[Senate Hearing 113-790]
[From the U.S. Government Publishing Office]
S. Hrg. 113-790
CYBER SECURITY
=======================================================================
HEARING
before the
COMMITTEE ON
HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
ONE HUNDRED THIRTEENTH CONGRESS
SECOND SESSION
----------
STRENGTHENING PUBLIC-PRIVATE PARTNERSHIPS TO REDUCE
CYBER RISKS TO OUR NATION'S CRITICAL INFRASTRUCTURE, MARCH 26, 2014
DATA BREACH ON THE RISE: PROTECTING PERSONAL INFORMATION FROM HARM,
APRIL 2, 2014
----------
Available via the World Wide Web: http://www.fdsys.gov/
Printed for the use of the
Committee on Homeland Security and Governmental Affairs
______
U.S. GOVERNMENT PUBLISHING OFFICE
89-521 PDF WASHINGTON : 2016
-----------------------------------------------------------------------
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
THOMAS R. CARPER, Delaware, Chairman
CARL LEVIN, Michigan
TOM COBURN, Oklahoma
MARK L. PRYOR, Arkansas
JOHN McCAIN, Arizona
MARY L. LANDRIEU, Louisiana
RON JOHNSON, Wisconsin
CLAIRE McCASKILL, Missouri
ROB PORTMAN, Ohio
JON TESTER, Montana
RAND PAUL, Kentucky
MARK BEGICH, Alaska
MICHAEL B. ENZI, Wyoming
TAMMY BALDWIN, Wisconsin
KELLY AYOTTE, New Hampshire
HEIDI HEITKAMP, North Dakota
Gabrielle A. Batkin, Staff Director
John P. Kilvington, Deputy Staff Director
Mary Beth Schultz, Chief Counsel for Homeland Security
Stephen R. Vina, Deputy Counsel for Homeland Security
Matthew R. Grote, Senior Professional Staff Member
Amanda Slater, Legislative Assistant, Office of Senator Carper
Keith B. Ashdown, Minority Staff Director
Christopher J. Barkley, Minority Deputy Staff Director
Andrew C. Dockham, Minority Chief Counsel
Daniel P. Lips, Minority Director of Homeland Security
William H.W. McKenna, Minority Investigative Counsel
Justin Rood, Minority Director of Investigations
Cory P. Wilson, U.S. Secret Service Detailee
Laura W. Kilbride, Chief Clerk
Lauren M. Corcoran, Hearing Clerk
C O N T E N T S
------
Opening statements:
Page
Senator Carper...............................................1, 175
Senator Coburn...............................................3, 179
Senator McCain............................................... 188
Prepared statements:
Senator Carper..............................................43, 215
Senator Coburn..............................................46, 217
WITNESSES
Wednesday, March 26, 2014
Phyllis Schneck, Ph.D., Deputy Under Secretary for Cybersecurity,
National Protection and Programs Directorate, U.S. Department
of Homeland Security........................................... 5
Donna F. Dodson, Chief Cybersecurity Advisor, National Institute
of Standards and Technology, U.S. Department of Commerce....... 7
Stephen L. Caldwell, Director, Homeland Security and Justice
Issues, U.S. Government Accountability Office; accompanied by
Gregory C. Wilshusen, Director, Information Security Issues,
U.S. Government Accountability Office.......................... 9
Elayne M. Starkey, Chief Security Officer, Delaware Department of
Technology and Information..................................... 27
Steven R. Chabinsky, Chief Risk Officer, CrowdStrike, Inc.
(testifying in his personal capacity).......................... 29
Doug Johnson, Vice Chairman, Financial Services Sector
Coordinating Council........................................... 31
David Velazquez, Executive Vice President for Power Delivery,
Pepco Holdings, Inc............................................ 33
Alphabetical List of Witnesses
Caldwell, Stephen L.:
Testimony.................................................... 9
Prepared statement........................................... 63
Chabinsky, Steven R.:
Testimony.................................................... 29
Prepared statement........................................... 93
Dodson, Donna F.:
Testimony.................................................... 7
Prepared statement........................................... 55
Johnson, Doug:
Testimony.................................................... 31
Prepared statement........................................... 103
Schneck, Phyllis, Ph.D.:
Testimony.................................................... 5
Prepared statement........................................... 49
Starkey, Elayne M.:
Testimony.................................................... 27
Prepared statement........................................... 85
Velazquez, David:
Testimony.................................................... 33
Prepared statement........................................... 113
APPENDIX
HSGAC minority report............................................ 119
ETA statement submitted by Senator Johnson....................... 138
Responses for post-hearing questions for the Record from:
Ms. Schneck.................................................. 144
Ms. Dodson................................................... 156
Mr. Caldwell................................................. 157
Mr. Chabinsky................................................ 165
Mr. Johnson.................................................. 169
Mr. Velazquez................................................ 172
Wednesday, April 2, 2014
Hon. Roy Blunt, United States Senator from the State of Missouri. 178
Hon. Edith Ramirez, Chairwoman, Federal Trade Commission......... 181
William Noonan, Deputy Special Agent in Charge, Criminal
Investigative Division, Cyber Operations Branch, U.S. Secret
Service, U.S. Department of Homeland Security.................. 183
Gregory C. Wilshusen, Director, Information Security Issues, U.S.
Government Accountability Office............................... 185
Hon. Tim Pawlenty, Chief Executive Officer, Financial Services
Roundtable..................................................... 198
Sandra L. Kennedy, President, Retail Industry Leaders Association 200
Tiffany O. Jones, Senior Vice President and Chief Revenue
Officer, iSIGHT Partners, Inc.................................. 201
Alphabetical List of Witnesses
Blunt, Hon. Roy:
Testimony.................................................... 178
Prepared statement........................................... 220
Jones, Tiffany O.:
Testimony.................................................... 201
Prepared statement........................................... 278
Kennedy, Sandra L.:
Testimony.................................................... 200
Prepared statement........................................... 273
Noonan, William:
Testimony.................................................... 183
Prepared statement........................................... 239
Pawlenty, Hon. Tim:
Testimony.................................................... 198
Prepared statement........................................... 267
Ramirez, Hon. Edith:
Testimony.................................................... 181
Prepared statement........................................... 227
Wilshusen, Gregory C.:
Testimony.................................................... 185
Prepared statement........................................... 250
APPENDIX
Additional statements for the Record from:
Food Marketing Institute..................................... 282
Independent Community Bankers of America..................... 284
National Association of Federal Credit Unions................ 286
National Retail Federation................................... 290
Responses for post-hearing questions for the Record from:
Ms. Ramirez.................................................. 317
Mr. Noonan................................................... 320
Mr. Wilshusen................................................ 328
Mr. Pawlenty................................................. 332
Ms. Kennedy.................................................. 339
Ms. Jones.................................................... 342
STRENGTHENING PUBLIC-PRIVATE
PARTNERSHIPS TO REDUCE CYBER RISKS TO OUR NATION'S CRITICAL
INFRASTRUCTURE
----------
WEDNESDAY, MARCH 26, 2014
U.S. Senate,
Committee on Homeland Security
and Governmental Affairs,
Washington, DC.
The Committee met, pursuant to notice, at 10 a.m., in room
SD-342, Dirksen Senate Office Building, Hon. Thomas R. Carper,
Chairman of the Committee, presiding.
Present: Senators Carper, Coburn, McCain, and Johnson.
OPENING STATEMENT OF CHAIRMAN CARPER
Chairman Carper. This hearing will come to order. Welcome,
everyone.
This is a day that I would describe for us here in the
Senate, I suspect for Dr. Coburn and me as well, it is like
fitting a size 13 foot into a size 10 shoe, how we are going to
make all this work. We just had a bunch of votes added this
morning and this afternoon, and somehow we are going to do our
best to get everything done. But thank you very much for
joining us. This is an important hearing, and we are delighted
that you have come.
A little more than a year ago, President Obama signed an
Executive Order (EO) which put into place a number of efforts
intended to enhance our Nation's cybersecurity, and we are here
today to see what kind of progress has been made in
implementing the Order and to gather other ideas about better
securing our critical infrastructure from cyber attacks.
Every day, sophisticated criminals, hackers, and even
nation states are probing our government agencies,
universities, major retailers, and critical infrastructure, and
they are looking for weak spots in our defenses. They want to
exploit these weaknesses to cause disruptions, steal our
personal information and trade secrets, or even worse, to cause
us physical harm.
While we have been able to hold off some of these cyber
attacks, anyone who has examined this issue even casually will
tell you that our adversaries are getting into our systems
every day. Earlier this week, for instance, the Washington Post
reported that Federal agents notified more than 3,000 U.S.
companies last year that their computer systems had been
hacked.
One of the most significant accomplishments over the last
year though, was the release of a voluntary Cybersecurity
Framework. This framework provides those who choose to
implement it--whether they be government entities, utilities,
or businesses large and small--with a common but flexible set
of best practices and standards they can use to better secure
their systems. I tend to think of the framework as a
``blueprint'' or ``road map'' to lead us toward stronger
cybersecurity.
The President's Executive Order called on the National
Institute of Standards and Technology (NIST), including Ms. Dodson
here today, to work hand-in-hand with industry to develop the
framework. It is a living document, dynamic, so NIST, working
with industry, will continue to update the framework to include
lessons learned and to address the latest cyber threats.
From what I understand, the development of the framework
ran very smoothly, and the end result is a product that has
been well received by many stakeholders, some who were quite
critical of our efforts in these venues previously.
In fact, just last week in Delaware, I sat down with a
group of cybersecurity experts at DuPont Company who were all
extremely appreciative of the public-private collaboration that
went into the development of the framework. To NIST and all the
partners that have worked on this framework together, I just
want to say ``Bravo Zulu.'' But I think that we can all agree
that we have not yet crossed the finish line. This is not the
finish line.
Right now, many organizations across our Nation are
actively analyzing the framework to determine how they can use
it and incorporate it into their own cyber practices. I commend
those efforts, and I am pleased that we have several witnesses
with us today who will share their thoughts on using the
framework.
Naturally, not every company or State is ready to use the
framework. Some may not even really understand what it is all
about. To those organizations, I can say that help is around
the corner. If you want it, we are there to help.
Under the leadership of the very talented Dr. Phyllis
Schneck, the Department of Homeland Security (DHS) has launched
a new voluntary program to assist organizations in adopting the
framework. This program will be incredibly important to the
success of the framework, and we will be closely monitoring its
progress to ensure it is providing the right tools and
information to stakeholders. For instance, we need to make sure
our Nation's small and medium-sized businesses are getting the
attention that they need to really drill down on the framework.
At the end of the day, though, I think the question that we
are all asking is whether or not the framework will help
improve our Nation's cybersecurity. While it might be too early
to answer that key question, I do believe that the framework
itself provides a much needed road map for companies that want
to improve their cybersecurity, and this is a very good first
step.
Of course, the framework will only be successful if
companies actually use it, so it is time for industry to roll
up their sleeves and put this roadmap to use to help us make it
better. It makes business sense, too. In the words of Dr. Pat
Gallagher, whom I think Donna knows pretty well, the head of
NIST and now the Acting Deputy Secretary of Commerce, who sat
right here, Donna, where you are sitting today, and said,
``good cybersecurity is good business.'' When those two become
synonymous, we know we have gotten to a very good place.
When you consider the threats that we are up against,
however, I think we can all agree that there is much more that
needs to be done, and that is why we continue to believe that
bipartisan legislation is the best long-term solution to
address this growing concern. We have been working hard with
our Ranking Member, Dr. Coburn, and our staffs, the folks at
DHS, and others in an attempt to produce such legislation.
For example, I think we need to modernize the way we
protect our Federal networks from cyber attacks. There is not
much argument about that.
We also need to clarify and strengthen the public-private
partnership that we want the Department of Homeland Security
and industry to have regarding cybersecurity.
And we need to make information sharing easier so that
companies can freely share best practices and threat
information with each other and with the Federal Government.
And, finally, we need to continue to develop the next
generation of cyber professionals and enhance our cyber
research and development efforts right here at home.
Last week, I had the privilege of visiting a new
cybersecurity class and program at the University of Delaware.
I was very impressed with the students and was even told--they
were from not only all over Delaware but all over the country
and from around the world. But I was told that the class was
``oversubscribed to both,'' undergraduate and graduate
students. I think that is a good problem to have.
The students at the University of Delaware, they get it.
They understand what cybersecurity means and how important it
is for our economic and national security. Our friends with us
today understand it, too. But for some other folks, this is
just a hard issue to grasp.
It is my hope that the framework can help us jumpstart a
new conversation about cybersecurity in this country. And it is
my hope that we can come together as a government and industry,
Democrat and Republican--and work together to tackle this
growing threat that we face.
With that, let me turn to Dr. Coburn for any remarks that
he might want to add. Dr. Coburn.
OPENING STATEMENT OF SENATOR COBURN
Senator Coburn. Thank you, Mr. Chairman, and thank you for
this hearing. I cannot let you get away with mentioning
Delaware without mentioning the University of Tulsa, one of the
leaders in cybersecurity in the country, and they are doing
phenomenal work.
I also want to praise the administration for the Executive
Order. I have done it before, but it shows what happens when
government actually goes out to listen to industry and then
works with industry to try to solve problems. And the whole
framework for the Executive Order came out of this meeting of
minds of what is the problem, what are the potential solutions,
how do we get about that. And so this hearing today is an
important hearing for us in terms of critical infrastructure
and cybersecurity.
But we also have tremendous weaknesses. Dr. Schneck, this
is the first time I have gotten to meet you. Everything I hear
is great. I hope to come back out there and actually work with
you directly at your facility. But we run the United States
Computer Emergency Readiness Team (US-CERT) from Homeland
Security, and they put out a notice on Windows XP. It is not
going to be maintained anymore. But guess what agency has the
largest number of Windows XP programs? Homeland Security.
And that is not to be critical. That is to say the problems
are so big, and Homeland Security was brought together, and we
are just now getting to the able-bodied capability that we need
there to start addressing some of these internal problems.
The other thing that Senator Carper and I have, and we are
working on the other side as well, is we are going to get you
the capability to hire the people you need, and that is going
to be on our next markup, I have been assured, and we are going
to help that flow through Congress and get to the President's
desk, because one of the things you have to do is be able to
compete with private industry for all these oversubscribed
classes.
So I look forward to our hearings. I look forward to our
second panel as well. I would also note we have a vote at 11
o'clock that is going to tie us up for 45 minutes to an hour,
because there is a multitude of votes. So maybe we should get
with it, and I will submit a written statement\1\ for the
record.
---------------------------------------------------------------------------
\1\ The prepared statement of Senator Coburn appears in the
Appendix on page 46.
---------------------------------------------------------------------------
Chairman Carper. Sounds great.
Very briefly, our witnesses: Dr. Schneck is Deputy Under
Secretary for Cybersecurity and Communications for the National
Protection and Programs Directorate (NPPD) at the Department of
Homeland Security. In this role, she is the chief cybersecurity
official for DHS. Prior to joining DHS, Dr. Schneck worked at
McAfee, Incorporated, where she was the chief technology
officer for the global public sector.
Our second witness is Donna Dodson. Ms. Dodson is Chief
Cybersecurity Officer for the National Institute of Standards
and Technology at the Department of Commerce. Ms. Dodson also
serves as the Division Chief of the Computer Security Division
and Acting Executive Director of the National Cybersecurity
Center of Excellence. In her position, Ms. Dodson oversees
research programs to develop cybersecurity standards for
Federal agencies and promotes the broader adoption of
cybersecurity standards through public-private collaborations.
Good to see you.
Our final witness is Stephen Caldwell. Mr. Caldwell is
Director of the Homeland Security and Justice Issues team at the
Government Accountability Office (GAO). In that capacity, he has
worked on recent reports regarding the protection of critical
infrastructure and the promotion of resiliency. Mr. Caldwell
has over 30 years of experience at GAO, and we thank him and
all of our witnesses for joining us today.
I want to thank Senator Johnson for joining us today. Very
nice to see you.
Senator Coburn. I would just like unanimous consent to put
into the record a report on the Federal Government's track
record on cybersecurity and critical infrastructure\1\ that was
from February 4, 2014.
---------------------------------------------------------------------------
\1\ The report submitted by Senator Coburn appears in the Appendix
on page 119.
---------------------------------------------------------------------------
Chairman Carper. Without objection.
All right. Dr. Schneck, you are the lead-off hitter. Swing
away.
TESTIMONY OF PHYLLIS SCHNECK,\2\ PH.D., DEPUTY UNDER SECRETARY
FOR CYBERSECURITY, NATIONAL PROTECTION AND PROGRAMS
DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY
Ms. Schneck. Thank you, and thank you for your very kind
words. Good morning, again, Chairman Carper, Ranking Member
Coburn, and distinguished Members of the Committee. It is an
honor and a pleasure to be here before you today to talk about
the Department of Homeland Security's----
---------------------------------------------------------------------------
\2\ The prepared statement of Ms. Schneck appears in the Appendix
on page 49.
---------------------------------------------------------------------------
Chairman Carper. Is this the first time you have testified
before a committee?
Ms. Schneck. It is my first time as a government witness,
sir.
Chairman Carper. OK. Fair enough.
Ms. Schneck. Which I have heard is a bit different. But it
is a pleasure to be here to talk about the Department's work in
cybersecurity and critical infrastructure.
We face a cyber adversary that is fast. They have no
lawyers, no laws, nothing to protect, and they share
information very easily. They execute when they want with an
alacrity that we envy, and it is greater than ours. So in that
spirit today, I will speak to you about our vision for the
Department of Homeland Security, our work with the Executive
Order, and with the fine people at NIST, and our implementation
of the voluntary program, which we call the Critical
Infrastructure Cybersecurity Community--C3 Voluntary Program.
I came to DHS 6 months ago. I came for the mission. I came
to bridge the public and private. I come from a technical
background in the private sector, and I was the authorizing
person to share information with the government. That was hard.
It was based in trust, and we knew we had to do it. And now
that I have been in government, I have a whole new perspective
of the challenges in government, and a top priority for me at
the Department will be enhancing the trust that we have with
our private sector stakeholders, as well as our Federal
Government, our State and local stakeholders as well. Building
that public confidence, leveraging the internal sibling
organizations that we have with the U.S. Secret Service
cybersecurity, the Coast Guard, the TSA, the Federal Emergency
Management Agency (FEMA), our research and development, and, of
course, our homeland security investigations, our internal law
enforcement as well as our external partners with the Federal
Bureau of Investigation (FBI) and the intelligence community,
it is vital.
What we need to really improve our infrastructure
resilience is speed. It is how do we increase that alacrity,
and in that process I envision our National Cybersecurity and
Communications Integration Center (NCCIC), as the core of that.
How we have the government indicators that we get from our
programs, such as EINSTEIN, Continuous Diagnostics and
Mitigation, how we pull those together that only we can see
because it is government, how we leverage our strengths and
privacy and civil liberties, our ability to show the world
everything that we do, full transparency, and work with the
private sector through that trust that we need to build better
partnerships, to create that common operating picture that the
President requested.
We are already partway there in creating indicators, what I
call a weather map. This is what the adversary cannot do, that
situational awareness to turn our networks into more self-
healing. Your body does not have a meeting to fight a cold. In
the same way, our networks should not pass bad traffic. Right
now we are passing malicious traffic at 320 gigs per second on
world-class carrier grade routers to good people, and we need
to work together in partnership. And one way we do that is with
this framework.
I was on the first 6 months of this process with the great
people at NIST as the private sector where all of our companies
put our finest scientists to work with the government to create
this broad set of guidelines for cybersecurity so that large
companies could take what they know and put good practices into
their suppliers, into their customers, and help raise the level
of all cybersecurity to make our country safer.
One of the first things I did when I got to the Department
is work with a team to take money to pay for Managed Security
Services for State and local governments when they adopt the
framework, logic being that in a year or so, when they are
protected, because they sit on critical infrastructure
information, private citizen information, and they know how
much they have to protect but they are woefully underbudgeted.
We will be protecting them while they use the concepts in the
framework and the voluntary program and all the resources of
DHS that come with adopting the framework--cyber resilience
reviews, technical assistance--they will now be able to take
that cybersecurity discussion to a level of risk-consequence,
and likely have better budgeting decisions. Same with small to
medium businesses to whom we have released a request for
information saying how can you go forth and innovate, do what
our country does best, take leadership and make elite security,
new security products, services, things that protect us, but
things that are affordable to those small to medium businesses,
so that we all raise our level of security together.
We look forward to having that tie back to our vision
because in that partnership, as we look at security
holistically, as part of keeping the lights on and maintaining
our way of life, part of infrastructure resilience, we build
that trust and partnership across all sectors, that NCCIC
continues to get information, that we can not only provide in a
weather map picture, which we already do, but also put out in
real time so that when traffic is passed, networks know whether
or not they should accept it. That is where we outdo the
current alacrity of our adversary.
We have enjoyed the support of you and your Committee. We
thank you for the confirmation of our Under Secretary Suzanne
Spaulding. What we need is some statutory clarification of our
role. To react more proactively and with greater alacrity, we
need to spend less time proving through a patchwork of
legislation to our partners what our role actually is and more
time just getting to it more quickly. That would help a lot,
and also thank you for your kind words in the beginning about
our workforce. I have had the opportunity and the honor to
visit with Secretary Johnson some universities and some
students. There is fine talent out there, and I know with our
mission we could actually use our mission and outdo some of
those salaries they are offered. But we have to have the
flexibility and some additional competitiveness to bring them
inside and see what we do and get them on board. That is our
future.
So I thank you for the opportunity to briefly share our
vision, to talk about the Executive Order, and I look forward
to working more with you to make our country safer and more
resilient. Thank you.
Chairman Carper. That was an impressive debut.
Ms. Schneck. Thank you.
Chairman Carper. Thank you.
Ms. Dodson, very nice to see you. Welcome. Please proceed.
TESTIMONY OF DONNA F. DODSON,\1\ CHIEF CYBERSECURITY ADVISOR,
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY, U.S. DEPARTMENT
OF COMMERCE
Ms. Dodson. Thank you. Chairman Carper, Ranking Member
Coburn, and Senator Johnson, thank you for this opportunity to
testify today on the National Institute of Standards and
Technology's work through public-private partnerships in the
area of cybersecurity.
---------------------------------------------------------------------------
\1\ The prepared statement of Ms. Dodson appears in the Appendix on
page 55.
---------------------------------------------------------------------------
As a scientific organization focused on promoting U.S.
innovation and industrial competitiveness, we at NIST see
ourselves as industry's laboratory with strong partnerships
with the private sector driving all that we do.
As this Committee is well aware, NIST has spent the last
year convening critical infrastructure sectors and relevant
stakeholders to develop the Cybersecurity Framework. On
February 12, Version 1.0 was released, along with a road map
for future work in support of this effort.
From the start, NIST saw the framework as a tool that any
organization in any one of the very critical infrastructure
sectors could use to build strong cybersecurity programs. The
intent was to assess the current capability of the market while
offering a common language to address and manage cybersecurity
risks. The voluntary nature of the program and the extensive
private sector engagement has encouraged the widest set of
stakeholders to come to the table and work collaboratively.
This approach, with its reliance on consensus standards, has a
proven track record. When industries and other private sector
stakeholders get together and determine for themselves what
standards are needed to ensure confidence and quality, those
standards are much more likely to be adopted and implemented.
NIST began the framework development process with a request
for information and received hundreds of submissions. Those
submissions provided a foundation for the framework. We
followed this request with five workshops around the country
with thousands of participants. Our approach was to gather
feedback from participants, conduct analysis, and present those
findings back to the community for additional refinement. Even
the fundamental structure of the framework came from this
engagement: an initial outline was presented to the
stakeholders, and then that outline was filled in at our
workshops.
The result of this effort is a document that lays out
critical elements of any cybersecurity program and then links
those elements to proven best practices and protections for
organizations to consider using while factoring in privacy and
civil liberty needs.
The framework consists of three parts: the Framework Core,
the body of existing practices that can help an organization
answer fundamental questions, including how we are doing; the
Framework Tiers that help to provide context on how an
organization views cybersecurity risks; and the Framework
Profiles that can be used to identify opportunities for
improving cybersecurity posture by comparing a current state
with a desired or target state. My written testimony has
additional details on each of these pieces.
The framework structure will enable organizations to tailor
plans to their specific needs and communicate them throughout
their organization. Some companies may discover that an entire
cybersecurity effort consists only of passwords and antivirus
software with no real-time detection capability, and other
companies may find the framework a useful tool for holding
their key suppliers accountable for their practices.
As organizations use the framework, their experiences can
then be reflected back to keep pace with changes in technology,
threats, and other factors, and to incorporate lessons learned
from its use and to ensure it is meeting national priorities.
Moving forward, NIST will continue to work with industry,
DHS, and other government agencies to help organizations
understand, use, and improve the framework.
Only 6 weeks in, we are aware of many organizations that
are already using the framework and providing feedback to DHS
and NIST. Phyllis has already discussed the great strides that
DHS is making in working with sectors on more detailed
operational guidance, which we will work with them to support.
