvene now. I want to thank everybody for their patience and for waiting for us. When Dr. Coburn and I are the leaders of the Senate, we will not schedule these votes and interrupt our hearings. But we appreciate your patience and appreciate your being here with us.

Our first witness is a familiar-looking person. I think I have seen her before, Dr. Coburn. Elayne Starkey is our chief security officer (CSO) for the State of Delaware where she is responsible for the enterprise-wide protection of information assets from high-consequence events. Ms. Starkey is also the Chair of the Delaware Information Security Council and member of the Governor's Homeland Security Council. Before joining State government, Ms. Starkey spent 12 years in software engineering in the private sector, and, Tom, I just want you to know, for the 8 years that I served as Governor, most of those years I worked for this woman, and it is great to see her again. We thank you for your service to our State.
Our next witness is David Velazquez, executive vice president and leader of power delivery business for Pepco Holdings Inc. (PHI). Previously Mr. Velazquez served as president and chief executive officer of Connective Energy. He serves on the boards of the Maryland Business Roundtable for Education, Southeastern Electric Exchange, the Trust for The National Mall, and the Smithsonian National Zoo Advisory Board. Welcome. Nice to see you.

Doug Johnson is vice chairman of the Federal Services Sector Coordinating Council, which advises the Federal bank regulatory agencies on homeland security and critical infrastructure protection issues. Mr. Johnson also serves as vice president and senior advisor of risk management policy, at the American Bankers Association (ABA), where he leads enterprise risk, physical and cybersecurity, business continuity and resiliency policy, and fraud deterrence. I understand you are also a member of the Financial Services Information Sharing and Analysis Center. Is that right?

Mr. Johnson. I am.

Chairman Carper. OK. A private corporation that works with the government to provide the financial sector with cyber and physical threat and vulnerability information as part of our Nation's homeland security efforts.

A final witness, saving the best for last, the final witness is Steven Chabinsky, senior vice president of legal affairs, general counsel, and chief risk officer for CrowdStrike, a big data security technology firm specializing in continuous threat detection, cyber intelligence, and computer incident response. He also serves as an adjunct faculty member of the George Washington University and is a cyber columnist for Security Magazine. Before joining CrowdStrike, Mr. Chabinsky had a distinguished career with the government culminating in his service as Deputy Assistant Director of the FBI's Cyber Division.

A big thanks to all of you for coming, for your testimonies, and for your patience with us today. Elayne, would you please proceed?
Your entire statement will be made part of the record. You can summarize as you see fit.

TESTIMONY OF ELAYNE M. STARKEY,\1\ CHIEF SECURITY OFFICER, DELAWARE DEPARTMENT OF TECHNOLOGY AND INFORMATION

Ms. Starkey. Good afternoon, Senator Carper, Ranking Member Coburn. Thank you for the opportunity to be here at the hearing today.

---------------------------------------------------------------------------
\1\ The prepared statement of Ms. Starkey appears in the Appendix on page 85.
---------------------------------------------------------------------------

As the chief security officer for the State of Delaware, I can report that we are combatting a greater number of cyber attacks than ever before. State governments not only host volumes of sensitive data about our citizens, we use the Internet to deliver vital services, and ensure our first responders can access the data they need in crisis situations. State government IT systems are a vital component of the Nation's critical infrastructure.

Today, with this testimony, I want to provide the Committee information on the value of public-private partnerships, as I see it from where I sit. Cyber threats know no borders, and in our interconnected world where all levels of government work with each other and work with private sector partners and citizens, the only defense is a multi-sector approach. I view these partnerships as a critical component of the Delaware Information Security Program, and I am eager to give you very specific examples of what is working in my State.

We have been partnering with the U.S. Department of Homeland Security since our program started back in 2004, and over the years, our incident response capabilities have improved significantly by partnering and participating in their Cyber Storm Exercises.
We have advanced our capabilities, thanks to applying funding from the Homeland Security Preparedness Grant Program, and we have used this money for a variety of different things, including annual employee awareness training, e-mail phishing simulations, technical training, and I am most grateful to have received approval for this funding. Delaware, however, is an exception. In contrast, most of my peers in other States report limited success in competing with traditional emergency responders for just a small share of those grant funds. I urge Congress to carve out a portion of this funding for States to use exclusively on cybersecurity initiatives.

One of the things I am most proud of is Delaware's effective outreach and collaboration with local governments and other critical infrastructure providers. We were delighted to be selected to participate in the Community Cyber Security Maturity Model, run by the Center for Infrastructure Assurance and Security at the University of Texas at San Antonio. This program has resulted in training at all levels, and exercises, and seminars. In fact, our next event is a statewide cybersecurity conference on May 6. This is a day-long education workshop where we will bring together State and local government, law enforcement, military, higher education, health care, and other critical infrastructure providers.

Cyber awareness and education and training have been the cornerstones of Delaware's program ever since we got started. Our campaign is very active throughout the year. But in October, as part of National Cybersecurity Awareness Month, we ratcheted up the program with TV and radio advertising, and even wrapping a Delaware Transit bus with an eye-popping cybersecurity message. In the testimony that I provided,\1\ if you cannot imagine what a wrapped cybersecurity bus looks like, there are some pictures in the testimony that I provided.
This literally has become a moving billboard up and down the State, carrying the Internet safety message to 50,000 motorists each day.

---------------------------------------------------------------------------
\1\ The pictures submitted by Ms. Starkey appear in the Appendix on page 91.
---------------------------------------------------------------------------

We are unable to use State funding to do projects like that, so that is why I am so thankful to Verizon. Verizon's support of this program has been unwavering. We could not have done many of these initiatives without the financial support from the Verizon Foundation and the incredible volunteer support from Verizon employees as we go out into Delaware elementary schools and present on Internet safety. We have reached 25,000 fourth graders over the last 7 years thanks to this wonderful partnership that we have with Verizon.

Cybersecurity works best when people have an understanding of the risks and the threats, so I am especially appreciative of our strong partnership and collaboration with the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the National Association of Chief Information Officers.

My final partnership example is with higher education. Five years ago, a team of people came together, and we discovered we all had the same passion. We had a passion for nurturing the next generation of cybersecurity professionals, and today that team includes all Delaware universities and colleges. And together with the Council on Cybersecurity and SANS Institute, we are planning our 5th annual U.S. Cyber Challenge summer camp. It is a week-long, intensive training filled with specialized speakers intended to reduce the shortage in the cyber workforce.