We recognize that the cybersecurity challenge facing this
Nation is greater than it has ever been. We are committed to
working as part of the private-public sector team to address
this challenge. In particular, NIST will continue to support a
comprehensive set of technical solutions, standards,
guidelines, and best practices that are necessary to address
this challenge. Some of NIST's work will be conducted through
other programs, including our work under the Federal
Information Security and Management Act, the National Strategy
for Trusted Identities in Cyberspace, and the National
Cybersecurity Center of Excellence, as well as our research and
development work.
Thank you for this opportunity to testify today, and I
would be happy to answer any questions you may have.
Chairman Carper. Ms. Dodson, thanks so much for your
testimony and for being with us. Mr. Caldwell.
TESTIMONY OF STEPHEN L. CALDWELL,\1\ DIRECTOR, HOMELAND
SECURITY AND JUSTICE ISSUES, U.S. GOVERNMENT ACCOUNTABILITY
OFFICE; ACCOMPANIED BY GREGORY C. WILSHUSEN, DIRECTOR,
INFORMATION SECURITY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY
OFFICE
Mr. Caldwell. Chairman Carper, Dr. Coburn, and Senator
Johnson, thank you very much for asking GAO to come here today.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Caldwell appears in the Appendix
on page 63.
---------------------------------------------------------------------------
Chairman Carper. How about Senator McCain over here?
Mr. Caldwell. Oh, sorry, Senator McCain. I did not see you
slip into the----
Chairman Carper. He slipped in a little late, but he is
here.
Senator Coburn. He is hard to miss.
Senator McCain. I am insulted. [Laughter.]
Mr. Caldwell. I am Steve Caldwell, and I am from GAO's
Homeland Security Team, and I am in charge of our work on the
physical protection of infrastructure. I am accompanied by Greg
Wilshusen here, whom I think you know. He has testified before
this Committee previously. He is in charge of GAO's work on
cybersecurity. The reason both of us are here is we are
bringing together some of our work on both the physical and the
cybersecurity areas that deal with the partnership that we are
talking about. Our report here is, in the broader sense, trying
to pull up some more generic lessons learned perhaps as we move
forward with the new C3 initiative.
Since 2003, GAO has listed cybersecurity of critical
infrastructure as a high-risk issue. There are several reasons
for that. One of these is the importance of cybersecurity, as
our dependence on it continues to grow and evolve. Also, cyber
incidents continue to rise at a very quick pace, at least the
ones we know about. Then the Federal Government continues to
have a number of challenges in trying to deal with these
incidents.
As noted, in the wake of the Presidential directives and
the Executive Order last year, there is a new program, the C3
Voluntary Program here.
So today I am going to discuss key factors related to the
partnership between the private sector and government that may
provide lessons, moving forward. My statement is based on a
broad body of GAO work that has included all 16 sectors of
critical infrastructure. It has looked at protection against
all hazards, both cyber and physical. It has looked at
infrastructure largely owned by the private sector and programs
that have used both a voluntary and a regulatory approach.
As a whole, the DHS partnership has made a lot of progress
in terms of sharing threat, protection, and resiliency
information with a wide variety of partners. These include
other Federal agencies, State and local governments, and most
importantly, with industry.
However, there have been many challenges, and we have noted
these in our written statement. My written statement goes into
both progress made in both the physical and cyber partnerships
as well as several examples.
For example, our recommendations have asked DHS to seek
better understanding and focus on what the expectations are of
industry. We have asked DHS to identify and, where possible,
clear some of the barriers to information sharing that we have
found. We have asked DHS to determine why industry does not
participate in some of the programs DHS runs so it has to go
beyond those that participate to those that do not participate
to find out why. We have also asked them to share information
more broadly at the sector level and at the regional level. It
should share information, not just with individual companies
but in the broader sense of the grouping of companies. And we
have also asked DHS to evaluate whether and how industry is
actually using some of the assessments that DHS has provided,
particularly in the voluntary programs. And then, finally, we
are asking DHS to systematically assess the performance of the
outreach efforts that they have to industry.
In closing, DHS has taken a number of steps to develop
these partnerships, and these are critical for protection
against both physical and cyber attacks. However, a lot more
work remains, and we have kept the cybersecurity of
infrastructure on our high-risk list in our last iteration of
the list and anticipate that it will remain so as we move
forward.
So until the Nation's most critical infrastructure systems
have a better partnership with DHS these systems remain at
risk.
That concludes my remarks. Mr. Wilshusen and I will be
happy to answer any questions you may have. Thank you.
Chairman Carper. Thank you very much.
Dr. Schneck, we just heard from Mr. Caldwell a series of, I
will call them, ``asks'' from GAO. He says we have asked DHS to
do this, and I think about a half dozen or so. Are you aware of
those asks? And would you care to respond to what DHS is doing
in light of them?
Ms. Schneck. Absolutely. And, first of all, thank you. We
do a lot of work--again, my first 6 months with government, I
am learning a lot, and I really appreciate the work of the GAO.
Chairman Carper. They are good people.
Ms. Schneck. Absolutely, and I had the opportunity to work
with them before. So there are many asks, some of which I have
known a little of and some not, but we are in the first phase
of, as Donna mentioned, an evolving program with the framework.
So this is Phase 1. We are now into Phase 2. This is a living
document. It will adapt and we will adapt to how industry and
government need to raise the level of our security, evolve with
our guidelines, and these metrics will evolve.
I think we are assessing right now our outreach. We are
2 1/2 months in. We already have actually a checklist for our
State and local as to who has adopted what parts of the
framework, who is actually using services, who was before. We
will be looking at doing something similar for the private
sector, and certainly on the government side, absolutely. So we
are very much on top of that, but also tracking in partnership,
because the success of this, as I saw in the first phase as the
private sector, comes from the fact that the private sector is
very bought in. They know that they designed this thing with
us, with NIST, and they have a lot of trust in that. So we want
to maintain their input as we build how we rate the success.
Chairman Carper. Could you just describe for us in your own
words the role--we have the framework, we have the blueprint,
the road map. It has been well received in a lot of circles.
What are some of the criticisms you have heard of it? This is
for anybody. What are the criticisms we have heard of the
process and the product to date? I have not heard any, and
there must be some.
Ms. Dodson. So as we were beginning the development of the
framework, I think people were concerned if this would truly be
a private-public partnership, or did the government have the
answer in its back pocket that it was going to put out and put
forward. Through the process that we put together with industry
and the iterative and the constant communication from one
workshop to the next workshop, they could see the development
of the framework and the inputs that we received and how we got
to the end stage.
People are always concerned about cost, and so as you look
at the framework development, we took a risk management
approach so that it is integrated in with your entire business.
And really that work with the private industry on the
appropriate set of standards and best practices to put in
there, there is an element of cost there, and they can balance
that with the risks that they see and the need to protect their
information.
So those are two of the major concerns that we heard during
the development process of the framework and how we addressed
those collectively across the government.
Chairman Carper. All right. Thank you.
Dr. Schneck, talk to us a little bit about the role of DHS
going forward in terms of implementing the framework and
figuring out who needs some help in implementing maybe small
and mid-sized businesses, maybe even some larger ones. How do
you identify them? Do they just step forward and say, ``Well,
we need some help. What can you do for us?'' and then you have a
conversation? How does that work?
Also, in terms of what you need at DHS to do that job, the
kind of resources that you need, be they people, the kind of
people skills that Dr. Coburn talked about, technology,
authorization, maybe things you need from us, talk about those,
what your needs are to be able to meet your responsibilities in
implementing the framework.
Ms. Schneck. OK. I will start with DHS' role, the response
and mitigation to cyber attacks focused on critical
infrastructure resilience, basically to protect that holistic
all-hazards approach, and really looking at cyber discussion as
that risk-consequence equation. Going back to what Dr.
Gallagher said about equating cybersecurity and business
practice, when are we going to get there? And I think our role
is twofold.
One is on the people side really engaging those
partnerships. To Donna's point, there was a lot of skepticism.
Will this really be a partnership? And part of our role in
working with NIST and others is to make sure that the private
sector is at the table in helping those discussions and taking
their lead on what it is going to take to, No. 1, help the
providers make better technology, to help us innovate and drive
those markets economically; and the other is how do--to your
other point on small to medium business, that is a huge risk. I
testified on that in another capacity some years ago. These are
companies that have no idea in many cases that they have
something to protect, and yet they are connecting to everybody
else, making the rest of us not secure, with very small
budgets.
I went to Silicon Valley 2 weeks ago to talk to our venture
capital community, to talk to our innovators out there about
how they can protect those assets they are funding and growing.
So our role in DHS on the people side is really to engage,
to partner, to build that trust, and to use those qualities
that we leverage most--the privacy, the civil liberties, the
transparency--so that when we bring people and information
together, we can push it out as fast as possible to help stop
bad things getting to good people. But we can also be a
resource for people to learn.
On your next question about implementing the framework, we
have a very aggressive schedule on helping. We are reaching out
to small to medium business through the Chamber, through other
organizations, obviously reaching out to the larger businesses
through our Conservative Political Action Committee (CPAC)
partnerships with all 18 critical infrastructures, certainly on
our Federal civilian side working with all of the agencies and
with the State and local through the Multi-State Information
Sharing and Analysis Center (MS-ISAC), so certainly reaching
everybody. Everybody has different sensitivities. Everybody has
different things they need to see. And working through all of
that through different teams that are joined together.
And quickly to cover on the workforce, there is great
talent out there. We need everything from technical----
Chairman Carper. When you say ``out there,'' out where?
Ms. Schneck. The universities that----
Chairman Carper. Within DHS or outside?
Ms. Schneck. Both.
Chairman Carper. OK.
Ms. Schneck. And I will say for all the skeptics, I walked
into one of the finest teams on the planet.
Chairman Carper. Really?
Ms. Schneck. So those who think that government is not
smart, they are wrong. What we need is more people like the
ones we have, some more technical resources like we have in our
US-CERT, because more and more we have those teams that fly off
and help people respond to attacks. We need to have more of
that. And there is a spectrum of skill sets. We need the
cybersecurity experts. We also need folks that are skilled in
analytics. We need policy people. And that combination of
talent and people that work with us, with our Science and
Technology Directorate, through Research and Development (R&D),
need to look at a holistic view of what we can do with our
partnerships, what we can do across cybersecurity across DHS,
and have a mind-set of where we can go next. This is how we get
faster from our adversary, and I have had the opportunity, as I
mentioned, with Secretary Johnson to meet some people that I
believe fit that bill. And I believe our mission can meet what
their other salary offers can meet in a different way.
Chairman Carper. How can we help? Dr. Coburn mentioned
briefly one idea, and that is to make sure you are able to
attract and retain the kind of talent that you need in this
arena. But whether it is in that regard or some other regard,
how can we help you meet the responsibilities that you are
facing?
Ms. Schneck. The onboarding process, if we could make that
easier, give us a little bit more money to hire, a little bit
stronger hiring authorities to make things more competitive for
us, because our mission meets the salary. People say that good
talent does not come because we cannot pay them. Sometimes we
can make up some of that gap with our mission, but the rest of
the gap and the long process and what it takes to come work for
government, if you could help us make that easier, give us some
additional authorities to bring great people on, that will help
our overall partnership. And I believe that goes to the safety
of our Nation.
Chairman Carper. Good. Thanks so much. Dr. Coburn.
Senator Coburn. One of the words that you spoke a minute
ago was maintain input from the private sector. And what I hear
from the private sector is this inherent worry that we get to
the implementation phase and this is no longer a voluntary
program but a mandatory program. Talk to us about that.
Ms. Schneck. Thank you for that question because it is
something that we work with every day, because we heard it
every day from our stakeholders. The main goal of this
framework was to engage the private sector to drive this with
their innovation, with their picture, and to get us as a
country together, public and private. There is no better
incentive than actual security and safety.
At the White House anniversary of the framework on February
12 of this year as well as the day of the beginning of the
launch of the voluntary program to adopt the framework, we had
several CEOs in attendance of some of the major large
companies, and one actually said his major incentive was fear
and that he would be helping us to implement this.
So other ways that we are looking at this is how do we
continually in a phased approach maintain the private sector's
involvement as we do the adoption. We will learn. We are
putting all of our resources out to the private sector. We are
not asking them to report to us if they have used it or not. We
want to look at our outreach. We want to study our metrics,
stay involved with the large companies that are--and this is
very key to me--asking their suppliers to be more secure so
that when you connect to a smaller company, you do not endanger
the larger company, and requiring of their customers, same with
the State and local. And a lot of basic cyber hygiene and
guidelines that are mentioned in this framework could have
prevented a lot of the attacks that we have seen thus far.
Senator Coburn. Thank you. Talking a little bit about
government, hygiene in the government, it is a big problem,
isn't it? How do we solve that?
Ms. Schneck. Wow. So one approach that I would look at--and
you mentioned the Windows XP, so that is a great example. This
is a critical issue that is affecting everybody. DHS has worked
with Federal agencies to get this awareness out. We have a
great partnership between the National Protection and Programs
Directorate, where I sit, and our Chief Information Officer
(CIO). Our great new Chief Information Security Officer (CISO)
Jeff Eisensmith, and CIO Luke McCormack and I talk all the
time, because, candidly, there is no sweeter network than
DHS.gov to learn from who is trying to attack us. And then we
put that knowledge into how we protect everybody else.
On the XP issue, the migration to Windows 7 for us is
expected to be complete before the end of the security updates
for XP, and I know that DHS long before I got here put that
warning out to all other agencies. So that is one way I think
DHS protects our other agencies.
The other is in programs such as EINSTEIN, with simple
network protection intrusion, prevention and detection. But the
ability to understand with our information--again, we see all
the networks we protect, so all that information that large
view in the Concept of Operations (CONOPS) for cyber from that
NCCIC goes into the protection of every single agency that we
protect. And then every time we see something, we learn
something from it, and that goes to protect everyone else, and
we can push that information out as well to State and local. So
that hygiene in government can come back to our programs.
I also want to call out on that same note Continuous
Diagnostics and Mitigation. That is near and dear to me because
it takes the 3-year book of compliance that I called a
``doorstop'' when I was in the private sector; it takes
people's resources to build this one book of compliance that
says at this moment in time this is how my network looked.
Continuous Diagnostics and Mitigation changes your network into
an immune system. At any given moment, it will understand,
detect, and attack something that is bad and report on it. So
you can save your strongest minds to hunt for the most
malicious actors.
So in government, we are taking large strides toward that
hygiene. All of that fits within the guidelines of the
framework. And then certainly taking that data from Government
that we learn and pushing it out to private sector. So we think
Government hygiene will uplift everybody else, and we certainly
hold ourselves to higher standards than others at DHS.
Senator Coburn. There has been some maybe not criticism but
some questions about the efficacy of EINSTEIN. Do you feel
comfortable that it is where it needs to be?
Ms. Schneck. I do. So 6 months ago, when I came in, one of
the first things I did was learn the history and then the
current path of where we are. There were, of course, some
hiccups, as in any large technology program that I have seen
all my life. But now we have our second service provider on. In
fact, now that that service provider is signed up to provide
Einstein 3 Accelerated (E3A) accelerated services, which is
used in prevention, we at DHS will be leveraging those services
as well.
We are finally at a point as well where we are getting
enough data and protecting enough agencies--I think about a
quarter now of the seats in the government--and a lot of that
depends on, again, getting other service providers signed up,
but I think we are at a point where we are now looking at the
more interesting topic, if you will, which is how do we use the
data that we are collecting from government to give it to the
private sector.
Senator Coburn. Sure.
Ms. Schneck. For example, programs such as Enhanced
Cybersecurity Services, which allow us to protect the private
sector with classified information, as well as take
unclassified information but that we learn from the EINSTEIN
program in government and push that out in real time with
regular traffic, so that as traffic flows through the
network, other parts of the network and other devices know not
to accept it if it is going to hurt you.
So to wrap up, government hygiene I think is important, and
it affects everybody.
Senator Coburn. So it is important not just to maintain the
input from the private sector, but also to maintain the trust
of the private sector that what you have provided to them is
worth them having.
Ms. Schneck. Oh, absolutely, because, again, someone like
me, 6 months ago in a company, was given the ability and the
authorization to use my own judgment when we should talk with
government, and I was always asked what are we getting back,
what are they doing. So that is in both human time, what are we
going to learn from different government agencies by sharing;
and then in real time, the government and I believe DHS
uniquely, because of our emphasis on privacy, civil liberties,
and transparency, and our NCCIC, has the ability to correlate
that data and learn a lot from private sector, combine that
with what we as only government can see, and push that out
faster than our adversaries could hurt us.
Senator Coburn. And so in your thought pattern right now,
as long as you can keep the voluntary compliance and working
relationship on a basis of trust and value, we are not looking
at hard regs mandated by the Federal Government for this is how
you will do this.
Ms. Schneck. We are focused on voluntary engagement,
learning as much as we can from the private sector, and pushing
as much correlated data out as we can.
Senator Coburn. All right. Thank you.
Ms. Schneck. Thank you.
Chairman Carper. Senator Johnson.
Senator Johnson. Thank you, Mr. Chairman. Ms. Schneck,
welcome.
Let me pick up where Dr. Coburn left off there. I have been
here 3 years now, and we have been talking about cybersecurity.
I was actually in the meeting with a bunch of Senators trying
to hammer out a cybersecurity bill. A pretty prevalent attitude
in that room was that businesses, the private sector, needs to
be forced into protecting their cyber assets. Is that your
experience in the private sector?
Ms. Schneck. So I came from a large cyber provider, so, no,
we did not need to be forced to protect cyber assets. But I can
tell you that our customers did not either. They had either
experienced a breach or knew enough to know that they would
experience a breach, and many in the field say that there are
two kinds of companies and entities right now: those who know
they are compromised and those who do not.
So the issue is how we raise cybersecurity to a business
discussion. I think that the framework and the voluntary
program will get it to the board room, because it becomes part
of the risk. We do not force people to lock their doors, and
yet they do. So this is part of a culture of security that has
been talked about for 12 years. I think Howard Schmidt is the
first person to use that phrase back in 2000, 2001, or 2002.
And looking at how we continue to engage that private sector
innovation, drive the market.
Once NIST engaged with the private sector, they sent out
their best and their brightest for 3 to 4 days at a time to
workshops that required long flights, and they are continuing
to remain involved because they see the importance, not just
for their brand reputation but for their customers and,
candidly, as part of our Nation's network and our global
assets.
Senator Johnson. Well, it was certainly my attitude, and
trust me, I was the minority view, that I really think
businesses want to protect their cyber assets and actually look
to government, acknowledging the fact that the government has
an awful lot to offer. And so I have really been pleased with
what NIST is trying to do, make this a voluntary approach. It
is the way to go. If we can facilitate cybersecurity versus
dictate it, I think this will work. If we try and dictate it, I
think the private sector shuts down.
Over these 3 years, it seems like the No. 1 component or
the first priority is really to facilitate information sharing.
Ms. Schneck, you talked about the need for speed. What is the
greatest inhibitor to get that free flow, that rapid, the
speedy information sharing that is required if we are going to
detect cyber threats and try and contain them as much as
possible.
Ms. Schneck. I have an optimistic view of that, and there
are pockets in the private sector that can already do this.
That is how I know we can build it, and that is how I know
how--I built one of those in my previous life--where the
analysis of data can be in real time pushed out with traffic.
I think our job as government, and especially with DHS as a
lead civilian agency for this, with the ability, again, to do
it right, with privacy experts and civil liberties, and show
the world exactly how we do it, we have the ability to
correlate information and get a global view of what traffic
might be OK and what might not be, and to literally pass that
at machine speed. Just as you send an e-mail----
Senator Johnson. But, again, businesses have to feel
comfortable to share that information. Isn't liability
protection a big problem in terms of businesses not being
willing to share that? And isn't that something Congress needs
to do?
Ms. Schneck. So we look at liability protection. I can give
you an anecdote from my previous life. This is something that
would have helped us, because I was often in situations where,
as company or country, and can you share, the lawyer will not
let you, but you know that the information you have from the
research you do could help a lot of people. So I know the
administration is looking at targeted liability protection,
and, again, my perspectives have changed a bit since I have
come over to government, because I see some of the different
challenges. And part of what I want to do is bridge that, and
that is why I want to build that trust.
And I think that the targeted liability protection that the
administration is looking at right now would help us because it
would protect companies in the instances defined to share
information, and they would not get hurt by that and would not
be held liable, nor would their shareholders, if--for example,
in my case, when I did this, a sector could be exposed for
having potential liabilities. But it would not be so broad that
it threatens even the optics or the perception of threatening
our privacy and civil liberties because we are fighting to
protect, again, our way of life. So it is a balance.
Senator Johnson. The devil will be in the details on that
one.
First of all, I am pleased to hear that you appreciate the
talent that is already in your agency. That is good to hear. I
am intrigued, by the way. I really appreciate the fact that you
are willing to leave probably a pretty good-paying job and come
in here and do work for the Federal Government, pretty
important work.
Ms. Schneck. Thank you.
Senator Johnson. Let me just ask you, if you had to go
through the confirmation process, would you have decided to
make that switch?
Ms. Schneck. If I had to go through the confirmation
process? So when----
Senator Johnson. Did you go through the confirmation
process? My information is you did not.
Ms. Schneck. Not the Senate confirmation, no, sir.
Senator Johnson. Correct. But if you----
Ms. Schneck. But I would have done it anyway.
Senator Johnson. But had you gone through the confirmation
process, would that have prevented you from considering a
position here in the administration?
Ms. Schneck. No.
Senator Johnson. OK. In terms of attracting other people
into government, into these high-tech positions, certainly
there is kind of the mission challenge that is attractive, but,
again, there are a lot of good-paying jobs out in the private
sector. Can you speak to what kind of dollar differences we are
talking about?
Ms. Schneck. Oh, wow. So, again, all of that, it depends
on----
Senator Johnson. I am a business guy, so I focus in on some
of those practical concerns.
Ms. Schneck. So in many cases, sir, there are six-figure
differences, and that is before the stock. However, I think
there is a much more important--it is not always that way, but
there is a much bigger, I think, calling, if you will, and that
is that when you get to government and you can--and I only
learned this 6 months ago, but how much people in government do
so that someone in my position never knew it got done and just
felt safe every day. I think that having that other piece of
knowledge helps bridge the gaps that we need to bridge to keep
our economy--to let our private sector drive innovation to keep
our country in leadership in science, and all of that will make
us more secure. And so what I would love to do is be able to
pull some more people from the private sector and say, ``Come
see what I learned, and come join our team and help us.'' I
know that our mission can pull them.
From what I am told, the hiring process is very difficult,
and, if, again, we could get that help from Dr. Coburn and from
the Committee----
Senator Johnson. OK. That is really the point I am trying
to make.
Having come from the private sector, which obviously has
bureaucratic problems as well, can you just compare and
contrast a little bit in terms of what you see, what your
viewpoint is, comparing bureaucracy in the private sector
versus bureaucracy here in government? Because, again, this has
been an urgent need since I have been here, and even before
that. This is 3 years. We are still moving forward. We are
still talking pretty much about the same issues, although there
has been some real advancements because of the Executive Order
and NIST, and I appreciate that. But we are still, it seems
like we certainly have a ways to go.
Ms. Schneck. So do you mean in the hiring or in the
technology?
Senator Johnson. I am talking about just in terms of moving
a process forward and the bureaucracy versus the private sector
versus government.
Ms. Schneck. So in my short 6 months here, I have learned
that working with our partners across the Department as well as
across agencies and certainly with committees such as this is
the best way to get things done because you build support for
what needs to get done, you target your budget, your blueprints
and your outlook, your strategic plan toward what you feel
needs to get done. In a company, I think that sometimes things
move a little bit faster. But bringing that together--and that
is what companies can do best. That is why they can innovate so
quickly. But then, again, there are rules and reasons why we
have government processes. I have had the opportunity and honor
to start to understand some of that. It keeps government
honest. And we do have a lot of information and deal with very
large budgets. I think that is fair.
But, again, bridging that, building that partnership,
building that balance, I have seen both bureaucracies, and I
know we can work together, and I plan to get that done with
your help. We need your help.
Senator Johnson. OK. Thank you.
Thanks, Mr. Chairman.
Chairman Carper. Thank you, Senator Johnson. Senator
McCain.
Senator McCain. Well, thank you, and I thank the witnesses.
Ms. Schneck, you said that would not have deterred you,
having to go through the confirmation process, but I guarantee
you are just as happy you did not. [Laughter.]
Let me ask all three witnesses, isn't it true that current
trends indicate that the incidence of cyber attacks and
incidence of breaches of cybersecurity will continue to
increase in terms of frequency and gravity for the next 3 years
and the costs will increase more quickly than the benefits?
Would you agree with that assessment?
Ms. Schneck. So I have not seen those numbers or the
source. I do think cyber attacks are increasing. I do think the
gravity is increasing. And we see everything on the spectrum
from making noise to preventing business to actual destruction.
Senator McCain. Ms. Dodson.
Ms. Dodson. So when we started the development of the
framework----
Senator McCain. My question is: Do you believe that they
are increasing?
Ms. Dodson. So yes, we do believe that they are increasing,
and that is why the framework addresses resiliency, not just
stopping the attacks but that protect, detect, respond, and
recover capability that are outlined in the framework, because
that resiliency is very important.
Senator McCain. Thank you. Mr. Caldwell.
Mr. Caldwell. Senator McCain, hopefully I can make up for
my omission at the beginning----
Senator McCain. Inexcusable. [Laughter.]