So, in conclusion, my compliments to NIST and DHS and all the stakeholders that worked together to develop the Cybersecurity Framework. It is valuable to State governments.
It is valuable to reference a core set of activities to mitigate against attacks on our systems. For those of us that have established security programs, the framework will not introduce major changes for us. Rather, the framework offers valuable risk management guidance and is complementary to our Exercise and Incident Response Program. I endorse the framework as an excellent first step; however, it is important to stress it is the beginning and it is not the end. My hope is that future versions are going to include incentives to adopt the framework and strive for continuous reduction of the cyber risk. This is a complex issue. We have a long road ahead of us to making our Nation's systems more secure. It is a journey, and it is a race with no finish line. There is no single solution; there is no silver bullet. I compliment you for holding hearings such as these. I ask Congress to continue to work with States to identify ways to protect our Nation's information assets and provide funding opportunities for State government cybersecurity. Thank you. Chairman Carper. Elayne, thank you so much. Great to see you here, and thank you for joining us. Steven Chabinsky, please proceed. TESTIMONY OF STEVEN R. CHABINSKY,\1\ CHIEF RISK OFFICER, CROWDSTRIKE, INC. (TESTIFYING IN HIS PERSONAL CAPACITY) Mr. Chabinsky. Thank you. Good afternoon, Chairman Carper, Ranking Member Coburn. I am pleased to appear before you today to discuss cybersecurity public-private partnerships. --------------------------------------------------------------------------- \1\ The prepared statement of Mr. Chabinsky appears in the Appendix on page 93. --------------------------------------------------------------------------- First, I would like to discuss the Cybersecurity Framework. Senator Rockefeller had proclaimed last year that NIST is the ``jewel of the Federal Government.'' I agree. I especially commend NIST for having engaged with over 3,000 individuals and organizations on the framework. 
In doing so, NIST established a true public-private partnership. I would also note that the Cybersecurity Framework is written in such a straightforward manner and so concisely that it should be required reading for every corporate officer and director. I have no doubt that, if implemented, it would improve our critical infrastructure cybersecurity. But having improved security is not the same thing as having adequate security. And in my professional opinion, the strategy we are pursuing to include the NIST framework will not result in adequate security of our critical infrastructure and for our country. Regardless of how vigorously industry applies risk management principles, there simply is no chance the private sector can consistently withstand intrusion attempts from foreign military units and intelligence services or even, for that matter, from transnational organized crime. As a result, improving our security posture requires that we reconsider our efforts rather than simply redouble them. We must ensure that our cybersecurity strategies focus greater attention not on preventing all intrusions but on more quickly detecting them and mitigating harm while in parallel-- and this is the significant part--identifying, locating, and penalizing bad actors. Doing so also would align our cybersecurity efforts with the security strategies we successfully use every day in the physical world. In the physical world, vulnerability mitigation efforts certainly have their place. We take reasonable precautions to lock our doors and windows, and depending upon the type of business, those locked doors and windows will be of varying strength and expense. Still, we do not spend an endless amount of resources seeking to cut off every possible point of entry against those who might dig holes underground or parachute onto the roof. Instead, to counter determined adversaries, we ultimately concede that they can gain unlawful entry. So we shift our focus. We might hire armed guards.
More often we get security systems that have alarms for instant detection and video cameras to capture attribution. None of these make the facility any stronger or less penetrable; rather, in the physical world, guards, alarms, and cameras essentially declare to the bad guy, ``It is no longer about us. Now it is about you.'' When a monitoring company is alerted that a door was broken into at 3 in the morning, it calls the police to respond. It does not call the locksmith. And as a result, most would-be intruders are deterred from acting in the first place. It is surprising then and suggests a larger strategic problem that, in the world of cyber, when the intrusion detection system goes off, the response has been to blame the victim time and again and to demand that they prevent it from happening again. The goal then becomes one of ridding the network of malware rather than of finding and deterring the attackers. I believe that this single-minded focus of preventing or cleaning up after an intrusion is grossly misplaced. Consider the scene in ``The Godfather'' movie of waking up to find a horse's head in your bed. That is no time to wonder how you are going to clean it up. Rather, the obvious questions are: Who did it? What are they after? Are they coming back? And what will it take to stop them or change their mind? It is threat deterrence, not vulnerability mitigation, that effects security in the physical world every day. Making matters worse, as industry and government agencies continue to spend greater resources on vulnerability mitigation, we find ourselves facing the problems of diminishing economic returns and perhaps even negative returns. With respect to diminishing returns, imagine trying to protect a building by spending millions of dollars on a 20-foot brick wall. Meanwhile, an adversary can go to a hardware store and for less than $100 buy a 30-foot ladder. That is happening every day in cyber where defenses are expensive and malware is cheap. 
Far worse, though, is the concept of negative returns in which well-intentioned efforts actually make the problem worse. Consider our brick wall again. What if instead of buying a ladder the adversary decides to use a life-threatening explosive to bring down the wall? This is not dissimilar from our current defensive cyber strategy, which has had the unintended consequence of proliferating a greater quantity and quality of attack methods, thereby escalating the problem and placing more of our infrastructure at greater risk. We can and must do better. It is time to refocus our public-private partnerships on developing the technologies and policies necessary to achieve the level of hacker detection, attribution, and punitive response that is necessary to reduce the threat. By doing so, businesses and consumers are far more likely to benefit from improved, sustained cybersecurity and at lower costs. Thank you for the opportunity to testify today. I would be very happy to answer any questions you may have. Chairman Carper. Thank you, sir. We are very happy you are here, and thank you for that testimony. Mr. Johnson, please. TESTIMONY OF DOUG JOHNSON,\1\ VICE CHAIRMAN, FINANCIAL SERVICES SECTOR COORDINATING COUNCIL Mr. Johnson. Yes, Chairman Carper, Ranking Member Coburn, my name is Doug Johnson. I am vice president of risk management policy at the American Bankers Association. I am here today testifying in my capacity as the vice chairman of the Financial Services Sector Coordinating Council (FSSCC), and also in my capacity as a board member of the Financial Services Information Sharing and Analysis Center (FS-ISAC). --------------------------------------------------------------------------- \1\ The prepared statement of Mr. Johnson appears in the Appendix on page 103. 
--------------------------------------------------------------------------- ABA is always proud of and committed to maintaining its leadership role in organizations such as these as we help to protect our Nation's critical infrastructure, and we feel that it is extremely important to do so as an association. The financial sector shares the Committee's commitment to strengthening the public-private partnership to reduce cyber risks to our Nation's critical infrastructure. The nature and the frequency of cyber attacks against financial services and other sectors have focused a great deal of attention on whether our institutions, regardless of size, are properly prepared for such events and whether we are committing the appropriate level of resources to detect and defend against them. This is not a new exercise. The financial services sector continuously assesses and refines our preparedness to detect and to respond to future attacks and actively engage our government partners in this process. These efforts build on a longstanding, collaborative imperative for the financial sector to protect institutions and customers from physical and cyber events. A significant protection infrastructure, in partnership with government, exists, and the FSSCC and the FS-ISAC obviously play vital roles in the process. For the FSSCC, much of 2013 and now 2014 was and has been dedicated to responding to the administration's Executive Order, and particularly regarding the development of NIST's Cybersecurity Framework. You have heard a lot of compliments about the framework, and we share in that assessment. Our sector is supportive of the administration's and NIST's efforts in this regard to build a voluntary framework and will remain engaged as we migrate into what is really the all-important implementation phase of the framework. Our government partners are many. Our partnership with DHS is really extremely important. Of particular note is DHS' assistance.
The FS-ISAC is now the third sector which is participating in the National Cybersecurity and Communications Integration Center. The collocation of sectors in the NCCIC is an extremely important component of our overall effort to build the trusted network between government and industry, and the only way to do that, frankly, is to have an ability to really share information in very much of a trusted network, which requires individuals really to have that trusted ability to communicate with each other. And the NCCIC is a prime example of how the co-location of subject matter experts across the public and private sector can build that model. That enhances the ability both to protect our critical infrastructure and to build that trust. The FS-ISAC also works very closely with other critical infrastructure sectors through the National Council of ISACs where our cross-sector cooperation and coordination for the FSSCC occurs through the Partnership for Critical Infrastructure Security (PCIS) Cross-Sector Council. The 20 sectors and the subsectors that really comprise the PCIS Cross-Sector Council are unanimously in support of it remaining the mechanism to engage DHS on our joint critical infrastructure protection mission. We look forward to working with DHS in a manner consistent with the National Infrastructure Protection Plan in that regard. Through the FS-ISAC and the sector, our sector is committed to working collaboratively with NIST to further improve the framework and our Nation's overall cybersecurity posture.
In my written testimony, I have offered a number of recommendations to meet our mutual goals, including: encouraging the development of sector-specific approaches to the framework; facilitating automated information sharing; clarifying liability protections for the sharing of information; fostering the growth of the existing ISACs and encouraging the development of additional models similar to that in other sectors that might not currently be deemed critical infrastructure protection; leveraging existing audit and examination processes when implementing the framework to the greatest extent possible; creating incentives that are tailored to address specific market gaps and letting the market make the determination as to whether or not they can fill those gaps independent of government; and, last, fostering research and development and workforce creation is always very important, as you have heard others speak of today. Thank you for holding this important hearing. Financial services companies do make cybersecurity a top priority. We look forward to continuing to work with you toward our mutual goal, and at this point I would be willing to take any questions. Thank you. Chairman Carper. Thank you, Mr. Johnson. And our last witness, Mr. Velazquez, please proceed. Good to see you. TESTIMONY OF DAVID VELAZQUEZ,\1\ EXECUTIVE VICE PRESIDENT FOR POWER DELIVERY, PEPCO HOLDINGS, INC. Mr. Velazquez. Thank you, Chairman Carper, Ranking Member Coburn. I am Dave Velazquez, and I have the privilege of serving as executive vice president of power delivery for Pepco Holdings Inc. (PHI). We are an electric utility that serves about 2 million customers in the Mid-Atlantic area, including here in Washington, DC. It is my pleasure to appear before you today to discuss an issue of fundamental significance to our industry, the electric utility sector: the public-private partnerships to advance the security of our electric grid. 
--------------------------------------------------------------------------- \1\ The prepared statement of Mr. Velazquez appears in the Appendix on page 113. --------------------------------------------------------------------------- As the utility power in the Nation's capital, PHI has been actively engaged in cybersecurity protection and in the advancement of national cybersecurity regulations and legislation. In addition to Washington, we serve customers in four other jurisdictions. The thought that each of these jurisdictions could develop its own Cybersecurity Framework and protocols becomes quite daunting for us. That is why we believe Federal legislation is necessary, and we commend the work of this Committee and others in the House and Senate, the work that has been toward that goal. We were very active in the public information gathering sessions led by NIST to develop the framework. We found that process to be very collaborative and respectful of the work that the electric utility sector and our regulators had already done. PHI has pledged to be among the first utilities to work with DHS and the Department of Energy (DOE) to apply that framework to our operations. This self-assessment process is ongoing, but to be truly resonant with our regulators, PHI believes it should include some form of standardized third-party verification. The framework is not, however, the first example of a public-private partnership for grid security. There are a number of others in which PHI is active. Critical Infrastructure Protection (CIP) standards are mandatory for all owners and operators of bulk power system assets, and they are enforceable by the Federal Energy Regulatory Commission (FERC). In this way, the CIP standards ensure basic network hygiene and baseline levels of security for the grid. The NCCIC serves as a centralized location where cybersecurity operational elements are coordinated and integrated.
NCCIC partners include the Federal agencies, State and local governments, the private sector, and international entities. PHI is in the process of obtaining the clearances needed to maintain a seat on the NCCIC floor. The Electricity Subsector Coordinating Council, which is made up of utility and trade association leaders and government executives, has focused its efforts on three areas of industry-government collaboration: incident response, information flow, and tools and technology. PHI is also an active participant in the ICS-CERT, a program that provides vulnerability information regarding industry control systems. While the NCCIC, Electricity Subsector Coordinating Council (ESCC), and Industrial Control Systems Cyber Emergency Response System (ICS-CERT) are industry-wide initiatives, there are also opportunities for individual utilities to apply federally developed threat detection technologies. Though I am not at liberty to discuss the details of these threat detection programs, I can say that PHI has been afforded the opportunity to participate in Federal security technology applications that allow both temporary and also permanent real-time, machine-to-machine threat detection. Additionally, last November the North American Electric Reliability Corporation (NERC) conducted Grid-Ex II, a 2-day cyber and physical security and incident response exercise in which more than 165 industry and governmental organizations participated. One of the key learnings from the exercise was the need for clearer protocols to coordinate governmental roles in the physical defense of privately held critical infrastructure. Though these existing partnerships are impactful, there are some open issues that exist.
For instance, though the federally administered technology programs in which a number of the utilities participate offer some threat information sharing capability, in the absence of Federal legislation much is left undefined with regard to data privacy and also liability associated with the bi-directional threat information sharing. Similarly, forums exist for event response coordination. Without explicit authorization, these forums may not resolve all the jurisdictional issues. And, very importantly, we must have clear protocols for industry-government event response before an event occurs. Finally, some assurance of prompt and reasonable recovery of cybersecurity investments will be imperative. Today our regulators seem willing to acknowledge the value of the investments we are making in cybersecurity. However, as the threat continues to become more sophisticated, our investments will likely rise pretty rapidly, and some systemized form of prompt cost recovery would facilitate our capacity to grow our expertise. In summary, PHI has been very active in and benefited greatly from the growing array of opportunities to partner with Federal, State, and local authorities. Public-private partnerships have improved cyber threat detection and cyber and physical event preparation and response coordination. However, more can be done. In particular, some issues still needing attention include real-time and actionable threat information sharing, liability protection, event response protocols and systemized cost recovery. We look forward to continuing to work with the administration, this Committee, and your colleagues in the House and Senate to advance legislation to address these open issues. Thank you. Chairman Carper. David, thank you very much. Dr. Coburn has to be off to another meeting, and he is going to ask some questions. I am going to step out and take a phone call and then come right back and continue, and we will wrap up a little bit after 1. Dr. Coburn. 
Senator Coburn. Thank you, Mr. Chairman. Mr. Chabinsky, I am really interested in your testimony because you have taken a track that nobody else has taken here other than Senator McCain in his questions that he asked earlier. And you have a lot of experience in terms of deterrence with your past history. I was wondering what the other panelists thought about what he said. You all talked about mitigation of vulnerabilities, and he is talking about deterrence--one of which is cheaper, one of which is more effective. Any comments about what Mr. Chabinsky had to say? Mr. Johnson. Well, Senator, I would be glad to take a first shot at that. I think that what we saw during the denial-of- service attacks that we had over a period of over a year gave us a real understanding of the dynamics associated with that particular issue. I will go back to an anecdote that occurred in a conversation between Treasury and a series of bankers from New York that are not necessarily shy in a lot of cases. Basically during the height of the denial-of-service attacks, they were asking Treasury whether or not the denial-of-service attacks in and of themselves were part of the defensive strategy that we as a Nation were taking as it related to Iran. And I think that what that really brought to the fore is the jobs issue. Whose job is it to really take that so-called active defenses? And I think that in large part that is an area that is still to be determined, because clearly it is the expectation of industry that government has a role, a substantial role in that defense, and obviously when we are talking about issues such as ``hack back,'' there has been a lot of controversy associated with the private sector taking those kind of roles. And, in fact, it is illegal at this particular juncture to do so. And I love Steve's analogies. He is always extremely good at them.
But if you go back to the analogy of physical security, when the bank is robbed, it is not up to bank personnel to catch the robber. Senator Coburn. Right. I agree. Mr. Johnson. And so I think that while there is some substantial role that organizations have on the front end--and that role might migrate to some degree toward active defense--I think that we really have to be clear on what that line is. Senator Coburn. But the key is that you can give the government attribution. Mr. Johnson. Yes. Senator Coburn. And the government by itself does not have that. So for it to act, we need to create a pathway so that that information on attribution can get to the government if the government is going to act on it. Mr. Johnson. Right, and that is where the analogy still holds, because when you are talking about fiscal crime, essentially one of the first things the police are going to ask when the bank is robbed is, ``What did the robber look like?'' Senator Coburn. Yes. Mr. Johnson. And so I think that analogy still holds. Senator Coburn. Mr. Velazquez. Mr. Velazquez. I would just second Mr. Johnson's comments, and I think one of the critical pieces from a private-public partnership is being able to share that information in real time so that the government can take appropriate action. Senator Coburn. Right, OK. Mr. Chabinsky, are you familiar with the Deter Cyber Theft Act? Mr. Chabinsky. I am, Senator. Senator Coburn. What do you think about that? Mr. Chabinsky. I think that that is exactly the right path that we need to be going down, which is threat deterrence, making sure that the recipients of illegally obtained intellectual property are not able to benefit from that to further actually impact our economy. Bad enough that our intellectual property is being stolen every day by foreign powers. Then to have the corporate recipients of those companies come back to our shores and unfairly compete against our industry is unconscionable. Thank you for introducing that. 
Senator Coburn. Thank you. Ms. Starkey, I thank you for your testimony and what you are doing in the State of Delaware. Maybe I have some bad news for you. The fact is that 3 or 4 years from now you are not going to be getting a penny from the Federal Government for what you are doing. And the question is, it is really not our role to do that. The taxpayers of Delaware ought to fund theirs. But our financial situation is going to be such--we are going back to trillion-dollar deficits even in a growing economy, 3 or 4 percent. So we are not going to be there. So are you prepared as a representative of the State of Delaware to do what you need to do without Federal money? Ms. Starkey. Yes, we recognize that, and we have seen the dwindling amounts that have been coming out of the Homeland Security Grant just over the last few years. That is the reason, that is exactly the reason why we pursued the partnership with the Verizon Foundation, to be able to continue the momentum that we had through non-government dollars, if you will. So we are fully prepared for that. I cannot really speak on behalf of the budget writers in the Delaware State government. Senator Coburn. I understand. Ms. Starkey. But it is something that we are paying attention to. We are alerting them that, you know, the threats keep going up, and there needs to be additional tools added to our toolkit to combat the threats all the time, and those tools--as has been pointed out here, those tools are expensive. It is very expensive to be secure. Senator Coburn. But if we did more deterrence and less vulnerability mitigation, what we might see is less capability, because the fact is if you take a bunch of smart people, no matter what you put on your network, they are going to eventually find a hole in it. Now, we may respond to that. We may protect everybody else that was not attacked. But eventually, if they want to, the guys that want to rob the bank, they are going to rob the bank.
They are going to do that. So Mr. Chabinsky's point is well made. Mr. Chabinsky, you spent some time with the FBI. What resources now do we have at the FBI in terms of manpower in terms of going after these people versus what you think in your opinion we should have? Mr. Chabinsky. Thank you, Dr. Coburn, for the question. When you look at the FBI's resources, the FBI and the Secret Service both have concurrent jurisdiction over cyber crime, and the FBI has exclusive jurisdiction when the intrusions are nation state sponsored. The FBI's manpower of agents that are exclusively focusing on intrusions is in the hundreds, not thousands of persons. And since this crime is international, one would then look to see what resources the FBI has to place special agents abroad, working with partners in other countries who actually want to work with us. And what we see is that those are able to be counted on both hands. So we are looking at a problem that, on the defensive side, we are putting tens of billions of dollars into, and on the side that actually could help the private sector make those handoffs to the government to have threat deterrence, put these bad guys in jail, we are severely understaffing and underfunding that. Making matters worse, when we look at the Presidential Executive Order, the Executive Order is focused on steering some of those very investigative resources away from investigations and toward warning the private sector that it is under attack. So now you have a limited pool of resources that should be investigating the crime. Now they are spending all day actually warning victims. And we do not see anything in the Executive Order that functions get the private sector to provide information to law enforcement to work hand in glove to try to figure out who these bad guys are and to bring them to justice. Senator Coburn. That is really important for us as we try to write a cyber bill.
I have a lot of other questions, but my time constraints will force me to put them in the record. Thank you. Chairman Carper. Let me ask a question for Elayne Starkey, for David, and for Mr. Johnson. OK? I think one of the interesting, maybe unique features of the framework that has been constructed is that it can apply equally to an energy company, a utility, a bank, even a State or local government. It is also scalable so that both small business and large business can take advantage of it. All of you have already touched on how you will be using the framework in your statements, but I would like to ask you to drill down on this issue just a little bit more. OK? What can we do, not just this Committee, not just the Federal Government, but government and industry, maybe working together, to encourage more businesses to adopt the framework that has been produced? In particular, can you talk with us a little bit about what type of help you would like to see from the Department of Homeland Security and other Federal agencies as you and your sectors work to implement the framework? Elayne, if you would start that off, I would appreciate it. Ms. Starkey. Sure. I am glad you asked the question. Business adoption of this, in particular small to medium-sized business, is absolutely critical to the success, in my opinion. The larger companies have established programs, and they have been paying attention to this for a long time. It is the small and medium-sized businesses that maybe do not know what they do not know, or just simply do not have the resources to throw at this problem. It is a huge problem. It is an expensive problem. And, quite frankly, it does not increase or improve their bottom line by adding a lot of security defenses necessarily. So that is not an automatic. So I think it is going to be critical in the next few months and years as we see how this is going to be rolled out and adopted by not just governments but by the private sector as well. 
The second part to your question in terms of what DHS can do, certainly what our plans in Delaware are---- Chairman Carper. And not just DHS, but other relevant Federal agencies, please. Ms. Starkey. OK, sure. In Delaware, we have had an established program now for a number of years based on the International Organization for Standardization (ISO) international standards and NIST standards, and they have served us incredibly well. We do not plan to change that because our whole framework is centered around those NIST and ISO standards. But what we are going to do and have started to do is to take this framework and overlay it with our current framework and identify where there are gaps and work to close those gaps. So we will be anxious to see--we are following the rollout from DHS. I know there is a kickoff meeting tomorrow, actually, all morning tomorrow. We are fortunate because I know cyber resilience is a huge part of the rollout plan, and we have some success with that, because back in 2010 we invited DHS to come in and do a cyber resilience study for Delaware State government, and it was an incredibly valuable exercise for us. We got a lot of good feedback. They brought in folks from US-CERT, from Carnegie Mellon, as well as here in D.C., and they spent all day with us talking to a variety of different parts of my department and parts of State government. And I was so pleased to see that that cyber resilience program is part of their rollout strategy. So I am looking forward to that. Chairman Carper. That is good to hear. Mr. Chabinsky, same question--or no, you are the one person that gets---- [Laughter.] David. Mr. Velazquez. Yes, I think first I would mention that I think with the NIST framework, the flexibility that has been built inherent in it, and as that flexibility continues and being respectful of other regulations that cover the different sectors, I think that is very helpful for the continued adoption and more people adopting it.
I think if there are incentives for participation, although I would note that, like most companies, the real incentive for participation is our customers and providing them service. And I think if any business, if your customers lose confidence in your ability, you lose business. But beyond that, we had talked already about liability protection, I think could help spur some others adopting it. If there is a way to provide discounted terrorism insurance as a result of that, access to Federal technologies maybe that comes with that, and then as a regulated industry as well, support for timely recovery of the investments necessary to support it. All those I think would help. Chairman Carper. Good. That is helpful. Mr. Johnson. Mr. Johnson. Yes, as you indicated, probably in financial services, we are already essentially at the highest tiers within the Cybersecurity Framework. And so the question becomes one of two things: What do financial institutions have to do associated with the framework? And then how can they leverage the framework in their environment to increase adoption? I think one thing that I have seen in our institutions is they are largely doing what the framework is--they might call it different things in different places, but by and large, conceptually the manner in which the framework is devised, financial institutions by and large are doing that. And so one of the things I think will be to our advantage is the ability to leverage this within our supply chain. We have heard talk of that in the earlier panel. I think it is really vital to be able to give those supply chain partners a mechanism to think about what cybersecurity should look like in their organization and to aspire toward various tiers, to aspire toward the next tier, if you will, and to have a path forward. And I think the framework gives them that in large degree. 
And so I think that will be helpful for not only the critical suppliers that we have that are by law supposed to be adhering to the same information security standards that we do as financial institutions, but also the less critical suppliers as well, because I do not know that, for instance, the air conditioning supplier to Target was felt to be a critical supplier but, nonetheless, I think what that points to is the need to have the entire environment have some higher level of cybersecurity. And I think the framework essentially enables you to do that. From the standpoint of what government could do, sometimes I think it is helpful if government would set their children free, if you will. I think that NIST has a tendency to do that with standards and is looking to do that to some degree with the framework where--trying to find a home for the framework for implementation purposes, for instance. But I would think long and hard before I established legislative incentives before I see what the market can do in terms of incentives. I see insurance companies, for instance, already going into our financial institutions and asking how the institution is thinking about the Cybersecurity Framework. I see insurance associations that write those policies coming to us as financial institutions and rethinking how they might want to write those cybersecurity policies on the basis of the framework. And so I think some of that thinking is very important to lay the groundwork for where the gaps are from the standpoint of incentives, because I do not know that we know yet where those gaps are. Liability has been spoken of as a particular gap, and I think that for one thing, liability means a lot of different things in terms of protection to a lot of different people. 
And I think that one of the things that we saw, going back from the denial-of-service attacks again, is the fact that, to some degree, the sharing of information was impeded by the potential for the use of that information to have unintended consequences. And by that I mean when you want to shut down, for instance, a set of Internet addresses or compel an Internet service provider to take a certain action that might actually harm some individuals that are innocent, what kind of protections does that particular company have associated with taking that action? Can they be subject to civil suits to the extent that someone is harmed in that environment? So I think that is something that we need to potentially look at from the standpoint of liability protection, is the use of that data. And under what criteria should personally identifiable information, properly defined, be able to be utilized to the extent that a threat is imminent? To what extent are Internet protocol or Internet addresses personally identifiable information? Are they not? There is some uncertainty associated with that. So I think those are some things the government could certainly be able to do.