Mr. Caldwell. The data that we use, which is from CERT,
certainly shows a striking increase in incident numbers.
Senator McCain. And more than 100 countries are cyber
capable. And if you put it into different categories--and there
are different ways of doing that, but let me try this:
Political activism, organized crime, intellectual property
theft, espionage, disruption of service, and destruction of
property--which of those are our highest priorities, would you
say, Dr. Schneck?
Ms. Schneck. I believe that resilience against all of them.
They are all happening. If we prioritize toward one, the
adversary will go after----
Senator McCain. One or two is fine.
Ms. Schneck. So the ones that harm our way of life, the
destruction for me, and certainly for the business.
Ms. Dodson. So I agree with Phyllis that looking at resiliency
is critical, and those things that really affect our way of
life and those things that touch our life, and it is a big
challenge as we look at the explosion of information technology
across all aspects of our life.
Mr. Caldwell. Senator McCain, really the priorities on
those threats would vary a lot. Obviously, in government you
have to worry about espionage of national secrets. If you are
a big company, you are worried about data breaches, dealing with
your consumers and your clients. If your business is dependent
on the innovation end, you are worried about the stealing of
your intellectual property.
Senator McCain. And I think we all conclude that the
cybersecurity is an issue of transcendent importance.
Mr. Caldwell, the cybersecurity budget is about $1.5
billion. It is less than 5 percent of the total DHS budget. We
do not like to talk just in terms of money, but money is a very
significant factor. Do you think that that is sufficient
priority of cybersecurity, that amount of money?
Mr. Caldwell. I am going to ask Greg Wilshusen to address
that. He does most of our cyber work within GAO.
Mr. Wilshusen. Good morning. I would say that, we did not
address the budget per se, whether that particular amount is
enough. One of the things that governmentwide has been reported
is that government spending toward information security has
been around $13 to $15 billion out of about $70 to $80 billion
spent on information technology (IT). So it has been about 18
percent, as has been reported by the Office of Management and
Budget (OMB). Within the Department of Homeland Security, I do
not know if I could actually say that that is the accurate
amount or the total amount that should be spent.
Clearly, the Department has many responsibilities and needs
to do a better job in certain areas in terms of providing
better support to the Federal agencies as well as to critical
infrastructure. If that is a matter of budget, I think we
talked earlier about there are some needs for top talented
people to continue to come to the Department.
Senator McCain. Thank you. I, like Senator Carper and
Senator Johnson, have spent many hours in meetings trying to
formulate cybersecurity legislation. We bump up into various
problem areas--privacy versus national security, what the role
of private enterprise is. We continue to address this in a
circular fashion.
One of the reasons is because we have oversight overlap of
so many different committees that have responsibilities--the
Judiciary Committee, Armed Services Committee, this Committee,
and probably the Commerce Committee and many others.
Given the gravity of this challenge that we face, I have
been arguing for a Select Committee. I count some 30 pieces of
legislation that have already been introduced in both Houses,
and, of course, none of them are going anywhere.
Mr. Caldwell, does GAO have a thought on that subject?
Mr. Wilshusen. Certainly there are a number of
Congressional committees that have oversight of the Department.
I believe the Department would probably be better positioned to
determine what impact that has on it. But we do testify before
a number of committees on this subject. But it is up to
Congress to organize as it sees fit in terms of how it provides
oversight.
Senator McCain. Thank you.
Ms. Schneck, should we shift the focus to
telecommunications companies and Internet Service Providers
(ISPs) and examine whether they could be doing more to monitor
the various cyber threats coming through their infrastructure?
Ms. Schneck. So cybersecurity is a shared responsibility.
We all have a piece throughout government and the private
sector. In my experience, the telecoms have done a lot. They
have really stepped up and helped, for example, in botnets,
which is when the adversary ties together tens of thousands of
machines sometimes, compromises them, and tells them to send a
lot of traffic all to one or two places. That is called
``distributed denial of service,'' and it prevents business
from being done because imagine too much water from a fire hose
going into a straw. It just cannot be handled.
One of the things that the ISPs have stepped up to help us
do with the NCCIC is when we use our trusted partnerships to
coordinate and understand which machines are causing the harm,
the ISPs actually are online ready there to take the
information from us and help distribute that through their
networks since they are carrying all of this traffic. So that
is one way they have partnered. They are very engaged in many
of the different public-private partnerships, and I hope that
other sectors--some already are and some are not--but, again,
they are one piece, and, again, it is a shared responsibility.
Senator McCain. Well, it is my conclusion, after looking at
where different personnel assigned to cybersecurity
responsibilities are spread throughout the Federal Government,
we have Cybersecurity Command in the Department of Defense
(DOD), we have you, we have other agencies of government all
who have a cybersecurity responsibility. And, frankly, I do not
see the coordination between those different agencies of
government that I think would increase dramatically our
effectiveness. And if we engage in legislation, which we have
tried to do without success, I would argue that that has to be
part of any legislation that we enact.
If you view this threat with the gravity that many of us do
now, then it may require a reorganization such as we carried
out after 9/11, which is the reason why this Committee and the
Department of Homeland Security is in being. I hope that you
will contemplate that kind of option as we examine all options,
because one thing we do agree on, this problem is going to get
a lot worse before it gets better.
I thank you, Mr. Chairman.
Chairman Carper. We are going to start voting here very
shortly, and my inclination--I checked with Dr. Coburn to see
what he thought, and we think we will be here until about 11:15
for the first panel. Then we will excuse you. We will run to
vote, and we will have a series of votes and come back as soon
as we can, my hope is around noon. But we will see how that
works out.
I would say to our second panel, those of you that are
here, thank you for joining us. Please be patient with us.
I want to go back to something that I think you said maybe
in response to Senator McCain, Dr. Schneck, and I think you
mentioned the words ``targeted liability protection.'' Senator
McCain knows, as do my other colleagues, Dr. Coburn especially,
that one of the issues that has made it difficult for us to put
together any kind of comprehensive cybersecurity policy has
been our inability to agree on what kind of liability is
appropriate. And Secretary Johnson mentioned to me last week
that he has been noodling on this and thinking it through as an
attorney what might make sense, and obviously you have as well.
Just think out loud for--and I am going to take about 3
minutes, and then turn it over to Dr. Coburn. But think out
loud for us about what form that targeted liability protection
might take, looking at your private sector experience, which
you have alluded to, and your current role.
Ms. Schneck. So thank you. The end goal is to get the
combined set of information. You have a wide set of companies
that see a lot, some that make cyber products, some that use
them, some across all different sectors from electric to water.
We need to know what they see. We need to know what they know.
And they need to know what we see from across, so how do we
build that trust?
It is very difficult coming from inside of a company to
make an attorney feel comfortable--and I am not a lawyer, so I
can say that--with the idea that I am going to pick up the
phone and call someone in government when, again, a lot of
these companies are not based in Washington so there is--and
that is why I have spent some time in California. There is a
lack of understanding as to what happens in Washington. And we
have tried as a Department to put a friendly customer service
face and engage other areas of the country because of this.
We have to get the general counsels to be comfortable with
the fact that information is going to come--not intellectual
property but information about awareness and cyber events,
whether it is their breach or something else that they are
seeing or building. We have to have the lawyers comfortable
with that transfer of information.
I was held accountable. I trusted, candidly, Larry Zelvin
in our NCCIC. I called him and I called some folks at the FBI
that I knew, and those were trusted relationships. I could have
lost my job if something went wrong.
DHS, FBI and the Secret Service have always handled my
information the way we asked. We could control whether it went
to government, whether it went to industry. But, again, we
wanted to be protected from getting hurt. If you tell the
government that the electric sector has--we have seen activity
across the electric sector, as we saw in Night Dragon in 2011,
where five oil and gas companies had their oil exfiltration
diagrams shipped off to another country unknowingly. We wanted
to issue a warning to the whole sector, and the lawyers had a
very difficult time with that because they felt that the
shareholders in that sector would suffer the next morning and
it would be the company's fault.
So that is a case where some protection would be needed,
not liability for everything on the planet, but liability
protection for that case. And I believe that is part of what
the administration means by targeted liability. And if those
companies can feel comfortable in those situations, we believe
more information will come in that we can then use to protect.
Right now it is game on for the adversary because everybody
is afraid to share information. And if we wait and do not share
this information and do not engage these partnerships and do
not leverage the work of NIST and this framework, we let the
adversary get far too ahead.
Chairman Carper. All right. Well, this is a conversation we
are going to want to continue.
Ms. Schneck. Yes.
Chairman Carper. And if we can solve this one, I think we
will move a long ways toward where we need to go in this
arena.
Ms. Schneck. Thank you.
Chairman Carper. Dr. Coburn.
Senator Coburn. One of the assumptions that has changed
during my lifetime as a citizen of this country is the
assumption in government that people are going to do something
wrong rather than they are going to do something right. And it
has been one of the most discouraging things I have ever seen
in our country. It is because basically the vast majority of
the people in this country want to do everything right. They do
not want to do it wrong. But government's interface with them
works under the assumption that they have done it wrong, now
prove that you have done it right. And that is the key where we
are on this liability.
Just for example, let us take two of the large Internet
service providers. Unlimited liability, that is a great focused
thing, but look what we lose when we start limiting the ability
of two ISPs who are working on something back and forth to
actually really talk a lot back and forth, and the Justice
Department comes in with their Antitrust Division and says,
``Hey, wait a minute, you have to prove that that was necessary
for cybersecurity rather than you guys colluding to keep
somebody out.''
And that is where this gets sticky. It is like Senator
Johnson said. The fact is that I know right now ISP providers
are talking back and forth without any immunity because it is
the best thing to do for the country to protect us. And yet
what we are finding is resistance here to give them that kind
of broad legal liability because we do not trust them. We do
not trust them to do what is best for the country as a whole,
and we think they are always self-centered, they are only going
to do what is good for them. And we have already seen in the
cyber arena that is not true. And yet this whole concept of a
very narrow limited liability is based on the assumption that
we do not trust them, and so, therefore, we can only give you
limited liability. And what we are going to do, if we do a very
narrow limited liability, we are not going to get where you
have espoused we want to get, because their same lawyer is
going to say, no, you got to have this there, so, therefore,
you can no longer do this.
So that is the downside to this, and it is important that
that gets communicated up the chain when we start talking about
specific limited liabilities versus general liabilities. And
the proof is in the pudding of what are your actions directed
toward and what are you trying to accomplish, not a specific
event, because if it is only event related, we are going to
lose. We are going to lose in this battle.
Mr. Caldwell, I want to talk to you a little bit--and I am
saying this based on hindsight, and it is no reflection on DHS
today. But there is a great example on how not to do something.
It is called the Chemical Facility Anti-Terrorism Standards
(CFATS), the chemical facility security act. And I just
wondered, have you looked at that at all? We spent billions. We
have not inspected the first chemical plant. We did not use
this proactive Executive Order style that the President used in
terms of creating a partnership. We did not listen to industry.
What we did is create a bureaucracy and spent a bunch of money.
And today we still have not accomplished what we need to in
terms of chemical facilities.
So my question to you--I do not think that DHS has been
effective at CFATS. It is better. I admit that. The guy that is
running it today is far superior to what we had in the past. It
is improving. Do you think CFATS would have been better if we
had done a public-private partnership much like we have done in
terms of cyber?
Mr. Caldwell. I think it is hard to say. I will say a
couple things about CFATS.
We have done a number of reports about it, and I would
agree the last 2 years they have made a lot of progress, and a
lot of it has been actually tracking what they are doing and
paying attention to it and trying to work with industry. So
there has been--they are getting closer to those compliance
inspections for those facilities that are deemed to be high
risk.
There have been a lot of distractions along the way. I
think a lot of the problem was actually setting up the
bureaucracy in the first place in terms of deciding what they
were going to do, what kind of people they needed, what kind of
inspections they were going to do, and how they were going to
do their risk analysis. We have made a number of
recommendations that they have taken pretty seriously and they
are moving toward.
It was very slow, and that is maybe a cautionary tale of
going down a regulatory path, that there is a lot of structure
to a government regulatory process, whether it is through the
rulemaking process or other things that take a lot of time. And
I think that is some of it. But I think a lot of it can be
traced back to starting from scratch.
For example, the Coast Guard, they had the Maritime
Transportation Security Act. They had that up running within
about 18 months, but you have to remember they also had a lot
of regulatory structure that related to the maritime sector.
They had people that already----
Senator Coburn. Well, they also have a different management
structure. You will do it, or you are getting booted out of the
Coast Guard. That is different.
Mr. Caldwell. Yes, sir.
Senator Coburn. Let me go back to my original point.
Mr. Caldwell. Please.
Senator Coburn. Had we started out CFATS with the framework
that said we are going to bring all the industry together and
say how do we best solve this problem--that is not what we did
with CFATS. And that is what we are trying to do now. I
understand that. But it is my point, and it is a great lesson
for us, and I think we have that dynamic going now in
cybersecurity. But in this one, it is in the best interest of a
chemical company to not have exposure. But the assumption under
CFATS, which goes back to what I said before, is prove that you
are not, rather than the assumption is we are going to assume
you are and we are going to have to show you where you are not,
and let us do this in a cooperative manner so that when we
regulate you, we can take what we learn from XYZ Company and
put it over to ABC Company, and we will come with judgment,
because that is what was lacking with CFATS. There was no
judgment because there was no knowledge, because we did not
listen to industry, who at their own best interest want to
protect their facilities.
Mr. Caldwell. I think the----
Chairman Carper. I am going to ask you to be very brief. I
want to make sure that Senator Johnson has a chance to ask a
question or two before we close. Go ahead, very briefly.
Mr. Caldwell. So, briefly, I think industry was engaged
with government when CFATS was created. I think one of the
problems that happened is after the law went into place, then
government kind of went into this quiet period where that
engagement kind of stopped, and maybe that is where when we
move forward with this, we have to make sure that engagement
stays at a high level all the way through.
Senator Coburn. All right.
Chairman Carper. Good point. Senator Johnson.
Senator Johnson. Thank you. I want to drill down on the
liability protection issue. Right now it seems to me like we
are erring on the side of limited liability protection or no
liability protection. As a result, we are not getting the
information that everybody believes is absolutely crucial if we
are going to provide cybersecurity. Correct?
Ms. Schneck. I would add that a lot of information is
already being shared through our Cyber Information Sharing and
Collaboration Program (CISCP) programs.
Senator Johnson. But not enough.
Ms. Schneck. There is more. And coming from the other side,
I know why some of those lawyers want liability protection. We
need a balance.
Senator Johnson. So let me complete my question. What would
be wrong with erring on the side of too much liability
protection so we would get the information, so we would,
complete this urgent need to provide greater cybersecurity?
What would be wrong in just erring on the side of maybe too
much liability protection? What is the cost? What is the damage
in doing that, other than to the trial lawyers?
Ms. Schneck. So that is hard for me as a nerd, not a
lawyer, but I am open to have the conversation. Again, you know
my goal. It is to bring all the information together. And I
need to work with our experts in the administration and in
Congress to understand what our folks at NIST and DHS have----
Senator Johnson. But, again, if we provide too much
liability protection, that means companies will not be able to
be sued as readily, correct? Isn't that the----
Ms. Schneck. We do not want companies getting sued. No, we
do not. We want information shared. I need----
Senator Johnson. Why would we withhold a broader level of
liability protection other than for that reason?
Ms. Schneck. I need to understand all the legal issues
around that, and, again----
Senator Johnson. Let us just walk through when companies
get sued, who pays for that. I just want to so people
understand. If a company gets sued and they pay a big old fine
to the Federal Government or a great big class action suit, who
really bears the cost of that litigation?
Ms. Schneck. We absolutely all do, and the bad guys win. It
is a terrible situation.
Senator Johnson. We all do.
Ms. Schneck. Yes.
Senator Johnson. So every consumer ends up paying higher
prices, correct?
Ms. Schneck. Absolutely. It is a terrible situation. It
is----
Senator Johnson. Now, who benefits from that liability? I
mean, when somebody sues successfully, who benefits?
Ms. Schneck. I am not a lawyer, but probably the lawyers.
Senator Johnson. Certainly trial lawyers on a contingency
fee, they make a lot of money, correct?
Ms. Schneck. Probably.
Senator Johnson. Every now and again, when it is a class
action, the members in that class might get, oh, a couple
pennies?
Ms. Schneck. I actually do not know.
Senator Johnson. Well, that is really, in effect, what
happens. So, again, I just want us to be really realistic in
terms of what is happening here. By not providing broader
liability protection, we are putting our cyber assets at risk.
And what we are doing is we are protecting the ability of trial
lawyers to get big old fees. Generally the class action
plaintiffs get very little. And when we do have these huge
settlements, it is American consumers overall that pay the
higher costs.
Ms. Schneck. And this is why the adversary is winning
because they have no lawyers----
Senator Johnson. Precisely. So, again, I think it is just
important that we understand what is happening when we refuse
to provide broader liability protection so we can actually get
the information that we need to provide cybersecurity.
Ms. Schneck. And that is why we need to have a
conversation, before anybody refuses anything. But, again, we
need the experts from the science side, the legal side, the
administration to find that balance, because we do not want to
err on the side of not honoring the privacy and civil liberties
that we are all here to fight to keep.
Senator Johnson. I understand. Again, I appreciate your
willingness to serve your Nation in this capacity. I think,
your kind of background, your willingness to come from the
private sector, a very lucrative job, I am sure, in the private
sector, to really address this challenge is just really
appreciated. Thank you.
Ms. Schneck. Thank you.
Senator Coburn. Uplifting.
Chairman Carper. ``Uplifting.'' That is what Dr. Coburn
said. It is uplifting. Well, it is uplifting to have all of you
before us, and, Ms. Dodson, nice to see you again. Thank you
for your testimony. Mr. Caldwell, good to see you. Greg, thank
you for joining us.
We are going to have to run and vote. We are running out of
time, and they will not hold the clocks for us. So thank you
all. There are going to be some questions, followup questions
that you will be receiving subsequent to this hearing, and we
just ask that you respond to those.
Chairman Carper. And we look forward to an ongoing
conversation. This has been a very encouraging panel, so thanks
so much. And we should be reconvening around noon.
[Recess.]
We are going to reconvene now. I want to thank everybody
for their patience and for waiting for us. When Dr. Coburn and
I are the leaders of the Senate, we will not schedule these
votes and interrupt our hearings. But we appreciate your
patience and appreciate your being here with us.
Our first witness is a familiar-looking person. I think I
have seen her before, Dr. Coburn. Elayne Starkey is our chief
security officer (CSO) for the State of Delaware where she is
responsible for the enterprise-wide protection of information
assets from high-consequence events. Ms. Starkey is also the
Chair of the Delaware Information Security Council and member
of the Governor's Homeland Security Council. Before joining
State government, Ms. Starkey spent 12 years in software
engineering in the private sector, and, Tom, I just want you to
know, for the 8 years that I served as Governor, most of those
years I worked for this woman, and it is great to see her
again. We thank you for your service to our State.
Our next witness is David Velazquez, executive vice
president and leader of power delivery business for Pepco
Holdings Inc. (PHI). Previously Mr. Velazquez served as
president and chief executive officer of Conectiv Energy. He
serves on the boards of the Maryland Business Roundtable for
Education, Southeastern Electric Exchange, the Trust for The
National Mall, and the Smithsonian National Zoo Advisory Board.
Welcome. Nice to see you.
Doug Johnson is vice chairman of the Federal Services
Sector Coordinating Council, which advises the Federal bank
regulatory agencies on homeland security and critical
infrastructure protection issues. Mr. Johnson also serves as
vice president and senior advisor of risk management policy, at
the American Bankers Association (ABA), where he leads
enterprise risk, physical and cybersecurity, business
continuity and resiliency policy, and fraud deterrence. I
understand you are also a member of the Financial Services
Information Sharing and Analysis Center. Is that right?
Mr. Johnson. I am.
Chairman Carper. OK. A private corporation that works with
the government to provide the financial sector with cyber and
physical threat and vulnerability information as part of our
Nation's homeland security efforts.
A final witness, saving the best for last, the final
witness is Steven Chabinsky, senior vice president of legal
affairs, general counsel, and chief risk officer for
CrowdStrike, a big data security technology firm specializing
in continuous threat detection, cyber intelligence, and
computer incident response. He also serves as an adjunct
faculty member of the George Washington University and is a
cyber columnist for Security Magazine. Before joining
CrowdStrike, Mr. Chabinsky had a distinguished career with the
government culminating in his service as Deputy Assistant
Director of the FBI's Cyber Division.
A big thanks to all of you for coming, for your
testimonies, and for your patience with us today.
Elayne, would you please proceed? Your entire statement
will be made part of the record. You can summarize as you see
fit.
TESTIMONY OF ELAYNE M. STARKEY,\1\ CHIEF SECURITY OFFICER,
DELAWARE DEPARTMENT OF TECHNOLOGY AND INFORMATION
Ms. Starkey. Good afternoon, Senator Carper, Ranking Member
Coburn. Thank you for the opportunity to be here at the hearing
today.
---------------------------------------------------------------------------
\1\ The prepared statement of Ms. Starkey appears in the Appendix
on page 85.
---------------------------------------------------------------------------
As the chief security officer for the State of Delaware, I
can report that we are combatting a greater number of cyber
attacks than ever before. State governments not only host
volumes of sensitive data about our citizens, we use the
Internet to deliver vital services, and ensure our first
responders can access the data they need in crisis situations.
State government IT systems are a vital component of the
Nation's critical infrastructure.
Today, with this testimony, I want to provide the Committee
information on the value of public-private partnerships, as I
see it from where I sit. Cyber threats know no borders, and in
our interconnected world where all levels of government work
with each other and work with private sector partners and
citizens, the only defense is a multi-sector approach. I view
these partnerships as a critical component of the Delaware
Information Security Program, and I am eager to give you very
specific examples of what is working in my State.
We have been partnering with the U.S. Department of
Homeland Security since our program started back in 2004, and
over the years, our incident response capabilities have
improved significantly by partnering and participating in their
Cyber Storm Exercises. We have advanced our capabilities,
thanks to applying funding from the Homeland Security
Preparedness Grant Program, and we have used this money for a
variety of different things, including annual employee
awareness training, e-mail phishing simulations, technical
training, and I am most grateful to have received approval for
this funding.
Delaware, however, is an exception. In contrast, most of my
peers in other States report limited success in competing with
traditional emergency responders for just a small share of
those grant funds. I urge Congress to carve out a portion of
this funding for States to use exclusively on cybersecurity
initiatives.
One of the things I am most proud of is Delaware's
effective outreach and collaboration with local governments and
other critical infrastructure providers. We were delighted to
be selected to participate in the Community Cyber Security
Maturity Model, run by the Center for Infrastructure Assurance
and Security at the University of Texas at San Antonio. This
program has resulted in training at all levels, and exercises,
and seminars. In fact, our next event is a statewide
cybersecurity conference on May 6. This is a day-long education
workshop where we will bring together State and local
government, law enforcement, military, higher education, health
care, and other critical infrastructure providers.
Cyber awareness and education and training have been the
cornerstones of Delaware's program ever since we got started.
Our campaign is very active throughout the year. But in
October, as part of National Cybersecurity Awareness Month, we
ratcheted up the program with TV and radio advertising, and even
wrapping a Delaware Transit bus with an eye-popping
cybersecurity message. In the testimony that I provided,\1\ if
you cannot imagine what a wrapped cybersecurity bus looks like,
there are some pictures in the testimony that I provided. This
literally has become a moving billboard up and down the State,
carrying the Internet safety message to 50,000 motorists each
day.
---------------------------------------------------------------------------
\1\ The pictures submitted by Ms. Starkey appear in the Appendix on
page 91.
---------------------------------------------------------------------------
We are unable to use State funding to do projects like
that, so that is why I am so thankful to Verizon. Verizon's
support of this program has been unwavering. We could not have
done many of these initiatives without the financial support
from the Verizon Foundation and the incredible volunteer
support from Verizon employees as we go out into Delaware
elementary schools and present on Internet safety. We have
reached 25,000 fourth graders over the last 7 years thanks to
this wonderful partnership that we have with Verizon.
Cybersecurity works best when people have an understanding
of the risks and the threats, so I am especially appreciative
of our strong partnership and collaboration with the Multi-
State Information Sharing and Analysis Center (MS-ISAC) and the
National Association of Chief Information Officers.
My final partnership example is with higher education. Five
years ago, a team of people came together, and we discovered we
all had the same passion. We had a passion for nurturing the
next generation of cybersecurity professionals, and today that
team includes all Delaware universities and colleges. And
together with the Council on Cybersecurity and SANS Institute,
we are planning our 5th annual U.S. Cyber Challenge summer
camp. It is a week-long, intensive training filled with
specialized speakers intended to reduce the shortage in the
cyber workforce.
So, in conclusion, my compliments to NIST and DHS and all
the stakeholders that worked together to develop the
Cybersecurity Framework. It is valuable to State governments.
It is valuable to reference a core set of activities to
mitigate against attacks on our systems. For those of us that
have established security programs, the framework will not
introduce major changes for us. Rather, the framework offers
valuable risk management guidance and is complementary to our
Exercise and Incident Response Program. I endorse the framework
as an excellent first step; however, it is important to stress
it is the beginning and it is not the end. My hope is that
future versions are going to include incentives to adopt the
framework and strive for continuous reduction of the cyber
risk.
This is a complex issue. We have a long road ahead of us to
making our Nation's systems more secure. It is a journey, and
it is a race with no finish line. There is no single solution;
there is no silver bullet. I compliment you for holding
hearings such as these. I ask Congress to continue to work with
States to identify ways to protect our Nation's information
assets and provide funding opportunities for State government
cybersecurity.
Thank you.
Chairman Carper. Elayne, thank you so much. Great to see
you here, and thank you for joining us.
Steven Chabinsky, please proceed.
TESTIMONY OF STEVEN R. CHABINSKY,\1\ CHIEF RISK OFFICER,
CROWDSTRIKE, INC. (TESTIFYING IN HIS PERSONAL CAPACITY)
Mr. Chabinsky. Thank you. Good afternoon, Chairman Carper,
Ranking Member Coburn. I am pleased to appear before you today
to discuss cybersecurity public-private partnerships.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Chabinsky appears in the Appendix
on page 93.
---------------------------------------------------------------------------
First, I would like to discuss the Cybersecurity Framework.
Senator Rockefeller had proclaimed last year that NIST is the
``jewel of the Federal Government.'' I agree. I especially
commend NIST for having engaged with over 3,000 individuals and
organizations on the framework. In doing so, NIST established a
true public-private partnership. I would also note that the
Cybersecurity Framework is written in such a straightforward
manner and so concisely that it should be required reading for
every corporate officer and director.
I have no doubt that, if implemented, it would improve our
critical infrastructure cybersecurity. But having improved
security is not the same thing as having adequate security. And
in my professional opinion, the strategy we are pursuing to
include the NIST framework will not result in adequate security
of our critical infrastructure and for our country.
Regardless of how vigorously industry applies risk
management principles, there simply is no chance the private
sector can consistently withstand intrusion attempts from
foreign military units and intelligence services or even, for
that matter, from transnational organized crime. As a result,
improving our security posture requires that we reconsider our
efforts rather than simply redouble them.
We must ensure that our cybersecurity strategies focus
greater attention not on preventing all intrusions but on more
quickly detecting them and mitigating harm while in parallel--
and this is the significant part--identifying, locating, and
penalizing bad actors. Doing so also would align our
cybersecurity efforts with the security strategies we
successfully use every day in the physical world.
In the physical world, vulnerability mitigation efforts
certainly have their place. We take reasonable precautions to
lock our doors and windows, and depending upon the type of
business, those locked doors and windows will be of varying
strength and expense. Still, we do not spend an endless amount
of resources seeking to cut off every possible point of entry
against those who might dig holes underground or parachute onto
the roof.
Instead, to counter determined adversaries, we ultimately
concede that they can gain unlawful entry. So we shift our
focus. We might hire armed guards. More often we get security
systems that have alarms for instant detection and video
cameras to capture attribution. None of these make the facility
any stronger or less penetrable; rather, in the physical world,
guards, alarms, and cameras essentially declare to the bad guy,
``It is no longer about us. Now it is about you.''
When a monitoring company is alerted that a door was broken
into at 3 in the morning, it calls the police to respond. It
does not call the locksmith. And as a result, most would-be
intruders are deterred from acting in the first place.
It is surprising then and suggests a larger strategic
problem that, in the world of cyber, when the intrusion
detection system goes off, the response has been to blame the
victim time and again and to demand that they prevent it from
happening again.
The goal then becomes one of ridding the network of malware
rather than of finding and deterring the attackers. I believe
that this single-minded focus of preventing or cleaning up
after an intrusion is grossly misplaced.
Consider the scene in ``The Godfather'' movie of waking up
to find a horse's head in your bed. That is no time to wonder
how you are going to clean it up. Rather, the obvious questions
are: Who did it? What are they after? Are they coming back? And
what will it take to stop them or change their mind? It is
threat deterrence, not vulnerability mitigation, that effects
security in the physical world every day.
Making matters worse, as industry and government agencies
continue to spend greater resources on vulnerability
mitigation, we find ourselves facing the problems of
diminishing economic returns and perhaps even negative returns.
With respect to diminishing returns, imagine trying to protect
a building by spending millions of dollars on a 20-foot brick
wall. Meanwhile, an adversary can go to a hardware store and
for less than $100 buy a 30-foot ladder. That is happening
every day in cyber where defenses are expensive and malware is
cheap.
Far worse, though, is the concept of negative returns in
which well-intentioned efforts actually make the problem worse.
Consider our brick wall again. What if instead of buying a
ladder the adversary decides to use a life-threatening
explosive to bring down the wall? This is not dissimilar from
our current defensive cyber strategy, which has had the
unintended consequence of proliferating a greater quantity and
quality of attack methods, thereby escalating the problem and
placing more of our infrastructure at greater risk.
We can and must do better. It is time to refocus our
public-private partnerships on developing the technologies and
policies necessary to achieve the level of hacker detection,
attribution, and punitive response that is necessary to reduce
the threat. By doing so, businesses and consumers are far more
likely to benefit from improved, sustained cybersecurity and at
lower costs.
Thank you for the opportunity to testify today. I would be
very happy to answer any questions you may have.
Chairman Carper. Thank you, sir. We are very happy you are
here, and thank you for that testimony.
Mr. Johnson, please.
TESTIMONY OF DOUG JOHNSON,\1\ VICE CHAIRMAN, FINANCIAL SERVICES
SECTOR COORDINATING COUNCIL
Mr. Johnson. Yes, Chairman Carper, Ranking Member Coburn,
my name is Doug Johnson. I am vice president of risk management
policy at the American Bankers Association. I am here today
testifying in my capacity as the vice chairman of the Financial
Services Sector Coordinating Council (FSSCC), and also in my
capacity as a board member of the Financial Services
Information Sharing and Analysis Center (FS-ISAC).
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Johnson appears in the Appendix
on page 103.
---------------------------------------------------------------------------
ABA is always proud of and committed to maintaining its
leadership role in organizations such as these as we help to
protect our Nation's critical infrastructure, and we feel that
it is extremely important to do so as an association. The
financial sector shares the Committee's commitment to
strengthening the public-private partnership to reduce cyber
risks to our Nation's critical infrastructure.
The nature and the frequency of cyber attacks against
financial services and other sectors have focused a great deal
of attention on whether our institutions, regardless of size,
are properly prepared for such events and whether we are
committing the appropriate level of resources to detect and
defend against them. This is not a new exercise. The financial
services sector continuously assesses and refines our
preparedness to detect and to respond to future attacks and
actively engage our government partners in this process. These
efforts build on a longstanding, collaborative imperative for
the financial sector to protect institutions and customers from
physical and cyber events. A significant protection
infrastructure, in partnership with government, exists, and the
FSSCC and the FS-ISAC obviously play vital roles in the
process.
For the FSSCC, much of 2013 and now 2014 was and has been
dedicated to responding to the administration's Executive
Order, and particularly regarding the development of NIST's
Cybersecurity Framework. You have heard a lot of compliments
about the framework, and we share in that assessment. Our
sector is supportive of the administration's and NIST's efforts
in this regard to build a voluntary framework and will remain
engaged as we migrate into what is really the all-important
implementation phase of the framework.
Our government partners are many. Our partnership with DHS
is really extremely important. Of particular note is DHS'
assistance. The FS-ISAC is now the third sector which is
participating in the National Cybersecurity and Communications
Integration Center. The co-location of sectors in the NCCIC is
an extremely important component of our overall effort to build
the trusted network between government and industry, and the
only way to do that, frankly, is to have an ability to really
share information in very much of a trusted network, which
requires individuals really to have that trusted ability to
communicate with each other. And the NCCIC is a prime example
of how the co-location of subject matter experts across the
public and private sector can build that model. That enhances
the ability both to protect our critical infrastructure and to
build that trust.
The FS-ISAC also works very closely with other critical
infrastructure sectors through the National Council of ISACs
where our cross-sector cooperation and coordination for the
FSSCC occurs through the Partnership for Critical
Infrastructure Security (PCIS) Cross-Sector Council. The 20
sectors and the subsectors that really comprise the PCIS Cross-
Sector Council are unanimously in support of it remaining the
mechanism to engage DHS on our joint critical infrastructure
protection mission. We look forward to working with DHS in a
manner consistent with the National Infrastructure Protection
Plan in that regard.
Through the FS-ISAC and the sector, our sector is committed
to working collaboratively with NIST to further improve the
framework and our Nation's overall cybersecurity posture. In my
written testimony, I have offered a number of recommendations
to meet our mutual goals, including: encouraging the
development of sector-specific approaches to the framework;
facilitating automated information sharing; clarifying
liability protections for the sharing of information; fostering
the growth of the existing ISACs and encouraging the
development of additional models similar to that in other
sectors that might not currently be deemed critical
infrastructure protection; leveraging existing audit and
examination processes when implementing the framework to the
greatest extent possible; creating incentives that are tailored
to address specific market gaps and letting the market make the
determination as to whether or not they can fill those gaps
independent of government; and, last, fostering research and
development and workforce creation is always very important, as
you have heard others speak of today.
Thank you for holding this important hearing. Financial
services companies do make cybersecurity a top priority. We
look forward to continuing to work with you toward our mutual
goal, and at this point I would be willing to take any
questions.
Thank you.
Chairman Carper. Thank you, Mr. Johnson.
And our last witness, Mr. Velazquez, please proceed. Good
to see you.
TESTIMONY OF DAVID VELAZQUEZ,\1\ EXECUTIVE VICE PRESIDENT FOR
POWER DELIVERY, PEPCO HOLDINGS, INC.
Mr. Velazquez. Thank you, Chairman Carper, Ranking Member
Coburn. I am Dave Velazquez, and I have the privilege of
serving as executive vice president of power delivery for Pepco
Holdings Inc. (PHI). We are an electric utility that serves
about 2 million customers in the Mid-Atlantic area, including
here in Washington, DC. It is my pleasure to appear before you
today to discuss an issue of fundamental significance to our
industry, the electric utility sector: the public-private
partnerships to advance the security of our electric grid.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Velazquez appears in the Appendix
on page 113.
---------------------------------------------------------------------------
As the power utility in the Nation's capital, PHI has been
actively engaged in cybersecurity protection and in the
advancement of national cybersecurity regulations and
legislation. In addition to Washington, we serve customers in
four other jurisdictions. The thought that each of these
jurisdictions could develop its own Cybersecurity Framework and
protocols becomes quite daunting for us. That is why we believe
Federal legislation is necessary, and we commend the work of
this Committee and others in the House and Senate, the work
that has been toward that goal.
We were very active in the public information gathering
sessions led by NIST to develop the framework. We found that
process to be very collaborative and respectful of the work
that the electric utility sector and our regulators had already
done.
PHI has pledged to be among the first utilities to work
with DHS and the Department of Energy (DOE) to apply that
framework to our operations. This self-assessment process is
ongoing, but to be truly resonant with our regulators, PHI
believes it should include some form of standardized third-
party verification.
The framework is not, however, the first example of a
public-private partnership for grid security. There are a
number of others in which PHI is active. Critical
Infrastructure Protection (CIP) standards are mandatory for all
owners and operators of bulk power system assets, and they are
enforceable by the Federal Energy Regulatory Commission (FERC).
In this way, the CIP standards ensure basic network hygiene and
baseline levels of security for the grid.
The NCCIC serves as a centralized location where
cybersecurity operational elements are coordinated and
integrated. NCCIC partners include the Federal agencies, State
and local governments, the private sector, and international
entities. PHI is in the process of obtaining the clearances
needed to maintain a seat on the NCCIC floor.
The Electricity Subsector Coordinating Council, which is
made up of utility and trade association leaders and government
executives, has focused its efforts on three areas of industry-
government collaboration: incident response, information flow,
and tools and technology.
PHI is also an active participant in the ICS-CERT, a
program that provides vulnerability information regarding
industry control systems.
While the NCCIC, Electricity Subsector Coordinating Council
(ESCC), and Industrial Control Systems Cyber Emergency Response
System (ICS-CERT) are industry-wide initiatives, there are also
opportunities for individual utilities to apply federally
developed threat detection technologies. Though I am not at
liberty to discuss the details of these threat detection
programs, I can say that PHI has been afforded the opportunity
to participate in Federal security technology applications that
allow both temporary and also permanent real-time, machine-to-
machine threat detection.
Additionally, last November the North American Electric
Reliability Corporation (NERC) conducted Grid-Ex II, a 2-day
cyber and physical security and incident response exercise in
which more than 165 industry and governmental organizations
participated. One of the key learnings from the exercise was
the need for clearer protocols to coordinate governmental roles
in the physical defense of privately held critical
infrastructure.
Though these existing partnerships are impactful, there are
some open issues that exist. For instance, though the federally
administered technology programs in which a number of the
utilities participate offer some threat information sharing
capability, in the absence of Federal legislation much is left
undefined with regard to data privacy and also liability
associated with the bi-directional threat information sharing.
Similarly, forums exist for event response coordination.
Without explicit authorization, these forums may not resolve
all the jurisdictional issues. And, very importantly, we must
have clear protocols for industry-government event response
before an event occurs. Finally, some assurance of prompt and
reasonable recovery of cybersecurity investments will be
imperative.
Today our regulators seem willing to acknowledge the value
of the investments we are making in cybersecurity. However, as
the threat continues to become more sophisticated, our
investments will likely rise pretty rapidly, and some
systemized form of prompt cost recovery would facilitate our
capacity to grow our expertise.
In summary, PHI has been very active in and benefited
greatly from the growing array of opportunities to partner with
Federal, State, and local authorities. Public-private
partnerships have improved cyber threat detection and cyber and
physical event preparation and response coordination. However,
more can be done.
In particular, some issues still needing attention include
real-time and actionable threat information sharing, liability
protection, event response protocols and systemized cost
recovery. We look forward to continuing to work with the
administration, this Committee, and your colleagues in the
House and Senate to advance legislation to address these open
issues.
Thank you.
Chairman Carper. David, thank you very much.
Dr. Coburn has to be off to another meeting, and he is
going to ask some questions. I am going to step out and take a
phone call and then come right back and continue, and we will
wrap up a little bit after 1. Dr. Coburn.
Senator Coburn. Thank you, Mr. Chairman.
Mr. Chabinsky, I am really interested in your testimony
because you have taken a track that nobody else has taken here
other than Senator McCain in his questions that he asked
earlier. And you have a lot of experience in terms of
deterrence with your past history. I was wondering what the
other panelists thought about what he said. You all talked
about mitigation of vulnerabilities, and he is talking about
deterrence--one of which is cheaper, one of which is more
effective. Any comments about what Mr. Chabinsky had to say?
Mr. Johnson. Well, Senator, I would be glad to take a first
shot at that. I think that what we saw during the denial-of-
service attacks that we had over a period of over a year gave
us a real understanding of the dynamics associated with that
particular issue.
I will go back to an anecdote that occurred in a conversation
between Treasury and a series of bankers from New York that are
not necessarily shy in a lot of cases. Basically during the
height of the denial-of-service attacks, they were asking
Treasury whether or not the denial-of-service attacks in and of
themselves were part of the defensive strategy that we as a
Nation were taking as it related to Iran. And I think that what
that really brought to the fore is the jobs issue. Whose job is
it to really take those so-called active defenses? And I think
that in large part that is an area that is still to be
determined, because clearly it is the expectation of industry
that government has a role, a substantial role in that defense,
and obviously when we are talking about issues such as ``hack
back,'' there has been a lot of controversy associated with the
private sector taking those kind of roles. And, in fact, it is
illegal at this particular juncture to do so.
And I love Steve's analogies. He is always extremely good
at them. But if you go back to the analogy of physical
security, when the bank is robbed, it is not up to bank
personnel to catch the robber.
Senator Coburn. Right. I agree.
Mr. Johnson. And so I think that while there is some
substantial role that organizations have on the front end--and
that role might migrate to some degree toward active defense--I
think that we really have to be clear on what that line is.
Senator Coburn. But the key is that you can give the
government attribution.
Mr. Johnson. Yes.
Senator Coburn. And the government by itself does not have
that. So for it to act, we need to create a pathway so that
that information on attribution can get to the government if
the government is going to act on it.
Mr. Johnson. Right, and that is where the analogy still
holds, because when you are talking about fiscal crime,
essentially one of the first things the police are going to ask
when the bank is robbed is, ``What did the robber look like?''
Senator Coburn. Yes.
Mr. Johnson. And so I think that analogy still holds.
Senator Coburn. Mr. Velazquez.
Mr. Velazquez. I would just second Mr. Johnson's comments,
and I think one of the critical pieces from a private-public
partnership is being able to share that information in real
time so that the government can take appropriate action.
Senator Coburn. Right, OK.
Mr. Chabinsky, are you familiar with the Deter Cyber Theft
Act?
Mr. Chabinsky. I am, Senator.
Senator Coburn. What do you think about that?
Mr. Chabinsky. I think that that is exactly the right path
that we need to be going down, which is threat deterrence,
making sure that the recipients of illegally obtained
intellectual property are not able to benefit from that to
further actually impact our economy. Bad enough that our
intellectual property is being stolen every day by foreign
powers. Then to have the corporate recipients of those
companies come back to our shores and unfairly compete against
our industry is unconscionable. Thank you for introducing that.
Senator Coburn. Thank you.
Ms. Starkey, I thank you for your testimony and what you
are doing in the State of Delaware. Maybe I have some bad news
for you. The fact is that 3 or 4 years from now you are not
going to be getting a penny from the Federal Government for
what you are doing. And the question is, it is really not our
role to do that. The taxpayers of Delaware ought to fund
theirs. But our financial situation is going to be such--we are
going back to trillion-dollar deficits even in a growing
economy, 3 or 4 percent. So we are not going to be there.
So are you prepared as representative of the State of
Delaware to do what you need to do without Federal money?
Ms. Starkey. Yes, we recognize that, and we have seen the
dwindling amounts that have been coming out of the Homeland
Security Grant just over the last few years. That is the
reason, that is exactly the reason why we pursued the
partnership with the Verizon Foundation, to be able to continue
the momentum that we had through non-government dollars, if you
will. So we are fully prepared for that.
I cannot really speak on behalf of the budget writers in
the Delaware State government.
Senator Coburn. I understand.
Ms. Starkey. But it is something that we are paying
attention to. We are alerting them that, you know, the threats
keep going up, and there needs to be additional tools added to
our toolkit to combat the threats all the time, and those
tools--as has been pointed out here, those tools are expensive.
It is very expensive to be secure.
Senator Coburn. But if we did more deterrence and less
vulnerability mitigation, what we might see is less capability,
because the fact is if you take a bunch of smart people, no
matter what you put on your network, they are going to
eventually find a hole in it.
Now, we may respond to that. We may protect everybody else
that was not attacked. But eventually, if they want to, the
guys that want to rob the bank, they are going to rob the bank.
They are going to do that. So Mr. Chabinsky's point is well
made.
Mr. Chabinsky, you spent some time with the FBI. What
resources now do we have at the FBI in terms of manpower in
terms of going after these people versus what you think in your
opinion we should have?
Mr. Chabinsky. Thank you, Dr. Coburn, for the question.
When you look at the FBI's resources, the FBI and the Secret
Service both have concurrent jurisdiction over cyber crime, and
the FBI has exclusive jurisdiction when the intrusions are
nation state sponsored.
The FBI's manpower of agents that are exclusively focusing
on intrusions is in the hundreds, not thousands of persons. And
since this crime is international, one would then look to see
what resources the FBI has to place special agents abroad,
working with partners in other countries who actually want to
work with us. And what we see is that those are able to be
counted on both hands.
So we are looking at a problem that, on the defensive side,
we are putting tens of billions of dollars into, and on the
side that actually could help the private sector make those
handoffs to the government to have threat deterrence, put these
bad guys in jail, we are severely understaffing and
underfunding that.
Making matters worse, when we look at the Presidential
Executive Order, the Executive order is focused on steering
some of those very investigative resources away from
investigations and toward warning the private sector that it is
under attack. So now you have a limited pool of resources that
should be investigating the crime. Now they are spending all
day actually warning victims. And we do not see anything in the
Executive Order that functions to get the private sector to
provide information to law enforcement to work hand in glove to
try to figure out who these bad guys are and to bring them to
justice.
Senator Coburn. That is really important for us as we try
to write a cyber bill.
I have a lot of other questions, but my time constraints
will force me to put them in the record. Thank you.
Chairman Carper. Let me ask a question for Elayne Starkey,
for David, and for Mr. Johnson. OK? I think one of the
interesting, maybe unique features of the framework that has
been constructed is that it can apply equally to an energy
company, a utility, a bank, even a State or local government.
It is also scalable so that both small business and large
business can take advantage of it. All of you have already
touched on how you will be using the framework in your
statements, but I would like to ask you to drill down on this
issue just a little bit more. OK?
What can we do, not just this Committee, not just the
Federal Government, but government and industry, maybe working
together, to encourage more businesses to adopt the framework
that has been produced? In particular, can you talk with us a
little bit about what type of help you would like to see from
the Department of Homeland Security and other Federal agencies
as you and your sectors work to implement the framework?
Elayne, if you would start that off, I would appreciate it.
Ms. Starkey. Sure. I am glad you asked the question.
Business adoption of this, in particular small to medium-sized
business, is absolutely critical to the success, in my opinion.
The larger companies have established programs, and they have
been paying attention to this for a long time. It is the small
and medium-sized businesses that maybe do not know what they do
not know, or just simply do not have the resources to throw at
this problem.
It is a huge problem. It is an expensive problem. And,
quite frankly, it does not increase or improve their bottom
line by adding a lot of security defenses necessarily. So that
is not an automatic.
So I think it is going to be critical in the next few
months and years as we see how this is going to be rolled out
and adopted by not just governments but by the private sector
as well.
The second part to your question in terms of what DHS can
do, certainly what our plans in Delaware are----
Chairman Carper. And not just DHS, but other relevant
Federal agencies, please.
Ms. Starkey. OK, sure. In Delaware, we have had an
established program now for a number of years based on the
International Organization for Standardization (ISO)
international standards and NIST standards, and they have
served us incredibly well. We do not plan to change that
because our whole framework is centered around those NIST and
ISO standards. But what we are going to do and have started to
do is to take this framework and overlay it with our current
framework and identify where there are gaps and work to close
those gaps.
So we will be anxious to see--we are following the rollout
from DHS. I know there is a kickoff meeting tomorrow, actually,
all morning tomorrow. We are fortunate because I know cyber
resilience is a huge part of the rollout plan, and we have some
success with that, because back in 2010 we invited DHS to come
in and do a cyber resilience study for Delaware State
government, and it was an incredibly valuable exercise for us.
We got a lot of good feedback. They brought in folks from US-
CERT, from Carnegie Mellon, as well as here in D.C., and they
spent all day with us talking to a variety of different parts
of my department and parts of State government. And I was so
pleased to see that that cyber resilience program is part of
their rollout strategy. So I am looking forward to that.
Chairman Carper. That is good to hear.
Mr. Chabinsky, same question--or no, you are the one person
that gets---- [Laughter.]
David.
Mr. Velazquez. Yes, I think first I would mention that I
think with the NIST framework, the flexibility that has been
built inherent in it, and as that flexibility continues and
being respectful of other regulations that cover the different
sectors, I think that is very helpful for the continued
adoption and more people adopting it.
I think if there are incentives for participation, although
I would note that, like most companies, the real incentive for
participation is our customers and providing them service. And
I think if any business, if your customers lose confidence in
your ability, you lose business. But beyond that, we had talked
already about liability protection, I think could help spur
some others adopting it. If there is a way to provide
discounted terrorism insurance as a result of that, access to
Federal technologies maybe that comes with that, and then as a
regulated industry as well, support for timely recovery of the
investments necessary to support it. All those I think would
help.
Chairman Carper. Good. That is helpful. Mr. Johnson.
Mr. Johnson. Yes, as you indicated, probably in financial
services, we are already essentially at the highest tiers
within the Cybersecurity Framework. And so the question becomes
one of two things: What do financial institutions have to do
associated with the framework? And then how can they leverage
the framework in their environment to increase adoption?
I think one thing that I have seen in our institutions is
they are largely doing what the framework is--they might call
it different things in different places, but by and large,
conceptually the manner in which the framework is devised,
financial institutions by and large are doing that.
And so one of the things I think will be to our advantage
is the ability to leverage this within our supply chain. We
have heard talk of that in the earlier panel. I think it is
really vital to be able to give those supply chain partners a
mechanism to think about what cybersecurity should look like in
their organization and to aspire toward various tiers, to
aspire toward the next tier, if you will, and to have a path
forward. And I think the framework gives them that in large
degree. And so I think that will be helpful for not only the
critical suppliers that we have that are by law supposed to be
adhering to the same information security standards that we do
as financial institutions, but also the less critical suppliers
as well, because I do not know that, for instance, the air
conditioning supplier to Target was felt to be a critical
supplier but, nonetheless, I think what that points to is the
need to have the entire environment have some higher level of
cybersecurity. And I think the framework essentially enables
you to do that.