Chairman Carper. Good. Well, those are all very helpful answers. Thank you. One last question, and we will break and send you on your own, and I will go back to my day job. I had originally thought I would ask the same question of these three people. I am going to ask Mr. Chabinsky to join in on this question if you would like to as well. But failures in our critical infrastructure can, as we know, have cascading effects that ripple through our communities, our lives. For example, if the power goes out for an extended period of time, our communications, our transportation, our drinking water might all be negatively impacted in some way.
Should something terrible happen like that--and it probably will--I am not so sure we have clearly defined the roles and the responsibilities of the Federal Government, States, and the private sector to respond. Two questions, if I could. One, are you confident that you will know who to turn to for help if there is a major cyber incident that takes down some of our most critical infrastructure for an extended period of time? And the second question would be: Are there any roles and responsibilities that need to be more clearly defined in law so you know what to expect and from whom? Elayne, if you would like to take a shot at that?

Ms. Starkey. Part one is extremely confident. I would like to think that I should not be in the job I am in if I was not confident in that. The reason I am so confident is because we practice. We simulate. We have held nine consecutive annual exercises involving examples like you just gave. They are simulations, granted. It is different when it is the real thing. But we pull together those folks. Not only am I confident of knowing who to contact, I am reasonably comfortable with what their response is going to be and what their readiness level is. So, that is what drills are all about. So definitely for part one. Part two is additional roles and responsibilities. Yes, I think that comes out of every exercise, is areas for improvement, action items, corrective action items, communication is always one that comes out in various channels that can always be improved, and we try to do that on an annual basis.

Chairman Carper. OK. Thanks. Mr. Chabinsky, I do not know if you have a comment here, but if you do in response to either questions, please feel free.

Mr. Chabinsky. I do appreciate the opportunity, Chairman Carper. From my time in government, I believe that the government actually is very well situated with specific discrete roles and responsibilities that it has communicated effectively to the private sector.
The National Cyber Investigative Joint Task Force, for example, that is led by the FBI but includes DHS and other agencies, has a clear responsibility for organizing the investigative approach to find out who the bad guy is and to try to bring that to an end. The Department of Homeland Security, both on the vulnerability mitigation side, has gone out to owners and operators and has provided on-the-ground assistance with mitigation efforts, and in the worst-case scenario, if FEMA were needed to be brought in under DHS for consequence management, I believe that those roles are actually quite well understood. The issue that I pointed out in my written testimony, though, is I think there really has not been a very effective coordination in the area of emerging threats, and one of those threats that I wanted to bring to the attention of this Committee is the emerging threat of purposeful interference. Whether it is GPS signals or just regular communications jamming that could impact first responders, that is an area where there is currently no centralized place for reporting information, no central analysis of data that is coming off of purposeful interference events, and law enforcement not at this moment coordinating its response with education and technologies that would be necessary to quickly isolate and identify from where the interference events are coming. So I think that there are certainly areas to extend public-private partnership specifically focused on emerging threats.

Chairman Carper. Good. Thank you. Mr. Johnson, if you could be fairly brief, I have other people waiting for me, so I do not want to cut you off, but just be brief, if you will. And David as well.

Mr. Johnson. What Mr. Chabinsky said.

[Laughter.]

Mr. Velazquez. The only thing I would add is we very much know who to turn to.
Our concern is more in a major event having too many different agencies turning to us, and the coordination and the clear roles defined so that we do not have the FBI, DOE, DHS, and three other agencies showing up on our doorsteps all wanting the same thing. And I think tremendous advances have been made, and the Grid-Ex exercise pointed out some of those advances, but also pointed out the need to continue to define those roles more clearly.

Chairman Carper. OK, great.

Mr. Johnson. I do think that the NCCIC provides an opportunity for collocation that can solve some of those problems as well. So that would be the comment that I would make, is try to find a way to really have security operations centers to effect the kind of trusted network you need to really have the proper level of response in a lot of instances.

Chairman Carper. All right. Thank you. Thanks for adding that. We are in your debt for a lot of reasons: one, for the good work that you have done and continue to do with your lives; we are in debt to you for being here today and preparing for this testimony and giving it and responding to Dr. Coburn's questions in writing. We will keep the record open for about 15 more days, until April 13 at 5 p.m., for the submission of statements and for questions for the record. If you get some questions, I would just ask that you respond to them promptly, and that will be much appreciated. Again, great to see you all, and thank you so much for being a part of this. I apologize you had to wait. Sometimes we have to vote on things over on the floor, and we had about four of them today, and so it disrupted our hearing. But thank you for going with the flow. Thanks, and with that we are adjourned.

[Whereupon, at 1:13 p.m., the Committee was adjourned.]

A P P E N D I X

----------

DATA BREACH ON THE RISE: PROTECTING PERSONAL INFORMATION FROM HARM

----------

WEDNESDAY, APRIL 2, 2014

U.S.
Senate, Committee on Homeland Security and Governmental Affairs, Washington, DC.

The Committee met, pursuant to notice, at 10:12 a.m., in room SD-342, Dirksen Senate Office Building, Hon. Thomas R. Carper, presiding.

Present: Senators Carper, Coburn, McCain, and Johnson.

OPENING STATEMENT OF CHAIRMAN CARPER

Chairman Carper. The hearing will come to order. I just want to say good morning, everyone. Thank you very much for joining us. For our first panel and for anyone on our second panel who is actually in the audience, thank you for coming, as well. To the audience, we are happy to see all of you. I really want to extend a warm welcome to Senator Blunt, with whom I have been working on data breach issues and some others for a while. We really appreciate his participation. He is one of those people who is always interesting. He is a glass-half-full guy. He is always looking to find the middle and to figure out how we can use some common sense and collaborate. Whenever I ask, Roy, whenever I ask people who have been married a long time, I ask them, what is the secret to being married, like, 50, 60, 70 years, and I get really hilarious answers. The best answer I ever got was two Cs, communicate and compromise. Communicate and compromise. And I would add a third C. The two Cs are also--communicate and compromise--the secret to a vibrant democracy. But if you add a third one, collaborate, I think that is the secret for us actually having some success with respect to data breach. Communicate, find principal compromises, collaborate, and the hearing today here is really designed to move us in that direction. Senator Blunt and I have introduced a bill, the same bill, actually, for the last couple of Congresses. Is it perfect? Probably not. Could it be improved?
Probably so, and what we want to do is work with the other sponsors of legislation in the Senate, and there are a number of them who have their own bills, other Committees with jurisdiction, and just work together and see if we cannot get something done, which is really what the American people sent us here to do. There is no doubt that technology has evolved rapidly, particularly over the last decade, and these advances will continue to grow exponentially in the coming years. Technology that 10 years ago could have been something out of a science fiction movie is now a part of our daily lives. In fact, I saw a science fiction movie last night starring Woody Allen, and I am trying to remember the name of it. It came on really late at night. I turned it on as my wife was getting ready for bed and she said, ``What is that?'' And I said, it is a Woody Allen movie. Does anybody in the audience remember the name of it? It is just a great--pardon? ``Sleeper''? Yes, I think maybe that is it. Oh, what a---- [Laughter.] But, anyway, some of the technology in that movie, it seemed pretty outrageous then, but today, it is coming true, with a sense of humor. But, as we embrace the latest technology both at home and in the workplace, there is little doubt that more of our sensitive personal information is at risk of being compromised. Whether it is stored in our electronic devices we use daily or on company servers, this data can be vulnerable to the threat. As the way we communicate and do business has evolved, so have the tactics used by criminals to steal our money and steal our personal information. And today, cyber criminals run sophisticated operations and are discovering how to manipulate computer networks and make off with troves of our personal data. These data breaches have become much more prevalent, with a new one seemingly reported almost every day. My wife now teaches at the University of Delaware and they had a breach last year. 
I think the State of Delaware--as an old Governor, I know the State Treasury had a breach in the last couple of years. I get these monthly reports from, I think it is Experian, telling me they are monitoring my accounts and personal data, and I was one of those people who had a credit card that we used at Target. We ultimately ended up getting a new credit card and replacing my old credit card just 3 months after I had gotten a new credit card, and I got the new credit card and it did not work. So, we know personally how it is not just inconvenience, but how this can damage our financial well-being and really cause a lot of distress. But data breaches can put our most valuable and personal information at risk, causing worry and confusion for millions of individuals and businesses. The impact of a data breach on the average American can be extremely inconvenient and sometimes results in serious financial harm. Data breaches can also be extremely expensive for banks and other entities to respond to and remediate, including to merchants. Although several high-profile retailers have recently come face to face with data breaches, they are not the only victims of these cyber intrusions. Hackers are targeting all types of organizations that people trust to protect their information, from popular social media platforms to major research universities, including the University of Delaware. The pervasiveness of these incidents highlights the need for us to find reasonable solutions to prevent attacks and protect consumers and businesses if a breach occurs. We will hear in the testimony today that many retailers, financial institutions, payment processors, and the groups representing them are coming together to find common sense solutions that the private sector can undertake proactively without the help of Congress. These are groups which oftentimes find themselves on different sides of this issue.
I recognize, though, that there are many existing areas where Congress can and should play a constructive role. An important area where Congress can play a constructive role is answering the call for implementing a uniform national notification standard for when a data breach occurs. Currently, when a breach happens, notification occurs under a patchwork quilt, as we know, of 46 separate State laws. While some of these laws have common elements, creating a strong uniform national standard will allow consumers to know the rules of the road and allow business to invest the money saved from compliance into important upgrades and protections. That is why I joined Senator Blunt to introduce our Data Security Act of 2014. We think this common sense legislation, along with other good legislation that has been introduced, as I mentioned earlier, would require a national standard for entities that collect sensitive personal information. It would require these entities to enact a cohesive plan for preventing and responding to data breaches, plans that would detail steps that will be taken to protect information, investigate breaches, and notify consumers (PIN). I will say those three things again: Protect information, investigate breaches, and notify consumers. Most importantly, these plans would provide consistency throughout the Nation and allow consumers to have a greater level of confidence that their information will be protected and they will be notified if a breach occurs, despite whatever protective measures have been put into place. We are never going to be able to prevent every breach, I know that. We all know that. But we owe it to our consumers, we owe it to our taxpayers, we owe it to businesses and other entities that have been and will be victims of breaches to put into place the best system possible to grow with this growing threat. 
We look forward to hearing from our witnesses today who are leading the voices on cybersecurity and data breach in both government and the private sector. I am sure that your insights will be valuable as we continue our efforts to fix this problem, and I am encouraged that a number of our colleagues share our interest in advancing our efforts to address data breaches. I hope we can raise the 80/20 rule. The 80/20 rule, to our visitors here, a guy named Mike Enzi, a very good guy, a Senator from Wyoming, has this 80/20 rule. And I once asked him how he and Ted Kennedy got so much done when they took turns leading the Health, Education, Labor, and Pension Committee and he said, ``Well, Ted and I subscribe to the 80/20 rule.'' And I said, what is that? He said, ``Ted and I agree on 80 percent of the stuff. We disagree on 20 percent of the stuff. And what we do is just focus on the 80 percent where we agree and we set the 20 percent aside to another day,'' and I think that is what we need to do here. I hope we will keep that in mind as we go forward, is focus on that 80 percent where we can agree. I think it is in everyone's interest to ensure that we minimize the occurrence and impacts of data breaches, and I am sure you agree. I am happy to turn to Dr. Coburn and then to Senator Blunt for any comments that they would like to make.

Senator Coburn. Let me defer to Senator Blunt and then I will follow up.

Chairman Carper. Senator Blunt, welcome aboard.

OPENING STATEMENT OF THE HONORABLE ROY BLUNT, U.S. SENATE

Senator Blunt. Well, thank you.

Chairman Carper. A former Secretary of State, I just learned today.

Senator Blunt. As we were talking about that, both you and I, as former Statewide elected officials, have a predisposition to think that many of these things are handled better at the State and local level and that should be where we look first.
I have a prepared statement\1\ I am going to leave, but I would like to say, first of all, this is an issue that has been around longer than it should have been around. You and I introduced legislation over 2 years ago, but it got a lot more attention after what happened at the end of last year and the beginning of this year.

---------------------------------------------------------------------------
\1\ The prepared statement of Senator Blunt appears in the Appendix on page 220.
---------------------------------------------------------------------------

But, I am persuaded on this topic that we cannot expect people to successfully comply with 49 different standards, and I think that is where we are now, 46 States and another three standards in Territories and other places that you have to comply with. That is an unreasonable thing to do and it is probably an impossible thing to do successfully every time you need to do it. The other thing I would see as a hallmark of whatever we do would be that the Congress cannot be too prescriptive in how we secure this important information. I am absolutely confident that the hackers and the criminals will be more nimble than the Congress, and if you put the code in the law, you just tell them the code that has to be broken and then you have to change the law before somebody can protect themselves adequately against the code itself. So, I would think those two things are principal goals that we should try to achieve. As Senator Carper says, there are a number of different people talking about this, and different Committees of jurisdiction. Some of you were at the Commerce Committee just the other day to talk about this same topic. But we need to move beyond talking about this to finding the solution, and I think it is really pretty simple.
If a financial institution, retailer, or a Federal agency determines that sensitive information was or may have been compromised, the bill that Senator Carper and I have proposed would simply require them to investigate the scope of the breach and determine whether the information will likely be used to cause harm or fraud, and then if the answer is yes, to notify law enforcement, to notify appropriate Federal agencies, consumer reporting agencies, and the consumers themselves. There is clearly some discussion in the many discussions we have had on this about what level of breach has to be reached before you have to notify, and we are willing to have lots of input on what that number should be. I think the bill calls for one number, but that is probably not the perfect number, and frankly, whatever number we agree on probably will not be the perfect number. But, 49 different compliance regimens, an area that has driven us from one of the most secure places to do business and commerce as individuals in the world to way higher on the list of less secure than we would like to be is something that the Congress should be able to figure out a solution to. Senator Toomey has a bill that could very well be, many elements of it, added to the bill that Senator Carper and I have proposed now for two different Congresses. I look forward to this Committee playing a real leadership role in working toward a conclusion. Surely, we have talked about this long enough and now it is time to find that solution. I am sitting here wondering if actually Senator Carper and Senator Coburn agree on 80 percent of everything, but they agree on some percent of everything and they will be the ones to figure out what percent that is, and hopefully, we can work together and get this done. Thank you for letting me come by this morning.

Chairman Carper. We are delighted that you are here. Thanks so much. Dr. Coburn and I agree on about 78 percent of everything.

[Laughter.]

We are closing in on 80.
Senator Coburn. Point-six-six-seven.

[Laughter.]

Senator Blunt. Point-eight percent.