From the standpoint of what government could do, sometimes
I think it is helpful if government would set their children
free, if you will. I think that NIST has a tendency to do that
with standards and is looking to do that to some degree with
the framework where--trying to find a home for the framework
for implementation purposes, for instance. But I would think
long and hard before I established legislative incentives
before I see what the market can do in terms of incentives. I
see insurance companies, for instance, already going into our
financial institutions and asking how the institution is
thinking about the Cybersecurity Framework. I see insurance
associations that write those policies coming to us as
financial institutions and rethinking how they might want to
write those cybersecurity policies on the basis of the
framework. And so I think some of that thinking is very
important to lay the groundwork for where the gaps are from the
standpoint of incentives, because I do not know that we know
yet where those gaps are.
Liability has been spoken of as a particular gap, and I
think that for one thing, liability means a lot of different
things in terms of protection to a lot of different people. And
I think that one of the things that we saw, going back from the
denial-of-service attacks again, is the fact that, to some
degree, the sharing of information was impeded by the potential
for the use of that information to have unintended
consequences. And by that I mean when you want to shut down,
for instance, a set of Internet addresses or compel an Internet
service provider to take a certain action that might actually
harm some individuals that are innocent, what kind of
protections does that particular company have associated with
taking that action? Can they be subject to civil suits to the
extent that someone is harmed in that environment?
So I think that is something that we need to potentially
look at from the standpoint of liability protection, is the use
of that data. And under what criteria should personally
identifiable information, properly defined, be able to be
utilized to the extent that a threat is imminent? To what
extent are Internet protocol or Internet addresses personally
identifiable information? Are they not? There is some
uncertainty associated with that. So I think those are some
things the government could certainly be able to do.
Chairman Carper. Good. Well, those are all very helpful
answers. Thank you.
One last question, and we will break and send you on your
own, and I will go back to my day job. I had originally thought
I would ask the same question of these three people. I am going
to ask Mr. Chabinsky to join in on this question if you would
like to as well. But failures in our critical infrastructure
can, as we know, have cascading effects that ripple through our
communities, our lives. For example, if the power goes out for
an extended period of time, our communications, our
transportation, our drinking water might all be negatively
impacted in some way. Should something terrible happen like
that--and it probably will--I am not so sure we have clearly
defined the roles and the responsibilities of the Federal
Government, States, and the private sector to respond.
Two questions, if I could. One, are you confident that you
will know who to turn to for help if there is a major cyber
incident that takes down some of our most critical
infrastructure for an extended period of time? And the second
question would be: Are there any roles and responsibilities
that need to be more clearly defined in law so you know what to
expect and from whom? Elayne, if you would like to take a shot
at that?
Ms. Starkey. Part one is extremely confident. I would like
to think that I should not be in the job I am in if I was not
confident in that. The reason I am so confident is because we
practice. We simulate. We have held nine consecutive annual
exercises involving examples like you just gave. They are
simulations, granted. It is different when it is the real
thing. But we pull together those folks. Not only am I
confident of knowing who to contact, I am reasonably
comfortable with what their response is going to be and what
their readiness level is. So, that is what drills are all
about. So definitely for part one.
Part two is additional roles and responsibilities. Yes, I
think that comes out of every exercise, is areas for
improvement, action items, corrective action items,
communication is always one that comes out in various channels
that can always be improved, and we try to do that on an annual
basis.
Chairman Carper. OK. Thanks.
Mr. Chabinsky, I do not know if you have a comment here,
but if you do in response to either questions, please feel
free.
Mr. Chabinsky. I do appreciate the opportunity, Chairman
Carper. From my time in government, I believe that the
government actually is very well situated with specific
discrete roles and responsibilities that it has communicated
effectively to the private sector. The National Cyber
Investigative Joint Task Force, for example, that is led by the
FBI but includes DHS and other agencies, has a clear
responsibility for organizing the investigative approach to
find out who the bad guy is and to try to bring that to an end.
The Department of Homeland Security, both on the
vulnerability mitigation side, has gone out to owners and
operators and has provided on-the-ground assistance with
mitigation efforts, and in the worst-case scenario, if FEMA
were needed to be brought in under DHS for consequence
management, I believe that those roles are actually quite well
understood.
The issue that I pointed out in my written testimony,
though, is I think there really has not been a very effective
coordination in the area of emerging threats, and one of those
threats that I wanted to bring to the attention of this
Committee is the emerging threat of purposeful interference.
Whether it is GPS signals or just regular communications
jamming that could impact first responders, that is an area
where there is currently no centralized place for reporting
information, no central analysis of data that is coming off of
purposeful interference events, and law enforcement not at this
moment coordinating its response with education and
technologies that would be necessary to quickly isolate and
identify from where the interference events are coming. So I
think that there are certainly areas to extend public-private
partnership specifically focused on emerging threats.
Chairman Carper. Good. Thank you.
Mr. Johnson, if you could be fairly brief, I have other
people waiting for me, so I do not want to cut you off, but
just be brief, if you will. And David as well.
Mr. Johnson. What Mr. Chabinsky said. [Laughter.]
Mr. Velazquez. The only thing I would add is we very much
know who to turn to. Our concern is more in a major event
having too many different agencies turning to us, and the
coordination and the clear roles defined so that we do not have
the FBI, DOE, DHS, and three other agencies showing up on our
doorsteps all wanting the same thing. And I think tremendous
advances have been made, and the Grid-Ex exercise pointed out
some of those advances, but also pointed out the need to
continue to define those roles more clearly.
Chairman Carper. OK, great.
Mr. Johnson. I do think that the NCCIC provides an
opportunity for collocation that can solve some of those
problems as well. So that would be the comment that I would
make, is try to find a way to really have security operations
centers to effect the kind of trusted network you need to
really have the proper level of response in a lot of instances.
Chairman Carper. All right. Thank you. Thanks for adding
that.
We are in your debt for a lot of reasons: one, for the good
work that you have done and continue to do with your lives; we
are in debt to you for being here today and preparing for this
testimony and giving it and responding to Dr. Coburn's
questions in writing.
We will keep the record open for about 15 more days, until
April 13 at 5 p.m., for the submission of statements and for
questions for the record. If you get some questions, I would
just ask that you respond to them promptly, and that will be
much appreciated.
Again, great to see you all, and thank you so much for
being a part of this. I apologize you had to wait. Sometimes we
have to vote on things over on the floor, and we had about four
of them today, and so it disrupted our hearing. But thank you
for going with the flow.
Thanks, and with that we are adjourned.
[Whereupon, at 1:13 p.m., the Committee was adjourned.]
APPENDIX
----------
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
DATA BREACH ON THE RISE: PROTECTING PERSONAL INFORMATION FROM HARM
----------
WEDNESDAY, APRIL 2, 2014
U.S. Senate,
Committee on Homeland Security
and Governmental Affairs,
Washington, DC.
The Committee met, pursuant to notice, at 10:12 a.m., in
room SD-342, Dirksen Senate Office Building, Hon. Thomas R.
Carper, presiding.
Present: Senators Carper, Coburn, McCain, and Johnson.
OPENING STATEMENT OF CHAIRMAN CARPER
Chairman Carper. The hearing will come to order.
I just want to say good morning, everyone. Thank you very
much for joining us. For our first panel and for anyone on our
second panel who is actually in the audience, thank you for
coming, as well. To the audience, we are happy to see all of
you.
I really want to extend a warm welcome to Senator Blunt,
with whom I have been working on data breach issues and some
others for a while. We really appreciate his participation. He
is one of those people who is always interesting. He is a
glass-half-full guy. He is always looking to find the middle
and to figure out how we can use some common sense and
collaborate.
Whenever I ask, Roy, whenever I ask people who have been
married a long time, I ask them, what is the secret to being
married, like, 50, 60, 70 years, and I get really hilarious
answers. The best answer I ever got was two Cs, communicate and
compromise. Communicate and compromise. And I would add a third
C. The two Cs are also--communicate and compromise--the secret
to a vibrant democracy. But if you add a third one,
collaborate, I think that is the secret for us actually having
some success with respect to data breach. Communicate, find
principal compromises, collaborate, and the hearing today here
is really designed to move us in that direction.
Senator Blunt and I have introduced a bill, the same bill,
actually, for the last couple of Congresses. Is it perfect?
Probably not. Could it be improved? Probably so, and what we
want to do is work with the other sponsors of legislation in
the Senate, and there are a number of them who have their own
bills, other Committees with jurisdiction, and just work
together and see if we cannot get something done, which is
really what the American people sent us here to do.
There is no doubt that technology has evolved rapidly,
particularly over the last decade, and these advances will
continue to grow exponentially in the coming years. Technology
that 10 years ago could have been something out of a science
fiction movie is now a part of our daily lives. In fact, I saw
a science fiction movie last night starring Woody Allen, and I
am trying to remember the name of it. It came on really late at
night. I turned it on as my wife was getting ready for bed and
she said, ``What is that?'' And I said, it is a Woody Allen
movie. Does anybody in the audience remember the name of it? It
is just a great--pardon? ``Sleeper''? Yes, I think maybe that
is it. Oh, what a---- [Laughter.]
But, anyway, some of the technology in that movie, it
seemed pretty outrageous then, but today, it is coming true,
with a sense of humor.
But, as we embrace the latest technology both at home and
in the workplace, there is little doubt that more of our
sensitive personal information is at risk of being compromised.
Whether it is stored in our electronic devices we use daily or
on company servers, this data can be vulnerable to the threat.
As the way we communicate and do business has evolved, so
have the tactics used by criminals to steal our money and steal
our personal information. And today, cyber criminals run
sophisticated operations and are discovering how to manipulate
computer networks and make off with troves of our personal
data. These data breaches have become much more prevalent, with
a new one seemingly reported almost every day.
My wife now teaches at the University of Delaware and they
had a breach last year. I think the State of Delaware--as an
old Governor, I know the State Treasury had a breach in the
last couple of years. I get these monthly reports from, I think
it is Experian, telling me they are monitoring my accounts and
personal data, and I was one of those people who had a credit
card that we used at Target. We ultimately ended up getting a
new credit card and replacing my old credit card just 3 months
after I had gotten a new credit card, and I got the new credit
card and it did not work. So, we know personally how it is not
just inconvenience, but how this can damage our financial well-
being and really cause a lot of distress.
But data breaches can put our most valuable and personal
information at risk, causing worry and confusion for millions
of individuals and businesses. The impact of a data breach on
the average American can be extremely inconvenient and
sometimes results in serious financial harm. Data breaches can
also be extremely expensive for banks and other entities to
respond to and remediate, including to merchants.
Although several high-profile retailers have recently come
face to face with data breaches, they are not the only victims
of these cyber intrusions. Hackers are targeting all types of
organizations that people trust to protect their information,
from popular social media platforms to major research
universities, including the University of Delaware. The
pervasiveness of these incidents highlights the need for us to
find reasonable solutions to prevent attacks and protect
consumers and businesses if a breach occurs.
We will hear in the testimony today that many retailers,
financial institutions, payment processors, and the groups
representing them are coming together to find common sense
solutions that the private sector can undertake proactively
without the help of Congress. These are groups which oftentimes
find themselves on different sides of this issue.
I recognize, though, that there are many existing areas
where Congress can and should play a constructive role. An
important area where Congress can play a constructive role is
answering the call for implementing a uniform national
notification standard for when a data breach occurs. Currently,
when a breach happens, notification occurs under a patchwork
quilt, as we know, of 46 separate State laws. While some of
these laws have common elements, creating a strong uniform
national standard will allow consumers to know the rules of the
road and allow business to invest the money saved from
compliance into important upgrades and protections.
That is why I joined Senator Blunt to introduce our Data
Security Act of 2014. We think this common sense legislation,
along with other good legislation that has been introduced, as
I mentioned earlier, would require a national standard for
entities that collect sensitive personal information. It would
require these entities to enact a cohesive plan for preventing
and responding to data breaches, plans that would detail steps
that will be taken to protect information, investigate
breaches, and notify consumers (PIN). I will say those three
things again: Protect information, investigate breaches, and
notify consumers.
Most importantly, these plans would provide consistency
throughout the Nation and allow consumers to have a greater
level of confidence that their information will be protected
and they will be notified if a breach occurs, despite whatever
protective measures have been put into place. We are never
going to be able to prevent every breach, I know that. We all
know that. But we owe it to our consumers, we owe it to our
taxpayers, we owe it to businesses and other entities that have
been and will be victims of breaches to put into place the best
system possible to grow with this growing threat.
We look forward to hearing from our witnesses today who are
leading the voices on cybersecurity and data breach in both
government and the private sector. I am sure that your insights
will be valuable as we continue our efforts to fix this
problem, and I am encouraged that a number of our colleagues
share our interest in advancing our efforts to address data
breaches.
I hope we can raise the 80/20 rule. The 80/20 rule, to our
visitors here, a guy named Mike Enzi, a very good guy, a
Senator from Wyoming, has this 80/20 rule. And I once asked him
how he and Ted Kennedy got so much done when they took turns
leading the Health, Education, Labor, and Pension Committee and
he said, ``Well, Ted and I subscribe to the 80/20 rule.'' And I
said, what is that? He said, ``Ted and I agree on 80 percent of
the stuff. We disagree on 20 percent of the stuff. And what we
do is just focus on the 80 percent where we agree and we set
the 20 percent aside to another day,'' and I think that is what
we need to do here. I hope we will keep that in mind as we go
forward, is focus on that 80 percent where we can agree.
I think it is in everyone's interest to ensure that we
minimize the occurrence and impacts of data breaches, and I am
sure you agree.
I am happy to turn to Dr. Coburn and then to Senator Blunt
for any comments that they would like to make.
Senator Coburn. Let me defer to Senator Blunt and then I
will follow up.
Chairman Carper. Senator Blunt, welcome aboard.
OPENING STATEMENT OF THE HONORABLE ROY BLUNT, U.S. SENATE
Senator Blunt. Well, thank you.
Chairman Carper. A former Secretary of State, I just
learned today.
Senator Blunt. As we were talking about that, both you and
I, as former Statewide elected officials, have a predisposition
to think that many of these things are handled better at the
State and local level and that should be where we look first.
I have a prepared statement\1\ I am going to leave, but I
would like to say, first of all, this is an issue that has been
around longer than it should have been around. You and I
introduced legislation over 2 years ago, but it got a lot more
attention after what happened at the end of last year and the
beginning of this year.
---------------------------------------------------------------------------
\1\ The prepared statement of Senator Blunt appears in the Appendix
on page 220.
---------------------------------------------------------------------------
But, I am persuaded on this topic that we cannot expect
people to successfully comply with 49 different standards, and
I think that is where we are now, 46 States and another three
standards in Territories and other places that you have to
comply with. That is an unreasonable thing to do and it is
probably an impossible thing to do successfully every time you
need to do it.
The other thing I would see as a hallmark of whatever we do
would be that the Congress cannot be too prescriptive in how we
secure this important information. I am absolutely confident
that the hackers and the criminals will be more nimble than the
Congress, and if you put the code in the law, you just tell
them the code that has to be broken and then you have to change
the law before somebody can protect themselves adequately
against the code itself.
So, I would think those two things are principal goals that
we should try to achieve. As Senator Carper says, there are a
number of different people talking about this, and different
Committees of jurisdiction. Some of you were at the Commerce
Committee just the other day to talk about this same topic. But
we need to move beyond talking about this to finding the
solution, and I think it is really pretty simple.
If a financial institution, retailer, or a Federal agency
determines that sensitive information was or may have been
compromised, the bill that Senator Carper and I have proposed
would simply require them to investigate the scope of the
breach and determine whether the information will likely be
used to cause harm or fraud, and then if the answer is yes, to
notify law enforcement, to notify appropriate Federal agencies,
consumer reporting agencies, and the consumers themselves.
There is clearly some discussion in the many discussions we
have had on this about what level of breach has to be reached
before you have to notify, and we are willing to have lots of
input on what that number should be. I think the bill calls for
one number, but that is probably not the perfect number, and
frankly, whatever number we agree on probably will not be the
perfect number. But, 49 different compliance regimens, an area
that has driven us from one of the most secure places to do
business and commerce as individuals in the world to way higher
on the list of less secure than we would like to be is
something that the Congress should be able to figure out a
solution to.
Senator Toomey has a bill that could very well be, many
elements of it, added to the bill that Senator Carper and I
have proposed now for two different Congresses. I look forward
to this Committee playing a real leadership role in working
toward a conclusion. Surely, we have talked about this long
enough and now it is time to find that solution. I am sitting
here wondering if actually Senator Carper and Senator Coburn
agree on 80 percent of everything, but they agree on some
percent of everything and they will be the ones to figure out
what percent that is, and hopefully, we can work together and
get this done.
Thank you for letting me come by this morning.
Chairman Carper. We are delighted that you are here. Thanks
so much.
Dr. Coburn and I agree on about 78 percent of everything.
[Laughter.]
We are closing in on 80.
Senator Coburn. Point-six-six-seven. [Laughter.]
Senator Blunt. Point-eight percent.
OPENING STATEMENT OF SENATOR COBURN
Senator Coburn. Well, thank you, Senator Blunt and Senator
Carper.
I would note, this is the fourth hearing on data breach in
the Senate this year. And although it is an important topic, we
are talking about vulnerability mitigation instead of
deterrence. This Committee has had lots of testimony that we
are going in the wrong direction. There is no question, I agree
that we need to have some type of uniform set of standards, and
I am not opposed to that. What I am opposed to is to not
recognize the legitimate exposure that businesses see and why
it would be in their own best interest to make sure they do not
have data breaches, and I think all of them are looking at that
now.
I also understand that when you spend money for
vulnerability mitigation, it does not increase sales. It does
not produce new products. It does not do anything to add to the
bottom line. It reduces the bottom line. But, it is a necessary
expenditure, just like water and heat and light and other
areas.
There is no question that we have seen some serious
problems in terms of data breach, but what we are not talking
about today are the data breaches in the Federal Government.
And to me, it is ironic that we can, as a Congress, sit and
tell people, here are the rules, and we cannot even manage our
own backyard in terms of data breaches. And I will not go into
it. I will put my whole statement into the record.\1\
---------------------------------------------------------------------------
\1\ The prepared statement of Senator Coburn appears in the
Appendix on page 217.
---------------------------------------------------------------------------
But I think one of the important things is that we ought to
be setting a good example on our own cyber within the
government, and the multitude of breaches that have occurred in
the Federal Government's networks would say that we are not
doing that. And so we do not speak with authority on this
subject until we have a track record that we, in fact,
ourselves have accomplished what is necessary on our own
responsibilities.
I am happy that Mr. Wilshusen is here today from the
Government Accountability Office (GAO), who can really talk
about what these issues are within the Federal Government and
also some discussion on the EINSTEIN program, on which the
Inspector General (IG) released a report just this last week.
It is poorly managed and is not meeting milestones, and
actually does not have the milestones and the management
capabilities to get where they need to with that. Although I am
a supporter of that effort, we lack that.
So, I look forward to our witnesses. I will have to leave
for a period of time, but I am appreciative of the openness to
talk about the whole area of data breaches, not just in the
private sector. Thank you.
Chairman Carper. Thank you, Tom.
I am going to just offer a brief introduction for each of
our witnesses and then turn it over to you.
Our first witness is Edith Ramirez, Chairwoman of the
Federal Trade Commission (FTC). In this capacity, she aims to
prevent business practices that are anti-competitive or
deceptive to consumers and enhance consumer choice and public
understanding of the competitive process. Prior to joining the
Commission, Ms. Ramirez was a partner in a Los Angeles law firm
where she handled a broad range of complex business litigation,
successfully representing clients in intellectual property,
antitrust, unfair competition, and Lanham Act matters. What law
firm was that?
Ms. Ramirez. Quinn Emanuel.
Chairman Carper. And how long were you with them?
Ms. Ramirez. For 13 years.
Chairman Carper. OK. Our second witness is William Noonan.
Mr. Noonan, nice to see you. He is Deputy Special Agent in
Charge of the Secret Service Criminal Investigative Division,
Cyber Operations. Throughout his career at the Secret Service,
he has focused on both protective and investigative missions of
the agency. In his current position, he oversees the Secret
Service's cyber portfolio. Mr. Noonan has over 20 years of
Federal Government experience, and throughout his career, he
has initiated and managed high-profile transnational fraud
investigations involving network intrusions and theft of data
information and intellectual property. Thank you for joining
us.
Our final witness is Greg Wilshusen, Director of
Information Security Issues at GAO, where he leads
cybersecurity and privacy-related studies and audits of the
Federal Government and critical infrastructure. We have not
seen you for almost a week, so it is nice you have come back.
We are going to have to start paying you per visit. That would
break the bank.
Mr. Wilshusen has over 30 years of auditing, financial
management, and information systems experience and has held a
variety of public and private sector positions. He is a
Certified Public Accountant, Certified Internal Auditor, and a
Certified Information Systems Auditor.
We thank all of you for joining us today. Your testimonies
will be made part of the record. Feel free to summarize, and we
will get started. I am not aware of any votes that are
scheduled. Tom, are you? Ron? OK. So, I think we are good to
go.
Ms. Ramirez, please proceed.
TESTIMONY OF HON. EDITH RAMIREZ,\1\ CHAIRWOMAN, FEDERAL TRADE
COMMISSION
Ms. Ramirez. Chairman Carper, Ranking Member Coburn, and
Members of the Committee, thank you for the opportunity to
appear before you to discuss the FTC's Data Security
Enforcement Program. I am pleased to be testifying with my
colleagues from the Secret Service and the Government
Accountability Office.
---------------------------------------------------------------------------
\1\ The prepared statement of Ms. Ramirez appears in the Appendix
on page 227.
---------------------------------------------------------------------------
As this Committee is well aware, consumers' data is at
risk. Recent well-publicized breaches at major retailers remind
us that consumer data is susceptible to compromise by those who
seek to exploit security vulnerabilities. This takes place
against the background of the threat of identity theft, which
has been the FTC's top consumer complaint for the last 14
years.
The Commission is here today to reiterate its bipartisan
and unanimous call for Federal data security legislation. Never
has the need for such legislation been greater. With reports of
data breaches on the rise, Congress needs to act, and I would
like to thank you, Chairman Carper, for your longstanding
attention to the issue of data security.
The FTC supports Federal legislation that would strengthen
existing data security tools and require companies, in
appropriate circumstances, to provide notification to consumers
when there is a security breach. Reasonable security practices
are critical to preventing data breaches and protecting
consumers from identity theft and other harm. And, when
breaches do occur, notifying consumers helps them protect
themselves from any harm that is likely to be caused by the
misuse of their data.
Legislation should give the FTC authority to seek civil
penalties where warranted to help ensure that FTC actions have
an appropriate deterrent effect. In addition, enabling the FTC
to bring cases against nonprofits, such as universities and
health systems, which have reported a substantial number of
breaches, would help ensure that whenever personal information
is collected from consumers, entities that maintain such data
adequately protect it.
Finally, Administrative Procedure Act (APA) rulemaking
authority, like that used in the Controlling the Assault of
Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM),
would allow the Commission to ensure that as technology changes
and the risks from the use of certain types of information
evolve, companies would be required to give adequate protection
to such data. For example, whereas a decade ago, it would have
been difficult and expensive for a company to track an
individual's precise location, smartphones have made this
information readily available. And in recent years, the growing
problem of child identity theft has brought to light that
Social Security numbers alone can be combined with another
person's information to steal an identity.
Using its existing authority, the FTC has settled 52 civil
actions against companies that we alleged put consumer data at
risk. In all these cases, the touchstone of the Commission's
approach has been reasonableness. A company's data security
measures must be reasonable in light of the sensitivity and
volume of consumer information it holds, the size and
complexity of its data operations, and the cost of available
tools to improve security and reduce vulnerabilities.
The Commission has made clear that it does not require
perfect security, and the fact that a breach occurred does not
mean that a company has violated the law.
A number of the breaches that have prompted FTC civil
enforcement action have also led to investigation and
enforcement by criminal authorities. For example, in 2008, the
FTC settled allegations that security deficiencies of retailer
TJX permitted hackers to obtain information about tens of
millions of credit and debit cards. At the same time, the
Department of Justice (DOJ) successfully prosecuted a hacker
behind the TJX and other breaches.
As the TJX case illustrates, the FTC and criminal
authorities share complementary goals. FTC actions help ensure,
on the front end, that businesses do not put their consumers'
data at unnecessary risk, while criminal enforcers help ensure
that cyber criminals are caught and punished. This dual
approach to data security leverages government resources and
best serves the interests of consumers, and to that end, the
FTC, the Justice Department, and the Secret Service have worked
to coordinate our respective data security investigations.
The TJX case is also a good illustration of the
Commission's approach to data security enforcement. In our case
against TJX, the FTC alleged a failure to implement basic,
fundamental safeguards with respect to consumer data. More
specifically, the Commission alleged that the company engaged
in a number of practices that, taken together, were
unreasonable, such as allowing network administrators to use
weak passwords, failing to limit wireless access to in-store
networks, not using firewalls to isolate computers processing
cardholder data from the Internet, and not having procedures to
detect and prevent unauthorized access to its networks.
In addition to the Commission's enforcement work, the FTC
offers guidance to consumers and businesses. For those
consumers affected by recent breaches, the FTC has posted
information online about steps they should take to protect
themselves. These materials are in addition to the large stable
of other FTC resources we have for ID theft victims. We also
engage in extensive policy initiatives on privacy and data
security issues.