OPENING STATEMENT OF SENATOR COBURN

Senator Coburn. Well, thank you, Senator Blunt and Senator Carper. I would note, this is the fourth hearing on data breach in the Senate this year. And although it is an important topic, we are talking about vulnerability mitigation instead of deterrence. This Committee has had lots of testimony that we are going in the wrong direction. There is no question, I agree that we need to have some type of uniform set of standards, and I am not opposed to that. What I am opposed to is to not recognize the legitimate exposure that businesses see and why it would be in their own best interest to make sure they do not have data breaches, and I think all of them are looking at that now. I also understand that when you spend money for vulnerability mitigation, it does not increase sales. It does not produce new products. It does not do anything to add to the bottom line. It reduces the bottom line. But, it is a necessary expenditure, just like water and heat and light and other areas. There is no question that we have seen some serious problems in terms of data breach, but what we are not talking about today are the data breaches in the Federal Government. And to me, it is ironic that we can, as a Congress, sit and tell people, here are the rules, and we cannot even manage our own backyard in terms of data breaches. And I will not go into it. I will put my whole statement into the record.\1\

---------------------------------------------------------------------------
\1\ The prepared statement of Senator Coburn appears in the Appendix on page 217.
---------------------------------------------------------------------------

But I think one of the important things is that we ought to be setting a good example on our own cyber within the government, and the multitude of breaches that have occurred in the Federal Government's networks would say that we are not doing that. And so we do not speak with authority on this subject until we have a track record that we, in fact, ourselves have accomplished what is necessary on our own responsibilities. I am happy that Mr. Wilshusen is here today from the Government Accountability Office (GAO), who can really talk about what these issues are within the Federal Government and also some discussion on the EINSTEIN program, on which the Inspector General (IG) released a report just this last week. It is poorly managed and is not meeting milestones, and actually does not have the milestones and the management capabilities to get where they need to with that. Although I am a supporter of that effort, we lack that. So, I look forward to our witnesses. I will have to leave for a period of time, but I am appreciative of the openness to talk about the whole area of data breaches, not just in the private sector. Thank you.

Chairman Carper. Thank you, Tom. I am going to just offer a brief introduction for each of our witnesses and then turn it over to you. Our first witness is Edith Ramirez, Chairwoman of the Federal Trade Commission (FTC). In this capacity, she aims to prevent business practices that are anti-competitive or deceptive to consumers and enhance consumer choice and public understanding of the competitive process. Prior to joining the Commission, Ms. Ramirez was a partner in a Los Angeles law firm where she handled a broad range of complex business litigation, successfully representing clients in intellectual property, antitrust, unfair competition, and Lanham Act matters. What law firm was that?

Ms. Ramirez. Quinn Emanuel.

Chairman Carper.
And how long were you with them?

Ms. Ramirez. For 13 years.

Chairman Carper. OK. Our second witness is William Noonan. Mr. Noonan, nice to see you. He is Deputy Special Agent in Charge of the Secret Service Criminal Investigative Division, Cyber Operations. Throughout his career at the Secret Service, he has focused on both protective and investigative missions of the agency. In his current position, he oversees the Secret Service's cyber portfolio. Mr. Noonan has over 20 years of Federal Government experience, and throughout his career, he has initiated and managed high-profile transnational fraud investigations involving network intrusions and theft of data information and intellectual property. Thank you for joining us. Our final witness is Greg Wilshusen, Director of Information Security Issues at GAO, where he leads cybersecurity and privacy-related studies and audits of the Federal Government and critical infrastructure. We have not seen you for almost a week, so it is nice you have come back. We are going to have to start paying you per visit. That would break the bank. Mr. Wilshusen has over 30 years of auditing, financial management, and information systems experience and has held a variety of public and private sector positions. He is a Certified Public Accountant, Certified Internal Auditor, and a Certified Information Systems Auditor. We thank all of you for joining us today. Your testimonies will be made part of the record. Feel free to summarize, and we will get started. I am not aware of any votes that are scheduled. Tom, are you? Ron? OK. So, I think we are good to go. Ms. Ramirez, please proceed.

TESTIMONY OF HON. EDITH RAMIREZ,\1\ CHAIRWOMAN, FEDERAL TRADE COMMISSION

Ms. Ramirez. Chairman Carper, Ranking Member Coburn, and Members of the Committee, thank you for the opportunity to appear before you to discuss the FTC's Data Security Enforcement Program.
I am pleased to be testifying with my colleagues from the Secret Service and the Government Accountability Office.

---------------------------------------------------------------------------
\1\ The prepared statement of Ms. Ramirez appears in the Appendix on page 227.
---------------------------------------------------------------------------

As this Committee is well aware, consumers' data is at risk. Recent well-publicized breaches at major retailers remind us that consumer data is susceptible to compromise by those who seek to exploit security vulnerabilities. This takes place against the background of the threat of identity theft, which has been the FTC's top consumer complaint for the last 14 years. The Commission is here today to reiterate its bipartisan and unanimous call for Federal data security legislation. Never has the need for such legislation been greater. With reports of data breaches on the rise, Congress needs to act, and I would like to thank you, Chairman Carper, for your longstanding attention to the issue of data security. The FTC supports Federal legislation that would strengthen existing data security tools and require companies, in appropriate circumstances, to provide notification to consumers when there is a security breach. Reasonable security practices are critical to preventing data breaches and protecting consumers from identity theft and other harm. And, when breaches do occur, notifying consumers helps them protect themselves from any harm that is likely to be caused by the misuse of their data. Legislation should give the FTC authority to seek civil penalties where warranted to help ensure that FTC actions have an appropriate deterrent effect.
In addition, enabling the FTC to bring cases against nonprofits, such as universities and health systems, which have reported a substantial number of breaches, would help ensure that whenever personal information is collected from consumers, entities that maintain such data adequately protect it. Finally, Administrative Procedure Act (APA) rulemaking authority, like that used in the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM), would allow the Commission to ensure that as technology changes and the risks from the use of certain types of information evolve, companies would be required to give adequate protection to such data. For example, whereas a decade ago, it would have been difficult and expensive for a company to track an individual's precise location, smartphones have made this information readily available. And in recent years, the growing problem of child identity theft has brought to light that Social Security numbers alone can be combined with another person's information to steal an identity. Using its existing authority, the FTC has settled 52 civil actions against companies that we alleged put consumer data at risk. In all these cases, the touchstone of the Commission's approach has been reasonableness. A company's data security measures must be reasonable in light of the sensitivity and volume of consumer information it holds, the size and complexity of its data operations, and the cost of available tools to improve security and reduce vulnerabilities. The Commission has made clear that it does not require perfect security, and the fact that a breach occurred does not mean that a company has violated the law. A number of the breaches that have prompted FTC civil enforcement action have also led to investigation and enforcement by criminal authorities. 
For example, in 2008, the FTC settled allegations that security deficiencies of retailer TJX permitted hackers to obtain information about tens of millions of credit and debit cards. At the same time, the Department of Justice (DOJ) successfully prosecuted a hacker behind the TJX and other breaches. As the TJX case illustrates, the FTC and criminal authorities share complementary goals. FTC actions help ensure, on the front end, that businesses do not put their consumers' data at unnecessary risk, while criminal enforcers help ensure that cyber criminals are caught and punished. This dual approach to data security leverages government resources and best serves the interests of consumers, and to that end, the FTC, the Justice Department, and the Secret Service have worked to coordinate our respective data security investigations. The TJX case is also a good illustration of the Commission's approach to data security enforcement. In our case against TJX, the FTC alleged a failure to implement basic, fundamental safeguards with respect to consumer data. More specifically, the Commission alleged that the company engaged in a number of practices that, taken together, were unreasonable, such as allowing network administrators to use weak passwords, failing to limit wireless access to in-store networks, not using firewalls to isolate computers processing cardholder data from the Internet, and not having procedures to detect and prevent unauthorized access to its networks. In addition to the Commission's enforcement work, the FTC offers guidance to consumers and businesses. For those consumers affected by recent breaches, the FTC has posted information online about steps they should take to protect themselves. These materials are in addition to the large stable of other FTC resources we have for ID theft victims. We also engage in extensive policy initiatives on privacy and data security issues. 
In closing, I want to thank the Committee for holding this hearing and for the opportunity to provide the Commission's views. Data security is among the Commission's highest priorities, and we look forward to working with Congress on this critical issue. Thank you.

Chairman Carper. Ms. Ramirez, thank you so much for that testimony. Mr. Noonan, welcome. Please proceed.

TESTIMONY OF WILLIAM NOONAN,\1\ DEPUTY SPECIAL AGENT IN CHARGE, CRIMINAL INVESTIGATIVE DIVISION, CYBER OPERATIONS BRANCH, U.S. SECRET SERVICE, U.S. DEPARTMENT OF HOMELAND SECURITY

Mr. Noonan. Thank you, sir. Good morning, Chairman Carper, Ranking Member Coburn, and distinguished Members of the Committee. Thank you for the opportunity to testify on behalf of the Department of Homeland Security (DHS) regarding the ongoing trend of criminals exploiting cyberspace to obtain sensitive financial and identity information as part of a complex criminal scheme to defraud our Nation's payment systems.

---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Noonan appears in the Appendix on page 239.
---------------------------------------------------------------------------

Our modern financial system depends heavily on information technology (IT) for convenience and efficiency. Accordingly, criminals, motivated by greed, have adapted their methods and are increasingly using cyberspace to exploit our Nation's financial payment systems to engage in fraud and other illicit activities. The widely reported payment card data breaches of Target, Neiman Marcus, White Lodging, and other retailers are just recent examples of this trend. The Secret Service is investigating these recent data breaches and we are confident we will bring the criminals responsible to justice.
This year is the 30th anniversary of when Congress first defined as specific Federal crimes both unauthorized access to computers and access device fraud, while explicitly assigning the Secret Service authority to investigate these crimes. Over the past three decades, the Secret Service has continuously innovated in how we investigate these crimes and defeat the criminal organizations responsible for major data breaches. In support of the Department of Homeland Security's missions to safeguard cyberspace, the Secret Service has developed a unique record of successes investigating cyber crime through the efforts of our highly trained special agents and the work of our growing network of 35 Electronic Crimes Task Forces, which Congress in 2001 assigned the mission of preventing, detecting, and investigating various forms of electronic crimes, including potential terrorist attacks against critical infrastructure and financial payment systems. As a result of our cyber crime investigations, over the past 4 years, the Secret Service has arrested nearly 5,000 cyber criminals. In total, these criminals were responsible for over a billion dollars in fraud losses, and we estimate investigations prevented over $11 billion in fraud losses. Data breaches like the recently reported occurrences are just one part of the complex criminal scheme executed by organized cyber crime. These criminal groups are using increasingly sophisticated technology to conduct a criminal conspiracy consisting of five parts. One, gaining unauthorized access to computer systems carrying valuable protected information. Two, deploying specialized malware to capture and exfiltrate this data. Three, distributing or selling this sensitive data to their criminal associates. Four, engaging in sophisticated distributed frauds using the sensitive information obtained. And, five, laundering the proceeds of this illicit activity. 
All five of these activities are criminal violations in and of themselves, and when conducted by sophisticated transnational networks of cyber criminals, this scheme has yielded hundreds of millions of dollars in illicit proceeds. The Secret Service is committed to protecting our Nation from this threat. We disrupt every step of their five-part criminal scheme through proactive criminal investigations and defeat these transnational cyber criminals through coordinated arrests and seizure of assets. Foundational to these efforts are our private industry partners as well as the close partnerships that we have with the State, local, Federal, and international law enforcement. As a result of these partnerships, we are able to prevent many cyber crimes by sharing criminal intelligence regarding the plans of cyber criminals and by working with victim companies and financial institutions to minimize financial losses. Through our Department's National Cybersecurity and Communications Integration Center (NCCIC), the Secret Service also quickly shares technical cybersecurity information while protecting civil rights and civil liberties in order to enable other organizations to reduce their cyber risks by mitigating technical vulnerabilities. We also partner with the private sector and academia to research cyber threats and publish the information on cyber crime trends through reports like the Carnegie Mellon CERT Insider Threat Study, the Verizon Data Breach Investigations Report, and the Trustwave Global Security Report. The Secret Service has a long history of protecting our Nation's financial system from threats. In 1865, the threat we were founded to address was that of counterfeit currency. As our financial payment system has evolved, from paper to plastic to now digital information, so, too, has our investigative mission. The Secret Service is committed to continuing to protect our Nation's financial system, even as criminals increasingly exploit it through cyberspace. 
Through the dedicated efforts of our special agents, our Electronic Crimes Task Forces, and by working in close partnership with the Department of Justice, in particular, the Computer Crimes, Intellectual Property Section, and local U.S. Attorney's Offices, the Secret Service will continue to bring cyber criminals that perpetrate major data breaches to justice. Thank you for the opportunity to testify on this important topic, and we look forward to your questions.

Chairman Carper. Thank you so much. I enjoyed meeting with you last week and learned a lot from that conversation, and I am sure we will learn a lot more here today. Thanks. Mr. Wilshusen, welcome aboard.

TESTIMONY OF GREGORY C. WILSHUSEN,\1\ DIRECTOR, INFORMATION SECURITY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE

Mr. Wilshusen. Thank you. Chairman Carper, Ranking Member Dr. Coburn, and Members of the Committee, thank you for the opportunity to testify at today's hearing on data breaches. My testimony today will address Federal efforts to protect its information and to respond to data breaches that occur.

---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Wilshusen appears in the Appendix on page 250.
---------------------------------------------------------------------------

Before I begin, if I may, I would like to recognize several members of my team, including John de Ferrari and Jeff Knott, who are sitting behind me, and Larry Crosland and Marisol Cruz, who conducted the work underpinning my testimony today.

Chairman Carper. Would they raise their hands, please? Thank you.

Mr. Wilshusen. In addition, Lee McCracken was instrumental in crafting my written statement. Mr. Chairman, as you know, the Federal Government collects and retains large volumes of sensitive information, including personal information on American citizens.
The loss or unauthorized disclosure or alteration of this information can lead to serious consequences and substantial harm to individuals, as well as the Nation. Over the past 4 years, the number of information security incidents reported by Federal agencies involving personal information has more than doubled, to 25,566 in fiscal year (FY) 2013. Agencies continue to face challenges in securing their information. They have had mixed results in addressing the eight components of an agency-wide information security program called for by law, and most of the 24 agencies covered by the Chief Financial Officers Act have had weaknesses in implementing key security controls. In fiscal year 2013, for example, 18 of the 24 agencies reported a significant deficiency or material weakness in information security controls for financial reporting purposes. IGs at 21 agencies cited information security as a major management challenge for their agency. And GAO once again designated Federal information security as a Governmentwide High-Risk Area. Mr. Chairman, even when agencies have implemented effective information security programs, data breaches can still occur, so it is imperative that agencies respond appropriately. At the request of this Committee, we issued a report in December on agency responses to breaches of personally identifiable information (PII). We determined that agencies included in our review had generally developed policies and procedures for responding to data breaches and had implemented key preparatory practices that should be performed in advance of specific incidents, and these include establishing a Data Breach Response Team to oversee response activities and training employees on the roles and responsibility for breach response. However, agencies' implementation of key operational practices that should be performed in response to specific incidents was inconsistent. 
Although all the agencies reviewed had prepared and submitted reports of incidents to appropriate authorities, they did not consistently implement other key response practices. For example, of the seven agencies we reviewed, only the Internal Revenue Service (IRS) consistently assigned a risk level for each data breach reviewed and documented how that level was determined. The seven agencies documented the number of individuals affected by a breach in only 46 percent of the 363 incidents we reviewed. And only the Army and Securities and Exchange Commission (SEC) notified all affected individuals for each breach determined to be high-risk. In total, individuals were not notified in about 22 percent of the high-risk incidents. The seven agencies also did not consistently offer credit monitoring to individuals affected by PII-related breaches, and none of the agencies consistently document lessons learned from data breaches, including corrective actions to prevent or detect similar incidents in the future.

We also reported that the Office of Management and Budget (OMB) requirement for agencies to individually report each PII-related incident involving paper-based information or the loss of hardware with encrypted data to U.S. Computer Emergency Readiness Team (US-CERT) within 1 hour of discovery added little value beyond what could be achieved by periodic consolidated reporting. We recommended that OMB revise its reporting requirements and update its guidance to improve the consistency and effectiveness of agency data breach response programs. We also made 22 recommendations to agencies to improve their data breach response practices.

At the request of this Committee, we also studied Federal agencies' ability to respond to cyber incidents. We determined the extent to which Federal agencies are effectively responding to cyber incidents once they have been detected and the extent to which DHS is providing assistance to agencies.
We plan to issue our report later this spring. Chairman Carper, Dr. Coburn, and Members of the Committee, this concludes my statement. I would be happy to answer any questions.