In closing, I want to thank the Committee for holding this
hearing and for the opportunity to provide the Commission's
views. Data security is among the Commission's highest
priorities, and we look forward to working with Congress on
this critical issue. Thank you.
Chairman Carper. Ms. Ramirez, thank you so much for that
testimony.
Mr. Noonan, welcome. Please proceed.
TESTIMONY OF WILLIAM NOONAN,\1\ DEPUTY SPECIAL AGENT IN CHARGE,
CRIMINAL INVESTIGATIVE DIVISION, CYBER OPERATIONS BRANCH, U.S.
SECRET SERVICE, U.S. DEPARTMENT OF HOMELAND SECURITY
Mr. Noonan. Thank you, sir. Good morning, Chairman Carper,
Ranking Member Coburn, and distinguished Members of the
Committee. Thank you for the opportunity to testify on behalf
of the Department of Homeland Security (DHS) regarding the
ongoing trend of criminals exploiting cyberspace to obtain
sensitive financial and identity information as part of a
complex criminal scheme to defraud our Nation's payment
systems.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Noonan appears in the Appendix on
page 239.
---------------------------------------------------------------------------
Our modern financial system depends heavily on information
technology (IT) for convenience and efficiency. Accordingly,
criminals, motivated by greed, have adapted their methods and
are increasingly using cyberspace to exploit our Nation's
financial payment systems to engage in fraud and other illicit
activities. The widely reported payment card data breaches of
Target, Neiman Marcus, White Lodging, and other retailers are
just recent examples of this trend. The Secret Service is
investigating these recent data breaches and we are confident
we will bring the criminals responsible to justice.
This year is the 30th anniversary of when Congress first
defined as specific Federal crimes both unauthorized access to
computers and access device fraud, while explicitly assigning
the Secret Service authority to investigate these crimes. Over
the past three decades, the Secret Service has continuously
innovated in how we investigate these crimes and defeat the
criminal organizations responsible for major data breaches.
In support of the Department of Homeland Security's
missions to safeguard cyberspace, the Secret Service has
developed a unique record of successes investigating cyber
crime through the efforts of our highly trained special agents
and the work of our growing network of 35 Electronic Crimes
Task Forces, which Congress in 2001 assigned the mission of
preventing, detecting, and investigating various forms of
electronic crimes, including potential terrorist attacks
against critical infrastructure and financial payment systems.
As a result of our cyber crime investigations, over the
past 4 years, the Secret Service has arrested nearly 5,000
cyber criminals. In total, these criminals were responsible for
over a billion dollars in fraud losses, and we estimate
investigations prevented over $11 billion in fraud losses.
Data breaches like the recently reported occurrences are
just one part of the complex criminal scheme executed by
organized cyber crime. These criminal groups are using
increasingly sophisticated technology to conduct a criminal
conspiracy consisting of five parts.
One, gaining unauthorized access to computer systems
carrying valuable protected information.
Two, deploying specialized malware to capture and
exfiltrate this data.
Three, distributing or selling this sensitive data to their
criminal associates.
Four, engaging in sophisticated distributed frauds using
the sensitive information obtained.
And, five, laundering the proceeds of this illicit
activity.
All five of these activities are criminal violations in and
of themselves, and when conducted by sophisticated
transnational networks of cyber criminals, this scheme has
yielded hundreds of millions of dollars in illicit proceeds.
The Secret Service is committed to protecting our Nation
from this threat. We disrupt every step of their five-part
criminal scheme through proactive criminal investigations and
defeat these transnational cyber criminals through coordinated
arrests and seizure of assets.
Foundational to these efforts are our private industry
partners as well as the close partnerships that we have with
the State, local, Federal, and international law enforcement.
As a result of these partnerships, we are able to prevent many
cyber crimes by sharing criminal intelligence regarding the
plans of cyber criminals and by working with victim companies
and financial institutions to minimize financial losses.
Through our Department's National Cybersecurity and
Communications Integration Center (NCCIC), the Secret Service
also quickly shares technical cybersecurity information while
protecting civil rights and civil liberties in order to enable
other organizations to reduce their cyber risks by mitigating
technical vulnerabilities.
We also partner with the private sector and academia to
research cyber threats and publish the information on cyber
crime trends through reports like the Carnegie Mellon CERT
Insider Threat Study, the Verizon Data Breach Investigations
Report, and the Trustwave Global Security Report.
The Secret Service has a long history of protecting our
Nation's financial system from threats. In 1865, the threat we
were founded to address was that of counterfeit currency. As
our financial payment system has evolved, from paper to plastic
to now digital information, so, too, has our investigative
mission. The Secret Service is committed to continuing to
protect our Nation's financial system, even as criminals
increasingly exploit it through cyberspace.
Through the dedicated efforts of our special agents, our
Electronic Crimes Task Forces, and by working in close
partnership with the Department of Justice, in particular, the
Computer Crimes, Intellectual Property Section, and local U.S.
Attorney's Offices, the Secret Service will continue to bring
cyber criminals that perpetrate major data breaches to justice.
Thank you for the opportunity to testify on this important
topic, and we look forward to your questions.
Chairman Carper. Thank you so much. I enjoyed meeting with
you last week and learned a lot from that conversation, and I
am sure we will learn a lot more here today. Thanks.
Mr. Wilshusen, welcome aboard.
TESTIMONY OF GREGORY C. WILSHUSEN,\1\ DIRECTOR, INFORMATION
SECURITY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE
Mr. Wilshusen. Thank you. Chairman Carper, Ranking Member
Dr. Coburn, and Members of the Committee, thank you for the
opportunity to testify at today's hearing on data breaches. My
testimony today will address Federal efforts to protect its
information and to respond to data breaches that occur.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Wilshusen appears in the Appendix
on page 250.
---------------------------------------------------------------------------
Before I begin, if I may, I would like to recognize several
members of my team, including John de Ferrari and Jeff Knott,
who are sitting behind me, and Larry Crosland and Marisol Cruz,
who conducted the work underpinning my testimony today.
Chairman Carper. Would they raise their hands, please?
Thank you.
Mr. Wilshusen. In addition, Lee McCracken was instrumental
in crafting my written statement.
Mr. Chairman, as you know, the Federal Government collects
and retains large volumes of sensitive information, including
personal information on American citizens. The loss or
unauthorized disclosure or alteration of this information can
lead to serious consequences and substantial harm to
individuals, as well as the Nation.
Over the past 4 years, the number of information security
incidents reported by Federal agencies involving personal
information has more than doubled, to 25,566 in fiscal year
(FY) 2013.
Agencies continue to face challenges in securing their
information. They have had mixed results in addressing the
eight components of an agency-wide information security program
called for by law, and most of the 24 agencies covered by the
Chief Financial Officers Act have had weaknesses in
implementing key security controls.
In fiscal year 2013, for example, 18 of the 24 agencies
reported a significant deficiency or material weakness in
information security controls for financial reporting purposes.
IGs at 21 agencies cited information security as a major
management challenge for their agency. And GAO once again
designated Federal information security as a Governmentwide
High-Risk Area.
Mr. Chairman, even when agencies have implemented effective
information security programs, data breaches can still occur,
so it is imperative that agencies respond appropriately. At the
request of this Committee, we issued a report in December on
agency responses to breaches of personally identifiable
information (PII). We determined that agencies included in our
review had generally developed policies and procedures for
responding to data breaches and had implemented key preparatory
practices that should be performed in advance of specific
incidents, and these include establishing a Data Breach
Response Team to oversee response activities and training
employees on the roles and responsibility for breach response.
However, agencies' implementation of key operational
practices that should be performed in response to specific
incidents was inconsistent. Although all the agencies reviewed
had prepared and submitted reports of incidents to appropriate
authorities, they did not consistently implement other key
response practices.
For example, of the seven agencies we reviewed, only the
Internal Revenue Service (IRS) consistently assigned a risk
level for each data breach reviewed and documented how that
level was determined.
The seven agencies documented the number of individuals
affected by a breach in only 46 percent of the 363 incidents we
reviewed. And only the Army and Securities and Exchange
Commission (SEC) notified all affected individuals for each
breach determined to be high-risk. In total, individuals were
not notified in about 22 percent of the high-risk incidents.
The seven agencies also did not consistently offer credit
monitoring to individuals affected by PII-related breaches, and
none of the agencies consistently documented lessons learned from
data breaches, including corrective actions to prevent or
detect similar incidents in the future.
We also reported that the Office of Management and Budget
(OMB) requirement for agencies to individually report each PII-
related incident involving paper-based information or the loss
of hardware with encrypted data to U.S. Computer Emergency
Readiness Team (US-CERT) within 1 hour of discovery added
little value beyond what could be achieved by periodic
consolidated reporting. We recommended that OMB revise its
reporting requirements and update its guidance to improve the
consistency and effectiveness of agency data breach response
programs. We also made 22 recommendations to agencies to
improve their data breach response practices.
At the request of this Committee, we also studied Federal
agencies' ability to respond to cyber incidents. We determined
the extent to which Federal agencies are effectively responding
to cyber incidents once they have been detected and the extent
to which DHS is providing assistance to agencies. We plan to
issue our report later this spring.
Chairman Carper, Dr. Coburn, and Members of the Committee,
this concludes my statement. I would be happy to answer any
questions.
Chairman Carper. Greg, thanks so much for joining us again
this week.
You have mentioned and Dr. Coburn has mentioned the ability
of the Federal Government to protect its own sensitive
information. There is an old law called the Federal Information
and Security Management Act which needs desperately to be
updated. One of the things--Dr. Coburn is threatening to leave
us at the end of this year, as you may know, and one of the
things I am very hopeful that we will be able to do is update
that legislation. We are working on it, our staffs are working
on it, and we appreciate very much your help in doing that.
I think it was Abraham Lincoln who once said the role of
government is to do for the people what they cannot do for
themselves. With that thought in mind, what I really hope we
can accomplish here today--I do not want to have a hearing just
to have another hearing on data breach. We have all these
different ideas, legislation from good people, Democrats,
Republicans, and we have to get on the same page. We have to
stop talking past each other. And, I think as the retailers, as
the card issuers, as the card processors are coming together,
creating their own coalition to look for ways to collaborate,
that, I think, helps us to better figure out what we need to do
and to guide us.
But, here is what I am going to ask this panel, each of
you, and I am going to ask the second panel, as well, is what
does the Congress need to do? And to the extent that we can
find some concurrence on that question, that would be hugely
helpful. What do we need to do? Let me just start off with
Chairwoman Ramirez, please. What does the Congress need to do?
And maybe the second half of my question is, what do we need
not to do?
Ms. Ramirez. Let me focus on the first question that you
posed, which I think is the central question to ask today. From
our perspective at the Federal Trade Commission, we think that
it is absolutely time for Congress to enact comprehensive
Federal legislation in this area, setting robust standards and
data breach notification requirements. And specifically, what
we ask is that this legislation provide civil penalty authority
to the FTC to augment our existing work in this arena and to
ensure that there is appropriate deterrence and that companies
invest appropriately and institute reasonable security measures
to protect consumer information.
We also think it is important for any legislation to give
the FTC APA rulemaking authority, which----
Chairman Carper. I am sorry. APA----
Ms. Ramirez. Administrative Procedure Act. This would
enable us to make rules to implement any legislation, and the
reason that we think it is so necessary to have this authority
is that it is really critical that we be provided the tools so
that any legislation can be adapted to changing and evolving
technology. And I mentioned in my opening statement today,
geolocation information is readily available. A decade ago,
that certainly was not the case, and we need to be able to
adapt to changing times, both to be able to, if necessary,
redefine what constitutes personal information, but then also,
perhaps, to lift any requirements that may no longer be
necessary, given the evolution of technology.
And then, finally, we also ask that we be provided
jurisdiction over nonprofits, which we currently lack. Today,
we also know that university systems and nonprofit hospitals
that are currently outside of our jurisdiction also have
suffered breaches and we think it is important that the FTC
have authority in this area.
Chairman Carper. OK. Thanks.
Mr. Noonan, if you and Mr. Wilshusen--feel free to react to
what Ms. Ramirez has said, points that you agree with, maybe
those that you do not. But again, the idea is for us to better
understand today what the Congress needs to do and what we do
not need to do and looking for consensus here. If we can find
some of that, that would be great.
Mr. Noonan. I think, generally, the consensus that I have
is that we do need to establish a national bill where
disclosure is made. Important to the Secret Service, and, I
think, to the country, is there should be a piece there where
there is notification or disclosure of data breaches to law
enforcement with jurisdiction. Law enforcement plays a critical
role in data breach investigations, both in law enforcement
going after the criminal piece as a deterrent, but also as an
information sharing piece, what we learn out of these data
breaches and then how we are able to take that information and
share it back with critical infrastructure.
So, I think that is a critical piece of any national
legislation that should potentially go forward, as well as
increasing the penalties for these types of activities. If
Congress were to increase the penalties of 18 USC 1030,
potentially, that would act as a deterrent for criminals from
coming into protected computer systems, as well as having 1030
act as a predicate offense to Racketeering and Organized Crime
standards, so we can get higher-level prosecution.
So, in our exposure and in what we have learned, too, is
that the higher the level of penalties, the higher the level of
cooperation sometimes is amongst some of the people that we
bring to justice, and they are able to share information back
with the government so we can prevent further acts from
occurring.
Chairman Carper. OK. Mr. Wilshusen, same question, please.
Mr. Wilshusen. I would say one thing that Congress can do
is to look at the Federal Information Security Management Act
(FISMA) reform within the Federal space. As you know, FISMA
gives OMB several responsibilities for overseeing and assisting
agencies in their implementation of information security
controls. OMB has delegated or transferred many of those
responsibilities to the Department of Homeland Security, and so
clarifying the roles and responsibilities of those two
organizations for overseeing information security within the
Federal space could be very helpful.
I also think that this Committee and others should
continue to provide the oversight necessary within the Federal
space and to assure that proper attention is given to
protecting information security, not only within the Federal
Government, but also in its interactions with critical
infrastructure protection and other roles in helping our
citizens protect information that they also have out on the Web
and Internet.
One thing Congress should not do is to turn a blind eye.
Keep attention focused on this area.
Chairman Carper. OK. Thanks very much.
Senator McCain, welcome.
OPENING STATEMENT OF SENATOR MCCAIN
Senator McCain. Well, thank you, Mr. Chairman.
Ms. Ramirez, so that people and perhaps Members of Congress
can understand better what is going on here, let us talk a
little bit about the data breach at Target Corporation.
Apparently, there was some Russian input into it, or there may
have been that there was Russian language or something like
that into what we were able to ascertain about these hackers,
is that right?
Ms. Ramirez. Senator, let me just emphasize, the FTC
focuses on the civil law side of this, and on the front end.
And this is an investigation that Target has confirmed that the
FTC is looking at it. I cannot comment on any pending
investigation----
Senator McCain. Mr. Noonan, can you comment? It is in the
public record, I mean. It is not a secret. Is there----
Chairman Carper. Can I just interject something, John? Mr.
Noonan came and met with us in my office last week. He gave a
great explanation of what happened at Target that even I could
understand, and----
Senator McCain. Go ahead. And I am also interested in the
financial loss there so that people can understand better the
magnitude of this breach, which is symptomatic of many others.
Go ahead, Mr. Noonan.
Mr. Noonan. Sure, sir. I just want to kind of crosswalk you
across these data breaches, these major data breaches, exactly
how these intrusions occur and the nationality that we are
talking about. These are transnational organized criminals. To
say that it is one country that these people are from, it would
be inaccurate if I told you that. I would like to say that----
Senator McCain. But there are some allegations that some of
this has come from Russian sources.
Mr. Noonan. So, a majority of these people that are
attacking these systems are from Eastern Europe. They use the
Russian language as a means to be able to communicate in----
Senator McCain. I got you.
Mr. Noonan [continuing]. As an operations security (OPSEC),
if you will, to keep domestic law enforcement out of their
wares.
So, the way it works, it is not one criminal, it is not one
criminal group, it is a loosely affiliated group. So, there are
people out there that are gaining access to computer systems
and they are potentially selling access on criminal
undergrounds to one another.
There are other people that are developing malware and that
malware is then used by another person or another group that
may insert that malware into the compromised system.
There are other pieces of the organization that will test
that malware to make sure that that malware is not susceptible
to our antivirus means that are out there to stop this.
You have to understand, these people are motivated by
greed. So, when they go into a system, they have to be quiet.
They cannot be found or discovered. Otherwise, they are not
going to achieve their goal, and that is to exfiltrate out the
data which they can sell. Exfiltrate, in the cases of a lot of
the data breaches that are in the media right now, are related
to payment cards, but that is just not what they are after.
They are after whatever it is that they can monetize. So, I
think that we have brought up the fact that personally
identifiable information is a piece that can be monetized and
such.
So, in the underground, once that data is exfiltrated out,
there is a criminal underground that works on vending that
data. So, they sell to other criminals across the world who
then use that for their personal gain.
And then there is a money laundering system where the money
flow goes back, and when we talk about money flow, we are not
talking about currencies. We are talking about digital
currencies on how the money is moved back, where it is not
traceable. It is very difficult for law enforcement to trace
the movement of that money where it is not regulated.
So, that is the type of criminal organizations we are
talking about----
Senator McCain. So, in the case of Target, how much money
are we talking about?
Mr. Noonan. We are not at the point in our investigation
where we can lock down a dollar amount, but we believe it is
probably going to be several million dollars were at risk.
Senator McCain. And no matter who is responsible,
eventually, that cost is passed on to the consumer, and Target
is just one of many, perhaps one of the more visible, but
Neiman Marcus and others, this has happened. And there is no
reason to believe this is going to stop, would you agree?
Mr. Noonan. I believe that with the assistance of law
enforcement, we are moving toward getting certain individuals
to be able to stop this action as a deterrent. I would hope
that we would be able to bring these criminals to justice. So,
I think it is a long string, a long history of attacks that
have occurred, and I think what our--and to your point,
wherever we raise the fence, I think these criminals, because
of their motivation, will always be looking for the edge of the
fence. So, there is no silver bullet that is going to be able
to take care of the problem.
Senator McCain. And you would, as you have already stated,
Ms. Ramirez, that different State laws obviously do not get
it, that there needs to be Federal legislation.
Ms. Ramirez. State laws only address the breach
notification aspect of this, so I think there does need to be a
Federal standard. And based on our own experience and what we
look at, which is the measures that companies have in place, it
is clear that companies are not investing adequately in the
area of data security and that more needs to be done.
Senator McCain. Mr. Wilshusen, you stated in your testimony
that in a 2013 GAO report, GAO made 22 recommendations to
Federal agencies which aim to improve data breach response
activities. How are these agencies responding to those
recommendations?
Mr. Wilshusen. Well, we made recommendations to nine
agencies. Four of them agreed and concurred with all the
recommendations that we made. Three neither concurred nor non-
concurred. And we had two that agreed with one of our
recommendations each to them, but disagreed, non-concurred,
with the other recommendations we made to them.
Senator McCain. Mr. Chairman, we ought to find out the
reason why several of these agencies did not concur. They may
have had some reason that I cannot detect, but this GAO report,
I think, were common sense addressing some of these issues.
So, you have not seen the kind of compliance or
implementation of your recommendations that you think are
adequate?
Mr. Wilshusen. We just made the recommendations back in
December. In the responses, six of the agencies indicated some
of the actions that they were taking to implement our
recommendations, and we will follow up over the course of the
year, and we will do so annually, to assess the status of their
corrective actions in implementing our recommendations.
Senator McCain. When do we expect to hear from you next?
Mr. Wilshusen. Whenever you invite me.
Senator McCain. I mean, as far as the assessment is
concerned.
Mr. Wilshusen. That would be later this year.
Senator McCain. Like----
Mr. Wilshusen. Toward the end of the year, when we will
check to see if--the first time we will hear something back
from them will be in their 60-day letter to us on the status of
their actions and final determinations of concurrence with our
recommendations.
Senator McCain. Thank you, Mr. Chairman.
Chairman Carper. Dr. Coburn.
Senator Coburn. Chairwoman Ramirez, in your oral testimony,
you talked about civil penalties creating the deterrence
effect. You were talking about a deterrence for businesses to
be compliant with what they need to be. The deterrence I am
talking about is what Mr. Noonan--so, of the 52 cases that you
had authority in, and one of your statements is that you needed
greater authority to hold them. Of those 52 cases, in how many
were the perpetrators prosecuted?
Ms. Ramirez. Senator, I am going to need to get back to you
with a particular figure, but what I can tell you is that we
work very closely with the criminal authorities. We coordinate
with Mr. Noonan and his team on a number of different matters.
So, even though we focus on what we call the front end, the way
businesses are implementing data security measures, we do, of
course, understand it is absolutely critical that criminal law
enforcers go after----
Senator Coburn. Well, that is the real answer, because as
soon as--here is the problem. When it is all regulatory
authority to make compliance versus punishing the people who
are violating the compliance, in other words, the people who
are probing the networks, we are never going to get ahead of
this. And we have had very strong testimony before this
Committee that if you focus on mitigation vulnerabilities,
mitigating the vulnerabilities in your network, and you do not
put 60 to 70 percent of your time in terms of prosecuting the
mal-actors, we are never going to win this battle. We can have
the strongest networks in the world and there is always going
to be somebody who goes after it.
So, if we create the expectation in this country that if
you are violating a network, you are going to get hammered,
what we are going to do is markedly increase not only the
events that happen, but the costs associated with protecting
networks. And so I think it is really important that we look at
that, and it bothers me a little bit, even though you say you
work with them, the point is, you need to have a balanced
approach. It needs to be both. It cannot just be businesses
comply with this regulatory regime and you are fine, because we
will never stop it.
Ms. Ramirez. Senator, if I may, just so that I can clarify
this point, my view is that this is a very complex problem that
requires multiple prongs. At the FTC, we only have certain
authority. We have civil law authority and our authority goes
to the businesses that put data security measures in place. We
think there is under-investment in that arena and that needs to
be addressed. But, absolutely, all the points that you raise
are absolutely valid, and we do collaborate with the other
agencies that have another part to play in this arena.
Senator Coburn. One other question. Of the 52 cases where
you had the authority to work, how many other cases have you
had greater authority? Where were you limited by not having
additional authority? Can you name examples of places where you
saw a problem but you did not see the authority to get the
problem corrected?
Ms. Ramirez. Well, the additional authority that we seek is
very targeted. So we are asking for civil penalty authority,
because today, we do not have, under our Section 5 authority,
we do not have the ability to impose penalties, and we do think
that it is necessary to have greater deterrence in this arena.
We are also asking for----
Senator Coburn. Well, you really mean compliance. You do
not mean deterrence. Deterrence is going after the bad actors.
Compliance is what you really----
Ms. Ramirez. Well, we----
Senator Coburn. Is that right?
Ms. Ramirez. No. We view deterrence also in terms of
companies providing reasonable security measures and providing
adequate protection to consumers.
Senator Coburn. OK. Mr. Noonan, I am proud of the work that
you all do and appreciate all of you being here. One of the
other things that we had in our testimony was that we have very
few Federal Bureau of Investigation (FBI) agents with which you
can work that cooperate overseas on investigating. Do you see
that as a problem as you all work these cases?
Mr. Noonan. To have the number of agents that are overseas
in our overseas offices?
Senator Coburn. Well, not just your agents, but also FBI
agents. Do you not work in conjunction with FBI on a lot of
this stuff?
Mr. Noonan. Yes, sir. So, we do coordinate with the FBI on
a lot of these cases.
Senator Coburn. But the testimony was there is really a
slim number of those people with which to work. Do you see that
as a problem as you try to execute prosecution and
investigation on these cases? Do you see a lack of resources,
as far as coming from the FBI, coordinating with you, with our
partners overseas as we try to prosecute these events?
Mr. Noonan. What I see is that we, together, have a unique
history of bringing cyber criminals to justice. What I do think
is that our relationship building is probably the most critical
piece that we in Federal law enforcement have overseas. We do
not have jurisdiction to really work in these overseas
environments, but I think in Federal law enforcement, it is
based on the relationship building and our efforts of
coordinating with Federal--with other international law
enforcement.
So, as far as the numbers of people, could we always have
more to assist in building that liaison and building on that
coordination? Absolutely. But, I think it is based on our
efforts, the Secret Service efforts, in our international
offices and our working groups in developing those
relationships with those international partners that is aiding
us in bringing those different criminal actors in Eastern
Europe to justice here domestically. We have a great----
Senator Coburn. I understand that, but here is what I am
trying to get at. Mr. Chabinsky testified last week, Steve
Chabinsky, that we have few FBI agents working overseas to try
to coordinate to help you do that. And my question is, do you
see that as a problem or not a problem? Do you dispute his
testimony?
Mr. Noonan. No, I would not dispute the Director's
testimony.
Senator Coburn. So, we do need more resources on the FBI to
coordinate with you, with our partners overseas?
Mr. Noonan. I think with all of Federal law enforcement, we
would--and not just necessarily the FBI, but also with the
Secret Service in our international capacities over in the
international footprint, as well.
Senator Coburn. OK. Mr. Wilshusen, would you clarify.
Twenty-five-thousand-five-hundred-and-sixty-six events in 2013.
Describe what you mean by ``event.''