Chairman Carper. Greg, thanks so much for joining us again this week. You have mentioned and Dr. Coburn has mentioned the ability of the Federal Government to protect its own sensitive information. There is an old law called the Federal Information and Security Management Act which needs desperately to be updated. One of the things--Dr. Coburn is threatening to leave us at the end of this year, as you may know, and one of the things I am very hopeful that we will be able to do is update that legislation. We are working on it, our staffs are working on it, and we appreciate very much your help in doing that. I think it was Abraham Lincoln who once said the role of government is to do for the people what they cannot do for themselves. With that thought in mind, what I really hope we can accomplish here today--I do not want to have a hearing just to have another hearing on data breach. We have all these different ideas, legislation from good people, Democrats, Republicans, and we have to get on the same page. We have to stop talking past each other. And, I think as the retailers, as the card issuers, as the card processors are coming together, creating their own coalition to look for ways to collaborate, that, I think, helps us to better figure out what we need to do and to guide us. But, here is what I am going to ask this panel, each of you, and I am going to ask the second panel, as well, is what does the Congress need to do? And to the extent that we can find some concurrence on that question, that would be hugely helpful. What do we need to do? Let me just start off with Chairwoman Ramirez, please. What does the Congress need to do? And maybe the second half of my question is, what do we need not to do?

Ms. Ramirez. Let me focus on the first question that you posed, which I think is the central question to ask today. From our perspective at the Federal Trade Commission, we think that it is absolutely time for Congress to enact comprehensive Federal legislation in this area, setting robust standards and data breach notification requirements. And specifically, what we ask is that this legislation provide civil penalty authority to the FTC to augment our existing work in this arena and to ensure that there is appropriate deterrence and that companies invest appropriately and institute reasonable security measures to protect consumer information. We also think it is important for any legislation to give the FTC APA rulemaking authority, which----

Chairman Carper. I am sorry. APA----

Ms. Ramirez. Administrative Procedure Act. This would enable us to make rules to implement any legislation, and the reason that we think it is so necessary to have this authority is that it is really critical that we be provided the tools so that any legislation can be adapted to changing and evolving technology. And I mentioned in my opening statement today, geolocation information is readily available. A decade ago, that certainly was not the case, and we need to be able to adapt to changing times, both to be able to, if necessary, redefine what constitutes personal information, but then also, perhaps, to lift any requirements that may no longer be necessary, given the evolution of technology. And then, finally, we also ask that we be provided jurisdiction over nonprofits, which we currently lack. Today, we also know that university systems and nonprofit hospitals that are currently outside of our jurisdiction also have suffered breaches and we think it is important that the FTC have authority in this area.

Chairman Carper. OK. Thanks. Mr. Noonan, if you and Mr. Wilshusen--feel free to react to what Ms. Ramirez has said, points that you agree with, maybe those that you do not.
But again, the idea is for us to better understand today what the Congress needs to do and what we do not need to do and looking for consensus here. If we can find some of that, that would be great.

Mr. Noonan. I think, generally, the consensus that I have is that we do need to establish a national bill where disclosure is made. Important to the Secret Service, and, I think, to the country, is there should be a piece there where there is notification or disclosure of data breaches to law enforcement with jurisdiction. Law enforcement plays a critical role in data breach investigations, both in law enforcement going after the criminal piece as a deterrent, but also as an information sharing piece, what we learn out of these data breaches and then how we are able to take that information and share it back with critical infrastructure. So, I think that is a critical piece of any national legislation that should potentially go forward, as well as increasing the penalties for these types of activities. If Congress were to increase the penalties of 18 USC 1030, potentially, that would act as a deterrent for criminals from coming into protected computer systems, as well as having 1030 act as a predicate offense to Racketeering and Organized Crime standards, so we can get higher-level prosecution. So, in our exposure and in what we have learned, too, is that the higher the level of penalties, the higher the level of cooperation sometimes is amongst some of the people that we bring to justice, and they are able to share information back with the government so we can prevent further acts from occurring.

Chairman Carper. OK. Mr. Wilshusen, same question, please.

Mr. Wilshusen. I would say one thing that Congress can do is to look at the Federal Information Security Management Act (FISMA) reform within the Federal space. As you know, FISMA gives OMB several responsibilities for overseeing and assisting agencies in their implementation of information security controls.
OMB has delegated or transferred many of those responsibilities to the Department of Homeland Security, and so clarifying the roles and responsibilities of those two organizations for overseeing information security within the Federal space could be very helpful. I also think, that this Committee and others should continue to provide the oversight necessary within the Federal space and to assure that proper attention is given to protecting information security, not only within the Federal Government, but also in its interactions with critical infrastructure protection and other roles in helping our citizens protect information that they also have out on the Web and Internet. One thing Congress should not do is to turn a blind eye. Keep attention focused on this area.

Chairman Carper. OK. Thanks very much. Senator McCain, welcome.

OPENING STATEMENT OF SENATOR MCCAIN

Senator McCain. Well, thank you, Mr. Chairman. Ms. Ramirez, so that people and perhaps Members of Congress can understand better what is going on here, let us talk a little bit about the data breach at Target Corporation. Apparently, there was some Russian input into it, or there may have been that there was Russian language or something like that into what we were able to ascertain about these hackers, is that right?

Ms. Ramirez. Senator, let me just emphasize, the FTC focuses on the civil law side of this, and on the front end. And this is an investigation that Target has confirmed that the FTC is looking at it. I cannot comment on any pending investigation----

Senator McCain. Mr. Noonan, can you comment? It is in the public record, I mean. It is not a secret. Is there----

Chairman Carper. Can I just interject something, John? Mr. Noonan came and met with us in my office last week. He gave a great explanation of what happened at Target that even I could understand, and----

Senator McCain. Go ahead.
And I am also interested in the financial loss there so that people can understand better the magnitude of this breach, which is symptomatic of many others. Go ahead, Mr. Noonan.

Mr. Noonan. Sure, sir. I just want to kind of crosswalk you across these data breaches, these major data breaches, exactly how these intrusions occur and the nationality that we are talking about. These are transnational organized criminals. To say that it is one country that these people are from, it would be inaccurate if I told you that. I would like to say that----

Senator McCain. But there are some allegations that some of this has come from Russian sources.

Mr. Noonan. So, a majority of these people that are attacking these systems are from Eastern Europe. They use the Russian language as a means to be able to communicate in----

Senator McCain. I got you.

Mr. Noonan [continuing]. As an operations security (OPSEC), if you will, to keep domestic law enforcement out of their wares. So, the way it works it is not one criminal, it is not one criminal group, it is a loosely affiliated group. So, there are people out there that are gaining access to computer systems and they are potentially selling access on criminal undergrounds to one another. There are other people that are developing malware and that malware is then used by another person or another group that may insert that malware into the compromised system. There are other pieces of the organization that will test that malware to make sure that that malware is not susceptible to our antivirus means that are out there to stop this. You have to understand, these people are motivated by greed. So, when they go into a system, they have to be quiet. They cannot be found or discovered. Otherwise, they are not going to achieve their goal, and that is to exfiltrate out the data which they can sell.
Exfiltrate, in the cases of a lot of the data breaches that are in the media right now, are related to payment cards, but that is just not what they are after. They are after whatever it is that they can monetize. So, I think that we have brought up the fact that personally identifiable information, is a piece that can be monetized and such. So, in the underground, once that data is exfiltrated out, there is a criminal underground that works on vending that data. So, they sell to other criminals across the world who then use that for their personal gain. And then there is a money laundering system where the money flow goes back, and when we talk about money flow, we are not talking about currencies. We are talking about digital currencies on how the money is moved back, where it is not traceable. It is very difficult for law enforcement to trace the movement of that money where it is not regulated. So, that is the type of criminal organizations we are talking about----

Senator McCain. So, in the case of Target, how much money are we talking about?

Mr. Noonan. We are not at the point in our investigation where we can lock down a dollar amount, but we believe it is probably going to be several million dollars were at risk.

Senator McCain. And no matter who is responsible, eventually, that cost is passed on to the consumer, and Target is just one of many, perhaps one of the more visible, but Neiman Marcus and others, this has happened. And there is no reason to believe this is going to stop, would you agree?

Mr. Noonan. I believe that with the assistance of law enforcement, we are moving toward getting certain individuals to be able to stop this action as a deterrent. I would hope that we would be able to bring these criminals to justice.
So, I think it is a long string, a long history of attacks that have occurred, and I think what our--and to your point, wherever we raise the fence, I think these criminals, because of their motivation, will always be looking for the edge of the fence. So, there is no silver bullet that is going to be able to take care of the problem.

Senator McCain. And you would, as you have already stated, Ms. Ramirez, that different State laws obviously does not get it, that there needs to be Federal legislation.

Ms. Ramirez. State laws only address the breach notification aspect of this, so I think there does need to be a Federal standard. And based on our own experience and what we look at, which is the measures that companies have in place, it is clear that companies are not investing adequately in the area of data security and that more needs to be done.

Senator McCain. Mr. Wilshusen, you stated in your testimony that in a 2013 GAO report, GAO made 22 recommendations to Federal agencies which aim to improve data breach response activities. How are these agencies responding to those recommendations?

Mr. Wilshusen. Well, we made recommendations to nine agencies. Four of them agreed and concurred with all the recommendations that we made. Three neither concurred or non-concurred. And we had two that agreed with one of our recommendations each to them, but disagreed, non-concurred, with the other recommendations we made to them.

Senator McCain. Mr. Chairman, we ought to find out the reason why several of these agencies did not concur. They may have had some reason that I cannot detect, but this GAO report, I think, were common sense addressing some of these issues. So, you have not seen the kind of compliance or implementation of your recommendations that you think are adequate?

Mr. Wilshusen. We just made the recommendations back in December.
In the responses, six of the agencies indicated some of the actions that they were taking to implement our recommendations, and we will followup over the course of the year, and we will do so annually, to assess the status of their corrective actions in implementing our recommendations.

Senator McCain. When do we expect to hear from you next?

Mr. Wilshusen. Whenever you invite me.

Senator McCain. I mean, as far as the assessment is concerned.

Mr. Wilshusen. That would be later this year.

Senator McCain. Like----

Mr. Wilshusen. Toward the end of the year, when we will check to see if--the first time we will hear something back from them will be in their 60-day letter to us on the status of their actions and final determinations of concurrence with our recommendations.

Senator McCain. Thank you, Mr. Chairman.

Chairman Carper. Dr. Coburn.

Senator Coburn. Chairwoman Ramirez, in your oral testimony, you talked about civil penalties creating the deterrence effect. You were talking about a deterrence for businesses to be compliant with what they need to be. The deterrence I am talking about is what Mr. Noonan--so, of the 52 cases that you had authority in, and one of your statements is that you needed greater authority to hold them. Of those 52 cases, in how many were the perpetrators prosecuted?

Ms. Ramirez. Senator, I am going to need to get back to you with a particular figure, but what I can tell you is that we work very closely with the criminal authorities. We coordinate with Mr. Noonan and his team on a number of different matters. So, even though we focus on what we call the front end, the way businesses are implementing data security measures, we do, of course, understand it is absolutely critical that criminal law enforcers go after----

Senator Coburn. Well, that is the real answer, because as soon as--here is the problem.
When it is all regulatory authority to make compliance versus punishing the people who are violating the compliance, in other words, the people who are probing the networks, we are never going to get ahead of this. And we have had very strong testimony before this Committee that if you focus on mitigation vulnerabilities, mitigating the vulnerabilities in your network, and you do not put 60 to 70 percent of your time in terms of prosecuting the mal-actors, we are never going to win this battle. We can have the strongest networks in the world and there is always going to be somebody who goes after it. So, if we create the expectation in this country that if you are violating a network, you are going to get hammered, what we are going to do is markedly increase not only the events that happen, but the costs associated with protecting networks. And so I think it is really important that we look at that, and it bothers me a little bit, even though you say you work with them, the point is, you need to have a balanced approach. It needs to be both. It cannot just be businesses comply with this regulatory regime and you are fine, because we will never stop it.

Ms. Ramirez. Senator, if I may, just so that I can clarify this point, my view is that this is a very complex problem that requires multiple prongs. At the FTC, we only have certain authority. We have civil law authority and our authority goes to the businesses that put data security measures in place. We think there is under-investment in that arena and that needs to be addressed. But, absolutely, all the points that you raise are absolutely valid, and we do collaborate with the other agencies that have another part to play in this arena.

Senator Coburn. One other question. Of the 52 cases where you had the authority to work, how many other cases have you had greater authority? Where were you limited by not having additional authority?
Can you name examples of places where you saw a problem but you did not see the authority to get the problem corrected?

Ms. Ramirez. Well, the additional authority that we seek is very targeted. So we are asking for civil penalty authority, because today, we do not have, under our Section 5 authority, we do not have the ability to impose penalties, and we do think that it is necessary to have greater deterrence in this arena. We are also asking for----

Senator Coburn. Well, you really mean compliance. You do not mean deterrence. Deterrence is going after the bad actors. Compliance is what you really----

Ms. Ramirez. Well, we----

Senator Coburn. Is that right?

Ms. Ramirez. No. We view deterrence also in terms of companies providing reasonable security measures and providing adequate protection to consumers.

Senator Coburn. OK. Mr. Noonan, I am proud of the work that you all do and appreciate all of you being here. One of the other things that we had in our testimony was that we have very few Federal Bureau of Investigation (FBI) agents with which you can work that cooperate overseas on investigating. Do you see that as a problem as you all work these cases?

Mr. Noonan. To have the number of agents that are overseas in our overseas offices?

Senator Coburn. Well, not just your agents, but also FBI agents. Do you not work in conjunction with FBI on a lot of this stuff?

Mr. Noonan. Yes, sir. So, we do coordinate with the FBI on a lot of these cases.

Senator Coburn. But the testimony was there is really a slim number of those people with which to work. Do you see that as a problem as you try to execute prosecution and investigation on these cases? Do you see a lack of resources, as far as coming from the FBI, coordinating with you, with our partners overseas as we try to prosecute these events?

Mr. Noonan. What I see is that we, together, have a unique history of bringing cyber criminals to justice.
What I do think is that our relationship building is probably the most critical piece that we in Federal law enforcement have overseas. We do not have jurisdiction to really work in these overseas environments, but I think in Federal law enforcement, it is based on the relationship building and our efforts of coordinating with Federal--with other international law enforcement. So, as far as the numbers of people, could we always have more to assist in building that liaison and building on that coordination? Absolutely. But, I think it is based on our efforts, the Secret Service efforts, in our international offices and our working groups in developing those relationships with those international partners that is aiding us in bringing those different criminal actors in Eastern Europe to justice here domestically. We have a great---- Senator Coburn. I understand that, but here is what I am trying to get at. Mr. Chabinsky testified last week, Steve Chabinsky, that we have few FBI agents working overseas to try to coordinate to help you do that. And my question is, do you see that as a problem or not a problem? Do you dispute his testimony? Mr. Noonan. No, I would not dispute the Director's testimony. Senator Coburn. So, we do need more resources on the FBI to coordinate with you, with our partners overseas? Mr. Noonan. I think with all of Federal law enforcement, we would--and not just necessarily the FBI, but also with the Secret Service in our international capacities over in the international footprint, as well. Senator Coburn. OK. Mr. Wilshusen, would you clarify. Twenty-five-thousand-five-hundred-and-sixty-six events in 2013. Describe what you mean by ``event.'' Mr. Wilshusen. OK. Those would be incidents reported by Federal agencies to the US-CERT, and those can include various different types of security incidents. These all involved personal information or personally identifiable information, as opposed to other incidents which do not. And---- Senator Coburn. 
So, all 25,000 of these were PIIs?

Mr. Wilshusen. Yes, that is correct----

Senator Coburn. OK.