Mr. Wilshusen. OK. Those would be incidents reported by
Federal agencies to the US-CERT, and those can include various
different types of security incidents. These all involved
personal information or personally identifiable information, as
opposed to other incidents which do not. And----
Senator Coburn. So, all 25,000 of these were PIIs?
Mr. Wilshusen. Yes, that is correct----
Senator Coburn. OK.
Mr. Wilshusen [continuing]. As reported by Federal agencies
to the US-CERT. About 25 percent of all incidents including
non-PII incidents were non-cyber incidents. Another 16 percent
of those could be due to equipment loss or theft of equipment
which contained PII data. Some of that data may have been
encrypted on those machines, some perhaps not. And others
included the implementation of--or installation, excuse me, of
malicious code onto devices and onto the systems. It could also
include, for example, policy violations, where individuals may
have violated their agency's policy related to protecting or
using personal information.
Senator Coburn. OK. The other part of your report is that
operational practices were inconsistent pretty well throughout
the government.
Mr. Wilshusen. Throughout the seven agencies that we
reviewed as part of that review, and those agencies included
the Army, Centers for Medicare and Medicaid Service (CMS), IRS,
Department of Veterans Affairs, Federal Deposit Insurance
Corporation (FDIC), the Federal Reserve Board, Securities and
Exchange Commission, and the Federal Retirement Thrift
Investment Board.
Senator Coburn. OK. Chairman Carper and I, as well as the
Commerce Committee and the Intelligence Committee, have the job
of putting together a cyber bill this year. Hopefully, we will
get that done. Any comments from any of you all on things that
we should look at that will make your job easier and at the
same time make us more effective as a Nation in terms of
cybersecurity?
Mr. Noonan. Yes, sir. In fact, we spoke earlier in the week
about an issue regarding notification. We believe it is
important to allow law enforcement to have an active role in
these types of investigations.
The late notification is a piece that we talked about as it
relates to notification out to victims. So, when we potentially
identify a victim company, the victim company, of course, has
an obligation where they would like to inform its victims of
the exposure, if you will.
There are many times where law enforcement has ongoing
operations, whether they are undercover operations or working
with sources, which have the ability to get at the potential
root that we talked about in a deterrent factor to try to
gather more evidence and to identify who the criminal actors
potentially are. So, in a case where law enforcement would work
with the victim company and allow them to have a delay in their
notification out to the individual victims----
Senator Coburn. It would give us an advantage to travel
back.
Mr. Noonan. Potentially, yes, sir.
Senator Coburn. OK.
Mr. Noonan. So, I think it is very important--in fact, I
can crosswalk you through a case that we not too recently, but
we have recently had, where we were engaged in an undercover
operation where we had the opportunity to not only advise that
company of their data breach, but after we had advised them of
their data breach, we entered into an operation where we could
actually obtain that data and get that data. The company was
very quick and wanted to notify its consumers to the point
where it was interfering with the operation. So, that is what----
Senator Coburn. So, we need to have the flexibility in any
data act or cyber bill we have to protect the law enforcement
to be able to do their job and continue a sting or something
similar to that. In other words, there needs to be a variance
if and when law enforcement says, please wait one week until we
finish what we are doing.
Mr. Noonan. Yes, sir. So, the word I would use is a
compromise. So, there must be a compromise. When I use the word
``compromise,'' I mean notification should not be delayed by
months and years. It should be a reasonable amount of time.
Senator Coburn. All right. Anybody else?
Mr. Wilshusen. I would just add, as it relates to FISMA and
within the Federal space, just to clarify the roles and
responsibilities of the Office of Management and Budget and the
Department of Homeland Security with overseeing and assisting
Federal agencies in implementing information security.
Senator Coburn. Well, the only way you are going to get it
implemented is have some teeth in it, and the only organization
that has teeth right now is OMB. Homeland Security is coming on
strong. They are improving rapidly, thanks to Senator Carper
and the new Secretary and some of the work that was done before
they got there. But it is important that we get a bill that
causes people to buy into what we need to do on a timely basis.
Thank you, Mr. Chairman.
Chairman Carper. You bet.
I want to go back to the questioning that was going on with
Dr. Coburn and really with you, Mr. Noonan, on notification. I
think I said earlier in my comments, I said there are three
things we are focused on here. One, how do we protect
information? Two, how do we investigate when there are
problems? And, three, how do you go about notification? Another
one would probably be, do we continue to have 40-some standards
or do we compress that to one national standard, or something
in between 49 and one that we should do.
But, let us just stick with notification for a little bit.
I heard from some sources that if people get notified too
often, consumers get notified repeatedly for even minor
breaches, that they come to a point where they become almost
numb to the notifications. Can any of you comment on that,
trying to figure out when should the notification occur for an
individual to avoid that, if that is a legitimate concern?
Ms. Ramirez. Chairman, I am happy to answer your question.
I think it is a balance. We at the FTC are certainly very
sensitive to the concern that you raise about potential over-
notification. What we think needs to be done is that consumers
need to be notified if there is a reasonable risk of harm. So,
the----
Chairman Carper. How do we go about----
Ms. Ramirez. Well, it is a fact-specific test, but I think
it is important that a company that holds consumer data have an
opportunity before there is any notification to assess and
determine exactly what data might have been compromised, and
then based on that information, and based on the sensitivity of
the information, that, in turn, can be used to determine when
and who ought to be notified. So, I do think it is a balance,
but I think the test ought to be a reasonableness test, and if
there is a reasonable risk of harm to consumers, there ought to
be notification.
Chairman Carper. OK. Others, please.
Mr. Wilshusen. Yes.
Chairman Carper. Mr. Wilshusen.
Mr. Wilshusen. Yes. Within the Federal space, agencies are
supposed to assess the risk and level of impact that could
occur once a data breach occurs; that is the level of harm that
could occur to the affected individual. There are a number of
factors that they take into account, or should take into
account to determine that level of risk.
Those include, one, the type of information that was actually
compromised, whether it is just a name or is it the name and
Social Security number and other personal information, and,
two, the nature of the breach. Is it one in the case of where, for
example, the PII is on a laptop for which the data is
encrypted? The risk would be lower than if someone had intruded
on a network and was exfiltrating this information out of the
network.
And so taking those factors and considering the risk of
harm that could occur with the information that was compromised
would be another factor in determining the level of risk, and
also just the number of people that may be impacted by that
incident.
And based on that, make a determination on whether
notification should be made to the affected individual, because
as you point out, you do not want to unnecessarily or unduly
notify someone who will really have a very minor or limited
risk of their information being compromised. But if that risk
is reasonable or high, certainly, notification should probably
be made.
Chairman Carper. Mr. Noonan, anything else you want to
mention on this?
Mr. Noonan. Yes, sir. I think it is also important to give
a company the opportunity to look at its own systems. So, a lot
of times, you are going to understand, in the report that we
have worked with--the Verizon data breach, on the Verizon Data
Breach Report, just last year, together, Verizon reported that
over 70 percent of the disclosures to a victim company were
made by an outside source, so, by law enforcement or another to
the victim company saying that they have a problem. So, when
that occurs, the company needs to take a look at itself within
and determine if and when it actually did have a compromise and
an exfiltration of that data.
That being said, companies do need to have a window of time
to be able to do an internal investigation to determine if
there is actually a problem from the notification from law
enforcement. So, it is not an instant occurrence where law
enforcement comes to them and says, we believe you have a
problem. They still have to take an opportunity to work with
third-party forensic companies to take a look at their systems
to determine if they do have a problem. So, by requiring too
quick of a notification, it could damage the company or the
company's reputation, as well. So, we think that is an
important part, to give leverage to companies.
Chairman Carper. OK. Good. One last question, and then we
will excuse this panel and invite our second panel to join us.
But in our next panel, we are going to hear from Governor
Pawlenty, representing the Financial Services Roundtable, Ms.
Kennedy from the Retail Industry Leaders Association about
common sense solutions that the private sector can undertake
proactively without the help of Congress. And these are groups
which oftentimes find themselves, as you know, on different
sides of an issue, and certainly this issue, so it is actually
quite encouraging that they are taking steps to work together
to get their arms around this very difficult issue.
Can each of you just offer some advice to the new Working
Group that has been formed in recent weeks. Just give them some
advice, if you will. And, also, what should they be focusing
on? What should they be focusing on? Who should they be talking
to in order to make sure they are getting all the information
that they need?
Mr. Noonan. Yes, sir. So, the Secret Service and law
enforcement work together collaboratively, especially since
Secret Service has been so engaged in the area and the lane of
the financial services sector. We work very closely with the
Financial Services Information Sharing and Analysis Center
(FS-ISAC).
We have developed a very close relationship, not just at
their headquarters level, but throughout the country in our
field offices. So, we have a group of 35 Electronic Crimes Task
Forces throughout the country that those task forces have
active members of the FS-ISAC sitting with them in these task
force environments sharing information back and forth. Not to
mention that the ability of the FS-ISAC, the Information
Sharing and Analysis Center for the Financial Services Sector,
they also sit up at the NCCIC. They sit on the NCCIC floor,
where information flows freely and the FS-ISAC is able to take
that information that they learned on the NCCIC floor and share
that out with its different members.
So, again, any new Information Sharing and Analysis Center,
should do a couple of different things. It should develop a
robust relationship with the Department of Homeland Security
and the NCCIC and try to secure a position on that floor so
they can gain access to that valuable information to share with
its members, as well as develop a relationship with the law
enforcement, Federal law enforcement. We believe that
relationship is done through the network of our 35 Electronic
Crimes Task Forces, which its members can join through any one
of those task forces or through one of the local Secret Service
offices.
Chairman Carper. OK. Thank you.
Just briefly, Mr. Wilshusen, please.
Mr. Wilshusen. OK. I would just piggyback on what Mr.
Noonan mentioned, and that is, and as we testified at last
week's hearing, is to remove the barriers that would allow for
effective information sharing of these threats, alerts, as well
as other incidents that occur in this space.
Chairman Carper. Good. Thanks.
Ms. Ramirez, just very briefly, please.
Ms. Ramirez. Let me just say that I applaud all of these
efforts. From our perspective, anything that could be done to
increase protection for consumer information is a good step.
Chairman Carper. OK. Good.
We are going to excuse you now, but we want to continue
this conversation and we very much appreciate your input. You
are part of the solution and we are, too, and we need your help
and we appreciate the kindness and the counsel you have given
us today. And we are determined to communicate, to find
principal compromises, and to collaborate, and we look forward
to doing all those things with you. Thank you so much.
With that, we are going to have a brief recess while the
next panel comes forward. Again, it is great to see you all.
Thanks so much for your help.
[Recess.]
Hello. From one recovering Governor to another, welcome
aboard.
Ms. Kennedy, nice to see you again.
Tiffany Jones, thank you so much for coming.
You heard a little bit of advice there from the first panel
to each of you and I hope you will take it to heart. We will,
as well.
But, our first witness is the Honorable Tim Pawlenty.
Governor Pawlenty used to be Chief Executive Officer for his
State, and I still say that is the best job around, at least
for a guy in our business--but, Chief Executive Officer now for
the Financial Services Roundtable, an advocacy organization for
America's financial services industry. Prior to joining the
Financial Services Roundtable, Governor Pawlenty served, as we
know, as the Governor of Minnesota for two terms. We are happy
to see you.
Our second witness is Sandra Kennedy. I have not talked
with her since yesterday, and it is good to see you again this
soon. She is President of the Retail Industry Leaders
Association, the trade association for America's largest and
most innovative retail brands. In this position, Ms. Kennedy
works to promote the public policy interests of its members to
ensure continued growth in the retail industry. Ms. Kennedy
previously served as the Director of Leadership Dialogue Series
for Accenture, a global management consulting and technology
services company, and as the Senior Vice President of Member
Services for the National Retail Federation.
Our final witness is Tiffany Jones. Ms. Jones is the Senior
Vice President of Client Solutions and Chief Revenue Officer
for iSIGHT Partners, a cyber threat intelligence firm, where
she leads the development of business strategies and field
execution. Prior to joining iSIGHT Partners, Ms. Jones worked
in senior roles at Symantec and served as Deputy Chief of Staff
at the White House Office of Cybersecurity and Critical
Infrastructure Protection. All I can say is you must have
started really early in that work, early in your life.
All right. We are glad you are here. Your whole testimonies
will be made part of the record, and feel free to summarize as
you wish and then we will just have a good conversation.
Again, my charge to you, as it was to the first group, we
talked enough about the different people's legislation,
introducing legislation, the problem, why we need to do
something. Everybody agrees we have to do something. There is a
role for the private sector. There is a role for us here. What
we have to do is figure out our role here, what to do, what not
to do, so we need your help. I think this is, actually, two
good panels to help us to accomplish those goals.
So, Governor, take it away.
TESTIMONY OF HON. TIM PAWLENTY,\1\ CHIEF EXECUTIVE OFFICER,
FINANCIAL SERVICES ROUNDTABLE
Mr. Pawlenty. Chairman Carper, good morning, and thank you
for the opportunity to appear here today to address the
important topic of data breaches and the further steps needed
to better protect personal information and the payment system
from cyber threats. We appreciate your leadership and your
concern and your commitment to these very important issues.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Pawlenty appears in the Appendix
on page 267.
---------------------------------------------------------------------------
In my testimony this morning, I would like to address two
major points. First, the financial services and retail
industries are working together to aggressively address
cybersecurity and the threat of cyber breaches. And second, and
importantly, we cannot optimally address these challenges
without congressional action, so we want to urge that, and I
will touch upon that more in detail in just a second.
The financial service sector is better prepared than other
sectors to defend and respond to cyber attacks, but we also
have more work to do as these threats continue to evolve. We
have the strongest information sharing process of any critical
infrastructure sector. Industry-wide initiatives are underway
to identify and take action on information sharing, tactical
operations, stronger Internet controls, and more research and
development. We also plan and run simulations to improve
defense and resiliency.
As you know, financial institutions are also regulated and
examined to ensure compliance with comprehensive data security,
privacy protection, vendor management, and resiliency
requirements. The financial service sector proactively works
with the Treasury Department, regulators in government, and law
enforcement agencies to improve cyber defenses. We also worked
with the National Institute of Standards and Technology (NIST)
as they developed the standards, and we support directionally,
of course, the cybersecurity framework that was recently issued
through the NIST process. We do all of this because we owe it
to our customers to protect them and to maintain and keep their
trust.
You have already heard about and touched upon the scale and
nature of the problems that our industry and the economy more
broadly is facing, so rather than focus on that, I will focus
on the future in the remainder of my time.
In the wake of the recent data breaches at Target and other
places, Sandy Kennedy and I got together and decided it would
be best for our consumers and for our industry to collaborate
with our other industry partners to strengthen our defenses and
keep the focus on the real enemy, our cyber attackers, and try
to minimize the finger pointing back and forth about who could
or should be doing what.
Chairman Carper. And maybe we should take a lesson from
that here. [Laughter.]
Mr. Pawlenty. So, along with 17 other trade associations,
Mr. Chairman, we established the Merchant and Financial
Services Cybersecurity Partnership. That partnership overall
has two major goals, first, to improve overall security across
the entire payments ecosystem, and second, to bolster consumer
confidence in the security of their data and the payment system
overall.
The partnership consists of a number of things, but at
core, it is five working groups that will focus on the
following five topics: One, threat information sharing; two,
cyber risk mitigation; three, advanced card present security
technology; four, card not present and mobile security
technology; and, five, cybersecurity and data breach
notification.
Our progress, however, is going to remain inadequate unless
we have some additional help in partnership with further
actions needed from Congress.
Institutions need to have the ability and the necessary
liability protections to share threat information with other
private partners and the government when they act in good faith
to defend consumers and the financial system.
As was mentioned, we also need robust data breach
notification legislation setting a strong national notification
standard. This standard should be clear so that customers can
understand what happened and companies know what actions to
take. These standards should be uniform so that customers can
be treated similarly, regardless of what State they live in.
Mr. Chairman, your Data Security Act of 2014 and the Cyber
Intelligence Sharing and Protection Act (CISPA), which was
recently passed by the House, are both terrific efforts. We are
very pleased with those efforts and we want to make sure that
they advance and do all that we can to help you in your efforts
to advance that legislation.
In the end, all of us, retailers, financial service
companies, the government, want to stop attacks in real time
and prevent them, and we also want to make sure that if in the
event attackers do break through, that they find nothing of
value and cannot leave our system with things of value.
Mr. Chairman, we believe the partnership between the retail
industry and the financial service industry will help us get
closer to achieving these goals. We will certainly keep you
informed of our efforts and our progress. We do not view this
as a multi-year framework. We would like to get this up and
running with results over the next 6 to 12 months.
And we also hope that the legislation that I referenced
will pass the U.S. Congress. It is overdue. It is urgently
needed. And we appreciate your efforts and leadership in that
regard, and I certainly welcome any questions once the panel
comments are complete.
Chairman Carper. Great. Governor, thanks for those
comments, and we appreciate your work on this and look forward
to being your partner. Thank you. Ms. Kennedy.
TESTIMONY OF SANDRA L. KENNEDY,\1\ PRESIDENT, RETAIL INDUSTRY
LEADERS ASSOCIATION
Ms. Kennedy. Chairman Carper, Ranking Member Dr. Coburn,
and Members of the Committee, thank you for the opportunity to
testify today before the Committee.
---------------------------------------------------------------------------
\1\ The prepared statement of Ms. Kennedy appears in the Appendix
on page 273.
---------------------------------------------------------------------------
The Retail Industry Leaders Association (RILA) represents
the Nation's largest and most innovative retailers. Together,
our members employ millions of Americans, generate more than
$1.5 trillion in annual sales, and operate more than 100,000
stores and distribution centers around the world.
I welcome the opportunity to talk today about cybersecurity
threats we collectively face and steps that the retail industry
is taking to address them in order to better protect our
customers. I am pleased to be testifying alongside Governor
Pawlenty, a person with whom I have developed a strong working
relationship as we pursue this very important partnership.
The threat of cyber attacks is all too common. Though we
place a premium on security, cyber criminals are persistent and
their methods of attack are increasingly sophisticated. As we
have seen, no organization, be it business, nonprofit, or
government agency, is immune from attacks. Given the scale and
impact of the threats, and with strong support of our Board of
Directors, RILA launched a comprehensive initiative in January.
The initiative is intended to enhance the industry's existing
cybersecurity efforts, inform the public dialogue, and build
and maintain consumer trust.
We have identified three main components relevant to
today's hearing: Strengthening threat information sharing in
cybersecurity; engaging with Congress on breach notification
legislation; and collaborating to pursue enhancements to
payment security.
There is widespread agreement that merchants should have
had an information sharing mechanism through which retailers
can communicate with each other about threats. To that end,
RILA formed a council made up of the top security executives at
our member companies. The council has formed a partnership with
the National Cyber Forensics and Training Alliance, and we met
last week at its headquarters to begin the important work of
establishing a trusted forum. The forum will allow retailers to
share threat information and collaborate with businesses and
government agencies on solutions to combat cyber criminals. We
have already begun to study the threat sharing model used by
the financial services industry and believe there is a great
deal that we can learn from that industry.
The initiative also calls on Congress to pass a national
breach notification law. Following a breach, retailers secure
their systems and make every effort to provide timely
notification and actionable information to their customers.
RILA urges that Federal breach notification legislation, one,
preempt the State laws in place today; two, take into account
the practical realities of notification, such as providing
adequate time to secure the breached environment, investigate
and analyze the breach, and comply with any law enforcement
direction; and, finally, be proportional and linked to the risk
of harm, be it financial fraud or identity theft.
We applaud Chairman Carper, Senator Blunt, and other
Members of this Committee, for pursuing breach notification
legislation. We want to work with you on a Federal bill that
will be consistent with the goals I have outlined.
Finally, RILA's initiative recognizes the need to
strengthen security within the electronic payment system. The
initiative spells out near and long-term actions that can be
taken to improve payment security, including retiring the
magnetic stripe, adding PIN authentication to all credit and
debit card transactions, migrating to chip and PIN cards, and
collaborating on solutions to online, mobile, and other
transactions where the physical card is not present.
While retailers believe these goals are reasonable,
achieving them will be challenging and require substantive
collaboration across the entire payments ecosystem. The need
for collaboration was the genesis behind our partnership with
Governor Pawlenty.
The tasks of these working groups, which Governor Pawlenty
described, are significant, but we believe that they are
achievable and we are committed to pursuing significant
progress over the course of the next 9 to 12 months. While we
expect there to continue to be issues on which we disagree, we
have a shared obligation to consumers to find ways to improve
payment security.
In closing, we believe by working together with public and
private sector stakeholders, we can maintain the strongest
defenses against cyber attacks and render stolen data largely
valueless to cyber criminals.
Again, I very much appreciate this opportunity, Mr.
Chairman, and welcome your questions.
Chairman Carper. Thank you, Ms. Kennedy. Thank you.
Tiffany Jones, welcome. Please proceed.
TESTIMONY OF TIFFANY O. JONES,\1\ SENIOR VICE PRESIDENT AND
CHIEF REVENUE OFFICER, iSIGHT PARTNERS, INC.
Ms. Jones. Chairman Carper, Ranking Member Coburn, and
distinguished Members of the Committee, thank you for the
opportunity. My name is Tiffany Jones. I represent iSIGHT
Partners, a leading cyber threat intelligence firm. Over the
last 7 years, we have built a team of over 220 experts
dedicated to studying cyber threats in many nations across the
globe and enabling organizations to protect themselves against
these threats.
---------------------------------------------------------------------------
\1\ The prepared statement of Ms. Jones appears in the Appendix on
page 278.
---------------------------------------------------------------------------
There are a variety of different threat domains that make
up the cyber threat landscape today. Each of these threat
domains is motivated differently. For example, Cyber Espionage,
targeted intrusion operations aimed at corporate and government
entities to collect information for the purpose of strategic
advantage, can be politically motivated or economically
motivated. Cyber hacktivism focuses on the intentions and
capabilities of politically or ideologically motivated actors.
And then you have cyber crime focusing on cyber threats from
primarily financially motivated actors.
The intelligence we research, analyze, and disseminate,
coupled with the scope, scale, and duration of the recent
retailer attacks, leads us to one very clear conclusion. We
need to stop thinking about cyber crime like the movie, ``Catch
Me If You Can,'' one clever young man assuming identities and
passing bad checks, and instead, we need to understand that
cyber crime is more like the movie ``Goodfellas,'' an organized
community of bad people intent on crime, economically
motivated, increasingly sophisticated, and operating without
much fear of law enforcement.
Cyber crime is a global industry, with a division of labor.
It involves supply chain as well as a defined value chain. This
chart over here actually gives you an overview of what the
value chain looks like.\1\
---------------------------------------------------------------------------
\1\ The chart referenced by Ms. Jones appears in the Appendix on
page 281.
---------------------------------------------------------------------------
In step one, you have malware. Cyber crime starts with
malware. Think of this like the App Store for hackers.
Thousands of developers craft hacking tools and tool kits with
various features, functions, and capabilities and then sell
them in a broad array of electronic markets. Prices can range
from a few to several thousand dollars. Just like an App Store,
only a fraction of the malware goes on to be popular, depending
upon the features, the targeted vulnerability, usability, and
other characteristics. But at any point in time, there are
probably a few thousand notable pieces of malware on the
market, with 10 new entrants that warrant real analysis in a
given month. At higher prices, subscriptions of $5,000 to
$15,000 per month, there is also private access to malware
developers. These are the more sophisticated designers.
Step two is the infrastructure. Cyber criminals must
obfuscate their operations. This means buying, storing,
computing, and network services from dedicated infrastructure
operators. Think of criminal cloud computing. This is a large
and varied segment of the market, everything from securing $50
domain names to $1,000 per server, per month hosting
arrangements, and some of these organizations can scale to
multi-million-dollar operations serving more than a thousand
criminal clients at a time.
Step three is the cyber crime operators. Like
entrepreneurs, operators assemble temporary teams, acquire
tools, secure infrastructure, and execute against a plan. The
better the plan, the bigger the payout. Like entrepreneurs, the
very best exploit a market need, quickly monetize the value,
and move to the next opportunity. In fact, one recent
observation we have observed netted as much as $3.8 million for
the operator and their team in just a couple of short months.
Step four, the brokerages or intermediaries. To monetize
stolen assets in cyber crime, typically, this is some form of
personal data--credit card, health insurance, Social Security
numbers, PII. The operators take that bulk data to brokers.
Think of these players, again, numbering in the thousands, as
wholesalers. The brokerages pay bulk prices to the operators
for the stolen data and then parcel it up into sizes that a
large number of smaller criminals can use. At the retail level,
this looks like an underworld eBay with prices set by type, the
newness, the quality, and the completeness of the stolen data.
More reliable sellers get higher prices.
In early December, we saw complete U.S. credit cards at
$100 per card. But with the dramatic increase in supply due to
several recent retailer breaches, the price dropped to $50.
Much of that card data is now dated and U.S. cards are selling
closer to $16 per card.