Mr. Wilshusen [continuing]. As reported by Federal agencies to the US-CERT. About 25 percent of all incidents including non-PII incidents were non-cyber incidents. Another 16 percent of those could be due to equipment loss or theft of equipment which contained PII data. Some of that data may have been encrypted on those machines, some perhaps not. And others included the implementation of--or installation, excuse me, of malicious code onto devices and onto the systems. It could also include, for example, policy violations, where individuals may have violated their agency's policy related to protecting or using personal information.

Senator Coburn. OK. The other part of your report is that operational practices were inconsistent pretty well throughout the government.

Mr. Wilshusen. Throughout the seven agencies that we reviewed as part of that review, and those agencies included the Army, Centers for Medicare and Medicaid Services (CMS), IRS, Department of Veterans Affairs, Federal Deposit Insurance Corporation (FDIC), the Federal Reserve Board, Securities and Exchange Commission, and the Federal Retirement Thrift Investment Board.

Senator Coburn. OK. Chairman Carper and I, as well as the Commerce Committee and the Intelligence Committee, have the job of putting together a cyber bill this year. Hopefully, we will get that done. Any comments from any of you all on things that we should look at that will make your job easier and at the same time make us more effective as a Nation in terms of cybersecurity?

Mr. Noonan. Yes, sir. In fact, we spoke earlier in the week about an issue regarding notification. We believe it is important to allow law enforcement to have an active role in these types of investigations. The late notification is a piece that we talked about as it relates to notification out to victims.
So, when we potentially identify a victim company, the victim company, of course, has an obligation where they would like to inform its victims of the exposure, if you will. There are many times where law enforcement has ongoing operations, whether they are undercover operations or working with sources, which have the ability to get at the potential root that we talked about in a deterrent factor to try to gather more evidence and to identify who the criminal actors potentially are. So, in a case where law enforcement would work with the victim company and allow them to have a delay in their notification out to the individual victims----

Senator Coburn. It would give us an advantage to travel back.

Mr. Noonan. Potentially, yes, sir.

Senator Coburn. OK.

Mr. Noonan. So, I think it is very important--in fact, I can crosswalk you through a case that we not too recently, but we have recently had, where we were engaged in an undercover operation where we had the opportunity to not only advise that company of their data breach, but after we had advised them of their data breach, we entered into an operation where we could actually obtain that data and get that data. The company was very quick and wanted to notify its consumers to the point where it was interfering with the operation. So, that is what----

Senator Coburn. So, we need to have the flexibility in any data act or cyber bill we have to protect the law enforcement to be able to do their job and continue a sting or something similar to that. In other words, there needs to be a variance if and when law enforcement says, please wait one week until we finish what we are doing.

Mr. Noonan. Yes, sir. So, the word I would use is a compromise. So, there must be a compromise. When I use the word ``compromise,'' I mean notification should not be delayed by months and years. It should be a reasonable amount of time.

Senator Coburn. All right. Anybody else?

Mr. Wilshusen.
I would just add, as it relates to FISMA and within the Federal space, just to clarify the roles and responsibilities of the Office of Management and Budget and the Department of Homeland Security with overseeing and assisting Federal agencies in implementing information security.

Senator Coburn. Well, the only way you are going to get it implemented is have some teeth in it, and the only organization that has teeth right now is OMB. Homeland Security is coming on strong. They are improving rapidly, thanks to Senator Carper and the new Secretary and some of the work that was done before they got there. But it is important that we get a bill that causes people to buy into what we need to do on a timely basis. Thank you, Mr. Chairman.

Chairman Carper. You bet. I want to go back to the questioning that was going on with Dr. Coburn and really with you, Mr. Noonan, on notification. I think I said earlier in my comments, I said there are three things we are focused on here. One, how do we protect information? Two, how do we investigate when there are problems? And, three, how do you go about notification? Another one would probably be, do we continue to have 40-some standards or do we compress that to one national standard, or something in between 49 and one that we should do. But, let us just stick with notification for a little bit. I heard from some sources that if people get notified too often, consumers get notified repeatedly for even minor breaches, that they come to a point where they become almost numb to the notifications. Can any of you comment on that, trying to figure out when should the notification occur for an individual to avoid that, if that is a legitimate concern?

Ms. Ramirez. Chairman, I am happy to answer your question. I think it is a balance. We at the FTC are certainly very sensitive to the concern that you raise about potential over-notification.
What we think needs to be done is that consumers need to be notified if there is a reasonable risk of harm. So, the----

Chairman Carper. How do we go about----

Ms. Ramirez. Well, it is a fact-specific test, but I think it is important that a company that holds consumer data have an opportunity before there is any notification to assess and determine exactly what data might have been compromised, and then based on that information, and based on the sensitivity of the information, that, in turn, can be used to determine when and who ought to be notified. So, I do think it is a balance, but I think the test ought to be a reasonableness test, and if there is a reasonable risk of harm to consumers, there ought to be notification.

Chairman Carper. OK. Others, please.

Mr. Wilshusen. Yes.

Chairman Carper. Mr. Wilshusen.

Mr. Wilshusen. Yes. Within the Federal space, agencies are supposed to assess the risk and level of impact that could occur once a data breach occurs; that is the level of harm that could occur to the affected individual. There are a number of factors that they take into account, or should take into account to determine that level of risk. Those include, one, the type of information that was actually compromised, whether it is just a name or is it the name and Social Security number and other personal information, and, two, the nature of the breach. Is it one in the case of where, for example, the PII is on a laptop for which the data is encrypted? The risk would be lower than if someone had intruded on a network and was exfiltrating this information out of the network. And so taking those factors and considering the risk of harm that could occur with the information that was compromised would be another factor in determining the level of risk, and also just the number of people that may be impacted by that incident.
And based on that, make a determination on whether notification should be made to the affected individual, because as you point out, you do not want to unnecessarily or unduly notify someone who will really have a very minor or limited risk of their information being compromised. But if that risk is reasonable or high, certainly, notification should probably be made.

Chairman Carper. Mr. Noonan, anything else you want to mention on this?

Mr. Noonan. Yes, sir. I think it is also important to give a company the opportunity to look at its own systems. So, a lot of times, you are going to understand, in the report that we have worked with--the Verizon data breach, on the Verizon Data Breach Report, just last year, together, Verizon reported that over 70 percent of the disclosures to a victim company were made by an outside source, so, by law enforcement or another to the victim company saying that they have a problem. So, when that occurs, the company needs to take a look at itself within and determine if and when it actually did have a compromise and an exfiltration of that data. That being said, companies do need to have a window of time to be able to do an internal investigation to determine if there is actually a problem from the notification from law enforcement. So, it is not an instant occurrence where law enforcement comes to them and says, we believe you have a problem. They still have to take an opportunity to work with third-party forensic companies to take a look at their systems to determine if they do have a problem. So, by requiring too quick of a notification, it could damage the company or the company's reputation, as well. So, we think that is an important part, to give leverage to companies.

Chairman Carper. OK. Good. One last question, and then we will excuse this panel and invite our second panel to join us. But in our next panel, we are going to hear from Governor Pawlenty, representing the Financial Services Roundtable, Ms.
Kennedy from the Retail Industry Leaders Association about common sense solutions that the private sector can undertake proactively without the help of Congress. And these are groups which oftentimes find themselves, as you know, on different sides of an issue, and certainly this issue, so it is actually quite encouraging that they are taking steps to work together to get their arms around this very difficult issue. Can each of you just offer some advice to the new Working Group that has been formed in recent weeks. Just give them some advice, if you will. And, also, what should they be focusing on? What should they be focusing on? Who should they be talking to in order to make sure they are getting all the information that they need?

Mr. Noonan. Yes, sir. So, the Secret Service and law enforcement work together collaboratively, especially since Secret Service has been so engaged in the area and the lane of the financial services sector. We work very closely with the Financial Services Information Sharing and Analysis Center (FS-ISAC). We have developed a very close relationship, not just at their headquarters level, but throughout the country in our field offices. So, we have a group of 35 Electronic Crimes Task Forces throughout the country that those task forces have active members of the FS-ISAC sitting with them in these task force environments sharing information back and forth. Not to mention that the ability of the FS-ISAC, the Information Sharing and Analysis Center for the Financial Services Sector, they also sit up at the NCCIC. They sit on the NCCIC floor, where information flows freely and the FS-ISAC is able to take that information that they learned on the NCCIC floor and share that out with its different members. So, again, any new Information Sharing and Analysis Center should do a couple of different things.
It should develop a robust relationship with the Department of Homeland Security and the NCCIC and try to secure a position on that floor so they can gain access to that valuable information to share with its members, as well as develop a relationship with the law enforcement, Federal law enforcement. We believe that relationship is done through the network of our 35 Electronic Crimes Task Forces, which its members can join through any one of those task forces or through one of the local Secret Service offices.

Chairman Carper. OK. Thank you. Just briefly, Mr. Wilshusen, please.

Mr. Wilshusen. OK. I would just piggyback on what Mr. Noonan mentioned, and that is, and as we testified at last week's hearing, is to remove the barriers that would allow for effective information sharing of these threats, alerts, as well as other incidents that occur in this space.

Chairman Carper. Good. Thanks. Ms. Ramirez, just very briefly, please.

Ms. Ramirez. Let me just say that I applaud all of these efforts. From our perspective, anything that could be done to increase protection for consumer information is a good step.

Chairman Carper. OK. Good. We are going to excuse you now, but we want to continue this conversation and we very much appreciate your input. You are part of the solution and we are, too, and we need your help and we appreciate the kindness and the counsel you have given us today. And we are determined to communicate, to find principled compromises, and to collaborate, and we look forward to doing all those things with you. Thank you so much. With that, we are going to have a brief recess while the next panel comes forward. Again, it is great to see you all. Thanks so much for your help.

[Recess.]

Chairman Carper. Hello. From one recovering Governor to another, welcome aboard. Ms. Kennedy, nice to see you again. Tiffany Jones, thank you so much for coming. You heard a little bit of advice there from the first panel to each of you and I hope you will take it to heart.
We will, as well. But, our first witness is the Honorable Tim Pawlenty. Governor Pawlenty--he used to be Chief Executive Officer for his State, and I still say that is the best job around, at least for a guy in our business--but, Chief Executive Officer now for the Financial Services Roundtable, an advocacy organization for America's financial services industry. Prior to joining the Financial Services Roundtable, Governor Pawlenty served, as we know, as the Governor of Minnesota for two terms. We are happy to see you.

Our second witness is Sandra Kennedy. I have not talked with her since yesterday, and it is good to see you again this soon. She is President of the Retail Industry Leaders Association, the trade association for America's largest and most innovative retail brands. In this position, Ms. Kennedy works to promote the public policy interests of its members to ensure continued growth in the retail industry. Ms. Kennedy previously served as the Director of Leadership Dialogue Series for Accenture, a global management consulting and technology services company, and as the Senior Vice President of Member Services for the National Retail Federation.

Our final witness is Tiffany Jones. Ms. Jones is the Senior Vice President of Client Solutions and Chief Revenue Officer for iSIGHT Partners, a cyber threat intelligence firm, where she leads the development of business strategies and field execution. Prior to joining iSIGHT Partners, Ms. Jones worked in senior roles at Symantec and served as Deputy Chief of Staff at the White House Office of Cybersecurity and Critical Infrastructure Protection. All I can say is you must have started really early in that work, early in your life.

All right. We are glad you are here. Your whole testimonies will be made part of the record, and feel free to summarize as you wish and then we will just have a good conversation.
Again, my charge to you, as it was to the first group, we talked enough about the different people's legislation, introducing legislation, the problem, why we need to do something. Everybody agrees we have to do something. There is a role for the private sector. There is a role for us here. What we have to do is figure out our role here, what to do, what not to do, so we need your help. I think this is, actually, two good panels to help us to accomplish those goals. So, Governor, take it away.

TESTIMONY OF HON. TIM PAWLENTY,\1\ CHIEF EXECUTIVE OFFICER, FINANCIAL SERVICES ROUNDTABLE

Mr. Pawlenty. Chairman Carper, good morning, and thank you for the opportunity to appear here today to address the important topic of data breaches and the further steps needed to better protect personal information and the payment system from cyber threats. We appreciate your leadership and your concern and your commitment to these very important issues.

---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Pawlenty appears in the Appendix on page 267.
---------------------------------------------------------------------------

In my testimony this morning, I would like to address two major points. First, the financial services and retail industries are working together to aggressively address cybersecurity and the threat of cyber breaches. And second, and importantly, we cannot optimally address these challenges without congressional action, so we want to urge that, and I will touch upon that more in detail in just a second.

The financial service sector is better prepared than other sectors to defend and respond to cyber attacks, but we also have more work to do as these threats continue to evolve. We have the strongest information sharing process of any critical infrastructure sector.
Industry-wide initiatives are underway to identify and take action on information sharing, tactical operations, stronger Internet controls, and more research and development. We also plan and run simulations to improve defense and resiliency. As you know, financial institutions are also regulated and examined to ensure compliance with comprehensive data security, privacy protection, vendor management, and resiliency requirements. The financial service sector proactively works with the Treasury Department, regulators in government, and law enforcement agencies to improve cyber defenses. We also worked with the National Institute of Standards and Technology (NIST) as they developed the standards, and we support directionally, of course, the cybersecurity framework that was recently issued through the NIST process. We do all of this because we owe it to our customers to protect them and to maintain and keep their trust.

You have already heard about and touched upon the scale and nature of the problems that our industry and the economy more broadly is facing, so rather than focus on that, I will focus on the future in the remainder of my time. In the wake of the recent data breaches at Target and other places, Sandy Kennedy and I got together and decided it would be best for our consumers and for our industry to collaborate with our other industry partners to strengthen our defenses and keep the focus on the real enemy, our cyber attackers, and try to minimize the finger pointing back and forth about who could or should be doing what.

Chairman Carper. And maybe we should take a lesson from that here. [Laughter.]

Mr. Pawlenty. So, along with 17 other trade associations, Mr. Chairman, we established the Merchant and Financial Services Cybersecurity Partnership.
That partnership overall has two major goals, first, to improve overall security across the entire payments ecosystem, and second, to bolster consumer confidence in the security of their data and the payment system overall. The partnership consists of a number of things, but at core, it is five working groups that will focus on the following five topics: One, threat information sharing; two, cyber risk mitigation; three, advanced card present security technology; four, card not present and mobile security technology; and, five, cybersecurity and data breach notification. Our progress, however, is going to remain inadequate unless we have some additional help in partnership with further actions needed from Congress. Institutions need to have the ability and the necessary liability protections to share threat information with other private partners and the government when they act in good faith to defend consumers and the financial system. As was mentioned, we also need robust data breach notification legislation setting a strong national notification standard. This standard should be clear so that customers can understand what happened and companies know what actions to take. These standards should be uniform so that customers can be treated similarly, regardless of what State they live in. Mr. Chairman, your Data Security Act of 2014 and the Cyber Intelligence Sharing and Protection Act (CISPA), which was recently passed by the House, are both terrific efforts. We are very pleased with those efforts and we want to make sure that they advance and do all that we can to help you in your efforts to advance that legislation. In the end, all of us, retailers, financial service companies, the government, want to stop attacks in real time and prevent them, and we also want to make sure that if in the event attackers do break through, that they find nothing of value and cannot leave our system with things of value. Mr. 
Chairman, we believe the partnership between the retail industry and the financial service industry will help us get closer to achieving these goals. We will certainly keep you informed of our efforts and our progress. We do not view this as a multi-year framework. We would like to get this up and running with results over the next 6 to 12 months. And we also hope that the legislation that I referenced will pass the U.S. Congress. It is overdue. It is urgently needed. And we appreciate your efforts and leadership in that regard, and I certainly welcome any questions once the panel comments are complete.

Chairman Carper. Great. Governor, thanks for those comments, and we appreciate your work on this and look forward to being your partner. Thank you. Ms. Kennedy.

TESTIMONY OF SANDRA L. KENNEDY,\1\ PRESIDENT, RETAIL INDUSTRY LEADERS ASSOCIATION

Ms. Kennedy. Chairman Carper, Ranking Member Dr. Coburn, and Members of the Committee, thank you for the opportunity to testify today before the Committee.