Step five is the card buyers and mules. The transition from
the criminal economy to the traditional economy presents the
biggest bottleneck right now for cyber crime. Using stolen
information involves risks and transaction costs, so most cyber
criminals leave much of the small change on the table while
focusing their efforts on the big quick hits. Card buyers and
mules bear most of the risk. The typical card buyer or mule for
receiving stolen property or bank payments is just a small-time,
sometimes even occasionally unwitting, criminal. Think of
them as the intern of the cyber crime industry. They get
relatively small payments for relatively small crimes. They are
typically involved in the illegal activity for a short time and
have no connection with the larger criminal enterprise. Like a
pickpocket who just takes the cash from your wallet, their gain
is small, but your loss in time, effort, and personal value can
be significant.
So, as you can see, the scope of the cyber criminal market
is daunting and the money made pales in comparison to economic
value destroyed as a result. At any time, there are tens, if
not hundreds of thousands of independent actors. They are
global. They are unregulated. They are better equipped, better
trained, and more experienced than many of their law
enforcement counterparts, and they are growing bolder. You will
see, like the 2013 retailer breaches, again, with greater
frequency.
Business and government have started to understand the
scope of the problem. They are increasingly shifting to an
intelligence-led cybersecurity approach to improve prevention,
speed response, and solve the cybersecurity risk equation.
There is progress, but there needs to be more of it. Thanks to
government entities like the Department of Homeland Security,
U.S. Secret Service, and others, the severity and scope of the
problem is becoming increasingly evident.
I will be happy to answer any questions that you have
following our discussion here today.
Chairman Carper. Thank you. Thank you all for good, helpful
testimonies.
If you were here for the beginning of the first panel, I
said to that panel--I quoted Abraham Lincoln. The role of
government is to do for the people what they cannot do for
themselves. And I asked them to help us figure out what the
private sector can do in this regard to protect information,
money, things of value, particularly with respect to these
breaches. But, what can the government do and what should the
government do? And there is a broad range of views on what is
the role of the government. We heard a little bit of that this
morning.
But what I am trying to get at is consensus. If I had the
first panel still here, I would put all of you up here and say,
let us just go down the line and tell me where you think you
agree. Tell me where you think you agree on what the government
should do. What is our role? And let me just ask that, and
Governor, I will ask you just to lead off. What is our role?
Mr. Pawlenty. Mr. Chairman, I think there are a number of
things the government can and should do, and we would urge you
to take these actions. First of all, it is appropriate for your
Committee to be focused on these issues. As was mentioned, many
of these instances are not just transnational criminal
elements, but we, of course, through public reports and
otherwise, have reason to believe there is the prospect of
cyber terrorism, self-declared cyber jihadists, and other
elements that you would fall into the category of not just
cyber criminal activity, but potential for cyber terrorism. So,
obviously, your Committee is appropriately focused on these
issues.
At a minimum, Mr. Chairman, we hope that the Senate and the
Congress more broadly would take action promptly on the
national data breach notification laws that will help in terms
of the response to incidents, but we also should realize that
that is just one step and an incomplete step. We also need to
do all that we can to be better prepared and more resilient on
the prevention side.
One thing that would help tremendously, Mr. Chairman, is if
the Congress would pass an information sharing bill that would
be similar, or at least directionally similar to the House
CISPA bill. We realize that post-Snowden, that became more
difficult, but we hope that post-Target, that that becomes more
possible.
Again, we are, as an industry and our sector, in
particular, are extraordinarily dedicated on these issues.
Fortunately, the financial service sector has not yet
experienced a large-scale successful attack, but we are greatly
concerned about these issues and these challenges and we would
be better prepared and could be better on the prevention side
if Congress would allow that threat information sharing bill.
To give you one example, if we have reason to believe, good
faith, a reason to believe that a certain entity or an Internet
Service Provider (ISP) address is preventing threatening
information and we move to constrain or shut off that ISP, even
though we did it in good faith as a way to stop the contagion,
if we do not have some protection around that action, if it is
done in good faith for proper reason, we are going to be less
likely to do that. If we are going to share threat information
with another entity or the government and it is going to get
the Freedom of Information Act (FOIA)-ed, it turns out to be
not what we thought it was and we are going to get sued over
that, or the entity is going to get sued over that, those are
the kinds of things that are deterrents to more high-speed,
more aggressive defensive mechanisms, and a bill like that
would help, sir.
Chairman Carper. OK. That is very helpful. Thank you. Ms.
Kennedy.
Ms. Kennedy. At the risk of being repetitive, Mr.
Chairman----
Chairman Carper. Repetition is good. [Laughter.]
This is one of those instances where repetition is good.
Ms. Kennedy. We support Federal breach notification
legislation, as well, and as you know, it is one of the working
groups that the Governor and I will be working on with our
fellow associations. It is important that such legislation
creates a single national law that preempts the State laws so
that we are not having to comply with a patchwork of 46 or 47
different State laws.
It is also important that notification be proportional to
harm. If someone has stolen my shoe size or the type of cookies
I like, that is one thing. If they have stolen my personal
information related to my payment system, that is another. So,
that is important to us, as well as making sure that it is
reasonable given the operational requirements as well as those
that are placed on us by law enforcement.
Chairman Carper. Give us some--that word ``reasonable'' is
going to be not an easy one to define. Just think out loud
about what, when you say reasonable, what are you thinking?
Ms. Kennedy. I am thinking that----
Chairman Carper. Or maybe some examples.
Ms. Kennedy [continuing]. It takes time for our members to
identify the threat, to stop the threat, to assess the damage
that has been done, and the data that has been stolen. And, of
course, law enforcement has a role in that. So, I think it is
important that that is all considered in terms of the
practicality of the legislation.
Chairman Carper. OK. Ms. Jones, same question.
Ms. Jones. A couple of ``don't''s and then a couple of
``do''s.
Chairman Carper. Umm, I like that.
Ms. Jones. Do not seek to be technically prescriptive, so----
Chairman Carper. Chip and PIN. It is not our job to say----
Ms. Jones. So, chip and PIN, I will say, does increase
security, absolutely, so if there is any question about that it
does. But it is not the panacea. And so----
Chairman Carper. Is it our role to prescribe that? I think
not.
Ms. Jones. I do not think so. But I do think it is
absolutely in your authority to look at the overall standards
and make sure that they equate to the threat that is today, all
right.
Chairman Carper. Someone said to me, they said, if you want
to go ahead and prescribe chip and PIN, you can do that, but
the threats change, technology changes. He said that to me, if
you have not noticed, sometimes it is hard to get Congress to
move, and we need to be able to move a lot faster.
Ms. Jones. Yes, and our information technology is
dynamically changing, as well. And so today's cool thing is
going to be tomorrow's, oh, that was so yesterday, right. So, I
think there are other things to consider. I would say, think
about it in the sense of do all that you can to deter the bad
guys from getting in, but also, assume that they are in. How do
you protect the data, assuming that the bad guys are in the
environment? So, things like encrypting data at rest,
encrypting data in transit, those types of things are also
really important to think about.
Chairman Carper. What was the first thing you said,
encrypting data at rest? What does that mean?
Ms. Jones. Correct. So, if it is just sitting there in a
server, in a storage space, in a data center within an
organization's environment, it is sitting there at rest. And in
many cases for a lot of organizations today, they actually are
only encrypting data as it is being transferred from their
environment to another organization or environment. That is
data in transit. So the data at rest is simply when it is just
sitting there within their organization. Is it being properly
protected?
Chairman Carper. OK.
Ms. Jones. And then, do not equate the quantity of arrests
in cyber crime with the quality of arrests. Focus prosecution
higher in the value chain. It makes a significantly bigger
impact. And, again, I applaud the work of Secret Service and
DOJ and what they are doing there. I think they are making the
right steps, for sure.
I would say on the ``do'' side, do increase global
collaboration. Most of these people, these threat actors, are
not inside our borders, and so that global collaboration among
law enforcement is absolutely critical.
And do pass national data breach legislation. It was said
quite eloquently, there is a patchwork of State laws. I think
of my mother and I think of, why does it matter what State she
lives in to determine the level of protection that she has? It
should not.
Chairman Carper. Where does your mother live?
Ms. Jones. She lives in Illinois.
Chairman Carper. OK. Well, if things get too hot there, she
is always welcome to come to Delaware.
Ms. Jones. Delaware. [Laughter.]
Chairman Carper. And when it gets hot, people will come to
Delaware and they will go to our beaches. We have, I think,
more five-star beaches than any----
Ms. Jones. They are beautiful.
Chairman Carper [continuing]. Any State in the country. We
are very proud of them. But, one of them is Rehoboth Beach.
Rehoboth translates literally, Governor, and means room for
all. Is that not nice? Room for all.
All right. Some of you said very nice things about the
legislation that Senator Blunt and I have introduced. I like to
say, everything I do, I know I can do better. I think that is
true of all of us. It is certainly true of the Federal
Government, Federal agencies. But not everyone appreciates
every aspect of our bill and I would just invite you to--you
have heard some of the criticisms of each of the major pieces
that have been introduced in the Senate. But just share with us
some of the criticism, whether they are legitimate or not, of
our legislation. And if you think those are reasonable
criticisms that should be addressed in modifying our
legislation, fine. I would like to hear that. If some of the
criticisms, you think, are just not very well founded, not very
well thought out, then help us rebut those. If you could do
that, that would be much appreciated.
Do you want to go first, Ms. Jones.
Ms. Jones. I have no criticisms on the legislation----
Chairman Carper. But maybe criticisms that you have heard,
because I read some articles where folks have taken some big
potshots at the handiwork of Senator Blunt and myself.
Ms. Jones. I think one of the criticisms, in general, for
not wanting to pass national data breach legislation has simply
been that you create a baseline that is so low, maybe there are
certain State laws today that have higher levels of protection
for their consumers. But, I counter that simply with just
having a consistency across the Nation is more important for
the consumer than the patchwork. And the amount of money that
companies are spending today just on compliance is pretty
unbelievable to deal with the various State laws. So, I think
it is really important that they can reinvest their dollars
that they are spending in compliancy today and actually put it
into information security protection.
Chairman Carper. OK. Thank you.
Ms. Kennedy, what are some of the criticisms you have heard
of our bill that you think are reasonable, should be
incorporated, maybe some that are less thoughtful, and rebut
those. Rebut those for us, if you could.
Ms. Kennedy. I think that as we looked at your legislation,
we certainly support the preemption and the recognition that
businesses have practical operational areas they need to
address before they do notification.
We would welcome the opportunity, I think, to talk to you
about enforcement, to make sure that the FTC has very clear
direction on what enforcement looks like. And that is----
Chairman Carper. All right.
Ms. Kennedy. Otherwise, we are in agreement with a number
of things in your bill.
Chairman Carper. Governor Pawlenty.
Mr. Pawlenty. Mr. Chairman, I would echo those comments and
just say there has been some criticism, not by us but by
others, on the standard that is set in terms of substantial
harm and inconvenience to the consumer. We think that standard
strikes the right balance. Obviously, it is going to be
interpreted, and so some others have expressed concern about
that, but we just reinforce that we think that you and Senator
Blunt have struck the right balance in that regard.
If I might, Mr. Chairman, just for a second jump back to
the issue around mandating technology, for all the reasons that
were mentioned by Ms. Jones, we concur with that. Keep in mind
that there are--as cards get misused, there are fraudulent or
forfeited cards, and, of course, the chip protects the security
of the card and so it cannot be forfeited or it would be much
more difficult to forfeit. And then the PIN authenticates the
user, or a signature does, or in some cases of small
transactions, no signature.
So, technology in the payment space is going to continue to
evolve. It already is evolving rapidly. But also, keep in mind
that relates to card present environments, and as commerce
continues to migrate to the virtual space and e-commerce
platforms, there is a whole other set of concerns and issues
and opportunities around something called tokenization, secure
cloud transactions in the space that will address the card not
present environment that is important to the discussion, as
well, because if you make it much more difficult for the fraud
to occur at the card present environment, it will shift to the
card not present environment and we need to do both.
Chairman Carper. All right. Thank you. Card not present--
that is one I just learned this week. I hear all these new
terms. No wonder my colleagues and I have a hard time figuring
out what to do here. It can get pretty confusing.
One of the things you are trying to do with this new
partnership, though, Governor and Ms. Kennedy, is to try to
take some of the obligation or the work that needs to be done
off of our plates and really put it where it better belongs,
and that is on yours. But we are pleased to see people like you
and the folks you represent working together on these issues,
and the new partnership certainly seems on its surface to be a
step in the right direction. We would like to hear just a
little bit more about it before we close, and if you maybe
could just share with us some of the goals that you see.
Mr. Pawlenty. Sure.
Chairman Carper. These are the goals that we have for this
partnership, and maybe give us a snapshot of the timeline for
the group, please.
Mr. Pawlenty. Sure. Well, again, I want to tip my cap to
Sandy Kennedy and her leadership in the Retail Industry Leaders
Association. They came forward on behalf of that sector and
have been extremely constructive and forward leaning on these
issues.
We have said, to your 80/20 comments earlier, there is some
stuff we are not going to agree on about card replacement costs
and some of the fallout of these previous breaches. That is
going to get litigated and settled, hopefully, in another
forum. But, there is a lot of stuff we can agree on, so we are
focused on that, and we think we can agree and hope to agree on
these things.
One, come together with a statement of principles, maybe
even a specific statement of support on national data breach
notification legislation.
Two, make sure that we do all that we can to agree upon and
advance cybersecurity information sharing legislation.
But on the things we can do ourselves, we have realized
even in the early inventory of practices, government to
industry, industry to industry, that there is a lot that this
partnership can share without government mandating a
requirement on technology best practices, cyber best practices,
cyber defenses, resiliency, simulations, sector coordinator
councils, and much more. So, we can get that done.
And then, last, there has not really been a good forum for
various players in the payments ecosystem--retailers, card
issuers, merchant acquirers, financial institutions, the banks
on the other end of the transaction, various other cyber
entities--coming together to talk about, can we agree on where
we are headed in the so-called Europay, Mastercard, and Visa
standard (EMV), card present, card not present, next steps on
technology and cyber defenses.
So, at the very least, we hope we can convene that
discussion, but we believe that out of that discussion we can
agree on some next steps that will be very important and
helpful, and our timeline is 6 to 9 months, Mr. Chairman.
Chairman Carper. OK. Thanks. Ms. Kennedy.
Ms. Kennedy. I would just like to elaborate a little bit on
the working groups. As I mentioned, they are comprised of
executives from both the financial services as well as from our
merchant members and they have clear objectives. We are working
with people to help keep us on track, project management. They
have clear deliverables, and they are going to be challenging
deliverables, but we think that it is important for our shared
customer that we deliver on those.
I would also like to say that this has been a very welcome
partnership. The payments system is an ecosystem and you have
to have all the links in place and everyone as strong as they
can be. So, we are going to learn a lot, I think, from our
partners, and I think that we are also going to have an
opportunity to address the future issues that we are going to
face. The way our customers are shopping is changing every
day, whether it is mobile or it could be wearable technology. I
mean, they are adapting so quickly. So, it is very important
that the payment system keep up with that so that confidence is
maintained with our customers and they continue to shop with
us.
Chairman Carper. OK. The words ``information sharing'' have
been mentioned a time or two on this panel, and I think even on
the first panel, and I am not sure--Governor, I think it might
have been you who mentioned what we might need to do to
facilitate information sharing. Can you just drill down on that
for me a little bit, please.
Mr. Pawlenty. Sure, Mr. Chairman. One of your previous
witnesses on the panel before us made reference to a recent study
that I think is worth just camping on for a minute. The
Washington Post recently reported that the Federal Government
notified 3,000 businesses last year that they were breached,
and the Verizon study indicated that 70 percent of those
companies did not know they were breached until the Federal
Government told them.
So, when you think about these issues from a Federal
Government knowledge standpoint and capacity standpoint, of
course, that knowledge resides, oftentimes, in the FBI, Secret
Service, Department of Defense, the National Security Agency
(NSA), Homeland Security, Treasury, and others. So, there is an
opportunity and a challenge to better integrate and coordinate
intergovernmental information sharing and it is not optimized
at the moment. But then, also, there is a need for that
information to flow to the private sector in appropriate ways,
respecting privacy rights.
The FS-ISAC, and I know the Financial Services Sector
Coordinating Council (FSSCC) which you are speaking to later
today, are examples of portals between government and the
private sector that allow that information to flow. But, unless
we have the legal changes that I mentioned earlier that provide
those protections for information sharing done in good faith--
again, threat information, not personal information--we cannot
move this to the place that it needs to go. And so that is
really needed and it is really helpful and it is one of the
best things that we can do. The NSA, for example, is viewed by
many as the best entity when it comes to cyber and they were
breached. They had a massive breach, internal, insider threat.
It crossed numerous platforms.
So, the point is, the government has great knowledge they
can share with private industry, but private industry, if one
of our members shares it with the government and then it
becomes a FOIA request and you have knowledge that is
proprietary and/or you misstate something, even though it is
done in good faith, the lawyers get a hold of that, class
action suits start, regulators might want to be interested in
that. Unless you have some rules of the road going into that,
you are going to be less likely to share the information lest
you know what is going to happen to it.
Chairman Carper. All right. Ms. Kennedy, as you know, in
this Committee, we work a fair amount on cybersecurity. We work
on other things, too. But particularly with the defensive side,
we often hear that technical collaboration and information
sharing are essential parts to a strong cyber defense. Talk to
us just a little bit here on information sharing, and I am
going to give you a chance to ask you to come back and just
revisit it with us here again, but do you think that the recent
series of breaches has impacted the level of information
sharing between companies, the willingness to share information
between companies, the willingness to share information with,
we will say, law enforcement, with Federal agencies?
Ms. Kennedy. Absolutely, Mr. Chairman. We think it is
imperative, and it was really key to our initiative that was
approved by our Board of Directors, and we have already started
that process. I think information sharing has been occurring
within our industry, but we think it is important that we
formalize that in some way and we are looking at different ways
to do that now. We had, I believe, 30 of our member companies
in Pittsburgh last week for a meeting where that was one of the
central discussions, of how we can effectively share
information to make sure that we are doing all that we can to
protect our customer.
Chairman Carper. OK. Ms. Jones, are you up for one more
question?
Ms. Jones. Absolutely.
Chairman Carper. OK. This is really more of a focus, I
guess, for law enforcement, but we will deputize you----
Ms. Jones. Thank you.
Chairman Carper [continuing]. And ask you to step up to the
plate. But, I think in your testimony, you provide a fair
amount of background on the criminal networks that are often
behind the data breaches that we are talking about here today.
I was especially interested to learn about all the different
steps that are needed to monetize the personal information that
is stolen from an organization.
And before I ask the question, as it turns out, one of the
credit card banks that is involved in the Target breach is TD
Bank and their credit card operation is in Wilmington,
Delaware. We actually visited with them, and this was a month
or so ago. We are interested in learning just how most of the
losses are absorbed, I think, by banks, not by the merchants in
these cases--trying to just get them to give us a sense for how
much money was at stake here and at risk here to be lost. And I
was struck by one of the things they said, and I think we heard
it here, as well.
The folks who actually figured out how to get in and steal
the data or the information from Target were pretty good at
doing that. They were less adept at monetizing and figuring
out, once they had all this information, what to do with it and
an effort to make money. The banks reacted very quickly. They
immediately sent out to people like me new credit cards and
responded. There is a lot of cost to this stuff, I am sure.
But, the losses were, I think, a good deal less than certainly
I ever expected them to be. And, again, the reason that was
explained to me, they are better at stealing the data than
actually monetizing, which is a good thing. It is a good thing.
Where in the process are cyber criminals most vulnerable?
In other words, where in the process should U.S. law
enforcement be targeting our limited resources? This is
something Dr. Coburn talked about quite a bit.
Ms. Jones. Yes, absolutely.
Chairman Carper. Go back and revisit that.
Ms. Jones. So, pertaining to where law enforcement needs to
focus, I think as I had talked about the ecosystem, lots of
different players, loosely affiliated, or highly organized
crime cells, I think you have to move up into the supply chain.
Do not be going after the mules, necessarily, the small petty
theft folks. I mean, yes, you want to try to gather all that
you can and go after them all, but if you have limited
resources, you really want to go after the highly organized
kind of crime organizations that are really ultimately trying
to monetize all of this, right.
The operators, the infrastructure providers, they are just
small pieces in all of this. Now, if you can start going after
different points in the supply chain, you are going to get
further along. But, ultimately, you get one infrastructure
provider, pull him away, another will show up, because the
demand is there. It is very low cost overall and low skill to
establish those capabilities. You just have to have the
resources to go buy them.
Chairman Carper. OK. The last question is, we asked you to
give an opening statement, and sometimes, if we have time, I
like for our witnesses to give us a closing statement,
especially when we are trying to develop consensus on an issue
about which there is not absolute consensus. You can take
advantage of this opportunity if you would like and give us a
short closing statement. But if you have something you want to
reiterate, a point that has been made, something that one of
your colleagues has said that sort of triggered a thought, that
would be fine, as well. But, just a very brief closing
statement, maybe a minute or so.
Mr. Pawlenty. Just very briefly, Mr. Chairman, thank you
again for your leadership and your commitment to these issues.
I would just try to impress upon you and the Committee a
sense of urgency. The nature and sophistication and pace of
these attacks is evolving daily, weekly, and it is concerning.
And I hope that we do not find ourselves a year from now or 2
years from now waking up to a bigger problem, wishing action
would have been taken earlier.
So, if I were to just emphasize one theme, it would be a
sense of urgency. As the threat increases, the pace of response
needs to increase from us, from our partners, and, candidly,
from the Congress.
Chairman Carper. Good. Thank you. Ms. Kennedy.
Ms. Kennedy. Cybersecurity is a top priority for the retail
industry, and we are working in an ecosystem. The data that has
been stolen was payment data, so it is important that we have
our partners on board and it appears that we are going to make
some great progress in that area.
I think it is also important in this ecosystem to
understand that we also share in the loss, share in the fraud.
The Federal Reserve, in fact, puts it at almost 50/50. So, as
we look at this, we all have a stake in this game.
Chairman Carper. Good. We all have a dog in this fight.
Ms. Kennedy. We do.
Chairman Carper. Yes. Ms. Jones.
Ms. Jones. Everybody is using the term ``cybersecurity'' as
the buzz term of the day, but at the end of the day, what this
is is just simply a risk management problem, like many problems
out there today. But, we are not treating it like a risk
management problem, typically. We are typically treating it
like, let us throw more technology at the problem.
And I think one of the things that we are recognizing in
speaking--I am going around the country, speaking to a lot of
retailers right now who have lots of questions--they are really
trying to wrap their arms around, what is the threat? They
actually do not have a good sense for their threat profile,
many of these companies. And so you cannot solve for risk if
you do not understand the threat profile.
So, I would say, as we look at things like the NIST
framework that I know there has been a lot of work that has
gone into, making sure, threat is really brought in more
effectively into the risk equation is going to be critical.
Otherwise, we are continuing to solve for vulnerability
mitigation.
Chairman Carper. Well, that is a good note to end on.
About a year ago, a fellow named Pat Gallagher sat right
where you are sitting and he is now the Deputy Secretary of
Commerce. But, for a while, he was the person--in fact, he may
be double-hatted, I do not know, dual-hatted, and still running
NIST. But, he sat right there where you sit and he said in his
testimony, we will know we are in the right place in this arena
when good cyber policy is synonymous with good business policy.
That is what he said. We will know we are in the right place
when good cyber policy is synonymous with good business policy
and where the government has less of a need to, like, to
command and control, to dictate, whether it is technology or
best practices and so forth. But when the folks that are either
controlling the critical infrastructure, our merchants, our
banks, whatever, when good cyber policy is good business
policy, we will know we are in the right place.
I think we are actually moving in that direction, of which
I am pleased. I think Pat and the folks at NIST did a very nice
job working on the framework. I call it a blueprint or a
roadmap. They got a lot of good support, a lot of good input,
including from the folks at the table here and your member
organizations, and we are grateful for that.
One of the other things I learned from that effort is, we
will say on the day that the framework was put out there, best
practices, it was out of date, because the nature of the
attacks change all the time and we continue to have to evolve.
It has to be a dynamic framework, if you will, dynamic
blueprint, and we will seek to do that.
I think we will probably wrap it up here. This has been
helpful, and we are going to be calling on you some more as Dr.
Coburn, he said he is going to leave us at the end of the year,
cutting his term short by 2 years, and I said--and he said he
wants to finish strong. I want him to finish strong. I want us
to finish strong and this would be a great area for not just
the two of us to collaborate with John McCain and with Roy
Blunt, but also Pat Leahy, Senator Leahy, with Jay Rockefeller,
with John Thune and with Pat Toomey, all of our colleagues,
Democrat and Republican, working with a lot of folks like you.
And we look forward to doing that.
I am going from here to a luncheon, not a cyber luncheon,
but a luncheon that Senator Reid, our Majority Leader, hosts
every couple of weeks of Committee Chairs, and the first thing
on our agenda is going to be to talk about this issue, data
breach, and maybe how can we collaborate, how can we
communicate, and how can we find principled compromises that
advance the security of our Nation's citizens and our
businesses.
With that, the hearing record will remain open for 15 days.
I think that is until April 17, at 5 p.m. for the submission of
statements and questions for the record. I suspect you will
have some, and we would very much appreciate your responding to
them in a timely way.
Again, thank you all very, very much.
And with that, this hearing is adjourned.
[Whereupon, at 12:12 p.m., the Committee was adjourned.]
A P P E N D I X
----------
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]