---------------------------------------------------------------------------
\1\ The prepared statement of Ms. Kennedy appears in the Appendix on page 273.
---------------------------------------------------------------------------

The Retail Industry Leaders Association (RILA) represents the Nation's largest and most innovative retailers. Together, our members employ millions of Americans, generate more than $1.5 trillion in annual sales, and operate more than 100,000 stores and distribution centers around the world. I welcome the opportunity to talk today about cybersecurity threats we collectively face and steps that the retail industry is taking to address them in order to better protect our customers. I am pleased to be testifying alongside Governor Pawlenty, a person with whom I have developed a strong working relationship as we pursue this very important partnership. The threat of cyber attacks is all too common.
Though we place a premium on security, cyber criminals are persistent and their methods of attack are increasingly sophisticated. As we have seen, no organization, be it business, nonprofit, or government agency, is immune from attacks. Given the scale and impact of the threats, and with strong support of our Board of Directors, RILA launched a comprehensive initiative in January. The initiative is intended to enhance the industry's existing cybersecurity efforts, inform the public dialogue, and build and maintain consumer trust. We have identified three main components relevant to today's hearing: Strengthening threat information sharing in cybersecurity; engaging with Congress on breach notification legislation; and collaborating to pursue enhancements to payment security. There is widespread agreement that merchants should have had an information sharing mechanism through which retailers can communicate with each other about threats. To that end, RILA formed a council made up of the top security executives at our member companies. The council has formed a partnership with the National Cyber Forensics and Training Alliance, and we met last week at its headquarters to begin the important work of establishing a trusted forum. The forum will allow retailers to share threat information and collaborate with businesses and government agencies on solutions to combat cyber criminals. We have already begun to study the threat sharing model used by the financial services industry and believe there is a great deal that we can learn from that industry. The initiative also calls on Congress to pass a national breach notification law. Following a breach, retailers secure their systems and make every effort to provide timely notification and actionable information to their customers. 
RILA urges that Federal breach notification legislation, one, preempt the State laws in place today; two, take into account the practical realities of notification, such as providing adequate time to secure the breached environment, investigate and analyze the breach, and comply with any law enforcement direction; and, finally, be proportional and linked to the risk of harm, be it financial fraud or identity theft. We applaud Chairman Carper, Senator Blunt, and other Members of this Committee, for pursuing breach notification legislation. We want to work with you on a Federal bill that will be consistent with the goals I have outlined.

Finally, RILA's initiative recognizes the need to strengthen security within the electronic payment system. The initiative spells out near and long-term actions that can be taken to improve payment security, including retiring the magnetic stripe, adding PIN authentication to all credit and debit card transactions, migrating to chip and PIN cards, and collaborating on solutions to online, mobile, and other transactions where the physical card is not present. While retailers believe these goals are reasonable, achieving them will be challenging and require substantive collaboration across the entire payments ecosystem. The need for collaboration was the genesis behind our partnership with Governor Pawlenty. The tasks of these working groups, which Governor Pawlenty described, are significant, but we believe that they are achievable and we are committed to pursuing significant progress over the course of the next 9 to 12 months. While we expect there to continue to be issues on which we disagree, we have a shared obligation to consumers to find ways to improve payment security.

In closing, we believe by working together with public and private sector stakeholders, we can maintain the strongest defenses against cyber attacks and render stolen data largely valueless to cyber criminals. Again, I very much appreciate this opportunity, Mr.
Chairman, and welcome your questions.

Chairman Carper. Thank you, Ms. Kennedy. Thank you. Tiffany Jones, welcome. Please proceed.

TESTIMONY OF TIFFANY O. JONES,\1\ SENIOR VICE PRESIDENT AND CHIEF REVENUE OFFICER, iSIGHT PARTNERS, INC.

Ms. Jones. Chairman Carper, Ranking Member Coburn, and distinguished Members of the Committee, thank you for the opportunity. My name is Tiffany Jones. I represent iSIGHT Partners, a leading cyber threat intelligence firm. Over the last 7 years, we have built a team of over 220 experts dedicated to studying cyber threats in many nations across the globe and enabling organizations to protect themselves against these threats.

---------------------------------------------------------------------------
\1\ The prepared statement of Ms. Jones appears in the Appendix on page 278.
---------------------------------------------------------------------------

There are a variety of different threat domains that make up the cyber threat landscape today. Each of these threat domains is motivated differently. For example, Cyber Espionage, targeted intrusion operations aimed at corporate and government entities to collect information for the purpose of strategic advantage, can be politically motivated or economically motivated. Cyber hacktivism focuses on the intentions and capabilities of politically or ideologically motivated actors. And then you have cyber crime focusing on cyber threats from primarily financial motivated actors. The intelligence we research, analyze, and disseminate, coupled with the scope, scale, and duration of the recent retailer attacks, leads us to one very clear conclusion.
We need to stop thinking about cyber crime like the movie, ``Catch Me If You Can,'' one clever young man assuming identities and passing bad checks, and instead, we need to understand that cyber crime is more like the movie ``Goodfellas,'' an organized community of bad people intent on crime, economically motivated, increasingly sophisticated, and operating without much fear of law enforcement. Cyber crime is a global industry, with a division of labor. It involves supply chain as well as a defined value chain. This chart over here actually gives you an overview of what the value chain looks like.\1\

---------------------------------------------------------------------------
\1\ The chart referenced by Ms. Jones appears in the Appendix on page 281.
---------------------------------------------------------------------------

In step one, you have malware. Cyber crime starts with malware. Think of this like the App Store for hackers. Thousands of developers craft hacking tools and tool kits with various features, functions, and capabilities and then sell them in a broad array of electronic markets. Prices can range from a few to several thousand dollars. Just like an App Store, only a fraction of the malware goes on to be popular, depending upon the features, the targeted vulnerability, usability, and other characteristics. But at any point in time, there are probably a few thousand notable pieces of malware on the market, with 10 new entrants that warrant real analysis in a given month. At higher prices, subscriptions of $5,000 to $15,000 per month, there is also private access to malware developers. These are the more sophisticated designers.

Step two is the infrastructure. Cyber criminals must obfuscate their operations. This means buying, storing, computing, and network services from dedicated infrastructure operators. Think of criminal cloud computing.
This is a large and varied segment of the market, everything from securing $50 domain names to $1,000 per server, per month hosting arrangements, and some of these organizations can scale to multi-million-dollar operations serving more than a thousand criminal clients at a time. Step three is the cyber crime operators. Like entrepreneurs, operators assemble temporary teams, acquire tools, secure infrastructure, and execute against a plan. The better the plan, the bigger the payout. Like entrepreneurs, the very best exploit a market need, quickly monetize the value, and move to the next opportunity. In fact, one recent observation we have observed netted as much as $3.8 million for the operator and their team in just a couple of short months. Step four, the brokerages or intermediaries. To monetize stolen assets in cyber crime, typically, this is some form of personal data--credit card, health insurance, Social Security numbers, PII. The operators take that bulk data to brokers. Think of these players, again, numbering in the thousands, as wholesalers. The brokerages pay bulk prices to the operators for the stolen data and then parcel it up into sizes that a large number of smaller criminals can use. At the retail level, this looks like an underworld eBay with prices set by type, the newness, the quality, and the completeness of the stolen data. More reliable sellers get higher prices. In early December, we saw complete U.S. credit cards at $100 per card. But with the dramatic increase in supply due to several recent retailer breaches, the price dropped to $50. Much of that card data is now dated and U.S. cards are selling closer to $16 per card. Step five is the card buyers and mules. The transition from the criminal economy to the traditional economy presents the biggest bottleneck right now for cyber crime. 
Using stolen information involves risks and transaction costs, so most cyber criminals leave much of the small change on the table while focusing their efforts on the big quick hits. Card buyers and mules bear most of the risk. The typical card buyer or mule for receiving stolen property or bank payments is just a small time, sometimes even occasionally unwitting, criminal. Think of them as the intern of the cyber crime industry. They get relatively small payments for relatively small crimes. They are typically involved in the illegal activity for a short time and have no connection with the larger criminal enterprise. Like a pickpocket who just takes the cash from your wallet, their gain is small, but your loss in time, effort, and personal value can be significant.

So, as you can see, the scope of the cyber criminal market is daunting and the money made pales in comparison to economic value destroyed as a result. At any time, there are tens, if not hundreds of thousands of independent actors. They are global. They are unregulated. They are better equipped, better trained, and more experienced than many of their law enforcement counterparts, and they are growing bolder. You will see, like the 2013 retailer breaches, again, with greater frequency. Business and government have started to understand the scope of the problem. They are increasingly shifting to an intelligence-led cybersecurity approach to improve prevention, speed response, and solve the cybersecurity risk equation. There is progress, but there needs to be more of it. Thanks to government entities like the Department of Homeland Security, U.S. Secret Service, and others, the severity and scope of the problem is becoming increasingly evident. I will be happy to answer any questions that you have following our discussion here today.

Chairman Carper. Thank you. Thank you all for good, helpful testimonies. If you were here for the beginning of the first panel, I said to that panel--I quoted Abraham Lincoln.
The role of government is to do for the people what they cannot do for themselves. And I asked them to help us figure out what the private sector can do in this regard to protect information, money, things of value, particularly with respect to these breaches. But, what can the government do and what should the government do? And there is a broad range of views on what is the role of the government. We heard a little bit of that this morning. But what I am trying to get at is consensus. If I had the first panel still here, I would put all of you up here and say, let us just go down the line and tell me where you think you agree. Tell me where you think you agree on what the government should do. What is our role? And let me just ask that, and Governor, I will ask you just to lead off. What is our role?

Mr. Pawlenty. Mr. Chairman, I think there are a number of things the government can and should do, and we would urge you to take these actions. First of all, it is appropriate for your Committee to be focused on these issues. As was mentioned, many of these instances are not just transnational criminal elements, but we, of course, through public reports and otherwise, have reason to believe there is the prospect of cyber terrorism, self-declared cyber jihadists, and other elements that you would fall into the category of not just cyber criminal activity, but potential for cyber terrorism. So, obviously, your Committee is appropriately focused on these issues. At a minimum, Mr. Chairman, we hope that the Senate and the Congress more broadly would take action promptly on the national data breach notification laws that will help in terms of the response to incidents, but we also should realize that that is just one step and an incomplete step. We also need to do all that we can to be better prepared and more resilient on the prevention side. One thing that would help tremendously, Mr.
Chairman, is if the Congress would pass an information sharing bill that would be similar, or at least directionally similar to the House CISPA bill. We realize that post-Snowden, that became more difficult, but we hope that post-Target, that that becomes more possible. Again, we are, as an industry and our sector, in particular, are extraordinarily dedicated on these issues. Fortunately, the financial service sector has not yet experienced a large-scale successful attack, but we are greatly concerned about these issues and these challenges and we would be better prepared and could be better on the prevention side if Congress would allow that threat information sharing bill. To give you one example, if we have reason to believe, good faith, a reason to believe that a certain entity or an Internet Service Providers (ISP) address is preventing threatening information and we move to constrain or shut off that ISP, even though we did it in good faith as a way to stop the contagion, if we do not have some protection around that action, if it is done in good faith for proper reason, we are going to be less likely to do that. If we are going to share threat information with another entity or the government and it is going to get the Freedom of Information Act (FOIA)-ed, it turns out to be not what we thought it was and we are going to get sued over that, or the entity is going to get sued over that, those are the kinds of things that are deterrents to more high-speed, more aggressive defensive mechanisms, and a bill like that would help, sir.

Chairman Carper. OK. That is very helpful. Thank you. Ms. Kennedy.

Ms. Kennedy. At the risk of being repetitive, Mr. Chairman----

Chairman Carper. Repetition is good. [Laughter.] This is one of those instances where repetition is good.

Ms. Kennedy. We support Federal breach notification legislation, as well, and as you know, it is one of the working groups that the Governor and I will be working on with our fellow associations.
It is important that such legislation creates a single national law that preempts the State laws so that we are not having to comply with a patchwork of 46 or 47 different State laws. It is also important that notification be proportional to harm. If someone has stolen my shoe size or the type of cookies I like, that is one thing. If they have stolen my personal information related to my payment system, that is another. So, that is important to us, as well as making sure that it is reasonable given the operational requirements as well as those that are placed on us by law enforcement.

Chairman Carper. Give us some--that word ``reasonable'' is going to be not an easy one to define. Just think out loud about what, when you say reasonable, what are you thinking?

Ms. Kennedy. I am thinking that----

Chairman Carper. Or maybe some examples.

Ms. Kennedy [continuing]. It takes time for our members to identify the threat, to stop the threat, to assess the damage that has been done, and the data that has been stolen. And, of course, law enforcement has a role in that. So, I think it is important that that is all considered in terms of the practicality of the legislation.

Chairman Carper. OK. Ms. Jones, same question.

Ms. Jones. A couple of ``don't''s and then a couple of ``do''s.

Chairman Carper. Umm, I like that.

Ms. Jones. Do not seek to be technically prescriptive, so----

Chairman Carper. Chip and PIN. It is not our job to say----

Ms. Jones. So, chip and PIN, I will say, does increase security, absolutely, so if there is any question about that it does. But it is not the panacea. And so----

Chairman Carper. Is it our role to prescribe that? I think not.

Ms. Jones. I do not think so. But I do think it is absolutely in your authority to look at the overall standards and make sure that they equate to the threat that is today, all right.

Chairman Carper.
Someone said to me, they said, if you want to go ahead and prescribe chip and PIN, you can do that, but the threats change, technology changes. He said that to me, if you have not noticed, sometimes it is hard to get Congress to move, and we need to be able to move a lot faster.

Ms. Jones. Yes, and our information technology is dynamically changing, as well. And so today's cool thing is going to be tomorrow's, oh, that was so yesterday, right. So, I think there are other things to consider. I would say, think about it in the sense of do all that you can to deter the bad guys from getting in, but also, assume that they are in. How do you protect the data, assuming that the bad guys are in the environment? So, things like encrypting data at rest, encrypting data in transit, those types of things are also really important to think about.

Chairman Carper. What was the first thing you said, encrypting data at rest? What does that mean?

Ms. Jones. Correct. So, if it is just sitting there in a server, in a storage space, in a data center within an organization's environment, it is sitting there at rest. And in many cases for a lot of organizations today, they actually are only encrypting data as it is being transferred from their environment to another organization or environment. That is data in transit. So the data at rest is simply when it is just sitting there within their organization. Is it being properly protected?

Chairman Carper. OK.

Ms. Jones. And then, do not equate the quantity of arrests in cyber crime with the quality of arrests. Focus prosecution higher in the value chain. It makes a significantly bigger impact. And, again, I applaud the work of Secret Service and DOJ and what they are doing there. I think they are making the right steps, for sure. I would say on the ``do'' side, do increase global collaboration.
Most of these people, these threat actors, are not inside our borders, and so that global collaboration among law enforcement is absolutely critical. And do pass national data breach legislation. It was said quite eloquently, there is a patchwork of State laws. I think of my mother and I think of, why does it matter what State she lives in to determine the level of protection that she has? It should not.

Chairman Carper. Where does your mother live?

Ms. Jones. She lives in Illinois.

Chairman Carper. OK. Well, if things get too hot there, she is always welcome to come to Delaware.

Ms. Jones. Delaware. [Laughter.]

Chairman Carper. And when it gets hot, people will come to Delaware and they will go to our beaches. We have, I think, more five-star beaches than any----

Ms. Jones. They are beautiful.

Chairman Carper [continuing]. Any State in the country. We are very proud of them. But, one of them is Rehoboth Beach. Rehoboth translates literally, Governor, and means room for all. Is that not nice? Room for all. All right. Some of you said very nice things about the legislation that Senator Blunt and I have introduced. I like to say, everything I do, I know I can do better. I think that is true of all of us. It is certainly true of the Federal Government, Federal agencies. But not everyone appreciates every aspect of our bill and I would just invite you to--you have heard some of the criticisms of each of the major pieces that have been introduced in the Senate. But just share with us some of the criticism, whether they are legitimate or not, of our legislation. And if you think those are reasonable criticisms that should be addressed in modifying our legislation, fine. I would like to hear that. If some of the criticisms, you think, are just not very well founded, not very well thought out, then help us rebut those. If you could do that, that would be much appreciated. Do you want to go first, Ms. Jones.

Ms. Jones.
I have no criticisms on the legislation----

Chairman Carper. But maybe criticisms that you have heard, because I read some articles where folks have taken some big potshots at the handiwork of Senator Blunt and myself.

Ms. Jones. I think one of the criticisms, in general, for not wanting to pass national data breach legislation has simply been that you create a baseline that is so low, maybe there are certain State laws today that have higher levels of protection for their consumers. But, I counter that simply with just having a consistency across the Nation is more important for the consumer than the patchwork. And the amount of money that companies are spending today just on compliance is pretty unbelievable to deal with the various State laws. So, I think it is really important that they can reinvest their dollars that they are spending in compliancy today and actually put it into information security protection.

Chairman Carper. OK. Thank you. Ms. Kennedy, what are some of the criticisms you have heard of our bill that you think are reasonable, should be incorporated, maybe some that are less thoughtful, and rebut those. Rebut those for us, if you could.

Ms. Kennedy. I think that as we looked at your legislation, we certainly support the preemption and the recognition that businesses have practical operational areas they need to address before they do notification. We would welcome the opportunity, I think, to talk to you about enforcement, to make sure that the FTC has very clear direction on what enforcement looks like. And that is----

Chairman Carper. All right.

Ms. Kennedy. Otherwise, we are in agreement with a number of things in your bill.

Chairman Carper. Governor Pawlenty.

Mr. Pawlenty. Mr. Chairman, I would echo those comments and just say there has been some criticism, not by us but by others, on the standard that is set in terms of substantial harm and inconvenience to the consumer. We think that standard strikes the right balance.
Obviously, it is going to be interpreted, and so some others have expressed concern about that, but we just reinforce that we think that you and Senator Blunt have struck the right balance in that regard. If I might, Mr. Chairman, just for a second jump back to the issue around mandating technology, for all the reasons that were mentioned by Ms. Jones, we concur with that. Keep in mind that there are--as cards get misused, there are fraudulent or forfeited cards, and, of course, the chip protects the security of the card and so it cannot be forfeited or it would be much more difficult to forfeit. And then the PIN authenticates the user, or a signature does, or in some cases of small transactions, no signature. So, technology in the payment space is going to continue to evolve. It already is evolving rapidly. But also, keep in mind that relates to card present environments, and as commerce continues to migrate to the virtual space and e-commerce platforms, there is a whole other set of concerns and issues and opportunities around something called tokenization, secure cloud transactions in the space that will address the card not present environment that is important to the discussion, as well, because if you make it much more difficult for the fraud to occur at the card present environment, it will shift to the card not present environment and we need to do both.

Chairman Carper. All right. Thank you. Card not present--that is one I just learned this week. I hear all these new terms. No wonder my colleagues and I have a hard time figuring out what to do here. It can get pretty confusing. One of the things you are trying to do with this new partnership, though, Governor and Ms. Kennedy, is to try to take some of the obligation or the work that needs to be done off of our plates and really put it where it better belongs, and that is on yours.
But we are pleased to see people like you and the folks you represent working together on these issues, and the new partnership certainly seems on its surface to be a step in the right direction. We would like to hear just a little bit more about it before we close, and if you maybe could just share with us some of the goals that you see.

Mr. Pawlenty. Sure.

Chairman Carper. These are the goals that we have for this partnership, and maybe give us a snapshot of the timeline for the group, please.

Mr. Pawlenty. Sure. Well, again, I want to tip my cap to Sandy Kennedy and her leadership in the Retail Industry Leaders Association. They came forward on behalf of that sector and have been extremely constructive and forward leaning on these issues. We have said, to your 80/20 comments earlier, there is some stuff we are not going to agree on about card replacement costs and some of the fallout of these previous breaches. That is going to get litigated and settled, hopefully, in another forum. But, there is a lot of stuff we can agree on, so we are focused on that, and we think we can agree and hope to agree on these things. One, come together with a statement of principles, maybe even a specific statement of support on national data breach notification legislation. Two, make sure that we do all that we can to agree upon and advance cybersecurity information sharing legislation. But on the things we can do ourselves, we have realized even in the early inventory of practices, government to industry, industry to industry, that there is a lot that this partnership can share without government mandating a requirement on technology best practices, cyber best practices, cyber defenses, resiliency, simulations, sector coordinator councils, and much more. So, we can get that done.
And then, last, there has not really been a good forum for various players in the payments ecosystem--retailers, card issuers, merchant acquirers, financial institutions, the banks on the other end of the transaction, various other cyber entities--coming together to talk about, can we agree on where we are headed in the so-called Europay, Mastercard, and Visa standard (EMV), card present, card not present, next steps on technology and cyber defenses. So, at the very least, we hope we can convene that discussion, but we believe that out of that discussion we can agree on some next steps that will be very important and helpful, and our timeline is 6 to 9 months, Mr. Chairman.

Chairman Carper. OK. Thanks. Ms. Kennedy.

Ms. Kennedy. I would just like to elaborate a little bit on the working groups. As I mentioned, they are comprised of executives from both the financial services as well as from our merchant members and they have clear objectives. We are working with people to help keep us on track, project management. They have clear deliverables, and they are going to be challenging deliverables, but we think that it is important for our shared customer that we deliver on those. I would also like to say that this has been a very welcome partnership. The payments system is an ecosystem and you have to have all the links in place and everyone as strong as they can be. So, we are going to learn a lot, I think, from our partners, and I think that we are also going to have an opportunity to address the future issues that we are going to face. The way our customers are shopping is changing every day, whether it is mobile or it could be wearable technology. I mean, they are adapting so quickly. So, it is very important that the payment system keep up with that so that confidence is maintained with our customers and they continue to shop with us.

Chairman Carper. OK.
The words ``information sharing'' have been mentioned a time or two on this panel, and I think even on the first panel, and I am not sure--Governor, I think it might have been you who mentioned what we might need to do to facilitate information sharing. Can you just drill down on that for me a little bit, please.

Mr. Pawlenty. Sure, Mr. Chairman. One of your previous witnesses on the panel before us made reference to a recent study that I think is worth just camping on for a minute. The Washington Post recently reported that the Federal Government notified 3,000 businesses last year that they were breached, and the Verizon study indicated that 70 percent of those companies did not know they were breached until the Federal Government told them. So, when you think about these issues from a Federal Government knowledge standpoint and capacity standpoint, of course, that knowledge resides, oftentimes, in the FBI, Secret Service, Department of Defense, the National Security Agency (NSA), Homeland Security, Treasury, and others. So, there is an opportunity and a challenge to better integrate and coordinate intergovernmental information sharing and it is not optimized at the moment. But then, also, there is a need for that information to flow to the private sector in appropriate ways, respecting privacy rights. The FS-ISAC, and I know the Financial Services Sector Coordinating Council (FSSCC) which you are speaking to later today, are examples of portals between government and the private sector that allow that information to flow. But, unless we have the legal changes that I mentioned earlier that provide those protections for information sharing done in good faith--again, threat information, not personal information--we cannot move this to the place that it needs to go. And so that is really needed and it is really helpful and it is one of the best things that we can do.
The NSA, for example, is viewed by many as the best entity when it comes to cyber and they were breached. They had a massive breach, internal, insider threat. It crossed numerous platforms. So, the point is, the government has great knowledge they can share with private industry, but private industry, if one of our members shares it with the government and then it becomes a FOIA request and you have knowledge that is proprietary and/or you misstate something, even though it is done in good faith, the lawyers get a hold of that, class action suits start, regulators might want to be interested in that. Unless you have some rules of the road going into that, you are going to be less likely to share the information lest you know what is going to happen to it.

Chairman Carper. All right. Ms. Kennedy, as you know, in this Committee, we work a fair amount on cybersecurity. We work on other things, too. But particularly with the defensive side, we often hear that technical collaboration and information sharing are essential parts to a strong cyber defense. Talk to us just a little bit here on information sharing, and I am going to give you a chance to ask you to come back and just revisit it with us here again, but do you think that the recent series of breaches has impacted the level of information sharing between companies, the willingness to share information between companies, the willingness to share information with, we will say, law enforcement, with Federal agencies?

Ms. Kennedy. Absolutely, Mr. Chairman. We think it is imperative, and it was really key to our initiative that was approved by our Board of Directors, and we have already started that process. I think information sharing has been occurring within our industry, but we think it is important that we formalize that in some way and we are looking at different ways to do that now.
We had, I believe, 30 of our member companies in Pittsburgh last week for a meeting where that was one of the central discussions, of how we can effectively share information to make sure that we are doing all that we can to protect our customer.

Chairman Carper. OK. Ms. Jones, are you up for one more question?

Ms. Jones. Absolutely.

Chairman Carper. OK. This is really more of a focus, I guess, for law enforcement, but we will deputize you----

Ms. Jones. Thank you.

Chairman Carper [continuing]. And ask you to step up to the plate. But, I think in your testimony, you provide a fair amount of background on the criminal networks that are often behind the data breaches that we are talking about here today. I was especially interested to learn about all the different steps that are needed to monetize the personal information that is stolen from an organization. And before I ask the question, as it turns out, one of the credit card banks that is involved in the Target breach is TD Bank and their credit card operation is in Wilmington, Delaware. We actually visited with them, and this was a month or so ago. We are interested in learning just how most of the losses are absorbed, I think, by banks, not by the merchants in these cases--trying to just get them to give us a sense for how much money was at stake here and at risk here to be lost. And I was struck by one of the things they said, and I think we heard it here, as well. The folks who actually figured out how to get in and steal the data or the information from Target were pretty good at doing that. They were less adept at monetizing and figuring out, once they had all this information, what to do with it and an effort to make money. The banks reacted very quickly. They immediately sent out to people like me new credit cards and responded. There is a lot of cost to this stuff, I am sure. But, the losses were, I think, a good deal less than certainly I ever expected them to be.
And, again, the reason that was explained to me, they are better at stealing the data than actually monetizing, which is a good thing. It is a good thing. Where in the process are cyber criminals most vulnerable? In other words, where in the process should U.S. law enforcement be targeting our limited resources? This is something Dr. Coburn talked about quite a bit.

Ms. Jones. Yes, absolutely.

Chairman Carper. Go back and revisit that.

Ms. Jones. So, pertaining to where law enforcement needs to focus, I think as I had talked about the ecosystem, lots of different players, loosely affiliated, or highly organized crime cells, I think you have to move up into the supply chain. Do not be going after the mules, necessarily, the small petty theft folks. I mean, yes, you want to try to gather all that you can and go after them all, but if you have limited resources, you really want to go after the highly organized kind of crime organizations that are really ultimately trying to monetize all of this, right. The operators, the infrastructure providers, they are just small pieces in all of this. Now, if you can start going after different points in the supply chain, you are going to get further along. But, ultimately, you get one infrastructure provider, pull him away, another will show up, because the demand is there. It is very low cost overall and low skill to establish those capabilities. You just have to have the resources to go buy them.

Chairman Carper. OK. The last question is, we asked you to give an opening statement, and sometimes, if we have time, I like for our witnesses to give us a closing statement, especially when we are trying to develop consensus on an issue about which there is not absolute consensus. You can take advantage of this opportunity if you would like and give us a short closing statement.
But if you have something you want to reiterate, a point that has been made, something that one of your colleagues has said that sort of triggered a thought, that would be fine, as well. But, just a very brief closing statement, maybe a minute or so.

Mr. Pawlenty. Just very briefly, Mr. Chairman, thank you again for your leadership and your commitment to these issues. I would just try to impress upon you and the Committee a sense of urgency. The nature and sophistication and pace of these attacks is evolving daily, weekly, and it is concerning. And I hope that we do not find ourselves a year from now or 2 years from now waking up to a bigger problem, wishing action would have been taken earlier. So, if I were to just emphasize one theme, it would be a sense of urgency. As the threat increases, the pace of response needs to increase from us, from our partners, and, candidly, from the Congress.

Chairman Carper. Good. Thank you. Ms. Kennedy.

Ms. Kennedy. Cybersecurity is a top priority for the retail industry, and we are working in an ecosystem. The data that has been stolen was payment data, so it is important that we have our partners on board and it appears that we are going to make some great progress in that area. I think it is also important in this ecosystem to understand that we also share in the loss, share in the fraud. The Federal Reserve, in fact, puts it at almost 50/50. So, as we look at this, we all have a stake in this game.

Chairman Carper. Good. We all have a dog in this fight.

Ms. Kennedy. We do.

Chairman Carper. Yes. Ms. Jones.

Ms. Jones. Everybody is using the term ``cybersecurity'' as the buzz term of the day, but at the end of the day, what this is is just simply a risk management problem, like many problems out there today. But, we are not treating it like a risk management problem, typically. We are typically treating it like, let us throw more technology at the problem.
And I think one of the things that we are recognizing in speaking--I am going around the country, speaking to a lot of retailers right now who have lots of questions--they are really trying to wrap their arms around, what is the threat? They actually do not have a good sense for their threat profile, many of these companies. And so you cannot solve for risk if you do not understand the threat profile. So, I would say, as we look at things like the NIST framework that I know there has been a lot of work that has gone into, making sure, threat is really brought in more effectively into the risk equation is going to be critical. Otherwise, we are continuing to solve for vulnerability mitigation.

Chairman Carper. Well, that is a good note to end on. About a year ago, a fellow named Pat Gallagher sat right where you are sitting and he is now the Deputy Secretary of Commerce. But, for a while, he was the person--in fact, he may be double-hatted, I do not know, dual-hatted, and still running NIST. But, he sat right there where you sit and he said in his testimony, we will know we are in the right place in this arena when good cyber policy is synonymous with good business policy. That is what he said. We will know we are in the right place when good cyber policy is synonymous with good business policy and where the government has less of a need to, like, to command and control, to dictate, whether it is technology or best practices and so forth. But when the folks that are either controlling the critical infrastructure, our merchants, our banks, whatever, when good cyber policy is good business policy, we will know we are in the right place. I think we are actually moving in that direction, of which I am pleased. I think Pat and the folks at NIST did a very nice job working on the framework. I call it a blueprint or a roadmap.
They got a lot of good support, a lot of good input, including from the folks at the table here and your member organizations, and we are grateful for that. One of the other things I learned from that effort is, we will say on the day that the framework was put out there, best practices, it was out of date, because the nature of the attacks change all the time and we continue to have to evolve. It has to be a dynamic framework, if you will, dynamic blueprint, and we will seek to do that. I think we will probably wrap it up here. This has been helpful, and we are going to be calling on you some more as Dr. Coburn, he said he is going to leave us at the end of the year, cutting his term short by 2 years, and I said--and he said he wants to finish strong. I want him to finish strong. I want us to finish strong and this would be a great area for not just the two of us to collaborate with John McCain and with Roy Blunt, but also Pat Leahy, Senator Leahy, with Jay Rockefeller, with John Thune and with Pat Toomey, all of our colleagues, Democrat and Republican, working with a lot of folks like you. And we look forward to doing that. I am going from here to a luncheon, not a cyber luncheon, but a luncheon that Senator Reid, our Majority Leader, hosts every couple of weeks of Committee Chairs, and the first thing on our agenda is going to be to talk about this issue, data breach, and maybe how can we collaborate, how can we communicate, and how can we find principled compromises that advance the security of our Nation's citizens and our businesses. With that, the hearing record will remain open for 15 days. I think that is until April 17, at 5 p.m. for the submission of statements and questions for the record. I suspect you will have some, and we would very much appreciate your responding to them in a timely way. Again, thank you all very, very much. And with that, this hearing is adjourned.

[Whereupon, at 12:12 p.m., the Committee was adjourned.]
A P P E N D I X
----------
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]