[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]



 
           EXAMINING THE PRESIDENT'S CYBERSECURITY 
                  INFORMATION-SHARING PROPOSAL

=======================================================================

                                HEARING

                               BEFORE THE

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

                           FEBRUARY 25, 2015

                               __________

                            Serial No. 114-4

                               __________

       Printed for the use of the Committee on Homeland Security
                                     


                                     

      Available via the World Wide Web: http://www.gpo.gov/fdsys/

                               __________



                        U.S. GOVERNMENT PUBLISHING OFFICE
94-108 PDF                  WASHINGTON : 2015                        
                     
                     COMMITTEE ON HOMELAND SECURITY

                   Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas                   Bennie G. Thompson, Mississippi
Peter T. King, New York              Loretta Sanchez, California
Mike Rogers, Alabama                 Sheila Jackson Lee, Texas
Candice S. Miller, Michigan, Vice    James R. Langevin, Rhode Island
    Chair                            Brian Higgins, New York
Jeff Duncan, South Carolina          Cedric L. Richmond, Louisiana
Tom Marino, Pennsylvania             William R. Keating, Massachusetts
Steven M. Palazzo, Mississippi       Donald M. Payne, Jr., New Jersey
Lou Barletta, Pennsylvania           Filemon Vela, Texas
Scott Perry, Pennsylvania            Bonnie Watson Coleman, New Jersey
Curt Clawson, Florida                Kathleen M. Rice, New York
John Katko, New York                 Norma J. Torres, California
Will Hurd, Texas
Earl L. ``Buddy'' Carter, Georgia
Mark Walker, North Carolina
Barry Loudermilk, Georgia
Martha McSally, Arizona
John Ratcliffe, Texas
                   Brendan P. Shields, Staff Director
                    Joan V. O'Hara,  General Counsel
                    Michael S. Twinchek, Chief Clerk
                I. Lanier Avant, Minority Staff Director
                            C O N T E N T S

                              ----------                              

                               Statements

The Honorable Michael T. McCaul, a Representative in Congress 
  From the State of Texas, and Chairman, Committee on Homeland 
  Security:
  Oral Statement
  Prepared Statement
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Ranking Member, Committee on 
  Homeland Security:
  Oral Statement
  Prepared Statement

                               Witnesses

Ms. Suzanne E. Spaulding, Under Secretary, National Protection 
  and Programs Directorate, U.S. Department of Homeland Security:
  Oral Statement
  Joint Prepared Statement
Ms. Phyllis Schneck, Deputy Under Secretary, Cybersecurity and 
  Communications, National Protection and Programs Directorate, 
  U.S. Department of Homeland Security:
  Oral Statement
  Joint Prepared Statement
Mr. Eric A. Fischer, Senior Specialist, Science and Technology, 
  Congressional Research Service, Library of Congress:
  Oral Statement
  Prepared Statement

                             For the Record

The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Ranking Member, Committee on 
  Homeland Security:
  Letter

                                Appendix

Questions From Ranking Member Bennie G. Thompson for Suzanne E. 
  Spaulding and Phyllis Schneck
Questions From Honorable Jim Langevin for Suzanne E. Spaulding 
  and Phyllis Schneck
Question From Ranking Member Bennie G. Thompson for Eric A. 
  Fischer
Questions From Honorable Jim Langevin for Eric A. Fischer


  EXAMINING THE PRESIDENT'S CYBERSECURITY INFORMATION-SHARING PROPOSAL

                              ----------                              


                      Wednesday, February 25, 2015

             U.S. House of Representatives,
                    Committee on Homeland Security,
                                                    Washington, DC.
    The committee met, pursuant to call, at 12:04 p.m., in Room 
311, Cannon House Office Building, Hon. Michael T. McCaul 
[Chairman of the committee] presiding.
    Present: Representatives McCaul, Rogers, Barletta, Clawson, 
Katko, Hurd, Carter, Walker, Loudermilk, McSally, Ratcliffe, 
Thompson, Jackson Lee, Langevin, Richmond, Payne, Vela, Watson 
Coleman, and Torres.
    Chairman McCaul. The Committee on Homeland Security will 
come to order.
    First of all, my apologies to the Members and the 
witnesses. I had a conflict with the--on the Foreign Affairs 
Committee with the Secretary of State on the authorized use of 
military force against ISIS, which I think is a very relevant 
issue to this committee, as well, in terms of dealing with the 
threat where it exists before it can come into the United 
States. Anyway, I just want to thank everybody for your 
patience.
    I will give this opening statement. Been involved in this 
issue for quite some time. To Suzanne and Phyllis Schneck, 
thank you for being here, Dr. Fischer.
    At the dawn of the digital age, our Nation saw endless 
opportunities to generate prosperity by expanding our networks 
and connecting to the world. But today, American prosperity 
depends as much on defending those networks as it does on 
expanding them. Every day, our country faces digital intrusions 
from criminals, activists, terrorists, and nation-states like 
Russia, China, and Iran. The impact of those intrusions is 
felt everywhere; from our National security secrets to the 
personal information of Americans.
    We cannot tolerate acts of cyber vandalism, theft, or cyber 
warfare, especially when they put our Nation's critical 
infrastructure at risk and when they steal American 
intellectual property and innovations. Accordingly, our 
Government must play a leading role in combating threats in the 
digital domain.
    It is clear that safeguarding American cyber space is one 
of the great National security challenges of our time. We are 
confronted almost daily with frightening new precedents, such 
as North Korea's act on Sony Pictures; a cowardly act meant to 
intimidate Americans and stifle freedom of expression. This 
attack came from a nation-state using a digital bomb to target 
and destroy computer systems here in the United States.
    Iranian-backed hackers also demonstrated this capability 
when they attacked Saudi Arabia's national oil company, Aramco, 
and destroyed 30,000 computers. Iran also targeted and 
continues to target major U.S. banks to shut down websites and 
restrict Americans' ability to access their bank accounts.
    Imagine this type of attack on our gas pipelines or power 
grids in the northeast. Such assaults on our critical 
infrastructure could cripple our economy and weaken our ability 
to defend the United States. These scenarios sometimes sound 
alarmist. But we must take them seriously, as they grow more 
realistic every day. Our adversaries are hard at work 
developing and refining cyber attack capabilities, and they are 
using them to intimidate our Government and threaten our people 
in both times of peace and times of conflict.
    But the threat extends beyond the industrial engines that 
drive our economies, to the homes of Americans themselves. 
Criminals and countries alike can use cyber attacks to raid 
Americans' savings accounts or steal their personal health 
records. The recent breach of health insurer Anthem illustrates 
the intrusiveness of these attacks. That assault alone exposed 
the personal information of up to 80 million people, including 
the names, birth dates, and Social Security numbers of tens of 
millions of children.
    But this is just the latest in a long string of cyber 
breaches targeting private citizens, a list that includes 
breaches at Target, Neiman Marcus, Home Depot, and J.P. Morgan. 
Our adversaries are also seeking to steal secrets from our 
Government and our most innovative companies. We know that 
Chinese hackers, for instance, continue to breach Federal 
networks for the purpose of espionage and attack major U.S. 
businesses to give themselves a competitive edge in the global 
economy.
    Make no mistake, these attacks are costing Americans their 
time, their money, and their jobs. General Keith Alexander 
described cyber espionage and the loss of American intellectual 
property as the greatest transfer of wealth in human history.
    Sadly, our laws are not keeping up with the threat. For 
instance, fearing legal liability, many private companies 
choose not to disclose the threats they see on their own 
networks, leaving others vulnerable to the same intrusions. We 
cannot leave the American people and our businesses to fend for 
themselves. Now more than ever, Congress must take aggressive 
action.
    This year I will lead a renewed effort to push 
cybersecurity legislation through Congress. Last year, the 
Ranking Member and I in this committee passed five 
cybersecurity bills. These new statutes lay out the rules of 
the road on how cyber information will be shared between 
Government and the private sector so that the two can work 
together to combat this persistent threat.
    The laws also provide important protections to ensure 
Americans' information and civil liberties are not 
compromised. But now we must build on that success. We can 
start by creating a safe harbor, where legal barriers to share 
cyber threat information are removed and the private sector is 
encouraged to collaborate. This will allow us to respond to 
cyber incidents more quickly and effectively and will give 
Government and private entities the ability to see the threat 
landscape in real time.
    I am pleased the President has come forward with a proposal 
on this important issue. Our solutions must transcend partisan 
boundaries if we are going to tackle this challenge, and the 
American people are counting on us.
    Again, I want to thank the witnesses. I want to thank the 
Members for their patience here today.
    [The statement of Chairman McCaul follows:]
                Statement of Chairman Michael T. McCaul
                           February 25, 2015
    At the dawn of the digital age, our Nation saw endless 
opportunities to generate prosperity by expanding our networks and 
connecting to the world. But today, American prosperity depends as much 
on defending those networks as it does on expanding them.
    Every day our country faces digital intrusions from criminals, 
hacktivists, terrorists, and nation-states like Russia, China, and 
Iran. The impacts of those intrusions are felt everywhere--from our 
National security secrets to the personal information of Americans.
    We cannot tolerate acts of cyber vandalism, cyber theft, and cyber 
warfare especially when they put our Nation's critical infrastructure 
at risk and when they steal American intellectual property and 
innovation. Accordingly, our Government must play a leading role in 
combating threats in the digital domain.
    It is clear that safeguarding American cyber space is one of the 
great National security challenges of our time. We are confronted 
almost daily with frightening new precedents, such as the North Korean 
cyber attack on Sony Pictures--a cowardly act meant to intimidate 
Americans and stifle freedom of expression.
    This attack came from a nation-state using a digital bomb to target 
and destroy computer systems here in the United States. Iranian-backed 
hackers also demonstrated this capability when they attacked Saudi 
Arabia's national oil company, Aramco, and destroyed 30,000 computers. 
Iran also continues to target major U.S. banks to shut down websites 
and restrict Americans ability to access their bank accounts.
    Imagine this type of attack on our gas pipelines or power grid in 
the Northeast. Such assaults on our critical infrastructure could 
cripple our economy and weaken our ability to defend the United States. 
These scenarios sometimes sound alarmist, but we must take them 
seriously as they grow more realistic every day. Our adversaries are 
hard at work developing and refining cyber attack capabilities, and 
they are using them to intimidate our Government and threaten our 
people in both times of peace and times of conflict.
    But the threat extends beyond the industrial engines that drive our 
economy to the homes of Americans themselves. Criminals and countries 
alike can use cyber attacks to raid Americans' savings accounts or 
steal their personal health records.
    The recent breach of health insurer, Anthem, illustrates the 
intrusiveness of these attacks. That assault alone exposed the personal 
information of up to 80 million people, including the names, birth 
dates, and social security numbers of tens of millions of children. But 
this is just the latest in a long string of cyber breaches targeting 
private citizens--a list that includes breaches at Target, Neiman 
Marcus, Home Depot, and JP Morgan.
    Our adversaries are also seeking to steal secrets from our 
Government and our most innovative companies. We know that Chinese 
hackers, for instance, continue to breach Federal networks for the 
purpose of espionage and attack major U.S. businesses to give 
themselves a competitive edge in the global economy. Make no mistake: 
These attacks are costing Americans their time, money, and jobs. 
General Keith Alexander has described cyber espionage and the loss of 
American intellectual property as the ``greatest transfer of wealth in 
history.''
    Sadly, our laws are not keeping up with the threat. For instance, 
fearing legal liability, many private companies choose to not disclose 
the threats they see on their own networks, leaving others vulnerable 
to the same intrusions.
    We cannot leave the American people and our businesses to fend for 
themselves. Now, more than ever, Congress must take aggressive action.
    This year I will lead a renewed effort to push cybersecurity 
legislation through Congress. Last year, the Ranking Member and I, and 
this committee, passed five cyber bills. These new statutes lay out the 
rules of the road on how cyber information will be shared between 
Government and the private sector so that the two can work together to 
combat this persistent threat. The laws also provide important 
protections to ensure Americans' information and civil liberties are 
not compromised.
    But now, we must build on that success. And, we can start by 
creating a ``safe harbor'' where legal barriers to sharing cyber threat 
information are removed and the private sector is encouraged to 
collaborate. This will allow us to respond to cyber incidents more 
quickly and effectively--and will give Government and private entities 
the ability to see the threat landscape in real time.
    I am pleased the President has come forward with a proposal on this 
important issue. Our solutions must transcend partisan boundaries if we 
are going to tackle this challenge. The American people are counting on 
us.
    I want to thank the witnesses for testifying before this committee 
and I look forward to your testimony.

    Chairman McCaul. I now recognize the Ranking Member.
    Mr. Thompson. Thank you very much, Mr. Chairman. Let me 
also welcome our witnesses and thank them for their patience on 
getting started.
    Earlier, some of us were briefed on some on-going efforts 
by the Department, Mr. Chairman. I might add, it was very 
informative. Thank you all very much for doing it.
    Our hearing today is examining the President's 
cybersecurity information-sharing proposal. Mr. Chairman, at 
its core cybersecurity relies on effective information sharing 
among network operators about indicators, hacks, and cyber 
vulnerabilities.
    This committee has been central in its effort to foster 
better cyber information sharing by producing bipartisan 
cybersecurity legislation that President Obama signed into law 
at the end of last year. As you talked about it, the National 
Cybersecurity Protection Act of 2014 authorizes the National 
Cybersecurity and Communications Integration Center, NCCIC, 
within the Department of Homeland Security as an information-
sharing hub for cybersecurity risk and incidents, and directed the NCCIC to 
provide technical assistance, risk management support, and 
incident response capabilities to impacted network operators.
    The legislative proposal that the President unveiled last 
month has again spurred debate. Importantly, the 
administration's proposal would require participating companies 
to comply with certain privacy restrictions, such as removing 
unnecessary personal information and taking measures to protect 
any personal information to qualify for liability protection. 
In my view, the President's proposal has some merit.
    As we go forward, we should consider the following 
questions: First, what is being shared? Is it just computer 
code made up of zeros and ones, or does the information contain 
Americans' sensitive personal data? If it does contain personal 
data, I believe that reasonable efforts should be made by 
participating companies to remove personally identifiable 
information from the information shared with the Government 
that will help to preserve Americans' privacy.
    Second, who is doing the sharing? Is it a critical 
infrastructure operator?
    Third, where is the sharing happening? The answer to the 
question has privacy implications, particularly when the 
sharing is between the Federal Government and the private 
sector, as opposed to sharing between private-sector companies.
    I look forward to hearing testimony from our witnesses on 
the potential risks and rewards of a cyber information-sharing 
environment dominated by ISAO, as the President envisions. 
Certainly, I would like to hear how the proposed changes could 
impact NCCIC. The success of NCCIC is dependent on the 
companies' seeing the value of proposition for sharing with the 
Department.
    I look forward to hearing from the Department on how they 
intend to drive traffic to the NCCIC and how implementation of 
a new cyber law is progressing. I would also like to hear more 
about the new education grant program that the President has 
proposed.
    While I am pleased that the President seems to agree about 
the importance of making this investment in growing our cyber 
workforce, I am disappointed that the proposal calls for just 
$5 million a year to be spent over 5 years at 13 historically 
black colleges and universities and two National laboratories, 
especially in light of a documented shortfall in the cyber 
workforce. Given the billions of dollars spent on 
cybersecurity, much of which is spent on Federal contractors, I 
would have expected a more ambitious plan for developing cyber 
tactics.
    Before I close, I would like to note that on February 11, 
together with the Chairman and the leadership of the Senate 
Homeland Security and Governmental Affairs Committee, we wrote 
to the President about the new Cyber Threat Intelligence 
Integration Center. We look forward to a formal response to our 
questions, particularly as they relate to the NCCIC.
    I look forward to hearing from our witnesses today and 
working with the Chairman on forthcoming legislation to help 
ensure that the networks of our Nation's critical 
infrastructure are more secure.
    With that, I yield back.
    [The statement of Ranking Member Thompson follows:]
             Statement of Ranking Member Bennie G. Thompson
                           February 25, 2015
    Over the past decade, we have witnessed an explosion of internet 
use in all aspects of life. As a Nation, we do more business on-line 
than ever before--trillions of dollars a year. For most Americans, 
smartphones, tablets, and other computers have become the platforms on 
which we live, work, and play.
    Unfortunately, these devices and networks have also become targets 
for bad actors.
    Last month's cyber attack on the Nation's second-largest health 
insurer, Anthem, resulted in tens of millions of Social Security 
numbers, birth dates, addresses, and names being stolen from its 
database. Given that Anthem insures 7.5 million people in 14 States, 
the potential damage of this breach is expected to be extensive.
    Last year's attack on Sony destroyed data, disabled thousands of 
computers, and exposed the personal information of Sony employees.
    These attacks underscore that any network that is connected to the 
internet is a potential victim.
    The fact that our Nation's critical infrastructure--including the 
power grid, financial institutions, and health care systems--are all 
connected to the internet make them particularly attractive targets for 
attack.
    Cyber attackers are constantly probing for weaknesses in our 
critical infrastructure which powers much of our electric grid, 
financial institutions, and health care systems.
    The attention that cybersecurity has received in recent years by 
President Obama and Congress is reflective of the increasing awareness 
that the responsibility to address this homeland security threat is a 
collective one.
    At its core, cybersecurity relies on effective information sharing 
among network operators about indicators, hacks, and cyber 
vulnerabilities.
    This committee has been central in efforts to foster better cyber 
information sharing by producing bipartisan cybersecurity legislation 
that President Obama signed into law at the end of last year.
    The ``National Cybersecurity Protection Act of 2014'' authorizes 
the National Cybersecurity and Communications Integrity Center (NCCIC) 
within the Department of Homeland Security as an information-sharing 
hub for cybersecurity risks and incidents, and directed the NCCIC to 
provide technical assistance, risk management support, and incident 
response capabilities to impacted network operators.
    The legislative proposal that the President unveiled last month 
has, again, spurred debate.
    Importantly, the administration's proposal would require 
participating companies to comply with certain privacy restrictions 
such as removing unnecessary personal information and taking measures 
to protect any personal information to qualify for liability 
protection.
    In my view, the President's proposal has some merit.
    As we go forward, we should consider the following questions: 
First, what is being shared?--Is it just computer code made up of 
``zeroes and ones'' or does the information contain Americans' 
sensitive personal data? If it does contain personal data, I believe 
that ``reasonable efforts'' should be made by participating companies 
to remove ``personally identifiable information'' from information 
shared with the Government. This will help to preserve Americans' 
privacy.
    Second, who is doing the sharing?--Is it a critical infrastructure 
operator?
    Third, where is the sharing happening?--The answer to that question 
has privacy implications--particularly when the sharing is between the 
Federal Government and the private sector, as opposed to sharing 
between private-sector companies.
    I look forward to hearing testimony from our witnesses on the 
potential risks and rewards of a cyber information-sharing environment 
dominated by ISAOs, as the President envisions.
    Certainly, I would like to hear how these proposed changes could 
impact the NCCIC. The success of the NCCIC is dependent on companies 
seeing the ``value proposition'' for sharing with the Department.
    I look forward to hearing from the Department on how they intend to 
drive traffic to the NCCIC and how implementation of the new cyber law 
is progressing.
    I would also like to hear more about the new education grant 
program that the President has proposed.
    While I am pleased that the President seems to agree about the 
importance of making this investment in growing our cyber workforce, I 
am disappointed that the proposal calls for just $5 million a year to 
be spent over 5 years at 13 Historically Black Colleges and 
Universities, and two National laboratories.
    Given the billions of dollars spent on cybersecurity, much of which 
is spent on Federal contractors, I would have expected a more ambitious 
plan for developing cyber talent.
    Before I close, I would like to acknowledge that the committee just 
met with the President's cybersecurity advisor, Michael Daniel. I 
appreciate Mr. Daniel's willingness to lay out the administration's 
vision for cybersecurity and to address our questions, particularly 
about the newly-announced cyber center that will be housed in the 
intelligence community.
    On February 11, together with the Chairman and the leadership of 
the Senate Homeland Security and Governmental Affairs Committee, we 
wrote to the President about this new ``Cyber Threat Intelligence 
Integration Center''. We look forward to a formal response to our 
questions, particularly as they relate to the NCCIC.
    In conclusion, I look forward to hearing from our witnesses today 
and to working with the Chairman on forthcoming legislation to help 
ensure that the networks of our Nation's critical infrastructure are 
more secure.

    Chairman McCaul. Thank the Ranking Member.
    Chairman now recognizes the--I would like to briefly 
introduce the witnesses. First, we have the Honorable Suzanne 
Spaulding. She is the under secretary for the National 
Protection and Programs Directorate at the Department of 
Homeland Security.
    Next, we have Dr. Phyllis Schneck. She is a deputy under 
secretary for cybersecurity and communications within the 
National Protection and Programs Directorate at the Department 
of Homeland Security. It is great to have both of you here 
today.
    Finally, we have Dr. Eric Fischer, who is a senior 
specialist for science and technology at the Congressional 
Research Service.
    The witnesses' full statements will appear in the record. 
The Chairman now recognizes Ms. Spaulding for 5 minutes.

 STATEMENT OF SUZANNE E. SPAULDING, UNDER SECRETARY, NATIONAL 
    PROTECTION AND PROGRAMS DIRECTORATE, U.S. DEPARTMENT OF 
                       HOMELAND SECURITY

    Ms. Spaulding. Thank you, Chairman McCaul, Ranking Member 
Thompson, Members of the committee.
    We are very pleased to be here today to discuss the 
administration's proposal to enhance cybersecurity information 
sharing. This proposal recognizes the unique mission and 
capabilities of the Department of Homeland Security's National 
Protection and Programs Directorate. It will facilitate 
information sharing in ways that will significantly advance our 
National security.
    By placing the Department's National Cybersecurity and 
Communications Integration Center, or NCCIC, as the 
coordination center for receiving and disseminating cyber 
threat indicator information, which will be very quickly 
shared. We will receive and disseminate that information to 
Federal and non-Federal entities.
    As this committee knows, we are faced with pervasive cyber 
threats from a variety of actors, including nation-state 
actors. They are motivated by a range of objectives, including 
espionage, political and ideological beliefs, and financial 
gain.
    The National Protection and Programs Directorate 
focuses on helping our partners across Government and non-
Government to manage those cyber risks, to reduce the frequency 
and impact of cyber incidents, and to build their own capacity. 
We do this by sharing timely and accurate information and 
analysis, particularly to enable the private and public-sector 
partners to protect themselves. This includes detailed analysis 
about cascading consequences in the physical world that can 
result from cyber incidents.
    We provide technology to detect and block cyber threats 
from impacting the dot.gov networks, the civilian Government 
networks, and enable those agencies to more readily identify 
network security issues and prioritize the actions that they 
must take to address those.
    We enable commercial cybersecurity companies to use 
Government-furnished Classified information to better protect 
their private-sector customers. We provide on-site assistance 
to critical infrastructure and Federal agencies who have been 
impacted by a significant cyber incident. We maintain a trusted 
environment for private-sector partners to share information 
and to collaborate to address cybersecurity threats and trends.
    Congress' support for these activities led to the 
bipartisan action last year to pass critical cybersecurity 
legislation. That legislation enhanced our ability to work with 
the private sector and with other Federal civilian departments. 
As has been noted, it strengthened the Department's ability to 
recruit and to retain the kind of cybersecurity experts that we 
now have on-board.
    Enactment of these bills represents significant progress in 
the Department's cybersecurity mission. I am very grateful to 
Congress, to this committee, and particularly to Chairman 
McCaul and Ranking Member Thompson, who contributed significant 
efforts to ensure the enactment of this legislation.
    But we need to keep moving forward. Additional legislation 
is needed. Carefully updating laws to facilitate cybersecurity 
information sharing is essential to improving the Nation's 
cybersecurity. While many companies currently do share 
cybersecurity information with each other and with the 
Government under existing laws, there is a growing need to 
increase the volume and the speed of such information sharing, 
without sacrificing the trust of the American people or 
individual privacy and civil liberties.
    The President's legislative proposal incentivizes private 
entities to share information with the Government through that 
National Cybersecurity and Communications Integration Center, or NCCIC, that I 
mentioned earlier. That is our 24/7 operations and watch 
center. It brings together currently Government partners from 
across the Government and the private sector. This is 
important.
    The NCCIC's core mission, as stated in this committee's 
unanimously-passed National Cybersecurity Protection Act, is 
coordinating and serving as the interface for cybersecurity 
information across the Government and the private sector. We do 
this with strong protections in place for protecting privacy 
and for protecting sensitive business information.
    Having a single designated entry point into the Government 
makes it easier to ensure that privacy protections are being 
consistently applied across the Government. It reduces the 
complexity for the private sector that wonders where to go. It 
improves our ability to develop a common operating picture of 
the cyber threats that we see daily. It helps us to connect the 
dots, if you will, with regard to cyber threats.
    I understand that Chairman McCaul has invited Members of 
this committee to visit and tour our National Cybersecurity 
Communications Integration Center. I look forward to seeing 
many of you there and continuing this discussion at that time.
    Before I close, I would like to reiterate Secretary 
Johnson's comments on the Department's funding situation. 
Congress still has not passed a fiscal year 2015 appropriations 
bill for the Department of Homeland Security. As long as we 
operate on a continuing resolution, we are hampered by 
uncertainty and the inability to fund vital new homeland 
security initiatives. Without funding, NPPD's cybersecurity and 
critical infrastructure mission will be significantly impacted.
    Let me end by saying that today, our adversaries can 
exploit a fundamental asymmetry in our network infrastructure. 
While nearly all of our systems and networks are globally 
interconnected, our defensive capabilities are not yet. This 
gives the attacker a compelling advantage. They can find and 
exploit weak links in our systems from anywhere around the 
world at machine speed. By sharing cyber threat indicators in 
near real time, we can and will reduce that asymmetry.
    I want to thank you for this opportunity to testify. I look 
forward to your questions.
    I turn it over to my cyber deputy, Dr. Phyllis Schneck.
    [The joint prepared statement of Ms. Spaulding and Ms. 
Schneck follows:]
  Joint Prepared Statement of Suzanne E. Spaulding and Phyllis Schneck
                           February 25, 2015
                              introduction
    Chairman McCaul, Ranking Member Thompson, and distinguished Members 
of the committee, we are pleased to appear today to discuss the 
President's cybersecurity legislative proposal on information sharing.
    In our testimony today, we will highlight the Department of 
Homeland Security (DHS) National Protection and Programs Directorate 
cybersecurity role and capabilities, and describe how the President's 
legislative proposal to facilitate cyber threat indicator information 
sharing will further our National security, with DHS's National 
Cybersecurity and Communications Integration Center (NCCIC) as the 
coordination center to receive and disclose cyber threat indicators to 
Federal and Non-Federal entities.
        the on-going cyber threat and the dhs cybersecurity role
    As a Nation, we are faced with pervasive cyber threats. Malicious 
actors, including those at nation-state level, are motivated by a 
variety of reasons that include espionage, political and ideological 
beliefs, and financial gain. Increasingly, State, Local, Tribal and 
Territorial (SLTT) networks are experiencing cyber activity of a 
sophistication level similar to that seen on Federal networks.
    To achieve our cybersecurity mission, the National Protection and 
Programs Directorate focuses on helping our partners understand and 
manage cyber risk, reduce the frequency and impact of cyber incidents, 
and build partner capacity. We share timely and accurate information 
and analysis to enable private and public-sector partners to protect 
themselves. We provide on-site assistance to Federal agencies and 
critical infrastructure entities impacted by a significant 
cybersecurity incident. We provide technology and services to detect 
and block cyber threats from impacting Federal civilian networks. We 
enable Federal agencies to more readily identify network security 
issues and take prioritized action. We enable commercial cybersecurity 
companies to use Classified information so they can better protect 
their private-sector customers. We perform comprehensive consequence 
analyses that assess cross-sector interdependencies and cascading 
effects, including the potential for kinetic harm that includes loss of 
life, and we maintain a trusted environment for private-sector partners 
to share information and collaborate on cybersecurity threats and 
trends.
DHS's National Cybersecurity and Communications Integration Center
    The NCCIC serves as a 24x7 centralized location for the 
coordination and integration of cyber situational awareness and 
incident management. NCCIC partners include all Federal departments and 
agencies; State, local, Tribal, and territorial governments; the 
private sector; and international entities. The NCCIC continues to 
explore opportunities to expand its liaison capacity from other 
agencies and the private sector. The NCCIC provides its partners with 
enhanced situational awareness of cybersecurity and communications 
incidents and risks, and provides timely information to manage 
vulnerabilities, threats, and incidents. In 2014, the NCCIC received 
over 97,000 incident reports, and issued nearly 12,000 actionable cyber 
alerts or warnings. NCCIC teams also detected over 64,000 significant 
vulnerabilities on Federal and non-Federal systems and directly 
responded to 115 significant cyber incidents.
    The NCCIC actively shares cyber threat indicators to and from 
multiple sources including private-sector partners, the intelligence 
community, Federal Departments and agencies, law enforcement, State, 
local, Tribal, and territorial governments, and international 
governments. This sharing, which has been taking place for many years, 
takes many forms including person-to-person interactions on the NCCIC 
floor, manual exchange of information via e-mail and secure web 
portals, and more recently via automated, machine-to-machine exchanges 
in STIX and TAXII protocols. While all of these sharing methods have 
value, the cybersecurity community has recognized the strategic 
importance of migrating cyber threat indicator sharing to more 
automated mechanisms when and where appropriate.
                       cybersecurity legislation
    Last year, Congress acted in a bipartisan manner to pass critical 
cybersecurity legislation that enhanced the ability of the Department 
of Homeland Security to work with the private sector and other Federal 
civilian departments in each of their own cybersecurity activities, and 
enhanced the Department's cyber workforce authorities. Enactment of 
these bills represents a significant moment for the Department's 
cybersecurity mission, and this committee in particular undertook 
significant efforts to bring the bills to passage. We are thankful for 
your support and we are deploying those additional authorities with 
clarity of mission.
    Additional legislation is needed. We must take additional steps to 
ensure that DHS is able to rapidly and efficiently deploy new 
protective technologies across Federal civilian agency information 
systems. In addition, carefully updating laws to facilitate 
cybersecurity information sharing within the private sector and between 
the private and Government sectors is also essential to improving the 
Nation's cybersecurity. While many companies currently share 
cybersecurity threat information under existing laws, there is a 
heightening need to increase the volume and speed of information shared 
without sacrificing the trust of the American people or the protection 
of privacy, confidentiality, civil rights, or civil liberties. It is 
essential to ensure that cyber threat information can be shared quickly 
among trusted partners, including with law enforcement, so that network 
owners and operators can take necessary steps to block threats and 
avoid damage.
    The NCCIC plays a critical role in the President's recent 
legislative proposal because its core mission--as articulated in the 
National Cybersecurity Protection Act, developed by this committee and 
unanimously passed by the House in December--is to coordinate and serve 
as an interface for cybersecurity information across the Government and 
private sector.
The Administration's Information-Sharing Proposal for Cyber Threat 
        Indicators
    Building on the bipartisan cybersecurity legislation enacted last 
Congress, President Obama visited the NCCIC on January 13, 2015, to 
announce a proposal for additional legislation to improve cybersecurity 
information sharing. The President noted, ``Much of our critical 
infrastructure runs on networks connected to the Internet . . . [a]nd 
most of this infrastructure is owned and operated by the private 
sector. So neither Government nor the private sector can defend the 
Nation alone. It's going to have to be a shared mission--Government and 
industry working hand in hand, as partners.'' This partnership entails 
sharing cyber threat indicators to better enable Government agencies 
and the private sector to protect themselves.
    Information sharing, especially of these technical ``threat 
indicators'' that can be used to identify and block malicious activity, 
is the lifeblood of effective cyber defense and response. Pulling 
together this information allows defenders to identify anomalies or 
patterns and recognize dangerous activity before it can do significant 
damage. The goal of the President's proposal is to increase the sharing 
of this type of information, as quickly as possible, with appropriate 
protection for privacy and of sensitive information and systems.
    Among other things, the administration's proposal would reduce the 
risks for private entities to voluntarily share technical cyber threat 
indicators with each other and the NCCIC by providing protections 
against civil or criminal liability for such sharing. Equally 
important, the proposal narrowly defines the threat indicators that 
will be shared, requires that irrelevant identifying information be 
minimized from these indicators, and generally requires strong 
protections for the privacy and confidentiality of personal 
information. Finally, the proposal calls for the creation of 
Information Sharing and Analysis Organizations (ISAOs). ISAOs would be 
information sharing organizations that would help speed information 
sharing within the private sector and between the private sector and 
Government.
    Our goal is to expand information sharing within the private 
sector, and to build on the existing relationships, processes and 
programs of the NCCIC to enhance cooperation between the Government and 
private sector. The proposal will help us improve the methods that the 
NCCIC already uses to share cyber threat indicators, and leverage 
automation to achieve scalability wherever possible. We look to evolve 
and expand indicator sharing at the NCCIC from human exchanges, 
portals, and written reports to automated machine-to-machine 
communications. Our vision is that this may reduce the time to receive 
and act on indicators from hours to milliseconds, create consistency in 
information provided to interagency partners, law enforcement, and the 
private sector, and free analysts to focus on the threats that require 
human analysis while expediting detection and blocking of new threats.
NCCIC as the Coordination Center
    Cyber threat indicators, which allow Government agencies and the 
private sector to better protect themselves, come from a variety of 
sources, including: Government agencies, private companies, 
international partners, and ISAOs. Given the variety of formats used--
and information that is included--when sharing such information, the 
Government must have a central clearinghouse to ensure that privacy and 
confidentiality protections are consistently applied and that the right 
information reaches the right Government and private-sector entities.
    DHS is a leader within the Government when it comes to the 
development and operational implementation of privacy, confidentiality, 
and civil liberties policies. DHS was the first agency to have 
statutorily established Officers for Privacy and for Civil Rights and 
Civil Liberties. From its creation, DHS has built both privacy and 
civil liberties protections into all of its programs and has dedicated, 
on-site privacy professionals committed to ensuring that its cyber 
mission is carried out in a way consistent with our Nation's values. 
Through statutory protections like Protected Critical Infrastructure 
Information (PCII), DHS will continue to anonymize the identity of 
submitters and other proprietary and sensitive information in threat 
indicator submissions. Moreover, the President's proposal calls for DHS 
to build upon its existing privacy, confidentiality, and civil liberty 
procedures by working with the Attorney General to develop new 
procedures to appropriately limit Government receipt, use, and 
retention of threat indicators. Establishing the NCCIC as the primary 
entry way for cyber threat indicators from the private sector will 
ensure uniform application of these important privacy and 
confidentiality protections, while still allowing cyber threat 
indicators to be shared with law enforcement for the specific purposes 
identified in the legislation.
    NCCIC sits at the intersection of cyber communities, with 
representatives from the private sector and other Government entities 
physically present on the NCCIC floor and connected virtually. This 
diverse participation in the NCCIC was cemented by section 226(d) of 
the Homeland Security Act as added by the National Cybersecurity 
Protection Act. NCCIC's core mission is to enable better network 
defense by assessing and appropriately sharing information on the risks 
to America's critical cyber systems and how to reduce them.
   building capacity to accelerate automated sharing of cyber threat 
                               indicators
    The administration's proposal directs DHS to automate and share 
information in as close to real time as practicable with relevant 
Federal agencies, including law enforcement entities, and with ISAOs. 
For the past 3 years, DHS has led the development in collaboration with 
the private sector of specifications--known as STIX and TAXII--which 
standardize the representation and exchange of cyber threat 
information, including actionable cyber threat indicators. STIX, the 
Structured Threat Information eXpression, is a standardized format for 
the representation and exchange of cyber threat information, including 
indicators. TAXII, the Trusted Automated eXchange of Indicator 
Information, is a standardized protocol for discovering and exchanging 
cyber threat information in STIX. The interagency Enhance Shared 
Situational Awareness initiative has already chosen STIX as the basis 
for sharing cyber threat indicators between the Federal cyber centers, 
ensuring interoperability between these key sources of information.
    Through collaboration between DHS and the private sector, there is 
a solid and rapidly-growing base of commercial offerings supporting 
STIX and sharing indicators via the TAXII, including platforms, network 
protection appliances and endpoint security tools. While the NCCIC has 
in-house systems and tools to assist analysts in generating STIX 
indicators, those indicators are currently analyzed and filtered by 
human analysts and shared back out with the private sector and Federal 
partners through manual methods such as e-mail and secure portals. In 
2014, the NCCIC began a limited pilot with several organizations to 
test automated delivery of STIX indicators via TAXII.
    To inform our plan for achieving automated cyber threat indicator 
information sharing, DHS created a working group between a range of DHS 
offices and the FBI, a critical stakeholder in the NCCIC. We also 
included experts from our Privacy, Civil Rights and Civil Liberties, 
and Science and Technology offices, among others, to ensure that our 
architecture is based on best-in-class technology and is consistent 
with our values and our respect for Americans' privacy and civil 
liberties.
    Implementation will proceed through four major phases: (1) An 
initial operating capability phase in which we will deploy a TAXII 
system that can disseminate STIX cyber threat indicators with increased 
automation capability, enabling the use of human analysis for the most 
complex problems and egregious threats; (2) an expanded automation 
phase in which we will develop and deploy DHS infrastructure that can 
receive, filter, and analyze cyber threat indicators--during this 
phase, we will promulgate guidance for private-sector companies to 
minimize, redact, and tag their data prior to submission to NCCIC, and 
will complete a Privacy Impact Assessment; (3) a final operating 
capability phase in which we will fully automate DHS processes to 
receive and appropriately disseminate cyber threat indicators in a 
machine-readable format and finalize policies for filtering, receipt, 
retention, use, and sharing, including regular compliance reviews; and 
(4) a scaled services capability phase, during which DHS will work to 
enable agencies that lack sufficient cybersecurity resources or 
expertise to receive and share cyber threat indicators with the NCCIC 
in near-real time by providing a turnkey technical solution to ``plug 
in'' to the NCCIC.
  dhs shares information widely with federal agencies and the private 
                                 sector
    Currently, DHS shares information with Federal agencies and the 
private sector. DHS takes a customer-focused approach to information 
sharing, and different types of information require differing response 
times and dissemination protocols. DHS provides information to detect 
and block cybersecurity attacks on Federal civilian agencies and shares 
information to help critical infrastructure entities in their own 
protection; provides information to commercial cybersecurity companies 
so they can better protect their customers through the Enhanced 
Cybersecurity Services program, or ECS; and maintains a trusted 
information-sharing environment for private-sector partners to share 
information and collaborate on cybersecurity threats and trends via a 
program known as the Cyber Information Sharing and Collaboration 
Program, or CISCP. This trust derives in large part from our emphasis 
on privacy, confidentiality, civil rights, and civil liberties across 
all information-sharing programs, including special care to safeguard 
personally identifiable information.
    DHS also directly supports Federal civilian departments and 
agencies in developing capabilities that will improve their own 
cybersecurity posture. Through the Continuous Diagnostics and 
Mitigation (CDM) program, DHS enables Federal agencies to more readily 
identify network security issues, including unauthorized and unmanaged 
hardware and software; known vulnerabilities; weak configuration 
settings; and potential insider attacks. Agencies can then prioritize 
mitigation of these issues based upon potential consequences or 
likelihood of exploitation by adversaries. The CDM program provides 
diagnostic sensors, tools, and dashboards that provide situational 
awareness to individual agencies, and will provide DHS with summary 
data to understand relative and system risk across the Executive 
branch. DHS is moving aggressively to implement CDM across all Federal 
civilian agencies, and Memoranda of Agreement with the CDM program 
encompass over 97 percent of all Federal civilian personnel.
    While CDM will identify vulnerabilities and systemic risks within 
agency networks, the National Cybersecurity Protection System, also 
known as EINSTEIN, detects and blocks threats at the perimeter of those 
networks or at an agency's Internet Service Provider. EINSTEIN is an 
integrated intrusion detection, analysis, information-sharing, and 
intrusion-prevention system. The most recent iteration, Einstein 3 
Accelerated (E3A), supplements EINSTEIN 2 by adding additional 
intrusion prevention capabilities and enabling Internet Service 
Providers (ISPs), under the direction of DHS, to detect and block known 
or suspected cyber threats using indicators.
                               conclusion
    We are working together to find new and better ways to share 
accurate, timely data in a manner consistent with fundamental American 
values of privacy, confidentiality, and civil rights. While securing 
cyberspace has been identified as a core DHS mission since the 2010 
Quadrennial Homeland Security Review, the Department's view of 
cybersecurity has evolved to include a more holistic emphasis on 
critical infrastructure which takes into account the convergence of 
cyber and physical risk.
    Today our adversaries exploit a fundamental asymmetry in our 
network infrastructure: While nearly all of our systems and networks 
are globally interconnected, our defensive capabilities are not. This 
gives the attackers a compelling advantage as they can find and exploit 
the weak links in our systems from anywhere around the world--at 
machine speed. By sharing cyber threat indicators in near-real time, we 
reduce that asymmetry.
    As our defensive cybersecurity capabilities become more 
interconnected, we greatly reduce the likelihood that an adversary can 
re-use attack infrastructure, tools, tactics, techniques, and 
procedures. In addition, we greatly reduce the time window in which new 
and novel attacks are effective because the ecosystem shares those 
indicators and develops a type of ``herd immunity,'' improving defenses 
as indicators are shared and events are correlated in near-real time. 
These two factors do not eliminate all cyber threats, but they hold the 
promise of significantly increasing the time and resources (both 
technical and human) that attackers must expend to achieve their goals. 
Moreover, the STIX data format and the TAXII transport method are 
increasingly compatible with commonly-used commercial information 
technology (IT) products. This means more entities are able to send 
indicators automatically to the NCCIC, creating an ecosystem of 
indicators which will in turn provide greater context to malicious 
cyber activity and rapidly increase situational awareness per Executive 
Order 13636, Improving Critical Infrastructure Cybersecurity and 
Executive Order 13691, signed February 13, 2015, Promoting Private 
Sector Cybersecurity Information Sharing.
    DHS will continue to serve as one of the Government's primary 
resources for information sharing and collaborative analysis, at 
machine speed wherever possible, of global cyber risks, trends, and 
incidents. Through our leadership role in protecting civilian 
Government systems and helping the private sector protect itself, DHS 
can correlate data from diverse sources, in an anonymized and secure 
manner, to maximize insights and inform effective risk mitigation.
    DHS provides the foundation of the U.S. Government's approach to 
securing and ensuring the resilience of civilian critical 
infrastructure and essential services. We look forward to continuing 
the conversation and supporting the American goals of peace and 
stability; in these endeavors, we rely upon your continued support.
    Thank you for the opportunity to testify, and we look forward to 
any questions you may have.

    Chairman McCaul. Thank you, Ms. Spaulding. We appreciate 
your service and dedication to this important issue.
    The Chairman now recognizes Dr. Schneck.

     STATEMENT OF PHYLLIS SCHNECK, DEPUTY UNDER SECRETARY, 
   CYBERSECURITY AND COMMUNICATIONS, NATIONAL PROTECTION AND 
   PROGRAMS DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY

    Ms. Schneck. Good morning and thank you Chairman McCaul, 
Ranking Member Thompson, and distinguished Members of the 
committee.
    Let me echo Under Secretary Spaulding's thanks for 
convening this meeting today. Thank you for your tireless 
support to our cyber mission and thank you for making it a 
constant between my time in the private sector and my time now 
in Government, the impact that our work and our legislative 
process can have on good things.
    The under secretary explained the Department of Homeland 
Security's role and capabilities in cybersecurity and explained 
why our National Cybersecurity and Communications Integration 
Center, our NCCIC, is key and at the forefront of the 
President's proposal for increasing the volume and speed of 
information sharing.
    I would like to amplify that and tell you how we are going 
to do this and how we are building that capability. First, to 
the Ranking Member's question; what is being shared and what do 
we need most? We need information sharing and especially the 
technical threat indicators; the bare bones information of, for 
example, what is an address of a machine that is doing 
something bad that we see? What is the specific code of 
software that is being sent to hurt good people? By identifying 
these indicators, that is the life blood of cyber defense; by 
being able to very quickly recognize them and put them 
together.
    Pulling together this information, it builds on the rules 
of statistics. We have to understand good behavior and bad 
behavior to identify anomalies. Identifying those anomalies at 
the speed of machines will help us in our cyber defense 
initiatives.
    The President's proposal defines the kind of information, 
specifically, that can be shared and requires very strong 
protections around privacy and civil liberties to protect our 
personal information and protect those privacy and civil 
liberties and American ways of life that we seek to protect and 
defend through our cybersecurity mission.
    The proposal narrowly defines categories of technical 
information used to define and mitigate these threats so that 
we can then pull them together. But it does not, for an 
example, include exfiltrated information; which means the 
information, for example, that someone might have tried to 
steal, which could include proprietary information or someone's 
private information. So very narrowly-defined information on 
what we need to share and share quickly.
    The President's ISAO Executive Order will enhance the 
information-sharing efforts. The order focuses specifically on 
encouraging the formation and effectiveness of information sharing 
and analysis organizations. They can be profit or nonprofit, 
private sector, and they can be composed of any combination of 
public and private sectors. The Executive Order directs DHS to 
strongly encourage the development of these formations to bring 
people together in trusted relationships to share information 
that transcends competition to enable those cyber threat 
indicators to come together and show us, again at machine 
speed, what enemy might be trying to hurt our systems and be 
able to see at that 50,000-foot level all over the world what 
actions are happening dispersed that we could use to protect 
somebody right now.
    DHS--this is a very important point--is already sharing 
information in real time with Federal agencies and the private 
sector. We share with people and machines using people and 
machines. We provide information to detect and block 
cybersecurity threats to our Federal civilian government 
agencies and, as the under secretary mentioned, within that, 
using Government-Classified information.
    We also provide information to commercial companies so that 
they can better protect themselves as well, also with some 
systems using that Classified information. We maintain key 
trusted information-sharing partnerships at a scientist level 
and at policy levels with parts of the private sector so we can 
enable us--ourselves and them to understand what is the science 
and what are the key things we need to be looking for? So trust 
between people and machines.
    Where are we going and why is this so important? We need to 
up our game to automate. We need to take the machines and 
remember that machines are not smart, they are just fast, and 
use that very machine speed that the adversary uses to steal 
and hurt us in our cyber systems and use that machine to 
understand what is happening all over the world and enable our 
machines in addition to other technologies to sense bad 
behavior before it hurts.
    In doing that, part of that is pulling those automated 
cyber threat indicators together so that we can start looking 
at behavior all over the world and work--and this is very, very 
important--in partnership. So no one can do this alone. We need 
DHS, we need the FBI, we need the Secret Service, we need the 
intelligence community, and we need the private sector.
    I thank you, Chairman, as well for all the work you have 
done with the private sector to engage them with your committee 
and how important it is to work with Government.
    We have developed a common language and a common way of 
writing cyber threat indicators so that anyone who wants to 
share with us can, that can be transported at machine speed, 
and that machines can readily read the information; and it 
limits itself to what is required to be a cyber threat 
indicator. We need to continue to work with our privacy and 
civil liberties experts constantly; with the FBI, with the 
Secret Service, with law enforcement, with the intelligence 
community to manage all the expectations and all of the 
equities.
    But we are building protocols and structured language to 
equalize and normalize with what a cyber threat indicator is, 
to have the machines get a lot of the noise out of the way so 
our top minds can look at the most egregious threats, and to 
have our networks become more self-healing and more resilient.
    Finally, I would like to reemphasize the importance of our 
NCCIC, our National Cybersecurity Communications Integration 
Center, and point out that that is the interface for sharing 
cyber information across the Government and private sector. But 
we do this in clear cooperation, and as we develop these 
protocols, it is with the Secret Service and the FBI and all 
the law enforcement and the intelligence community and the 
private sector.
    This can't work if we do it alone. It has to respect 
everyone's equities and all privacy and civil liberties. Having 
that single designated entity in the Government reduces 
complexity, as the under secretary stated, and streamlines our 
ability to develop that common picture of the threats we see 
daily.
    Thank you for this opportunity to testify. I look forward 
to any questions you might have.
    Chairman McCaul. Thank you. Just let me say that you have 
really done an outstanding job standing up the NCCIC, bringing 
the capabilities of the NCCIC to the current threats that we 
have. Your experience at McAfee is well-served. I thank the 
Department.
    With that, the Chairman now recognizes Dr. Fischer.

 STATEMENT OF ERIC A. FISCHER, SENIOR SPECIALIST, SCIENCE AND 
TECHNOLOGY, CONGRESSIONAL RESEARCH SERVICE, LIBRARY OF CONGRESS

    Mr. Fischer. Good afternoon, Chairman McCaul, Ranking 
Member Thompson, and distinguished Members of the committee.
    On behalf of the Congressional Research Service, I would 
like to thank you for the opportunity to testify today on 
information sharing and cybersecurity. Barriers to sharing of 
cybersecurity information are considered by many, as we heard, 
to be a significant hindrance to effective protection of 
information systems.
    That is especially true for critical infrastructure, even 
though most recent prominent cases of successful cyber attacks 
have not involved such organizations. Many examples have been 
cited of legal, technical, and other barriers. In addition, 
traditional approaches to security and confidentiality would 
themselves impede sharing of information.
    There is some disagreement among experts about whether 
Federal legislation is needed. Nevertheless, there appears to 
be a fairly broad consensus that legislation could be useful if 
crafted appropriately. However, there is disagreement also 
about what the key characteristics should be. Proposals to 
reduce or remove barriers have raised concerns, some of which 
are related to the purpose of the barriers; that the barriers 
are thought to currently impede sharing.
    A key challenge appears to be how to achieve the proper 
level of balance that fosters the sharing of useful information 
efficiently and effectively, while ensuring avoidance of 
adverse impacts. I will touch on five questions that the debate 
has tended to focus on.
    Question No. 1: What are the kinds of information for which 
barriers to sharing make effective cybersecurity more 
difficult? Information sharing can involve a wide variety of 
materials communicated on a wide variety of time scales. The 
level of sensitivity of information can vary. For example, it 
may be Classified, proprietary, or personal, or open public 
information. Information of any class will also vary in its 
value for cybersecurity and the degree to which it needs human 
processing to be useful.
    To the extent that the goal of information sharing is to 
defend information systems against cyber attacks, the focus has 
been on actionable information. Such information may often need 
to be shared very quickly, as Dr. Schneck has mentioned, with 
little or no time for human examination.
    Broader information contributing to shared situational 
awareness may also be useful; for example, among companies 
within a sector. Such information might not be technically 
actionable, but helps organizations to analyze their current 
security postures and inform their responses.
    A key point is that addressing what should be shared, how 
and when, is not as straightforward as it may seem. This is 
true not only for cybersecurity information, but more broadly 
with security information.
    Question No. 2: How should information sharing be 
structured to ensure that it is efficient and effective? 
Information sharing can conceivably lead to information 
overload. That can include not only information of uncertain 
quality and use, but also similar or redundant information from 
a variety of sources.
    Various legislative proposals have approached the structure 
of information sharing differently. The White House proposal would 
use information sharing and analysis organizations, which were 
created in the Homeland Security Act, but few of which appear 
to exist today. It might be useful to clarify the roles of 
these and other entities as the committee considers 
legislation.
    Question No. 3: What are the risks to privacy rights and 
civil liberties of individual citizens, and how are they best 
protected? Such concerns have been a significant source of 
controversy and debate about information sharing and 
legislation. They have arisen in part because proposals would 
permit sharing of specific information or specified information 
by covered private entities, notwithstanding any other 
provision of law. That particular phrase has certain 
implications that would be worthy of--perhaps of additional 
consideration. Now, the various legislative proposals address 
privacy concerns in various ways, but there are also many 
similarities among them.
    The fourth question is: What, if any, statutory protections 
against liability are needed? Concerns about liability have 
often been cited as a significant barrier to private-sector 
information sharing, both with other private entities and with 
the Federal Government. There are--in addition to the 
notwithstanding provisions, there are also various proposals to 
prohibit court actions to protect organizations against such 
actions--or against liability concerns and reduce that barrier.
    The fifth question, finally, is: What improvements to 
current standards and practices are needed to ensure that 
information sharing is useful and efficient for protecting 
information systems, networks, and their contents? As the other 
witnesses have testified, standards for exchange of threat data 
have been developed and their use is growing. But there are 
also calls for additional standards and best practices. There 
are some concerns among observers that such work is needed, 
particularly with respect to--well, for example, evaluating the 
effectiveness of information sharing.
    That concludes my testimony. Once again, thank you for 
asking me to appear before you today.
    [The prepared statement of Mr. Fischer follows:]
                 Prepared Statement of Eric A. Fischer
                           February 25, 2015
    Chairman McCaul, Ranking Member Thompson, and distinguished Members 
of the committee: Thank you for this opportunity to discuss legislative 
proposals on information sharing in cybersecurity.\1\ In January of 
this year, the White House announced a revision of its 2011 
information-sharing proposal as part of a set of updated proposals and 
other actions relating to cybersecurity:\2\
---------------------------------------------------------------------------
    \1\ This statement is limited to a policy analysis of the proposals 
and initiatives discussed and is not intended to reach any legal 
conclusions regarding them.
    \2\ The White House, ``Securing Cyberspace: President Obama 
Announces New Cybersecurity Legislative Proposal and Other 
Cybersecurity Efforts,'' Press Release (January 13, 2015), http://
www.whitehouse.gov/the-press-office/2015/01/13/securing-cyberspace-
president-obama-announces-new-cybersecurity-legislat.
---------------------------------------------------------------------------
   A draft bill to enhance information sharing on cybersecurity 
        within the private sector and between the private sector and 
        the Federal Government. Most of my testimony today will focus 
        on this proposal and related bills in the 113th and 114th 
        Congresses.\3\
---------------------------------------------------------------------------
    \3\ The White House, Updated Information Sharing Legislative 
Proposal, 2015, http://www.whitehouse.gov/sites/default/files/omb/
legislative/letters/updated-information-sharing-legislative-
proposal.pdf.
---------------------------------------------------------------------------
   A draft bill to amend Federal statutes relating to cyber 
        crime by creating or increasing criminal penalties for certain 
        types of offenses and providing some other authorities to law-
        enforcement agencies and the courts.\4\
---------------------------------------------------------------------------
    \4\ The White House, Updated Administration Proposal: Law 
Enforcement Provisions, 2015, http://www.whitehouse.gov/sites/default/
files/omb/legislative/letters/updated-law-enforcement-tools.pdf.
---------------------------------------------------------------------------
   A draft bill to harmonize State laws requiring companies 
        holding personal information on customers to notify them of 
        data breaches involving such information.\5\
---------------------------------------------------------------------------
    \5\ The White House, The Personal Data Notification & Protection 
Act, 2015, http://www.whitehouse.gov/sites/default/files/omb/
legislative/letters/updated-data-breach-notification.pdf.
---------------------------------------------------------------------------
   A 5-year, $25 million grant to create a new cybersecurity 
        consortium consisting of 13 Historically Black Colleges and 
        Universities (HBCUs), the Lawrence Livermore and Sandia 
        National Laboratories of the Department of Energy, and a South 
        Carolina school district. The object of the program is to help 
        fill demand for cybersecurity professionals while diversifying 
        the pipeline of talent for this and related fields of 
        expertise.\6\ This program can be seen as a complement to 
        legislation enacted by the 113th Congress that addresses 
        cybersecurity workforce needs in the Department of Homeland 
        Security \7\ (DHS) and more broadly.\8\
---------------------------------------------------------------------------
    \6\ The White House, ``Vice President Biden Announces $25 Million 
in Funding for Cybersecurity Education at HBCUs,'' Press Release 
(January 15, 2015), http://www.whitehouse.gov/the-press-office/2015/01/
15/vice-president-biden-announces-25-million-funding-cybersecurity-
educatio.
    \7\ H.R. 2952, the Cybersecurity Workforce Assessment Act (Pub. L. 
No. 113-246), and S. 1691, the Border Patrol Agent Pay Reform Act of 
2014 (Pub. L. No. 113-277), requiring assessments of workforce needs 
within the Department of Homeland Security and providing enhanced 
authorities to the Secretary for recruitment and retention of 
cybersecurity personnel.
    \8\ S. 1353, the Cybersecurity Enhancement Act of 2014 (Pub. L. No. 
113-274), establishing in statute a National Science Foundation program 
for educating cybersecurity professionals for Government agencies, and 
an interagency program of challenges and competitions in cybersecurity 
to stimulate identification and recruitment of cybersecurity 
professionals more broadly as well as cybersecurity research and 
innovation.
---------------------------------------------------------------------------
    The announcement also included a description of the White House 
cybersecurity summit held on February 13 at Stanford University.
    Barriers to the sharing of information on threats, attacks, 
vulnerabilities, and other aspects of cybersecurity--both within and 
across sectors--have long been considered by many to be a significant 
hindrance to effective protection of information systems, especially 
those associated with critical infrastructure.\9\ Examples have 
included legal barriers, concerns about liability and misuse, 
protection of trade secrets and other proprietary business information, 
and institutional and cultural factors--for example, the traditional 
approach to security tends to emphasize secrecy and confidentiality, 
which would necessarily impede sharing of information.
---------------------------------------------------------------------------
    \9\ See, for example, The Markle Foundation Task Force on National 
Security in the Information Age, Nation At Risk: Policy Makers Need 
Better Information to Protect the Country, March 2009, http://
www.markle.org/downloadable_assets/20090304_mtf_report.pdf; CSIS 
Commission on Cybersecurity for the 44th Presidency, Cybersecurity Two 
Years Later, January 2011, http://csis.org/files/publication/
110128_Lewis_CybersecurityTwoYearsLater_Web.pdf.
---------------------------------------------------------------------------
    A few sectors are subject to Federal notification requirements,\10\ 
but most such information sharing is voluntary, often through sector-
specific Information Sharing and Analysis Centers (ISACs)\11\ or 
programs under the auspices of the Department of Homeland Security 
(DHS) or sector-specific agencies.\12\
---------------------------------------------------------------------------
    \10\ Notable examples include the chemical industry, electricity, 
financial, and transportation sectors.
    \11\ See, for example, ISAC Council, ``National Council of ISACS,'' 
2015, http://www.isaccouncil.org/. ISACs were originally formed 
pursuant to a 1998 Presidential Directive (The White House, 
``Presidential Decision Directive 63: Critical Infrastructure 
Protection,'' May 22, 1998, http://www.fas.org/irp/offdocs/pdd/pdd-
63.htm).
    \12\ See also CRS Report R42114, Federal Laws Relating to 
Cybersecurity: Overview and Discussion of Proposed Revisions, by Eric 
A. Fischer; CRS Report R42409, Cybersecurity: Selected Legal Issues, by 
Edward C. Liu et al.; CRS Report R42984, The 2013 Cybersecurity 
Executive Order: Overview and Considerations for Congress, by Eric A. 
Fischer et al.; CRS Report R4381, Legislation to Facilitate 
Cybersecurity Information Sharing: Economic Analysis, by N. Eric Weiss.
---------------------------------------------------------------------------
    While there is some disagreement among experts about whether 
Federal legislation is needed to address the problem, there appears to 
be fairly broad consensus that such legislation could be useful if 
crafted appropriately but potentially harmful if not. However, there is 
disagreement about what the key characteristics of useful legislation 
would be. Proposals to reduce or remove such barriers, including 
provisions in legislative proposals in the last two Congresses, have 
raised concerns, some of which are related to the purpose of barriers 
that currently impede sharing. Examples include risks to individual 
privacy and even free speech and other rights, use of information for 
purposes other than cybersecurity, such as unrelated Government 
regulatory actions, commercial exploitation of personal information, or 
anticompetitive collusion among businesses that would currently violate 
Federal law.
    More broadly, debate has tended to focus on questions such as the 
following:
    1. What are the kinds of information for which barriers to sharing 
        exist that make effective cybersecurity more difficult, and 
        what are those barriers?
    2. How should information sharing be structured in the public and 
        private sectors to ensure that it is efficient and effective?
    3. What are the risks to privacy rights and civil liberties of 
        individual citizens associated with sharing different kinds of 
        cybersecurity information, and how can those rights and 
        liberties best be protected?
    4. What, if any, statutory protections against liability are needed 
        to reduce disincentives for private-sector entities to share 
        cybersecurity information with each other and with Government 
        agencies, and how can the need to reduce such barriers best be 
        balanced against any risks to well-established protections?
    5. What improvements to current standards and practices are needed 
        to ensure that information sharing is useful and efficient for 
        protecting information systems, networks, and their contents?
    The White House information-sharing proposal would attempt to 
address such questions in several ways. The discussion below includes a 
summary of how the proposal would address them in comparison to the 
following bills addressing information sharing:
   H.R. 234, the Cyber Intelligence Sharing and Protection Act 
        (CISPA), in the 114th Congress, identical to H.R. 624 as passed 
        by the House in the 113th Congress;
   S. 2588, Cybersecurity Information Sharing Act of 2014 
        (CISA) as reported to the Senate in the 113th Congress;
   S. 456, the Cyber Threat Sharing Act of 2015, as introduced 
        in the 114th Congress.
                      kinds of information shared
    Information sharing can involve a wide variety of material 
communicated on a wide range of time scales, ranging from broad 
cybersecurity policies and principles to best practices to descriptions 
of specific threats and vulnerabilities to computer-generated data 
transmitted directly from one information system to another 
electronically. The level of sensitivity of information can also vary--
for example, it may be Classified, proprietary, or personal. 
Information of any class will also vary in its value for cybersecurity 
and the degree to which it needs human processing to be useful.\13\
---------------------------------------------------------------------------
    \13\ See, for example, Kathleen M. Moriarty, ``Transforming 
Expectations for Threat-Intelligence Sharing,'' RSA Perspective (August 
3, 2013), https://www.emc.com/collateral/emc-perspective/h12175-transf-
expect-for-threat-intell-sharing.pdf.
---------------------------------------------------------------------------
    To the extent that the goal of information sharing is to defend 
information systems against cyber attacks, there appears to be a 
consensus that shared information needs to be actionable--that is, it 
should identify or evoke a specific response aimed at mitigating 
cybersecurity risks. To be meaningfully actionable, information may 
often need to be shared very quickly or even in an automated fashion. 
There may therefore be little or no time for human operators to examine 
a specific parcel of data to determine whether sharing it could raise 
privacy, liability, or other concerns.
    The White House proposal would limit the scope of shared 
information covered under the proposal to ``cyber threat indicators,'' 
which includes information needed to ``indicate, describe, or 
identify'' malicious reconnaissance or command-and-control activities, 
methods of social engineering and of defeating technical or operational 
controls, and technical vulnerabilities, and from which ``reasonable 
efforts'' have been made to remove personally identifying information 
if the person is thought to be unrelated to the threat. The definition 
in S. 456 is largely identical.
    The definitions in the White House proposal and S. 456 are arguably 
the narrowest in scope. S. 2588 also focuses on ``cyber threat 
indicators,'' with a definition that is similar to that in the White 
House proposal, but is somewhat broader, including other attributes, 
such as the actual or potential harm caused by an incident. It also 
expressly permits sharing of information on countermeasures--measures 
to prevent or mitigate threats and vulnerabilities.
    H.R. 234 uses the term ``cyber threat information,'' characterized 
as information ``directly pertaining to'' efforts to gain unauthorized 
access to information systems or to effect negative impacts on systems 
or networks, threats to the information security of a system or its 
contents, and vulnerabilities of systems and networks. The bill also 
defines a related term, ``cyber threat intelligence,'' with 
characteristics similar to those of cyber threat information but that 
is in the possession of the intelligence community.
                    structure of information sharing
    Information sharing can conceivably lead to information overload, 
where an entity receives much more information than it can reasonably 
process. That could include not only information of uncertain quality 
and use, but also similar or redundant information from a variety of 
sources. In addition, a proliferation of sharing mechanisms could lead 
to stovepiping, which could reduce sharing across sectors, for example, 
and lack of clarity with respect to responsibilities, which could lead 
to gaps in sharing useful information. In contrast, a narrow, tightly-
defined structure for information sharing could lead to logjams or 
impede innovation in response to continuing evolution of cyberspace.
    The White House proposal and S. 456 would create a structure for 
information sharing that includes the National Cybersecurity and 
Communications Integration Center (NCCIC) as the Federal hub for 
receipt and distribution of cybersecurity information, and fostering 
the use of private information sharing and analysis organizations 
(ISAOs) as recipients of information from private entities.\14\ ISAOs 
could presumably also share such information under the provisions of 
the Homeland Security Act, but the proposal does not specifically 
address that function for them. The proposal would require the DHS 
Secretary to ensure that indicators are shared in a timely fashion with 
other Federal agencies. S. 456 would require that procedures for such 
sharing be established and would specifically require the Secretary to 
ensure that both useful Classified and Unclassified information is 
shared with non-Federal entities.
---------------------------------------------------------------------------
    \14\ ISAOs were defined in the Homeland Security Act (6 U.S.C. § 
131(5)) as entities that gather and analyze information relating to the 
security of critical infrastructure, communicate such information to 
help with defense against and recovery from incidents, and disseminate 
such information to any entities that might assist in carrying out 
those goals. The proposal covers receipt of indicators by ISAOs but 
does not mention communication or dissemination of information by them, 
except, by inference, to the NCCIC. Information Sharing and Analysis 
Centers (ISACs) are more familiar to most observers. They may also be 
ISAOs but are not the same, having been originally formed pursuant to a 
1998 Presidential directive (The White House, ``Presidential Decision 
Directive 63: Critical Infrastructure Protection,'' May 22, 1998, 
http://www.fas.org/irp/offdocs/pdd/pdd-63.htm).
---------------------------------------------------------------------------
    H.R. 234 would create an entity at DHS (presumably the NCCIC \15\) 
to share threat information and an entity at the Department of Justice 
to share cyber crime information. It would require individual agencies 
that receive threat information to develop procedures for sharing it. 
In contrast to S. 456, it would require the Director of National 
Intelligence to establish procedures for sharing Classified threat 
information. It would also designate specific classes of private-sector 
entities as those permitted to monitor systems and share threat 
information under the bill. Those include entities that provide 
cybersecurity goods and services to others or to themselves.
---------------------------------------------------------------------------
    \15\ The text in the bill was originally drafted before the 
enactment of the National Cybersecurity and Communications Integration 
Center Act of 2014 (Pub. L. No. 113-282), which established the NCCIC 
by statute.
---------------------------------------------------------------------------
    S. 2588 would require DHS to create a ``capability and process'' 
for sharing both threat indicators and countermeasures. It would 
establish an interagency process to develop procedures for sharing 
Federal information with the private sector. It would require 
development of an interagency process for sharing Classified threat 
indicators.
                         timeliness of sharing
    The time scale on which shared information will be most useful 
varies. That is especially an issue in an environment where the 
relevance of timing for shared information may be measured in seconds 
or even milliseconds in many cases.\16\ The White House proposal and S. 
456 would address this concern by requiring the NCCIC to share 
indicators ``in as close to real time as practicable'' and by requiring 
establishment of a program to advance automated mechanisms for such 
sharing.
---------------------------------------------------------------------------
    \16\ See, for example, M.J. Herring and K.D. Willett, ``Active 
Cyber Defense: A Vision for Real-Time Cyber Defense,'' Journal of 
Information Warfare 13, no. 2 (April 2014): 46-55.
---------------------------------------------------------------------------
    H.R. 234 and S. 2588 would also require ``real-time sharing.'' The 
meaning of this term is not explicitly defined or described in the 
bills, but it presumably refers to sharing that occurs rapidly, for 
example, by machine-to-machine transmission. That is consistent with 
the stated purposes of the legislative proposals, in that threat 
information would likely need to be disseminated quickly in order to 
detect or prevent incoming cyber attacks, which can occur very quickly. 
This raises the question of whether this term should require any 
particular mode of sharing, for example, by machine-to-machine 
transmission without or with minimal intervening processing by human 
operators, and how different interpretations of the term may impact 
operational effectiveness, privacy interests, and competition for 
technical and financial resources. The White House proposal appears to 
address that through its proposed development of automated mechanisms, 
and S. 2588 would require development of a process to receive 
indicators and countermeasures electronically, including via an 
``automated process between information systems.''
                      privacy and civil liberties
    Concerns relating to privacy and civil liberties, especially the 
protection of personal and proprietary information and uses of shared 
information, have been a significant source of controversy in debate 
about information-sharing legislation. Such concerns have arisen in 
part because the White House proposal and the bills would permit 
sharing of specified cybersecurity information by covered private 
entities ``notwithstanding any other provision of law.'' That would 
arguably remove barriers to sharing stemming from concerns that 
information would inadvertently violate laws such as those on privacy 
and anti-trust.
    However, it also raises concerns about privacy and civil liberties. 
In particular, personally identifying information might be included in 
the shared information but might not be related to the threat. In 
addition, data analytics might conceivably be used to draw inferences 
about identity from data sets even if any given piece of the shared 
information would not be identifying. Second, if access to shared 
information is not strictly controlled and restricted, or is used for 
purposes other than cybersecurity, risks to civil liberties may arise. 
Concerns have also been raised about regulatory use of shared 
information and disclosure of proprietary business information.
    The White House proposal would address such concerns by:
   limiting application of the ``notwithstanding'' provision to 
        indicators disclosed to the NCCIC and ISAOs;
   limiting private-sector use of shared indicators to purposes 
        relating to protection of information systems and their 
        contents;
   requiring minimization of personally identifiable 
        information and safeguarding of any such information that 
        cannot be removed;
   requiring development of guidelines by the Attorney General 
        on limiting the acquisition and sharing of personally 
        identifiable information and establishing processes for 
        anonymization, safeguarding, and destruction of information;
   exempting information received by the Federal Government 
        from disclosure under the Freedom of Information Act;
   prohibiting use of shared information for regulatory 
        enforcement;
   requiring penalties for Federal violations of its 
        restrictions relating to information sharing; and
   an annual report to Congress on privacy and civil liberties.
    S. 456 includes those provisions but would also permit a private 
entity to receive indicators under the ``notwithstanding'' provision.
    H.R. 234 and S. 2588 have related provisions except as follows: 
Both bills explicitly limit Federal use of shared information to 
cybersecurity purposes and uses relating to protection of individuals 
and investigation and prosecution of cyber crimes and certain other 
offenses. They both require various activities to reduce the degree to 
which personal information is shared and other means of safeguarding it 
from unauthorized sharing and use. H.R. 234 requires that guidelines be 
developed through an interagency process.
                         liability protections
    Concern about liability has often been cited as a significant 
barrier to private-sector sharing of cybersecurity information, both 
with other private entities and with the Federal Government. In 
addition to the protections granted by the use of ``notwithstanding any 
other provision of law'' with respect to provision of information by 
private-sector entities, the White House proposal would address this 
issue by prohibiting civil or criminal actions in Federal or State 
courts for covered activities with respect to lawfully obtained cyber 
threat indicators disclosed to or received from the NCCIC or a 
certified ISAO. However, it also specifies monopolistic actions such as 
price fixing that are not permitted.
    The prohibition on civil or criminal actions in H.R. 234 covers 
acquisition and sharing of cyber threat information, or decisions for 
cybersecurity purposes based on such information. The bill stipulates 
that actions must be taken in good faith. The S. 2588 prohibition 
covers only private defendants, and includes monitoring systems or 
sharing information. S. 2588 states that a good-faith reliance that an 
activity was permitted under the bill's provisions will serve as a 
complete defense against any court action. It also stipulates that 
private-sector exchange of cyber threat information or assistance for 
cybersecurity purposes does not violate anti-trust laws, but further 
specifies monopolistic actions such as price-fixing that are not 
permitted.
                improvements to standards and practices
    The concerns discussed above about what information would be most 
useful to share, and how, raise the question of whether better standards 
and best practices are needed for improving the effectiveness and 
efficiency of information sharing.\17\ The White House proposal and S. 
456 would require the DHS Secretary to establish a process for 
selecting a private entity that would determine best practices for 
creating and operating private ISAOs. The recent Executive Order on 
information sharing has a similar provision.\18\ There are no similar 
provisions in the other bills.
---------------------------------------------------------------------------
    \17\ See, for example, Moriarty, Transforming Expectations for 
Threat-Intelligence Sharing.
    \18\ Executive Order 13691, ``Promoting Private Sector 
Cybersecurity Information Sharing,'' Federal Register 80, no. 34 
(February 20, 2015): 9349-53.
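
    The prepared statement describes cyber threat indicators as 
information from which ``reasonable efforts'' have been made to remove 
personally identifying information about persons unrelated to the 
threat, and lists minimization, safeguarding, and destruction of such 
information among the privacy provisions. The following Python block 
is an added illustration of that minimization step and is not part of 
the hearing record, the White House proposal, or any of the bills. The 
record layout, field names (``persons'', ``related_to_threat''), and 
the sample indicator are constructed assumptions; the redaction rule 
(strip identifiers of unrelated persons, keep the attacker's 
infrastructure and persona) follows the statement's description of the 
definition.

```python
"""Added example: PII minimization of a cyber threat indicator before
sharing. Record layout and sample values are constructed for
illustration; they are not the proposal's format."""
import re
from copy import deepcopy

# Loose matcher for e-mail-like strings used as a release check.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Constructed sample indicator (hypothetical incident, reserved
# .example/.invalid names, RFC 5737 documentation address).
SAMPLE_INDICATOR = {
    "indicator_type": "command-and-control",
    "observed": {"domain": "c2.example.invalid", "ip": "203.0.113.45"},
    "description": (
        "Jane Doe (jane.doe@victim.example) opened a phishing mail from "
        "lure@attacker.example; host then beaconed to c2.example.invalid."
    ),
    # Assumed field: who appears in the record and whether the analyst
    # judged them related to the threat (the attacker persona is; the
    # victim employee is not).
    "persons": [
        {"name": "Jane Doe", "email": "jane.doe@victim.example",
         "related_to_threat": False},
        {"name": "Lure Sender", "email": "lure@attacker.example",
         "related_to_threat": True},
    ],
}


def minimize_indicator(indicator):
    """Return (shared_copy, removed_identifiers).

    Identifiers of persons judged unrelated to the threat are redacted
    from free text and dropped from the structured list; the original
    record is left untouched so it can be safeguarded or destroyed
    separately under the retention rules.
    """
    shared = deepcopy(indicator)
    removed = []
    unrelated = [p for p in shared["persons"] if not p["related_to_threat"]]
    text = shared["description"]
    for person in unrelated:
        for ident in (person["email"], person["name"]):
            if ident in text:
                text = text.replace(ident, "[REDACTED]")
                removed.append(ident)
    shared["description"] = text
    shared["persons"] = [p for p in shared["persons"] if p["related_to_threat"]]
    return shared, removed


def residual_pii(indicator, known_threat_identifiers):
    """Release check: e-mail-like strings left in the description that
    are not known threat identifiers (something minimization missed)."""
    found = EMAIL_RE.findall(indicator["description"])
    return [e for e in found if e not in known_threat_identifiers]


if __name__ == "__main__":
    shared, removed = minimize_indicator(SAMPLE_INDICATOR)
    print(shared["description"])
    print("removed:", removed)
    print("residual:", residual_pii(shared, {"lure@attacker.example"}))
```

The two-stage shape matters in practice: minimization is applied to a 
copy so the unminimized original can be held under the safeguarding 
and destruction rules, and a separate release check catches 
identifiers that the redaction list did not know about before anything 
is transmitted.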

    Chairman McCaul. Thank you, Dr. Fischer.
    I now recognize myself for questions.
    Ms. Spaulding, I think as you mentioned, we have 
extraordinary offensive capabilities that we--you and I have 
seen and Dr. Schneck. That kind of capability turned against us 
could be very destructive. It is the defensive capability that 
I think is where we are trying to improve here through 
additional legislation.
    I am very proud of this committee's work last Congress in 
passing really the first cybersecurity legislation, landmark 
cybersecurity legislation, that I think the Ranking Member--I 
can speak for him as well--is both pro-security but pro-
privacy. We had that support from two groups that don't always 
agree on how to get things done.
    Mr. Thompson. Oh, really?
    Chairman McCaul. Well, I am not talking about you. I am 
talking about the pro-privacy and pro-security.
    You know, as I have studied this--and I have studied it 
extensively--it seems to me that there is--the Department of 
Homeland Security is really the ideal place for the safe 
harbor. It is the civilian interface to the private sector. It 
also has a robust privacy office and can protect personal 
information.
    Some would argue it should be another portal in the Federal 
Government. I think that the safe harbor at DHS is--again, 
should be the lead portal, if you will, for the sharing of this 
information.
    But there are other opinions on that. I wanted to elicit 
first from Dr. Schneck and Ms. Spaulding, what are your 
thoughts on how to integrate the other portals that exist 
today? We have, of course, NSA, the intelligence community, we 
have Treasury Department that the financial world, as I talk to 
people in that sector seem to--they like that portal, as well. 
I know that you would be taking it--you know, information from 
the intelligence community, FBI, and other agencies to 
basically funnel that threat information through the DHS 
civilian interface.
    But can you speak to these other portals and how they 
factor into the President's proposal and what do you think 
would be the best idea here?
    Ms. Spaulding. Yes, thank you, Mr. Chairman.
    First, I think it is really important to emphasize what 
this legislation does and does not cover. So this is narrowly 
focused on network defense and the kind of information that is 
most important for specifically defending networks; and that is 
this cyber threat indicator information. It is in no way 
intended to get in the way of existing relationships that 
companies might have today with other parts of the Federal 
Government, whether it is the FBI or Treasury or elsewhere in 
the Federal Government.
    Calls to say we think we see something odd going on in our 
system should continue to be made wherever those companies are 
most comfortable going in. We have mechanisms in place to 
ensure that a call to one is effectively and appropriately a 
call to all; and that we put together the appropriate 
interagency teams to respond to those kinds of requests for 
assistance and information coming in.
    So this is by no means intended to cover all kinds of 
information sharing between the private sector and the 
Government. Those relationships are very important.
    Chairman McCaul. I think that is an important point. As I 
talk to the private sector--and it is very important to me to 
have their buy-in on this--I think that is a very important 
point to make; is that we are not saying you can't have contact 
with these other portals. It is just that DHS is, you know, the 
lead interface.
    Dr. Schneck, do you have any thoughts on that?
    Ms. Schneck. I would only add at a technical level, we are 
working day in and day out with our----
    Ms. Spaulding. Push to talk.
    Ms. Schneck. Sorry. At a technical level, we are working 
constantly with our peers, across with the FBI and with the 
Secret Service and with the intelligence community to look at 
how do we make sure that information that comes in is handled 
and distributed exactly the right way in real time, as if it 
had come into them, so that we can have it. The important thing 
here is that it is not a fragmented weather map, if you would. 
The way to see a tornado--and I used to work tornado modeling. 
The way you do this is to see all the information at once.
    That is one of the key reasons why we think this is so 
important, to have the NCCIC do this. But we are working 
constantly with our partners to make sure that no one is 
deprived of any information. That is what takes so long. It is 
not just a technology problem. This is a policy puzzle of how 
do we preserve the privacy, civil liberties, and equities, 
continue to maintain all the existing relationships and make 
sure information gets to the right people at the right time at 
light speed.
    Chairman McCaul. Let me just echo the comments made 
earlier, and that is that in the last 5 years, I have seen the 
capabilities at Homeland Security go way up. The sharing of 
this threat information in real time has increased 
exponentially, I think, under your leadership. That makes a 
difference. Because there were doubters, you know, 5 years ago 
about whether DHS could stand up and have that capability. I 
think you have demonstrated and proved that they can.
    So last question. Well, I have two quick ones. But on the 
liability protection, I commend the Secretary for coming 
forward with this piece. It is sometimes a bone of contention 
between both sides of the aisle. But I think it is absolutely 
essential to incentivize the private sector to participate in 
the safe harbor; for without that, they will not do so. I think 
they have to have the assurance that if they share information, 
they are not open to a lawsuit.
    So I have talked to the private sector. They like the 
liability protections that are presented here. I think they 
have some concern about private-to-private sharing and the 
certification process and all this. How would that work under 
this proposal?
    Ms. Spaulding. So the liability protections, as you know, 
apply not only to sharing of these cyber threat indicators with 
the NCCIC, with the Department of Homeland Security, but also 
to sharing with these information sharing and analysis 
organizations, these--we call them ISAOs. Many of those are the 
ISACs that exist today for the various sectors; the financial 
services ISAC, the multi-State ISAC, and others.
    So what the legislation provides is that the private sector 
can share among themselves through these appropriate 
organizations and enjoy the same liability protection for 
providing that information to those organizations.
    Chairman McCaul. I think the safe harbor at DHS is a 
construct within--where we want to incentivize most of the 
sharing of information. But I do think the private sector's 
private-to-private sharing also should be protected as well. We 
can discuss that more as this legislation unfolds.
    Last question. I get asked this question probably the most. 
That is, you know, what keeps you up at night? I talk about 
cybersecurity quite a bit. But within this space, to both Ms. 
Spaulding and Dr. Schneck, what keeps you up at night the most?
    Ms. Spaulding. So clearly, what I worry most about is cyber 
activity that would significantly disrupt our critical 
infrastructure. So we spend a lot of time thinking about those 
consequences and making sure we understand interdependencies 
within the physical world. Because this is not just about 
protecting machines, this is about protecting our ways of life.
    So we need to make sure that we understand what are those 
consequences that would be most devastating, and that we are 
working most closely with those parts of our critical 
infrastructure to make sure that we can mitigate those 
consequences and try to prevent, as Dr. Schneck said, bad 
things--bad things from doing bad harm.
    Chairman McCaul. Thank you.
    Dr. Schneck.
    Ms. Schneck. Thank you. I would echo the interface of the 
physical world. No one ever tried to keep a machine safe to 
keep a machine safe. Our job at Homeland Security is to keep 
people safe. The Secretary always tells us that cybersecurity 
is a key part of homeland security.
    Another piece that really does keep me up at night as well 
is our small-to-medium business and our State and local. They 
don't typically have enough budget to focus on cybersecurity. 
Part of the elegance that will come from our teamwork with our 
partners and the FBI and the intelligence community and across 
the private sector and Government is to pull those threat 
indicators together to be able to, in final phases, make them 
available to the greater 99 percent of our business fabric that 
is not a big company and to our State and locals, and to have 
that system learn by participating and make all of us smarter 
and safer.
    If I would just add, I thank you for your gracious comments 
about my leadership earlier. I think about the team back at the 
NCCIC and back across DHS that really makes it happen, and I 
want you to know about that. I walked into the finest team on 
the planet.
    Chairman McCaul. Well, thank you. Your boss just arrived. I 
want to recognize the Secretary. I will reiterate my comments 
about Ms. Spaulding and Dr. Schneck and their tremendous 
performance in standing up DHS with the capabilities with the 
respect it deserves, and I think the ability to move forward 
with the proposal from you, sir.
    I also commended you before you came in on your proposal of 
liability protection, which I think will incentivize the 
private sector to fully participate in this safe harbor. So 
thank you for your leadership. You got two really good 
employees right here.
    So with that, the Chairman now recognizes the Ranking 
Member.
    Mr. Thompson. Thank you, Mr. Chairman.
    Very rarely do we agree 100 percent on anything. But the 
two employees referenced here today absolutely have 
distinguished themselves. Not just here, but in their careers 
in general.
    I would like unanimous consent to have entered into the 
record the letter that you co-authored with me and our 
colleagues on the Senate to the President referencing some 
concerns we had about the new cyber center.
    Chairman McCaul. Without objection, it is ordered.
    [The information follows:]
  Letter Submitted for the Record by Ranking Member Bennie G. Thompson
                                 February 11, 2015.
The Honorable Barack Obama,
President of The United States, The White House, Washington, DC 20500.
    Dear Mr. President: Thank you for your dedication and leadership on 
the important national and economic security issue of cybersecurity. As 
the leaders of the Committees that developed legislation to codify the 
Department of Homeland Security's role as the lead Federal agency for 
helping to protect private sector networks, principally through the 
National Cybersecurity and Communications Integration Center (NCCIC), 
we have several questions regarding your newly-unveiled proposal for a 
new cybersecurity information integration center.
    We were pleased that you signed ``National Cybersecurity Protection 
Act of 2014'' (P.L. 113-282) into law less than two months ago, on 
December 18th, and implementation of that law is underway. At this 
time, the NCCIC, with its newly codified authority, is working to 
establish itself as an effective partner with the private sector to 
meet evolving cybersecurity challenges. Pursuant to the ``National 
Cybersecurity Protection Act of 2014,'' among the functions of the 
NCCIC are the following:
    ``(1) being a Federal civilian interface for the multi-directional 
        and cross-sector sharing of information related to 
        cybersecurity risks, incidents, analysis, and warnings for 
        Federal and non-Federal entities;
    ``(2) providing shared situational awareness to enable real-time, 
        integrated, and operational actions across the Federal 
        Government and non-Federal entities to address cybersecurity 
        risks and incidents to Federal and non-Federal entities;
    ``(3) coordinating the sharing of information related to 
        cybersecurity risks and incidents across the Federal 
        Government;''
    Additionally, the NCCIC is ``a 24/7 cyber situational awareness, 
incident response, and management center that is a national nexus of 
cyber and communications integration for the Federal government, 
intelligence community, and law enforcement.'' We understand that 
increasing private sector participation and improving the quantity and 
quality of information received at this Federal civilian center was a 
priority for you, as it is for us and DHS Secretary Jeh Johnson.
    Therefore, we have questions about your new proposal to establish 
another information sharing hub, the Cyber Threat Intelligence 
Integration Center (CTIIC) that was unveiled this week, as the 
activities outlined for the center seem to resemble the functions 
authorized in law for the NCCIC. We are concerned that the introduction 
of the CTIIC at this moment in the NCCIC's evolution may complicate 
those efforts and introduce uncertainty for the private sector and 
other partners. It also risks driving away activity to the new CTIIC, 
which would be operated by the Office of the Director of National 
Intelligence (ODNI).
    Accordingly, we request that you please answer the following 
questions:
    • Why is the CTIIC needed at this time? How is it supposed to 
        differ from the NCCIC? Do you intend to submit a legislative 
        proposal to Congress to authorize this center? If so, when?
    • Some have observed that functions of the CTIIC are 
        duplicative with those of the NCCIC.\1\ Others have said that 
        it introduces unnecessary bureaucracy.\2\ Is the CTIIC 
        duplicative? Specifically, what are the responsibilities and 
        activities of the CTIIC and are they already covered by the 
        NCCIC or, for that matter, the FBI's cyber center?
---------------------------------------------------------------------------
    \1\ Sean Lyngaas, ``New Cyber Agency Modeled on Counterterrorism 
Center,'' FEDERAL COMPUTER WEEK (FCW), February 10, 2015, wrote that 
Chris Cummiskey, the former DHS under secretary for management, said 
his first reaction to the news of the CTIIC's establishment was that 
``its prescribed functions sounded quite a bit like NCCIC's.''
    \2\ Melissa Hathaway, former White House cybersecurity coordinator 
and president of Hathaway Global Strategies, told Ellen Nakashima in 
``New Agency to Sniff Out Threats in Cyberspace,'' WASHINGTON POST, 
February 10, 2015, that ``We should not be creating more 
organizations and bureaucracy . . . we need to be forcing the existing 
organizations to become more effective--hold them accountable.'' 
Further, Stephen Cobb, a security researcher at ESET North America, 
told National Public Radio's Marketplace Tech that ``the only real 
difference between NCCIC and CTIIC is that NCCIC reports to the 
Department of Homeland Security, whereas the new agency answers to the 
Office of Director of National Intelligence,'' at http://
www.marketplace.org/topics/tech/two-cybersecurity-agencies-diverged-
wood.
---------------------------------------------------------------------------
    • Why are you establishing this center at the ODNI, 
        particularly in light of your longstanding interest in 
        bolstering DHS as the interface for the private sector on 
        cybersecurity? What interactions will the new center have with 
        the private sector?
    • Given that the CTIIC will be housed in the Intelligence 
        Community, please explain how it will relate to the National 
        Security Agency and the degree to which it will be involved in 
        the collection of intelligence?
    • As you roll out this new center, how do you plan to ensure 
        that the private sector shares timely cyber threat information 
        with the statutorily-authorized NCCIC?
    • To what degree does the effectiveness of the CTIIC depend on 
        enactment of information-sharing legislation? The protections 
        for personally identifiable information are well-established 
        with respect to private sector information sharing at the 
        NCCIC. What, if any, privacy protections would be required for 
        information sharing with the CTIIC?
    As partners in efforts to bolster the nation's cyber posture, we 
have a keen interest in ensuring efficiency and effectiveness of the 
Federal government's efforts and seek opportunities to minimize 
duplication and get the best results for our money.
    Thank you, in advance, for your timely response to our questions. 
Should you or other members of your team need to follow up on this 
request, please feel free to contact Hope Goins, Chief Counsel for 
Oversight (Committee on Homeland Security, Minority), Brett DeWitt, 
Senior Policy Advisor for Cybersecurity (Committee on Homeland 
Security, Majority), Matt Grote, Senior Professional Staff Member 
(Senate Homeland Security and Governmental Affairs Committee, Minority) 
or William McKenna, Chief Counsel for Homeland Security (Senate 
Homeland Security and Governmental Affairs Committee, Majority).
            Sincerely,
                                        Bennie G. Thompson,
                    Ranking Member, Committee on Homeland Security.
                                         Michael T. McCaul,
                          Chairman, Committee on Homeland Security.
                                          Thomas R. Carper,
Ranking Member, Homeland Security and Governmental Affairs Committee.
                                               Ron Johnson,
      Chairman, Homeland Security and Governmental Affairs Committee.

    Mr. Thompson. Thank you.
    Ms. Spaulding, I referenced the letter in my opening 
statements. I would hope that at some point we will have an 
answer back on that. Thank you very much.
    In 3 days, unless a miracle happens, we will be, as a 
Department, out of money. We have talked here about the cyber 
threat and what that means to this country, what keeps us up at 
night and all of that.
    Ms. Spaulding, can you enlighten the Members of this 
committee, if 3 days come and DHS is without money to go 
forward, what that would mean for our cyber defense here?
    Ms. Spaulding. Absolutely, Ranking Member Thompson. Thank 
you, and let me just reassure you that we are working 
diligently on the response to your letter, and it will arrive 
promptly. It is a priority of the Secretary's that we be prompt 
in our response to Congressional inquiries. This is one we take 
particularly seriously. We will get back to you very quickly on 
that.
    With regard to the impact of a potential funding hiatus, I 
can say it will--as I said in my testimony, it will have an 
impact on our cyber mission. Let me give you a few examples. So 
we are in the process of deploying the latest iteration of our 
sensors in the dot.gov, in our civilian government networks and 
systems. That is our Einstein program. This is Einstein 3A, 
which is the technology that will help us not just detect, but 
block the intrusions coming in; and Einstein 2, which is the 
detection capability.
    These activities of rolling this out will have to stop in 
the event of a funding hiatus. I will say a week of stoppage we 
could probably make up. But with each week that continues, that 
is another couple of agencies that are not brought on-board and 
receiving the protection at a time when the adversary is not 
taking any break in their efforts to penetrate our civilian 
government systems.
    Our other dot.gov technology is our continuous 
diagnostics and mitigation program, which looks inside that 
civilian government networks and systems to look at their 
health. That--deployment of that also will be delayed if we 
have a funding hiatus. That has an impact on our ability to 
quickly address--identify and address vulnerabilities like the 
JASBUG vulnerability that has been most recently in the media.
    With regard to our enhanced cybersecurity services program, 
where we make sensitive Government and Classified information 
available to cybersecurity providers to better protect private-
sector companies, the on-boarding of new providers will be 
delayed if we have a funding hiatus. So our ability to protect 
critical infrastructure owners and operators will be impacted.
    On the communications side, our ability to keep up with the 
next generation of communication technologies that the private 
sector is going full-speed-ahead to implement, our ability to 
continue to provide priority interoperable communication for 
National security and emergency response will be impacted, will 
be delayed. As I say, in the meantime, the private sector is 
rolling out that new technology. If we don't keep up, we will 
not be able to provide that prioritized interoperable 
communications that is so essential.
    Mr. Thompson. Well, thank you very much. A follow-up to 
that, all of us want to work with the business community. What 
constraints would a lack of money impact the Department's work 
in interfacing from a cyber standpoint with the business 
community?
    Ms. Spaulding. So the work we do on a daily basis to build 
those essential trusted relationships would be put on hold. All 
of that outreach, we are--have done a campaign across the 
country, for example, to educate critical infrastructure owners 
and operators about threats to their industrial control systems 
in cyber space. Critically important; you asked what keeps me 
awake at night, those are the kinds of things that do. Those 
activities would not be able to continue.
    The guidance from the President, the direction to the 
President to have--for the Department to set up the standards 
body to facilitate the establishment of these appropriate 
information-sharing mechanisms between private-sector entities, 
these information sharing and analysis organizations, our 
ability to issue that grant and get that going forward would be 
hampered by both a continuing resolution and certainly by a 
funding hiatus.
    Mr. Thompson. Thank you, Mr. Chairman. I yield back.
    Chairman McCaul. Let me just say for myself that I don't 
think we should be playing politics with the National Security 
Agency, given the high-threat environment that we are in today, 
both from a cybersecurity standpoint and also from al-Qaeda and 
ISIS, as well. I certainly hope that Congress can resolve this 
and avoid a shutdown of the Department.
    With that, the Chairman now recognizes Mr. Clawson.
    Mr. Clawson. Thank you for coming today and for your 
service. Thank you--both of y'all for holding this important 
session.
    So I imagine myself on the top of a large multi-national 
company. I have got employee--I have got stakeholders all over 
the world, a board of directors that is not all Americans. I 
have got an ERP system, maybe it is--could be Triton Bond, 
could be Oracle, could be--you know, could be SAP, could be 
anything. I have worked years to get it integrated around the 
world. Factories everywhere. I accept that cybersecurity is an 
important public good, and that if we don't have it, we are 
dead. I also accept that the liability insurance that y'all 
talk about here protects one stakeholder, and that is the 
shareholder.
    But my world is much more complicated. I have data centers, 
regional data centers, all over the world, with customers and 
suppliers integrated in those data centers. Now as CEO, I am 
gonna go out and say look, y'all, in the name of cybersecurity 
for the world, but mainly for America, we are gonna start 
sharing data. You kind of have to trust us on what we are gonna 
share, when we are gonna share it. The devil will be in the 
details actually. We are gonna--you know, those specifics will 
be defined later. But don't worry, none of this data will get 
into the wrong hands; your privacy will not be violated, even 
though you grew up in the Czech Republic or Russia, where they 
were spied upon their whole lives, and the last thing they want 
is another big brother.
    It feels to me like y'all got a tough sale. It feels to me 
liability insurance or not, that my world is all about multiple 
stakeholders. It is not just about profit; big, bad 
corporations making more money. We are trying to protect our 
customers, our suppliers, the communities that we live in. What 
I have read so far about what y'all propose just doesn't feel 
like a very compelling case that I can take to my multi-
national board of directors.
    What am I missing, and what data can you give to make this 
more palatable? Because if you can't get me, I know what my 
friends back in the private sector are gonna say. It is not 
just about profit. Go ahead.
    Ms. Spaulding. No, Congressman, you have very well 
articulated the concerns that we hear when we are out talking 
to our partners in the private sector. You are absolutely 
right. There is a wide range of reasons that companies have--
legitimate reasons--for having concerns about sharing 
information with the Government.
    Mr. Clawson. It is not just lack--it is not lack of 
patriotism.
    Ms. Spaulding. Right. No, I totally agree. Throughout my 
career, interacting with CEOs of companies, I find them to be 
an extremely patriotic bunch. So I absolutely agree.
    I will say, with respect to this legislative proposal and 
the sharing of cyber threat indicator information, you are 
correct, the devil is in the details. The good news is that as 
we move to automated information sharing, those details will be 
apparent. There will be total transparency about the specific 
kinds of information that we are seeking and receiving.
    Because we are creating a structured way of presenting that 
information that will detail very specifically the kind of 
information that we want to get. We will also work through the 
policy and protocols for protecting that sensitive information, 
both in terms of proprietary information and privacy 
information. So those things will be transparent.
    Mr. Clawson. Can you imagine if, in one of the countries 
that I operate in, the government of that country telling me 
that I had to share this same sort of information? How would we 
respond?
    Ms. Spaulding. Again, I--think the--limiting this to cyber 
threat indicator information, which is fairly technical 
information about the IP addresses that are sending malware, 
for example, to disrupt equipment, this is the kind of 
information that is less sensitive. Each company will make its 
own decisions. I think you are right.
    One of the things we have tried to be clear about, this is 
not a silver bullet, this is not a panacea, this is not gonna 
make every company open its doors. But it does address concerns 
that we have heard from the private sector. There will be a 
fair amount of detail about precisely what we are talking about 
sharing here. The legislation defines it fairly----
    Mr. Clawson. I think that without that detail, any private-
sector CEO would be negligent to go along on the basis of 
trust.
    Chairman McCaul. Dr. Schneck, would you like to answer 
that?
    Ms. Schneck. Yes, very briefly. So I was in a very large 
company about 18 months ago. I hear you. I lived that. I was 
not at the level you describe. But I was a key technology 
officer for the global government. I was the one that shared 
information or didn't. I was the subject of a storied phone 
call from a former FBI executive and executive assistant 
director, three down from the top, who I consider a very close 
friend, who yelled at me at 11:00 at night on my home phone 
because he found out something he didn't know, and I couldn't 
share it with him.
    We are going to have to earn your trust. This sharing is 
not required. It is my scientific belief that there will be 
benefits in getting our data. You don't have to give anything 
at first to get it. I think what the under secretary points out 
is very important, it is key. These are just scientific 
indicators. But you--the companies will see that. We will work 
to earn your trust. It is voluntary.
    Mr. Clawson. I am nonpartisan on this issue. Anything I can 
do to help you, you know, with my background, I urge you to 
seek me out. I am always worried about people on the telephone. 
I am even more worried about people in my ERP system. So with 
that as a starting point, y'all--you know, use--anything I can 
do to help, I am here.
    Ms. Spaulding. Thank you very much, Congressman. We will 
definitely take you up on that. Thank you.
    Chairman McCaul. If the gentleman would yield, we do have a 
field trip, if you will, to the NCCIC facility. I would 
encourage you to attend that. I think it is important to note 
also this is not a mandatory sharing system. It is voluntary. 
This authorization that we authorized the Department's cyber 
operations last Congress had the support of industry, the 
chamber, the privacy groups.
    All I think in moving forward what we want to do is provide 
liability protection so that they can fully participate. 
Because I think there is a reluctance, as you point out. 
Because you have a duty to the shareholders to not want to 
participate until you have that assurance that you wouldn't 
open yourself up to a lawsuit. So I look forward to you--you 
obviously have tremendous experience on this issue. I look 
forward to working with you on this.
    Chairman recognizes the gentlelady from Texas, Ms. Jackson 
Lee.
    Ms. Jackson Lee. Mr. Chairman, thank you very much. I might 
say to my good friend, Mr. Clawson, with his experience but 
also his demeanor. I truly believe that we have common ground 
on these very important issues.
    I gave an old story that I hope will be very brief. I 
indicated that when I chaired the transportation security 
committee, we had included infrastructure, which was then 
cybersecurity. The point was that it was all embracing an 
infrastructure that we had not yet hit, if you will, the 
epicenter of fear and epicenter of hacking. But we did look at 
the infrastructures that are governed by cybersecurity and 
realized that we were vulnerable.
    So I want to thank all of you for bringing us up into the 
21st Century as it relates to homeland security and this 
very crucial issue. I want to add my appreciation for those of 
you who have come from the private sector for serving your 
Nation.
    Let me acknowledge the Secretary in his absence and thank 
him for being, as he has indicated, everywhere and all over on 
the basis of National security.
    I want to thank the Chairman of this full committee. I hope 
that his efforts will be heard in his Republican conference 
that we should be dealing with National security and not 
political security. Clearly, on the issue of where we are in 
this time and date and what we are facing, I can't imagine a 
more important component. There are many important components 
at DHS. But certainly, what we are discussing today has far-
reaching impact.
    So I want to just take the words that were presented when 
the President offered his thoughts on January 13 and he said 
when public and private networks are facing an unprecedented 
threat from rogue hackers, as well as organized crime and even 
state actors, the President is, of course, unveiling the next 
steps in his plan to defend the Nation.
    At that time, then he unveiled the White House proposal. 
That is, of course, the Cyber Threat Intelligence Integration 
Center. Many of you know that we have worked so hard on the 
efforts to have the National Cybersecurity and Communications 
Integration Center.
    So my questions are going to be--I know we had some earlier 
discussions--the pointed synergism, if you will, of those two 
entities and the concern about confusion between the broader 
public. My interpretation--I have some privacy questions--is 
that the CTIIC will be not gathering, but analyzing; will be 
the high-level threat entity. My concern is, will that 
information of their analysis be accessible to DHS, Members of 
the respective homeland security committees? Because it looks 
as if there is an attempt to put a wall between the very agency 
that then has to act on trying to save the Nation.
    Then, of course, the NCCIC will be the face to the private 
sector. We will have to engender their trust. They will have to 
know well, this is an agency that can help me, or do I need to 
try to bang down the doors of the CTIIC, even though that is 
not the intent?
    So let me just end right there so that I can ask you, Madam 
Secretary Spaulding, our Ranking Member gave you the 
opportunity for a long litany. Let me for the record speak to 
this defunding or no funding of Department of Homeland Security 
in the backdrop of--let me try not to use the word ``crisis''--
but the increasing threats that are viable through hacking, 
through other efforts as it relates to security.
    Does this put us, the Department of Homeland Security and 
the security of this Nation, in a position of jeopardy if all 
of the functions in your area are either halted, stalled, 
people laid off because of the actual moment in history that we 
are in? Are we at a serious moment in history that you need all 
hands on deck?
    Ms. Spaulding. Congresswoman, I think that is an accurate 
statement. I mean, we are--as this committee knows as well as 
anyone, we are, as I said, under daily moment-by-moment efforts 
by adversaries to penetrate our networks and systems across the 
Federal Government, State, local, territorial, Tribal 
government systems, and the private sector.
    There is no pausing, no slowing down, in that range of 
actors' efforts to penetrate our systems and to do us harm. So 
anything that hampers, we are running on a daily basis full 
speed ahead to try to keep ahead of those--efforts of those 
adversaries. Anything that hampers and slows us down creates 
risk for us and for the Nation.
    Ms. Jackson Lee. If I could get these last two questions 
in, I would greatly appreciate it.
    I started out by offering my assessment of the CTIC--CTIIC 
and the NCCIC. So if I could get the question answered as to 
how the public is to decipher between these entities. Then I 
want to add a question of my colleague here on privacy.
    Will the information shared that is going to be shared with 
the Government identify the identity of law-abiding citizens? 
Will it be the responsibility of the company--companies--for 
removing personal information for what is shared with DHS?
    So first, how are they gonna interface with these two 
entities? I am concerned about the confusion. Then the privacy 
question.
    Ms. Spaulding. Great. I very much appreciate the question. 
We welcome the establishment of the Cyber Threat Intelligence 
Integration Center. Those two ``I''s are actually important to 
help make this distinction. Because what the CTIIC will do for 
us is to pull together intelligence information from across the 
16 different entities that make up that intelligence community 
over which the DNI, the Director of National Intelligence, has 
purview.
    So that is a very useful function for us. Part of their 
articulated, explicit mission is to support the NCCIC, our 
operations in watch center, and the other centers across 
Government; the FBI's NCIJTF and the other centers out there 
across Government. They are--in military terms, they are 
supporting command and we are the supported demand. So they 
will provide that integrated analysis for us, which will be 
very useful.
    They also will be one place where we can go to work with 
the intelligence community to get information cleared for wide 
dissemination. So whether that is continuing to press 
intelligence agencies to write or release, to create products 
from the very beginning that can be widely disseminated or to 
go back to them to get things declassified that we think are 
important to disseminate widely. Instead of having to go to 16 
different entities, we can go to this one place who will be an 
advocate for us, because that is their mission in making sure 
we can disseminate this information.
    Those two key functions will be really helpful for us. It 
is a very distinct mission from our mission, which is to 
interact with the private sector. That is not the mission of 
the CTIIC. Our mission is to interact on a daily basis with our 
partners across the Federal Government and the private sector 
and to receive information from them; and most importantly, to 
get information out as broadly as we the can so that those who 
are trying to defend their networks can do so effectively.
    I will ask the deputy to address the privacy issue if----
    Mr. Clawson [presiding]. Quickly, if that is okay.
    Ms. Schneck. I will make it very quick, sir.
    The privacy issue cuts to the core of why we do what we do 
and why I came here to the Department to serve in Government. 
The story I shared about the call from the FBI, this is one of 
the finest investigators on the planet. I wanted to answer him. 
I couldn't. If we had a system like this in place that night, I 
could have. My lawyer would have given us the ability to share 
just the indicators. So what we are building----
    Mr. Clawson. That I understand.
    Ms. Schneck. So what we are building is with a team, 
working every day with the FBI, their assistant director of 
cyber. He called me last night just to make sure we were in the 
loop on things. This is the kind of relationship that we have. 
He called me on my cell phone a couple of weeks ago. We have----
    Ms. Jackson Lee. Are you answering--I am sorry. I don't 
want to interrupt. But are you answering my question, which is 
will the information----
    Ms. Schneck. Yes.
    Ms. Jackson Lee [continuing]. Shared identify--because I 
want to--abide by the Chairman----
    Ms. Schneck. No. Working with----
    Ms. Jackson Lee [continuing]. Identify law-abiding citizens 
and is the companies have the responsibility of removing the 
personal data?
    Ms. Schneck. The companies have a responsibility to make a 
good-faith effort. This is a policy puzzle that which is being 
solved each day by working together with each different equity 
with the private sector, with law enforcement, with the 
intelligence community. We are doing our best to get everybody 
to design that.
    Ms. Jackson Lee. Mr. Chairman, I am just gonna say this for 
the record and then yield back.
    You all issued $25 million in cybersecurity education 
grants. I noticed that States to the west of the Mississippi, 
including Texas, have not been included. I would like to meet 
with whoever is appropriate to talk about these important 
grants. Because we need a vast array of representation. So 
would someone let me know who I should be meeting with?
    Ms. Spaulding. Absolutely, Congresswoman. That was 
announced by the Department of Energy for historically black 
colleges and universities. We will absolutely make sure that 
you get a full briefing on that and hear your thoughts.
    Ms. Jackson Lee. I thank the gentleman for his courtesy. 
Thank you. I yield back.
    Mr. Clawson. The Chairman recognizes the gentleman from 
Texas, Mr. Hurd.
    Mr. Hurd. I would like to also thank y'all for being here. 
This is an important topic. I know a little something about it. 
I spent 9 years as an undercover officer in the CIA. My job was 
collecting intelligence on threats to the homeland. But I also 
did some offensive cyber operations and I recognize the 
dangerous threat that is out there. Helped start a 
cybersecurity company, as well. I have been doing that for the 
last 5 years. It is pretty scary, the folks that y'all have to 
help defend against. So it is a difficult job. But I appreciate 
you all being here.
    My question is, you know, when you look at Border Patrol 
and ICE, they have difficulty sharing information amongst each 
other. A lot of it is structural issues; right? You know, it 
is--and then you talk about, you know, having DHS sharing with 
FBI or CIA or NSA. Even more difficult. Then also trying to do 
it with the private sector. I know this is one of the areas 
that these new entities have been created to do.
    My question is, you know, in an attack of the magnitude 
that we are starting to see, one of the most important things 
that you need is you need timely information. What is the 
system--how are y'all trying to design this so that the 
information is timely?
    Ms. Schneck. So as information comes in, it will go through 
a process that is automatic. So that is fractions of a second 
for a machine. Indicators will be available through those 
standard protocols that every machine can read and every 
machine can send. So right now, we are depending our real-time 
sharing on people to all be in the room to get it at once to 
create a report and to fan it out. Now you will have machines 
do it at their speed, which is the speed of the adversary.
    This already works in pockets in the private sector, 
protecting against bot-nets. A few tens of thousands of 
machines light up with bad behavior, and the rest of the world 
can block against them. We will do that for extended threats, 
as well as the ability to combine what we see of protecting the 
Government, combining it with what we see which may be 
partnered or bought from private sector, and creating a large 
set of data that can be provided to all.
    Mr. Hurd. So how do you plan on sharing tactics, 
techniques, and procedures that the bad guys are using; right? 
It is one thing to have an IP address or a piece of digital 
code that you can share, that you can share quickly. But some 
of the--you know, they are looking at certain, you know, ports 
or the style of the attack. How is that gonna be shared with 
the broader community?
    Ms. Schneck. I think two ways. One is, that is currently 
shared today across the agencies and with the private sector 
through trusted relationships. The other way is as we see those 
indicators coming in, we build patterns that can be combined. 
Again, this is where the CTIIC can help, as well. That can be 
combined with the intelligence they would give us and creating 
an even broader picture for then people to disseminate that 
context.
    Mr. Hurd. Thank you. Thank you for that. The other area is, 
you know, the stuff that you are talking about, obviously, the 
level of classification of the data, you know, is not going to 
be a problem because you are sharing it, you know, with folks. 
But how do we address the classification of threat information 
that is gathered by, you know, elements throughout the entire 
Federal Government to push that down to the private sector?
    Ms. Spaulding. So this is also an issue that we deal with 
on a regular basis currently. We have a couple of ways we 
address this. One is, as I mentioned, the enhanced 
cybersecurity services program that we are implementing and 
have implemented, where we work with managed security providers 
to build systems that can take Classified information and, 
while protecting sources and methods, use that information to 
provide enhanced cybersecurity solutions to their customers.
    So this is a way for us to use Classified information, to 
protect private-sector entities, without having to clear all of 
those private-sector entities to receive the information. So 
that is one way.
    The other thing that we do is we do interact on a very 
regular basis with the help of our intelligence and analysis 
I&A directorate, headed by General Frank Taylor, with the 
intelligence community to help them understand what is the 
information that we need to get out more broadly and what is 
the information we don't need to share that might implicate 
sources and methods.
    That granularity we are able to achieve because we bring in 
cleared private-sector folks who look at the intelligence and 
say as a network defender, this is the piece I need. I don't 
need to know where it came from. I don't need to know all of 
these other things that are very sensitive. But this bit I 
need. Then we can go back to the intelligence community and say 
this is the piece we really need to get out to folks.
    That equities review process is actually working fairly 
well. We have shortened the amount of time that it takes to run 
through that process significantly. We also have ways of, 
again, working to mask sources and methods and be able to 
disseminate that information.
    So these are issues we are working through, but would love 
to sit down and talk with you. You might have some additional 
insights and ideas for us to continue to push that boundary.
    Mr. Hurd. Thank you. I yield back.
    Chairman McCaul [presiding]. Thank you, Mr. Hurd.
    The Chairman now recognizes my fellow co-chair of the 
cybersecurity caucus, Mr. Langevin.
    Mr. Langevin. Thank you, Mr. Chairman. I thank you, Mr. 
Chairman, and Ranking Member Thompson for the attention and 
support you have been giving to this topic for many years. In 
many ways, you and I were pioneers on this--in the Congress on 
the challenges we face in cyber space.
    I want to thank our panelists for their testimony today, 
for the work you are doing on this issue. I applaud your work 
and the Department's work, and especially the President's 
leadership on trying to better protect the Nation's cyber 
space, close the glaring vulnerabilities that we face.
    Of the range of things that we could do in this area and 
clearly, we face significant challenges, I have often said that 
this is never a problem, unfortunately, that we are going to 
solve. It is a problem to be managed. Right now, the aperture 
vulnerability is wide open. What we need to do is shrink this 
down to something that is much more manageable.
    I have often said that the single most important thing we 
can do in closing that aperture vulnerability is information 
sharing. Right now in many ways we are fighting this battle 
with both hands tied behind our back. If we can inform, the 
Government can share the information that it has with private 
sector more easily and private sector can share the threat and 
the hacks that they are experiencing, we can disseminate that, 
we are going to be light years ahead of where we are right now.
    So with that point--and maybe, Dr. Fischer, I will start 
with you. Information sharing is in many ways, it is a means to 
an end. It is undoubtedly an important means. However, as has 
been demonstrated, even at DHS, for example, during Heartbleed, 
perfect information is useless without appropriate processes, 
protocols, and people to act on it.
    So based on your scholarship, can you give a base 
assessment of the proportion of cyber incidents that only 
succeeded because information about a known threat was not 
disseminated? How substantial an impact do you foresee cyber 
information sharing legislation, such as the President's 
proposal, having on the overall state of cybersecurity?
    Mr. Fischer. Well, Congressman, I would have to get back to 
you on the specifics with respect to what there might be--what 
the proportion of attacks that have been, say, prevented 
specifically with respect to--because of cybersecurity 
information sharing.
    The question, though, with respect to--I mean, part of the 
problem here is that there are--information sharing, as a 
number of people have said, is no silver bullet. It is an 
important tool for protecting systems and their contents. As 
long as organizations are not implementing even basic cyber 
hygiene, there are going to be some significant difficulties.
    So companies--there are demonstrated cases of companies 
that have had the information which--but nevertheless, did not 
pay sufficient attention to it. They have had information they 
could have used to prevent an attack.
    If a company is not prepared to implement sort of threat 
assessments that they receive, then that is going to be a 
problem. A recent study by Hewlett Packard I think indicated 
like 45 percent of companies do not actually have sufficient 
basic cyber hygiene. So those sorts of companies are not going 
to be able to actually implement information sharing 
effectively. So--and what was the second part of your question, 
sir?
    Mr. Langevin. I wanted to know the substantial impact that 
you perceive that information-sharing legislation would have on 
the--such as the President's bill would have on the overall 
state of cybersecurity.
    Mr. Fischer. Right. That is something--there is a 
fundamental sort of issue about the effectiveness of 
information sharing. It is very difficult to measure--and there 
have been attempts by a number of folks. I saw a recent study 
by the Rand Corporation, for example, to try to analyze what 
the effectiveness of information sharing is.
    So you start out with a baseline. So the question is well, 
what is the current baseline for information sharing? How much 
would actually improving information sharing improve 
cybersecurity? There are plenty of examples, specific examples. 
It is very--I think one could make a fairly compelling case on 
principle as to why improving information sharing is important.
    But to really be able to determine its actual effectiveness 
will require, I think, additional information and study, and 
perhaps some information that is not readily available now. So 
I am sorry I can't give you a--you know, a definite answer to 
it. But it is an important challenge, and one I think that a 
number of people are thinking about.
    Mr. Langevin. Well, my time is expired. But I will have 
additional questions for our witnesses. I just want to thank 
you for the expertise you bring to the table, the work you are 
doing in this, and I look forward to supporting you in your 
efforts.
    Thank you, Mr. Chairman.
    Chairman McCaul. Thank you. Thank you for your strong 
interest and leadership on this issue.
    The Chairman now recognizes the gentleman from Georgia, Mr. 
Carter.
    Mr. Carter. Thank you, Mr. Chairman. Thank you to each of 
you for being here.
    This is obviously something that is very needed. I want to 
speak about small businesses, in particular. I am a small 
business owner, or I was. My wife is now. But, you know, I have 
three independent retail pharmacies, have 19 employees. This is 
important. This is important to my business, just as it is 
important to a big corporation. But it is tough. It is tough 
for us to adhere to some of the procedures, some of the 
policies that we are gonna be forced to adhere to. Do you take 
that into account at all?
    Ms. Spaulding. We absolutely pay, as the deputy said, 
particular attention to small and medium-sized businesses. So 
the first thing that I want to point out is that even with this 
information-sharing legislation, it is all voluntary. So there 
are no new requirements being imposed on businesses of any size 
pursuant to this legislative proposal.
    But that said, even a company that wants to voluntarily 
participate in this may be challenged by a lack of resources 
and the ability to bring on the human resources.
    So we do look at how can we facilitate better cyber hygiene 
by small and medium-size businesses. Because they make up the 
important part of that cyber ecosystem in which our critical 
infrastructure swims. We all swim in the same ocean. As we saw 
in the Target breach, those small companies can be an opening 
for an adversary.
    So I will let the deputy address a request for proposals 
for information that we put out to the cybersecurity solution 
providers to say, what ideas can you give us from your 
innovation in the private sector to specifically address the 
needs of small and medium-size businesses? Because we 
understand that is a real challenge, but it is critically 
important.
    Mr. Carter. Well, and thank you for recognizing that.
    Ms. Schneck. So as I mentioned earlier, it is the small 
businesses and State and locals that also keep me at night. Two 
initial things I did when I came here. First is we put money to 
protect the State and local governments and gave them 
management security services that we paid for. We couldn't do 
that for small businesses.
    So what we did was put out a request for information, which 
is basically asking all the companies to please tell us how 
would you use your innovation and use your desire for revenue, 
use the market to drive better, faster, safer, cheaper 
solutions that can enable, whether you are a small business 
that makes the solution, makes money off it, or whether you are 
one that gets the protection from it.
    The other piece I want to make very, very clear is in all 
this technical talk, the main thing is that as we as a 
Government are able to put together this indicator information, 
that is available for you. You don't have to give us anything. 
So you will inevitably, as any business, buy a few widgets to 
protect yourself. Whatever those widgets are in our vision--and 
I don't mean in 5 years, I mean hopefully in 1, if not sooner--
will be able to start to talk to our big database and get what 
we have. We are not asking you to necessarily deliberately 
share things. So we are trying to just make it available to you 
because we recognize that.
    Mr. Carter. Well, good. Thank you for that. But let me ask 
you, thus far have you had a good participation rate from small 
and medium-sized businesses?
    Ms. Schneck. I have a binder literally that thick full of 
responses to that proposal and requests for information that 
could lead to a request for a proposal. The team is looking at 
how we act on that. It will go into a larger strategy in the 
name of efficiency in cybersecurity really across DHS with all 
the components, the two pieces of cyber.
    But our State and local and Tribal territorial is--and our 
small-to-medium business work--is huge to us. This is homeland 
security, not big business security. It is everybody.
    Mr. Carter. Right. Right. Well, let me ask you this: 
Specifically to health care, do you see any specific threats in 
that? I mean, you know, we have insurance information. We have 
Social Security numbers, birth dates. I mean, we have 
everything that is essential that would use in a patient's 
information. What are the real threats there?
    Ms. Schneck. So I think that any time you have a computer 
that is connected to the internet, somebody can see whatever it 
stores. So the adversaries are looking for whatever the motive 
that was mentioned earlier, they can get that information. So 
what you have to do, no matter what the information, is find 
the best way to secure those assets. We will work with you on 
that. We have people in each of the areas that can work with 
you on that and partnerships with the U.S. Chamber of Commerce 
to get this message out.
    Ms. Spaulding. We are absolutely seeing activity in the 
health care arena. Some of which appears to be for financial 
gain. It is a target-rich environment with very rich 
information; beyond just Social Security numbers or credit card 
numbers, for example; but information that can perpetrate other 
criminal schemes, such as Medicare fraud. So----
    Mr. Carter. Exactly.
    Ms. Spaulding. Right? So we are watching that very 
carefully. The FBI and others in law enforcement are looking at 
this.
    Mr. Carter. Well, great. Thank you very much for what you 
are doing. We appreciate this.
    Mr. Speaker, I yield back.
    Chairman McCaul. Appreciate the promotion in my title. But 
I am not sure I would want to be Speaker right now, to be 
honest.
    The Chairman now recognizes Mrs. Watson Coleman.
    Mrs. Watson Coleman. Thank you, Mr. Chairman. Thank you for 
the generosity you demonstrated with the information sharing 
that we have been doing here today.
    First of all, let me just acknowledge the fact that this 
has been an incredible experience for me, information that you 
have given me today. I am really very, very proud that there 
are two women at this helm. I get to say that without possibly 
being a discrimination complaint, being a woman. But it is 
unusual, and it is an illustration that women should really be 
in these areas much more. You all are fantastic. So are you, 
Mr. Fischer. You are fantastic too.
    But even so, I have so many questions I just don't even 
know where to begin.
    First of all, let me ask this. There is the--this CTIIC, 
which is being proposed. There is the NCCIC, which exists. 
Thank you so--oh, NCCIC. Sure enough is. CTIIC and NCCIC.
    So what is the guarantee that the new proposal, this CTIIC, 
doesn't wander out there and become the face of the interaction 
with businesses and companies and stuff and basically infringes 
upon the NCCIC?
    Ms. Spaulding. Congresswoman, first of all, let me echo 
your plug for encouragement for more women to get into STEM 
fields. I think it is critically important. So thank you for 
that.
    With regard to the CTIIC and the NCCIC, the CTIIC is very 
clearly defined in the President's roll-out of this, which I 
believe occurred this morning, just a couple of hours ago. As a 
place for integrating the intelligence information, it is 
really to help Government. It is a Government-to-Government. To 
help the centers that exist already, including the NCCIC, to 
have a common operating picture and all sorts of intelligence 
analysis that we can provide to the private sector.
    Again, we will also be taking in information from the 
private sector and with appropriate safeguards for privacy and 
civil liberty, sharing that with both the intelligence 
community and law enforcement as appropriate to help enrich the 
common picture that we all have.
    So it--its responsibilities and its role are pretty clearly 
defined, and I think very distinct from the role of the NCCIC 
which, again, has been defined both by this committee and again 
in the President's legislative proposal as the central place 
for interacting with the private sector with regard to 
indicator information.
    Mrs. Watson Coleman. Should we not come up with the 
funding, should there not be a funding solution on the 27th of 
February? Will the two of you be working on the 28th?
    Ms. Spaulding. We will, Congresswoman. We will be working 
without a paycheck. But we are under the statutory definition. 
But I will tell you in my organization, the National Protection 
Programs Directorate, which is responsible for critical 
infrastructure security and resilience, we will be down to 57 
percent of our workforce.
    Mrs. Watson Coleman. Are you at full force right now?
    Ms. Spaulding. Right now we are at full force. But of our a 
little over 3,000 employees, if there is a funding hiatus, we 
will be down to 1,748. So it will be, again, 57 percent. I want 
to point out that those numbers include--most of those numbers 
are the Federal Protective Service, which engages on a daily 
basis in the critical mission of protecting Federal facilities, 
and our office of biometrics and identity management, which 
uses biometrics to particularly keep known and suspected 
terrorists out of the country.
    Mrs. Watson Coleman. That is pretty scary.
    Ms. Spaulding. Two critical important missions, they will 
be on the job. But the rest of my workforce that worries about 
critical infrastructure in the private sector, cyber, will be 
down to about 9 percent--normal strength----
    Mrs. Watson Coleman. So I have two quick questions, because 
that is pretty scary. I need to know the difference between 
ISAOs and ISACs.
    Ms. Spaulding. Yes.
    Mrs. Watson Coleman. My other question is to Mr. Fischer 
real fast. What is it that this new proposal that the White 
House has put out, what does it address that is deficient in 
what exists now? Did we need to do this in an entirely new 
legislative approach, or could there have been some tweaking to 
what already existed? Thank you.
    Ms. Spaulding. So I should point out under the--in a 
funding hiatus, our--again, we are gonna make sure that we have 
in place everything we need to have in place to protect lives 
and property on a daily basis. So our NCCIC will continue to 
function. But the analytic support that feeds that and helps 
prioritize those activities will be hampered, and the roll-out 
of the things that I mentioned earlier will be hampered.
    The ISAC, ISAO--ISACs information and analysis centers are 
a kind of information sharing and analysis organization. So 
they are a subset, ISACs share a subset of ISAOs. What the 
administration's Executive Order hopes to do is to encourage 
additional coming together of private-sector entities to share 
information.
    Mrs. Watson Coleman. Thank you. Mr. Fischer.
    Mr. Fischer. So what the--there are, I should preface by 
saying that there are some observers who would argue that, in 
fact, new legislation is not really necessary; that current 
mechanisms are sufficient. But there are plenty of people who 
actually think the opposite, as well.
    With respect to what the new legislation would do, the 
White House proposal, it would create some mechanisms, 
including the establishment of these ISAOs for the receiving 
and sharing of information that don't really exist now, or that 
exists in another form; like, for example, the ISACs exist now 
but they are--the ISAOs are somewhat different from that. It 
specifically designates the NCCIC as a particular role with 
respect to receiving and sharing this kind of information.
    It also would provide certain--it tries to remove these 
barriers that have been mentioned that private-sector 
organizations may have for sharing information and make sure 
to--and provide protections for things like privacy and----
    Mrs. Watson Coleman. So you said, I believe, that there is 
both the issue of barriers, and there is the issue of 
incentives; incentives perhaps doing something, eliminating or 
minimizing some of the barriers. So is the incentive just 
simply the value of the sharing of the information, or is there 
some other kind of incentive that needs to use to encourage 
these businesses to engage in this?
    Mr. Fischer. Right. So, I mean, one of the questions is 
what would the--why would a company want to share information? 
One way, of course, to encourage them to share information is 
to reduce the risks to them of sharing that information. But at 
the same time, what are they going to get out of sharing it? 
Are they doing it as simply a--something that they think is for 
the public good, or are they gonna get something back?
    So one of the ways that they might get something back is 
through reciprocity. So, for example, if they are a member of 
an ISAC or perhaps an ISAO, they may have some relationship 
with that organization that ensures that if they provide 
information, they will be able to get information.
    But of course, with respect to the Federal Government, 
there have been enough concerns about, you know, forcing 
organizations to give information to the Federal Government 
that, in fact, all of the legislative proposals say that they 
are voluntary.
    Mrs. Watson Coleman. Thank you, Mr. Chairman. I yield back.
    Chairman McCaul. The Chairman now recognizes the Chairman 
of the Subcommittee on Cybersecurity, Infrastructure 
Protection, and Security Technologies, Mr. Ratcliffe.
    Mr. Ratcliffe. Thank you, Mr. Chairman.
    Ms. Spaulding, I would like to start with you. The 
administration's proposal discusses how Federal agencies--and I 
will quote--``through an open and competitive process will 
choose a private entity to identify and develop a common set of 
best practices for the creation and operation of private 
information sharing and analysis organizations.''
    The NIST, the National Institute of Standards and 
Technology led a collaborative process last year to develop the 
cybersecurity framework. Why isn't this NIST framework, why 
isn't it being utilized in the process here?
    Ms. Spaulding. Congressman, I think it will be utilized in 
the process here. What the NIST framework does is provide a 
framework, a way for companies to think about their 
cybersecurity and how to achieve better cybersecurity. So it 
breaks it down into five key functions; identify, identify the 
assets you want to protect and the risks that it faces, ways to 
protect, ways to detect, ways to respond, and ways to recover. 
It pulled together from the private sector their best practices 
in each of those categories. So that is the cybersecurity 
framework.
    What this standards organization will do is to look at what 
are the best practices for these ISAOs. Of the ISACs, of the 
ISAOs, of the information-sharing organizations that are out 
there today, which are the best ones, what are the best 
practices that we see out there? Let's pull that together as a 
guideline for private-sector groups that want to come together 
to say here are some of the best practices in terms of ways in 
which they are protecting the information that has been given--
that is being shared in there. So that I know that if I give it 
to you, you are only going to share it within this ISAC, for 
example. Or ways in which you are going to protect privacy 
information, et cetera; ways in which you are going to get it out 
quickly to me, get back to me, so that I get information for 
information I give in. How do I know I am going to get 
something good back from it?
    So it is a different set of best practices. But the process 
for developing that will be very similar to the one NIST used. 
This third-party standards organization, will be canvassing the 
private sector, the existing public and private-sector sharing 
organizations to say to them tell us what you think are the 
best practices. Very collaborative is what we envision.
    Mr. Ratcliffe. Sure. So I want to talk a little bit about 
this--a single portal for information sharing. As a former 
terrorism prosecutor after 9/11, while we would have liked the 
information to come through one single avenue, what was more 
important was that people would share information. So whether 
it was with the FBI or whether it was with Secret Service, we 
encouraged information sharing.
    So I am wondering if you can expound on the process here, 
the thought process behind there just being one single portal 
for sharing information.
    Ms. Spaulding. Yes, absolutely. We totally agree. The 
highest priority is on information sharing. Again, that is such 
a high priority, that even if it is only sharing between 
private-sector companies and they don't share with the 
Government, we think that is worth promoting, because sharing 
of information is going to significantly advance the ball here.
    But with respect to sharing with the Government, again, we 
want to make sure that existing relationships are not disrupted 
here. So companies that have relationships with the FBI, with 
Treasury, with other parts of the Government and are 
comfortable picking up the phone and calling them, they should 
continue to reach out and say we think we see something, you 
know, that looks a little strange on our system; we think we 
may have some intrusion activity here. That kind of information 
sharing across Government we hope will continue to take place.
    What we are trying to do--and even sharing of cyber threat 
indicators can be shared--you know, we are not saying you can't 
share it with other departments and agencies.
    We are creating a newly-incentivized program. If we are 
doing that, we want to use that to help us create a common 
operating picture. So rather than have that information coming 
in in a distributed, dispersed way all across the Government 
and hope that it comes together somewhere at some point, 
sometime, we want to say we would really like to incentivize 
you to bring it in to this one place, and we will take 
responsibility for making sure that it gets to the people who 
need it very quickly.
    But this way, we are--greater confidence, both that we have 
a common operating picture and that privacy protections are 
clearly in place.
    Mr. Ratcliffe. Terrific. Thank you, Ms. Spaulding.
    Very quickly, Dr. Schneck, I wanted to give you an 
opportunity. Ms. Spaulding and Dr. Fischer were able to expand 
on Congresswoman Watson Coleman's question about privacy.
    Just very quickly, I want to give you an opportunity. Can 
you explain the processes in which NCCIC protects privacy and 
explain that relationship with DHS privacy office?
    Ms. Schneck. So thank you. Very quickly, DHS has one of the 
first statutory privacy officers. We work not only with the 
front office at that level, but the under secretary has for our 
directorate her own privacy officer that reports up. Every 
program that we have engages them. When I came in I actually 
asked--because I write code. Or I used to--the people that 
write code, I asked them; are you getting rid of the extra 
memory so that there isn't--because this is one of the famous 
ways that attackers attack--so that there isn't a gap that we 
didn't know about that is actually storing information that we 
didn't know about.
    Every step of the way in how we build our programs, we work 
with those teams on privacy. We also do impact assessments, 
which means a document is published on our website. What we do, 
what we collect, what we are doing with it, and why we do it. 
As we grow these capabilities, that is an ingrained philosophy 
in what we do at DHS.
    There has never been a harder time to want companies, as we 
heard before and it is true, to share with Government. There 
has also never been a more urgent time to put the indicators 
together to respond to an adversary that candidly has an 
infinite appropriation and does whatever they want.
    We need to make sure that we have our defensive 
capabilities as strong as they are. That means putting this 
data together. It is speed and privacy and the balance therein. 
It takes all hands on deck, everybody to work this. Part of the 
reason it is taking us more than just a few months to build 
this capability is because we have to build it with the right 
privacy, the right policy, and the right equities to make it 
light speed and get it right. Does that answer your question?
    Mr. Ratcliffe. It does. Thank you. I am out of time. But I 
do want to thank all of you for being here and for better 
informing the committee Members so that we can hopefully move 
forward with cyber legislation in this Congress. I yield back.
    Chairman McCaul. Thank the gentleman. Excuse me.
    The Chairman now recognizes Mrs. Torres.
    Mrs. Torres. Thank you, Mr. Chairman, and I also want to 
join my colleagues in thanking the panel--or the witnesses for 
being here. Most of all, for spending an entire hour with some 
of us, ensuring that we understand and that we somehow feel at 
peace that you are collecting data that is absolutely 
necessary, but actually being very cautious at ensuring that 
individual privacy rights are being abided by.
    We have also heard a lot from the perspective of corporate 
America. But what I haven't heard yet coming from you is how 
you plan to communicate everything that you are doing with the 
general public. So someone like myself at home, where my 
computer gets hacked and my IP address gets duplicated 15 
times, how is my information as an individual victim or 
survivor of a hack attack in my personal network, how are you 
going to protect me from sharing my personal information with 
anyone else?
    I haven't heard it from a perspective that I think the 
general public can relate to. We have been speaking at this 
level, and we haven't really simplified it in a way that my 
constituents could be comfortable with what we are doing here.
    So could you explain a little bit as to--in the private 
session, you know, we heard specific information of what would 
be pulled. Can you speak to that here?
    Ms. Spaulding. Congresswoman, thank you for the question. 
As I hear it, it involves at least two aspects. One is as a 
private citizen, what does this mean to me; right? How is what 
you have just been describing here for the last couple of hours 
relevant to protecting my identity information----
    Mrs. Torres. Right.
    Ms. Spaulding [continuing]. For example, my PII?
    What I would say to that is that by protecting the networks 
and systems that hold your information, we are protecting you--
and your--against identity theft, for example. One of the 
pieces of legislation that the administration proposed--we have 
talked about their information-sharing legislation, but they 
also proposed breach notification legislation. That is very 
much designed to protect consumers; to make sure that companies 
have a single standard across the country for being required to 
notify individuals when there is reasonable basis to believe 
that their personal information may have been stolen, and to do 
so promptly. So that is very much geared toward the individual 
and the consumer.
    In terms of how do we reassure them that this work that we 
are doing on their behalf is not interfering with their privacy 
interests? As we have talked today, we are very much focused on 
the specific information that we need to defend networks. We 
are very precise. The legislation the administration has 
proposed defines that information very carefully.
    The automation that we are building will have a structured 
way of providing that information that will minimize the 
likelihood that information we don't need could be included. We 
place a very high priority on making sure that we are--we have 
no interest, it does not help our network defense to gather a 
lot of personal information about Americans or others.
    I will let the deputy address that, as well.
    Ms. Schneck. I would only add that it is my hope that we 
can use campaigns like our ``Stop. Think. Connect.'' messaging 
or the awareness that we do every October in cybersecurity 
awareness month. I think every month should be cyber awareness 
month. But we focus that month to get out on the road and talk 
to everyone.
    I am hoping that the public will start to understand this. 
We have to work to take some of our technical terms and make 
them actually English. But start to understand that Government 
is working very hard to protect them. It starts with getting 
our own agencies talking, which we are doing. It starts with 
building into the private sector. Then making sure that through 
its providers of theirs of other programs with agencies in the 
Federal Government that work directly with citizens, that we 
get that right. But we need to really enhance the trust 
relationship in the cyber area.
    Mrs. Torres. So I am almost out of time. I just want to 
make sure that I get my two other questions answered.
    To this issue though, my final word on this is that we need 
to ensure that that community outreach is part of whatever 
legislation that we can produce; that community grants and 
opportunities to include the public in this discussion happens.
    Mr. Fischer, the fair information practice principles we 
have been talking about, mentioned in the President's--in his 
security Executive Order, how are they incorporated into the 
Department procedures, from your perspective?
    Mr. Fischer. Well, I think the Department people would 
probably be better-situated to answer the specifics with 
respect to that. But I think on the question of how privacy is 
incorporated, it is a--one of the difficulties--and this also 
gets back to your earlier question a little bit--that the 
general public has various views of what privacy means. There 
isn't any one really universal kind of understanding. I mean, 
there is something called, you know, ``personally identifiable 
information,'' which is kind of interpreted as being something 
that, you know, could actually identify a person specifically.
    But when people think about privacy, they don't necessarily 
think about it in the same way as Government may think about 
privacy. So, you know, if one is going to develop a set of 
principles or use a set of principles or, in fact, incorporate 
something like privacy by design, which has been around for a 
long time, or something that people have tried to do, it is--
there--it can become very complicated very quickly.
    I think one of the things that is very important is to be 
able to create a way of letting people understand specifically 
what the issues are so that there can become really a consensus 
among consumers about what it is that we are really trying to 
protect.
    Because one more point here, which is, you know, people are 
always worried about--understandably, about Government and its 
role. But, in fact, people willingly give huge amounts of 
information to private companies.
    Mrs. Torres. We do.
    Mr. Fischer. If you get software that is free, it just 
means you are the product. Because the company is getting 
something out of it. Usually, that means they are getting 
information from you; right?
    Well, people don't even often realize this. You know, the 
service agreements that we sign, I mean, who has time to read 
through them or can understand them? So I think it is very 
important that there be a--you know, a dialogue, really, about 
how to characterize privacy more clearly for everybody so there 
can be consensus.
    Mrs. Torres. Thank you. I think I am out of time. I yield 
back.
    Chairman McCaul. Recognize the Ranking Member for closing 
comments.
    Mrs. Watson Coleman. Thank you. I just want to thank the 
entire panel for giving us this time today and the information. 
Particularly, I want to thank you, Honorable, Honorable, 
Honorable Spaulding and Dr. Schneck, because you have given us 
the majority of the day when I knew you could be doing some 
other things, including preparing for what might be a furlough 
of some very important people. I hope you don't have to do 
that. But I want you to know and I thank you, Chairman, for 
guiding me through this very moment of being next to you. Thank 
you.
    Chairman McCaul. Well, you did quite well, I must say.
    Let me thank the witnesses. Let me thank Ms. Spaulding and 
Dr. Schneck for your service to our country on a very important 
issue. I think the education process is very important for 
Members of Congress and for the American people to identify 
that this is a real and valid threat that we need to defend the 
Nation from. The hearing will be open for 10 days, the record I 
should say.
    Without objection, the committee stands adjourned.
    [Whereupon, at 1:51 p.m., the committee was adjourned.]


                            A P P E N D I X

                              ----------                              

    Questions From Ranking Member Bennie G. Thompson for Suzanne E. 
                     Spaulding and Phyllis Schneck
    Question 1. According to the testimony of the under secretary, the 
White House legislative proposal on information sharing would immunize 
against civil or criminal liability entities that voluntarily disclose 
to or receive lawfully obtained cyber threat indicators from the NCCIC 
or a private ISAO that has adopted certain best practices. Please 
explain the scope of the liability protection, including a delineation 
of the circumstances in which liability protections would not be 
afforded to an entity that chooses to disclose or receive information 
from the NCCIC or a certified ISAO.
    Answer. The President's information-sharing legislative proposal 
provides targeted liability protection to private entities that 
voluntarily disclose or receive lawfully obtained cyber threat 
indicators from a private information sharing and analysis 
organization (ISAO) or the National Cybersecurity and Communications 
Integration Center (NCCIC). It affords such entities protection from 
public disclosure, and from use of disclosed indicators as evidence in 
a regulatory enforcement action.
    The proposal directs DHS to select a non-governmental Standards 
Organization for the purpose of identifying a common set of best 
practices for the creation and operation of private ISAOs. The 
Standards Organization will work directly with the public to identify 
and develop best practices. To receive the liability protection 
afforded by the President's proposal, private-sector entities must 
share with the NCCIC or an ISAO that has self-certified that it adheres 
to these best practices.
    Question 2a. To receive liability protection, does a private entity 
need any kind of certification from the NCCIC or an ISAO to which it 
disclosed or from which it received cyber threat indicators?
    If so, what standards would guide an NCCIC or ISAO in issuing such 
a certification?
    Answer. There is no NCCIC- or ISAO-issued certification. The 
proposal directs DHS to select a non-governmental Standards 
Organization for the purpose of identifying a common set of best 
practices for the creation and operation of private ISAOs. The 
Standards Organization will work directly with the private sector to 
identify and develop best practices. To receive the liability 
protection afforded by the President's proposal, private-sector 
entities must share with the NCCIC or an ISAO that has self-certified 
that it adheres to these best practices.
    The proposed independent standards organization for ISAOs would not 
promulgate Government-determined standards or require a compliance 
certification. It would be an independent organization that sets forth 
voluntary standards that it will develop in consultation with the 
public.
    Question 2b. If no certification were required or issued, would a 
court in the first instance have to assess whether a private entity 
deserves immunity under Section 106?
    Answer. ISAOs would have to self-certify under Section 106 of the 
information-sharing proposal. That self-certification is distinct from 
any acknowledgement of receipt that the NCCIC or the ISAO might 
generate as a way to reassure an entity sharing threat indicators that 
it has submitted the information to the correct place.
    Question 3. What are the limitations of the ISAC model that 
necessitate the effort to increase the proliferation of ISAOs?
    Answer. An ISAC is a type of ISAO. In practice, as ISACs have 
evolved, they are sector-specific entities that encourage information 
sharing within specific critical infrastructure sectors. While ISACs 
have had a great deal of success and lessons learned that will serve 
ISAOs as they form, many companies do not fall within a designated 
sector or fall within multiple sectors. And some companies want to 
share with partners outside of their sector for a wider scope of 
situational awareness.
    Encouraging ISAOs beyond just ISACs will provide for more 
organizational flexibility. ISAOs can be organized around a particular 
region, community of interest, or concern about a particular type of 
cybersecurity risk. ISAOs could include companies regardless of their 
sector affiliation.
    Question 4. What are the risks and rewards of an information-
sharing environment that is dominated by ISAOs?
    Answer. Critical infrastructure includes both physical and cyber 
infrastructure, publicly- and privately-owned. The ISAO model builds 
upon the successes of existing models. The formulation of ISAOs allows 
and encourages organizations to participate in cyber threat information 
sharing to proactively detect and prevent cybersecurity incidents 
before they can cause damage to their networks by applying the 
knowledge, capabilities, and experiences of a wider community. Sharing 
cyber threat information broadly and with sufficient timeliness can 
improve the Nation's cybersecurity writ large by reducing our cyber 
adversaries' advantages of speed and stealth.
  Questions From Honorable Jim Langevin for Suzanne E. Spaulding and 
                            Phyllis Schneck
    Question 1. In reviewing the President's information-sharing 
proposal, I was drawn to the phrase ``lawfully obtained'' as it relates 
to cyber threat indicators. Due to ambiguities in anti-hacking 
statutes, courts have not yet settled whether the work of many well-
intentioned security researchers--so-called white-hat hackers--is 
lawfully obtained. How can we work to ensure that information-sharing 
legislation does not chill vital security research while at the same 
time not opening the door to companies ``hacking back''?
    Answer. The President's information-sharing proposal aims to 
emphasize that activities conducted to obtain cyber indicators should 
comply with the law. The Department of Justice is best positioned to 
answer questions pertaining to the relevant statutes and to what extent 
they apply to the activities of cybersecurity researchers.
    Question 2. It is vitally important that we incent private-to-
private information sharing, something the President's proposal does 
through the use of Information Sharing and Analysis Organizations 
(ISAOs). However, ISAOs need only self-certify to be able to receive 
threat indicators. Without any independent oversight to be sure that 
best practices are being followed, are you concerned that this could 
lead to a reduction in privacy?
    Answer. Having publicly available standards for ISAOs, including 
standards for privacy protection, will help ISAO member companies hold 
their ISAO accountable. ISAOs that are transparent and accountable are 
likely to attract more members, providing an incentive to clearly 
demonstrate compliance with the standards.
    Question 3. We know that cyber threat information is most valuable 
when shared expeditiously, which, in this domain, essentially means at 
machine speed. How can DHS lead efforts to ensure that the stripping of 
PII is accomplished as thoroughly and quickly as possible so that the 
information shared is timely?
    Answer. DHS requests that, before sharing cyber threat information 
with the Department, partners filter out any PII, content, and other 
information that is not necessary to describing the cyber threat. In 
addition, currently, DHS Analysts are required to review cyber threat 
indicator information for PII and handle it as outlined in US-CERT 
standard operating procedures. Generally, DHS's policy is to minimize 
or redact any personal information that is not necessary to understand 
or analyze a threat. As we move to automated threat indicator sharing, 
DHS and interagency partners are studying privacy-by-design technical 
safeguards as well as policy and process approaches to minimization 
that include a combination of automated removal and/or filtering of 
sensitive data, oversight capabilities, and where necessary, manual 
review. Technical safeguard requirements may also be required. To 
safeguard Americans' personal privacy, the administration's 
cybersecurity legislative proposal requires private entities to comply 
with certain privacy restrictions, such as removing unnecessary 
personal information and taking measures to protect any personal 
information that must be shared, in order to qualify for liability 
protection. The proposal further requires the Attorney General, in 
coordination with the Secretary of Homeland Security and in 
consultation with the Privacy and Civil Liberties Oversight Board and 
others, to develop receipt, retention, use, and disclosure guidelines 
for the Federal Government.
    Any future cybersecurity legislation will incorporate strong 
privacy, confidentiality, and civil liberties safeguards while 
strengthening our critical infrastructure's security and resilience. DHS 
is committed to furthering information sharing and promoting 
cybersecurity standards for critical infrastructure.
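    The minimization described in the answer above (filter out fields that are not needed to describe the threat, automatically redact PII patterns from what remains, and route anything the automation touched to manual review) looks roughly like this in code. This is an added example, not DHS or US-CERT code, and nothing in the answer specifies a format: the record layout, the field allowlist, the set of known indicator types, the PII patterns and the sample record are all assumed here for illustration.

```python
import re
from dataclasses import dataclass, field

# Assumed allowlist: the fields a recipient needs to act on an indicator.
# Anything outside it is dropped before the record leaves the organization.
ALLOWED_FIELDS = {"type", "value", "first_seen", "last_seen",
                  "confidence", "description"}

# Indicator types this filter understands (assumed); anything else is held
# for manual review rather than shared automatically.
KNOWN_TYPES = {"ipv4-addr", "ipv6-addr", "domain-name", "url",
               "file-hash", "email-addr"}

# Free-text fields are scanned for PII patterns. The indicator `value`
# itself is not scanned: for an email-addr indicator the address is the
# threat data, and that decision belongs to type-level policy, not regexes.
FREE_TEXT_FIELDS = {"description"}

PII_PATTERNS = [
    ("email", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")),
]


@dataclass
class MinimizationResult:
    record: dict
    dropped_fields: list = field(default_factory=list)
    redactions: list = field(default_factory=list)   # (field, kind, count)
    needs_manual_review: bool = False


def _redact_text(text: str, field_name: str, result: MinimizationResult) -> str:
    """Replace PII matches in free text and log each kind for oversight."""
    for kind, pattern in PII_PATTERNS:
        text, count = pattern.subn(f"[{kind} redacted]", text)
        if count:
            result.redactions.append((field_name, kind, count))
            # Automated redaction is a signal, not a guarantee: hold the
            # record for a human before it is shared onward.
            result.needs_manual_review = True
    return text


def minimize_indicator(raw: dict) -> MinimizationResult:
    """Return an allowlisted, redacted copy of `raw` plus an audit trail."""
    result = MinimizationResult(record={})
    for key, value in raw.items():
        if key not in ALLOWED_FIELDS:
            result.dropped_fields.append(key)
            continue
        if key in FREE_TEXT_FIELDS and isinstance(value, str):
            value = _redact_text(value, key, result)
        result.record[key] = value
    if result.record.get("type") not in KNOWN_TYPES:
        result.needs_manual_review = True
    return result


# Constructed sample record (not real data): a C2 address with PII mixed
# into the free text and two fields a recipient never needs.
SAMPLE_INDICATOR = {
    "type": "ipv4-addr",
    "value": "203.0.113.5",
    "first_seen": "2015-02-20T14:03:00Z",
    "confidence": "high",
    "description": "C2 beacon observed; reported by jane.doe@example.com, desk 555-123-4567",
    "reporter_name": "Jane Doe",
    "victim_host": "WS-JDOE-01",
}

if __name__ == "__main__":
    out = minimize_indicator(SAMPLE_INDICATOR)
    print(out.record)
    print("dropped:", out.dropped_fields)
    print("redactions:", out.redactions)
    print("manual review:", out.needs_manual_review)
```

    The allowlist does most of the work: fields like the reporter's name or the victim hostname never reach the regexes because they are dropped outright. The regexes are a backstop for free text only, and the audit trail (what was dropped, what was redacted, and why review is needed) is what lets an oversight function check the automation rather than trust it.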
  Question From Ranking Member Bennie G. Thompson for Eric A. Fischer
    Question. What are the risks and rewards of an information-sharing 
environment that is dominated by ISAOs?
    Answer.\1\ This question cannot be answered definitively at 
present. Such an answer would depend on several factors that are 
currently unknown or uncertain. However, the analysis below may be 
useful in helping to determine the potential benefits and disadvantages 
of the ISAO model in such an environment.
---------------------------------------------------------------------------
    \1\ Some responses were prepared in consultation with other CRS 
experts.
---------------------------------------------------------------------------
    ISAOs (Information Sharing and Analysis Organizations) are defined 
in the Homeland Security Act (6 U.S.C. 131(5)) as ``any formal or 
informal entity or collaboration created or employed by public or 
private sector organizations'' created to assist in securing critical 
infrastructure and protected systems by acquiring, analyzing, or 
sharing ``critical infrastructure information,'' which refers to non-
public information relating to threats to and defense and recovery of 
critical infrastructure or protected systems.
    Information Sharing and Analysis Centers (ISACs) are more familiar 
to most observers. They may also be considered ISAOs but have a 
different origin, having been initially formed pursuant to a 1998 
Presidential directive (PDD 63) on critical infrastructure 
protection.\2\ The directive called for a single ISAC but also for a 
National Infrastructure Protection Center (somewhat analogous to the 
National Cybersecurity and Communications Integration Center [NCCIC]) 
that would ``establish its own relations directly with others in the 
private sector and with any information sharing and analysis entity 
that the private sector may create.''\3\ Also, the directive stated 
that the ``actual design and functions'' of the ISAC would ``be 
determined by the private sector, in consultation with and with 
assistance from the Federal Government.'' The result was the creation 
of several sector-focused ISACs, rather than a single entity. Many of 
today's ISACs are associated with Federally-recognized critical 
infrastructure sectors. Eighteen are listed as members of the National 
Council of ISACs (NCI).\4\ There are currently 16 Federally-recognized 
critical infrastructure sectors.\5\ The table below shows the 
relationships between those sectors and the ISACs.
---------------------------------------------------------------------------
    \2\ The White House, ``Presidential Decision Directive 63: Critical 
Infrastructure Protection,'' May 22, 1998, http://www.fas.org/irp/
offdocs/pdd/pdd-63.htm.
    \3\ It is not clear what ``others in the private sector'' refers 
to, as the NIPC was a Federal entity. Presumably, this was a drafting 
error.
    \4\ National Council of ISACs, ``Member ISACs,'' 2015, http://
www.isaccouncil.org/memberisacs.html.
    \5\ The White House, ``Critical Infrastructure Security and 
Resilience,'' Presidential Policy Directive 21, (February 12, 2013), 
http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-
policy-directive-critical-infrastructure-security-and-resil.

------------------------------------------------------------------------
                                              Information Sharing and
      Critical Infrastructure Sector              Analysis Center
------------------------------------------------------------------------
Chemical.................................
Commercial Facilities....................  Real Estate ISAC
Communications...........................  Communications ISAC (National
                                            Coordinating Center for
                                            Communications-NCC)
Critical Manufacturing...................
Dams.....................................
Defense Industrial Base..................  DIB-ISAC
Emergency Services.......................  EMR-ISAC
Energy...................................  ES-ISAC (electric sector)
                                           Oil and Gas ISAC
Financial Services.......................  Financial Services ISAC
Food and Agriculture.....................
Government Facilities....................  Multi-State ISAC
Healthcare and Public Health.............  Health ISAC
Information Technology...................  IT-ISAC
Nuclear Reactors, Materials, and Waste...  Nuclear Energy Institute
Transportation Systems...................  Aviation ISAC
                                           Maritime ISAC
                                           Public Transit ISAC
                                           Surface Transportation ISAC
Water and Wastewater Systems.............  Water ISAC
No specific critical-infrastructure        Research and Education ISAC
 sector.                                   Supply-Chain ISAC
                                           ICS-ISAC (industrial control
                                            systems)
------------------------------------------------------------------------
Source.--See text.
Notes.--A Food and Agriculture ISAC and a Chemical ISAC were established
  in 2002 (Government Accountability Office, Critical Infrastructure
  Protection: Improving Information Sharing with Infrastructure Sectors,
  July 2004, http://www.gao.gov/assets/250/243318.pdf) but appear to be
  no longer operational. The NCC, within DHS, has served as the
  Communications ISAC since 2000 (http://www.dhs.gov/national-
  coordinating-center-communications). The ICS-ISAC is not listed as a
  member of the NCI. Other entities such as State governments may also
  have ISACs.

    As the table shows, ISACs currently exist for 12 of the designated 
critical infrastructure sectors.\6\ There are also three ISACs that are 
cross-sectoral. There appear to be few organizations that call 
themselves ISAOs at present.\7\ The concept increased in prominence 
following a legislative proposal and an Executive Order from the Obama 
administration in January and February of 2015 fostering their 
development and use.\8\ The White House described the intent as 
``expand[ing] information sharing by encouraging the formation of 
communities that share information across a region or in response to a 
specific emerging cyber threat. An ISAO could be a not-for-profit 
community, a membership organization, or a single company facilitating 
sharing among its customers or partners.'' The Executive Order 
specifies that ``ISAOs may be organized on the basis of sector, sub-
sector, region, or any other affinity,'' that members may be public 
sector, private sector, or both, and that an ISAO may be ``a not-for-
profit community, a membership organization, or a single company 
facilitating sharing among its customers or partners.''\9\ Under the 
proposed legislation, ISAOs that wish to protect members from liability 
risks for sharing information would need to be self-certified according 
to standards to be developed under a process to be established by DHS.
---------------------------------------------------------------------------
    \6\ Some caution should be exercised with respect to the 
completeness of this list, as there may also be organizations that have 
ISAC-like functions but do not call themselves ISACs.
    \7\ One example is the HITRUST Alliance (see Testimony of HITRUST 
Alliance CEO Dan Nutkis, Cybersecurity: The Evolving Nature of Cyber 
Threats Facing the Private Sector, 2015, http://oversight.house.gov/wp-
content/uploads/2015/03/3-18-2015-IT-Hearing-on-Cybersecurity-Nutkis-
HITRUST.pdf). Some organizations may function like ISAOs or ISACs but 
not call themselves that.
    \8\ The White House, Updated Information Sharing Legislative 
Proposal, 2015, http://www.whitehouse.gov/sites/default/files/omb/
legislative/letters/updated-information-sharing-legislative-
proposal.pdf; The White House, ``Fact Sheet: Executive Order Promoting 
Private Sector Cybersecurity Information Sharing,'' Press Release, 
(February 12, 2015), http://www.whitehouse.gov/the-press-office/2015/
02/12/fact-sheet-executive-order-promoting-private-sector-
cybersecurity-inform; Executive Order 13691, ``Promoting Private Sector 
Cybersecurity Information Sharing,'' Federal Register 80, no. 34 
(February 20, 2015): 9349-53, http://www.gpo.gov/fdsys/pkg/FR-2015-02-
20/pdf/2015-03714.pdf.
    \9\ The Homeland Security Act definition is both broader, in that 
ISAOs can be ``any formal or informal entity or collaboration created 
or employed by public or private sector organizations'', and narrower, 
in that under the act, the organizations must be ``created or 
employed'' for ``gathering and analyzing,'' ``communicating or 
disclosing,'' and ``voluntarily disseminating'' critical infrastructure 
information as specified in the act (6 U.S.C. 131(5)). The 
administration proposal does not appear to limit ISAOs to information 
about critical infrastructure, although its focus is on cybersecurity, 
rather than on the all-hazards emphasis in the act.
---------------------------------------------------------------------------
    If this approach were adopted by Congress, ISAOs could possibly 
become dominant entities in the information-sharing environment. Given 
the uncertainties associated with their anticipated impacts, it may be 
best to examine possible effects through a series of questions:
   Would ISAOs lead to more information sharing among private-
        sector entities and between the NCCIC and the private sector? 
        The broad and flexible nature of the ISAOs envisioned in the 
        administration proposal, as opposed to ISACs as currently 
        configured, could lead to the creation of ISAOs for affinity 
        groups for which ISACs are not viewed as applicable--for 
        example, the entertainment industry, with companies such as 
        Sony.\10\ That could lead to much broader information sharing 
        among private-sector entities that join the ISAOs and with the 
        NCCIC. Yet, there is no guarantee that new ISAOs would be 
        established, or, if they were, that they would lead to 
        increased information sharing either among the members or with 
        the NCCIC. Even for a few CI sectors, some former ISACs are no 
        longer in operation, and the degree to which existing ISACs are 
        active in information sharing is considered variable by many 
        observers. Furthermore, the degree to which the NCCIC could 
        process and usefully disseminate the volume and variety of 
        information it may likely receive from a large number of ISAOs 
        is uncertain.
---------------------------------------------------------------------------
    \10\ However, the IT-ISAC already lists Sony as a member (https://
www.it-isac.org/).
---------------------------------------------------------------------------
   Would increases in information sharing through ISAOs improve 
        cybersecurity? The relationship between the volume of 
        information shared and improved cybersecurity is not 
        straightforward. Both providers and recipients--whether they 
        are businesses, ISAOs, or Government agencies--will incur 
        various costs, including developing, assessing, processing, 
        sharing, and applying the information. For sharing to be 
        effective, information from the provider must be relevant to 
        recipients' needs and in forms that can be readily applied in 
        their IT and security environments. Recipients must also have 
        the capacity and willingness to assess and use the information 
        received in a timely fashion. A large increase in the amount of 
        information received may in fact be counterproductive, 
        especially if much of the information proves to be of little 
        use to the recipient. In theory, ISAOs can be closely tailored 
        to the needs of their members and therefore help ensure that 
        those needs are met. However, a closely-tailored ISAO might not 
        provide information relevant to all the lines of business in 
        which members may engage, and membership in several 
        organizations might be preferred.\11\
---------------------------------------------------------------------------
    \11\ For example, Sony is involved in electronics, gaming, movies, 
and music. However, it is not clear whether Sony would have been better 
protected against recent attacks against it if it had been a member of 
ISAOs in any of those subsectors in addition to its membership in the 
IT-ISAC.
---------------------------------------------------------------------------
   Would ISAOs provide overlapping or duplicative services? One 
        potential advantage of the sector-focused approach taken by the 
        ISACs is that it can minimize such duplication. However, it can 
        also create gaps for entities that do not fall clearly into one 
        or another ISAC sector or that are multi-sectoral. Addressing 
        such gaps is one of the stated purposes of the administration's 
        ISAO proposal. In addition, the potential for duplication 
        creates the potential for market competition, and such market 
        forces would ideally yield more innovation and more rapid 
        improvement in information sharing than would a more restricted 
        approach. Market forces might also lead to lower costs, and 
        cost is often cited as an impediment to improved information 
        sharing, especially for small businesses. Yet market forces 
        might also lead to higher costs, and a proliferation of ISAOs 
        might also make decisions about which one or ones to join more 
        difficult for potential members. It also creates the 
        possibility that members could receive conflicting information 
        or even recommendations from different ISAOs. At present, there 
        appear to be few examples of potentially overlapping 
        information-sharing entities. One possible case is in the 
        health sector, which has both the Health ISAC \12\ and an ISAO, 
        the HITRUST Alliance.\13\ Services provided by the two appear 
        to be both complementary and potentially competitive.\14\
---------------------------------------------------------------------------
    \12\ National Health Information Sharing and Analysis Center, ``NH-
ISAC,'' 2015.
    \13\ Nutkis, Testimony at COGR Hearing.
    \14\ See, for example, Marianne Kolbasuk McGee, ``NH-ISAC Offers 
Cyber-Intelligence Tool,'' Data Breach Today, December 5, 2014, http://
www.databreachtoday.com/nh-isac-offers-cyber-intelligence-tool-a-7642.
---------------------------------------------------------------------------
   Would for-profit ISAOs be beneficial or disadvantageous for 
        improving information sharing? The administration proposal 
        states that for-profit entities that share information can be 
        ISAOs. That would presumably include internet and cybersecurity 
        service providers, for example. Such entities might be 
        particularly well-positioned to share information efficiently 
        and effectively with customers and to bring market forces to 
        bear favorably in the information-sharing environment. However, 
        unintended adverse impacts are also possible. For example, for-
        profit companies might have a resource and marketing advantage 
        over non-profit organizations, and some may perceive such an 
        advantage as unfair or counterproductive. It is also possible 
        that competitive pressures may impede information sharing 
        involving more than one company. Some entities that could 
        potentially be ISAOs are currently members of ISACs and could 
        also be members of other ISAOs, creating possible conflicts of 
        interest.
   Would a cybersecurity environment dominated by ISAOs 
        complement or encumber improvement of cybersecurity risk 
        management? The NIST Cybersecurity Framework,\15\ developed to 
        assist critical-infrastructure and other entities in adopting 
        effective cybersecurity risk management, discusses the role of 
        information sharing in cybersecurity, including the roles 
        played by ISACs and other entities in helping organizations 
        determine their desired levels--called tiers--of cybersecurity 
        implementation. Each of the four tiers includes descriptions of 
        risk-management processes and programs, and ``external 
        participation,'' which largely describes the level of 
        information sharing in which the organization engages.\16\ 
        Broad availability of involvement with ISAOs could help 
        organizations that so desire to move to higher tiers with 
        respect to information sharing. However, as the Framework makes 
        clear, that is only one facet of cybersecurity implementation. 
        There may be a risk, therefore, that a proliferation of ISAOs 
        would lead to an overemphasis on information sharing to the 
        detriment of other, possibly more critical cybersecurity needs, 
        thereby resulting paradoxically in a decline in overall 
        cybersecurity preparedness.
---------------------------------------------------------------------------
    \15\ National Institute of Standards and Technology, Framework for 
Improving Critical Infrastructure Cybersecurity, Version 1.0, February 
12, 2014, http://www.nist.gov/cyberframework/upload/cybersecurity-
framework-021214-final.pdf.
    \16\ A Tier-2 organization ``knows its role in the larger 
ecosystem, but has not formalized its capabilities to interact and 
share information externally,'' whereas a Tier-4 organization `` . . . 
actively shares information with partners to ensure that accurate, 
current information is being distributed and consumed to improve 
cybersecurity before a cybersecurity event occurs'' (ibid., 10, 11).
---------------------------------------------------------------------------
   Would the proposed ISAO standards process sufficiently 
        address concerns such as those raised above? Both the 
        legislative proposal and the Executive Order call for 
        designation of a nongovernmental organization whose purpose 
        would be to specify a ``common set'' of ``best practices'' or 
        ``voluntary standards or guidelines'' for creating and 
        operating ISAOs. Such standards and practices may help address 
        some but not all of the issues discussed above. For example, 
        standards may be helpful in determining what kinds of 
        information may be most useful to share for different purposes 
        and different kinds of entities, as well as how best to use 
        such information, but it seems unlikely that they can address 
        concerns about overlapping or duplicative services, or problems 
        such as gaps in coverage for key groups caused by economic 
        factors.
    If ISAOs do in fact proliferate, it is very likely that substantial 
changes will occur in the information-sharing environment, but many of 
those effects may be difficult or even impossible to predict 
accurately. However, there appear to be few independent assessments of 
the performance and effectiveness of current information-sharing 
entities and their relationships.\17\ Some studies have concluded that 
measuring the effectiveness of information sharing is difficult in the 
current environment,\18\ and the creation of a large number of ISAOs 
could further complicate any assessments. Such concerns might be 
addressed by options such as on-going independent research and 
evaluation activities designed to determine the effectiveness of ISAOs, 
perhaps as a part of or complementary to the standards-development and 
revision process envisioned by the administration. That could 
potentially be started in conjunction with another option--staged 
implementation of the ISAO model, perhaps including pilot programs.\19\
---------------------------------------------------------------------------
    \17\ One example is Government Accountability Office, Public 
Transit Security Information Sharing: DHS Could Improve Information 
Sharing Through Streamlining and Increased Outreach, September 2010, 
http://www.gao.gov/assets/310/309903.pdf.
    \18\ See, for example, Matthew H. Fleming, Eric Goldstein, and John 
K. Roman, Evaluating the Impact of Cybersecurity Information Sharing on 
Cyber Incidents and Their Consequences (Homeland Security Studies and 
Analysis Institute, March 31, 2014), http://papers.ssrn.com/sol3/
papers.cfm?abstract_id=2418357; Brian A. Jackson, ``How Do We Know 
What Information Sharing Is Really Worth?,'' Product Page, (2014), 
http://www.rand.org/pubs/research_reports/RR380.html.
    \19\ These options are provided for purposes of illustration. CRS 
does not make recommendations or take positions on legislative issues.
---------------------------------------------------------------------------
       Questions From Honorable Jim Langevin for Eric A. Fischer
    Question 1. In reviewing the President's information-sharing 
proposal, I was drawn to the phrase ``lawfully obtained'' as it relates 
to cyber threat indicators. Due to ambiguities in anti-hacking 
statutes, courts have not yet settled whether the work of many well-
intentioned security researchers--so-called white-hat hackers--is 
lawfully obtained. How can we work to ensure that information-sharing 
legislation does not chill vital security research while at the same 
time not opening the door to companies ``hacking back''?
    Answer. The current cybersecurity environment creates a number of 
dilemmas, and one of them is captured by this question. The problem is 
that the complexities of cyberspace--whether hardware, software, 
networks, or the people using them--combined with its rapid 
technological evolution and the changing threat environment, create 
significant challenges for distinguishing appropriate and inappropriate 
behavior, especially by those pursuing protective and defensive 
activities. Such ambiguity can create problems for legal and ethical 
interpretation of such actions and is believed by at least some 
observers to have a potentially chilling effect on needed research. 
This is not a new issue,\20\ but some legislative proposals to improve 
cybersecurity have led to increased attention to the concern.\21\
---------------------------------------------------------------------------
    \20\ Aaron J. Burstein, ``Conducting Cybersecurity Research Legally 
and Ethically,'' April 4, 2008, https://www.usenix.org/legacy/event/
leet08/tech/full_papers/burstein/burstein_html/index.html.
    \21\ See, for example, Jan Ellis, ``Will the President's 
Cybersecurity Proposal Make Us More Secure?,'' Security Street, January 
23, 2015, https://community.rapid7.com/community/infosec/blog/2015/01/
23/will-the-president-s-cybersecurity-proposal-make-us-more-secure; 
Mark Jaycox and Lee Tien, ``Obama's Computer Security Solution Is a 
Mishmash of Old, Outdated Policy Solutions,'' January 16, 2015, https:/
/www.eff.org/deeplinks/2015/01/obamas-computer-security-solution-mish-
mash-old-outdated-policy-solutions.
---------------------------------------------------------------------------
    In addition, researchers who are part of an established and 
recognized enterprise, such as a university or research institution, 
are likely to have different opportunities and constraints than those 
who operate independently, without either the benefits or the 
strictures of an institutional environment. Also, research may refer to 
many different activities, from the acquisition of fundamental 
knowledge about threats, vulnerabilities, and defenses, to the 
development of hardware, software, and procedures to address 
cybersecurity needs, to the investigation of specific incidents for 
purposes of attribution and response. Constraints on research are 
likely to apply to such different classes of researchers and activities 
in significantly different ways.
    One of the core challenges in finding ways to reduce the risk that 
the legal environment will chill needed research is in reaching a clear 
consensus among stakeholders about what constitutes proper and improper 
research activity. If such a consensus can be reached, legal 
ambiguities might be much more easily resolved. Without a consensus, 
resolution is likely to be very difficult. For example, some may argue 
that a research exception should be provided in communications privacy 
laws,\22\ but without agreement on what is and is not appropriate 
behavior, such an exception may be difficult to scope.
---------------------------------------------------------------------------
    \22\ Burstein, ``Conducting Cybersecurity Research.''
---------------------------------------------------------------------------
    Another issue that may be worth considering is lack of 
understanding and education among researchers about what they can and 
cannot do under current law and regulations. Researchers may be 
reluctant to take some actions that are lawful solely because of 
uncertainty about their legality.\23\ One way to address this issue is 
to provide researchers with access to appropriate education resources 
that can clarify what is permitted and also provide guidance for 
reducing the risk of violating legal requirements.\24\ For example, the 
legal risks associated with the use of honeypots--websites or other 
information resources specifically designed to attract attacks--may 
depend, some have argued, on how they are implemented.\25\
---------------------------------------------------------------------------
    \23\ Ibid.
    \24\ See, for example, Jody R. Westby, Legal Guide to Cybersecurity 
Research (Chicago, IL: American Bar Association, Section of Science & 
Technology Law, 2013).
    \25\ Burstein, ``Conducting Cybersecurity Research.''
---------------------------------------------------------------------------
    Finally, an option available for some research problems is the use 
of isolated testbeds or ``cyber ranges.'' Such facilities are designed 
for research and training, can mimic many features of cyberspace, and 
permit a wide range of actions that could possibly be illegal if done 
in ``the wild.'' However, they are limited in scale and may otherwise 
be unable to mimic the environment of cyberspace sufficiently for some 
kinds of research. In addition, if they are not completely isolated 
from the internet, the risk of impacts on external systems would need 
to be considered.
    Question 2. I think I can safely speak for everyone on this panel 
in saying that we agree that cyber threat information sharing is 
important. I believe that the President's proposal will help lower 
legal barriers to information sharing. What are other obstacles that 
could continue to keep information sharing from being as ubiquitous as 
we'd like?
    Answer. Awareness of the potential utility of information sharing 
in cybersecurity appears to be increasing. As the question points out, 
legal barriers are only one set of obstacles that would need to be 
overcome for ubiquitous and effective use of this cybersecurity tool. 
Several additional potential obstacles are discussed below.\26\
---------------------------------------------------------------------------
    \26\ The list is not intended to be definitive or exhaustive. That 
would require a comprehensive, objective study of all aspects of 
information sharing in the broader cybersecurity context. In addition, 
any such list is likely to change significantly as cyberspace and its 
component threat and information-sharing environments continue to 
evolve. The items in this list are not presented in any order of 
priority or desirability.
---------------------------------------------------------------------------
Resources
    The costs of information sharing vary, but may be prohibitive for 
some entities. The costs of obtaining information from an entity such 
as an ISAC may be comparatively low,\27\ but that is only for a 
mechanism to receive information. The information must be processed by 
the recipient and applied where appropriate. That will require staff 
time and perhaps additional hardware and software, especially for 
implementation of so-called ``real-time'' information sharing, which 
often involves machine-to-machine communication and action. Such costs 
may be particularly problematic for small businesses, which may be of 
concern not only because of their broad role in the economy, but also 
because the sector includes many innovators that can be inviting 
targets for cyber espionage, and because many are contractors with 
larger organizations that may be inviting targets for cyber crime.\28\
---------------------------------------------------------------------------
    \27\ See, for example, N. Eric Weiss, Legislation to Facilitate 
Cybersecurity Information Sharing: Economic Analysis, CRS Report 
R43821.
    \28\ In the attack on Target, the criminals accessed the store's 
computer system through a compromised system of an HVAC contractor (see 
N. Eric Weiss and Rena S. Miller, The Target and Other Financial Data 
Breaches: Frequently Asked Questions, CRS Report R43496).
---------------------------------------------------------------------------
Awareness
    Concerns about the lack of awareness about cybersecurity in general 
and information sharing in particular, especially within the private 
sector, have been long-standing. While the NIST Cybersecurity Framework 
\29\ and other efforts, along with media attention to major breaches, 
appear to have resulted in some increased awareness of the need for 
better cybersecurity, it is not yet clear the degree to which awareness 
has improved as a result. Awareness of a problem or need is also not 
sufficient on its own. To be effective, it must be translated into 
appropriate action, which often may not be the case. For example, 
according to a 2012 survey, three-quarters of small businesses believe 
that cybersecurity is important, but only 10% have a written policy on 
it.\30\
---------------------------------------------------------------------------
    \29\ National Institute of Standards and Technology, 
``Cybersecurity Framework,'' August 26, 2014, http://www.nist.gov/
cyberframework/index.cfm.
    \30\ About a quarter have an ``informal'' policy (National Cyber 
Security Alliance, Symantec, and JZ Analytics, 2012 NCSA/Symantec 
National Small Business Study, October 2012, https://
www.staysafeonline.org/ . . . /2012_ncsa_symantec_small_business_ 
study.pdf).
---------------------------------------------------------------------------
Usefulness of Information
    Many kinds of information can be shared, from threat intelligence 
\31\ to business strategies and best practices. In addition, the same 
information may have different utility for different users--for 
example, threat signatures relating to attacks on one critical 
infrastructure sector may be of marginal concern for another, and best 
practices may be much more useful for small businesses than signatures 
associated with advanced targeted threats. Also, shared information may 
prove of little use if it is delayed, provided without relevant 
contextual detail, or provided in a form that requires substantial 
additional processing to determine its applicability. If recipients 
find that the information they are provided is of little use to them, 
they may be less likely to participate in or continue with information-
sharing initiatives.
---------------------------------------------------------------------------
    \31\ This can be described as ``indicators (i.e., an artifact or 
observable that suggests that an attack is imminent, that an attack is 
underway, or that a compromise may have already occurred); the TTPs 
[tactics, techniques and procedures] of an adversary; and recommended 
actions to counter an attack,'' Chris Johnson, Lee Badger, and David 
Waltermire, Guide to Cyber Threat Information Sharing (Draft), SP 800-
150 [National Institute of Standards and Technology, October 2014], 4, 
http://csrc.nist.gov/publications/drafts/800-15sp800_150_draft.pdf.
---------------------------------------------------------------------------
Application of Information
    Information sharing by itself is not sufficient to improve 
cybersecurity. Not only must it be actionable--presented in a form that 
can be usefully applied--but the recipient must also have processes, 
including equipment and software, in place to use the information 
effectively. If such processes are not in place and utilized properly, 
the net effect is the same as if the information were not shared at 
all.\32\
---------------------------------------------------------------------------
    \32\ See, for example, Johnson, Badger, and Waltermire, Guide to 
Cyber Threat Information Sharing (Draft).
---------------------------------------------------------------------------
Reliability of Sources
    There are several reasons why sources of information may not be 
considered reliable by potential recipients. For example, the source 
may be a competitor, such as another business. The kinds of information 
the source provides may focus on a set of entities other than the one 
to which the recipient belongs. Or the source might have a reputation 
for providing erroneous, outdated, or otherwise useless information. If 
no sources are available to an entity that it deems reliable, it may be 
reluctant to participate in information-sharing activities.
Mechanisms for Information Sharing
    Currently, there appear to be two general models for information 
sharing--a decentralized, ``peer-to-peer,'' often informal approach 
between entities with complementary needs, and a more centralized 
``hub-and-spoke'' model such as the ISACs.\33\ Organizations such as 
ISACs are generally sector-specific. Not all sectors have such 
organizations, and affiliations other than sector may also be 
important for some kinds of information sharing. Filling such gaps 
appears to be part of the rationale behind the administration's ISAO 
proposal.\34\ On the one hand, the absence of an appropriate mechanism 
can be a barrier to information sharing for an entity. On the other 
hand, a proliferation of mechanisms, such as some observers fear the 
administration's ISAO model might result in, could also serve as a 
barrier if it makes information sharing inefficient or confusing for 
possible participants.
---------------------------------------------------------------------------
    \33\ Denise E. Zheng and James A. Lewis, Cyber Threat Information 
Sharing: Recommendations for Congress and the Administration (CSIS, 
March 2015), https://csis.org/files/publication/
150310_cyberthreatinfosharing.pdf.
    \34\ The White House, Updated Information Sharing Legislative 
Proposal; The White House, ``Fact Sheet: Executive Order Promoting 
Private Sector Cybersecurity Information Sharing''; Executive Order 
13691, ``Promoting Private Sector Cybersecurity Information Sharing.''
---------------------------------------------------------------------------
Standards
    The adoption of standards for information sharing is one way to 
help address concerns about reliability and utility of information 
received. Dozens of standards exist relating to information 
sharing.\35\ The Department of Homeland Security has been developing a 
single set applicable to sharing of threat intelligence.\36\ Lack of a 
broadly-accepted set of consensus standards or a framework for 
information sharing might impede more widespread adoption of 
information-sharing activities.
---------------------------------------------------------------------------
    \35\ European Union Agency for Network and Information Security, 
Standards and Tools for Exchange and Processing of Actionable 
Information, November 2014, https://www.enisa.europa.eu/activities/
cert/support/actionable-information/standards-and-tools-for-exchange-
and-processing-of-actionable-information.
    \36\ Department of Homeland Security, ``Information Sharing 
Specifications for Cybersecurity,'' 2015, https://www.us-cert.gov/
Information-Sharing-Specifications-Cybersecurity.
---------------------------------------------------------------------------
Economic Incentives
    Some observers have noted that the benefits of receiving 
cybersecurity information tend to outweigh the benefits of providing 
such information for many organizations.\37\ In addition to legal 
issues that may be associated with providing information, businesses 
may be concerned about reputation costs, if they provide information 
showing that they have been victims of cyber attacks. In the absence of 
incentives for reciprocity, it is hard to see what benefit an 
organization would gain from providing information, unless it is a 
Government entity whose mission is to provide such data or a provider 
of cybersecurity services. Government measures such as requirements for 
data-breach notification, as enacted in most States, can provide 
incentives for organizations to share information about attacks that 
may be used to help prevent future attacks on other entities or to 
capture and prosecute cyber criminals.
---------------------------------------------------------------------------
    \37\ See, for example, N. Eric Weiss, Legislation to Facilitate 
Cybersecurity Information Sharing: Economic Analysis, CRS Report 
R43821; Zheng and Lewis, Cyber Threat Information Sharing: 
Recommendations for Congress and the Administration.
---------------------------------------------------------------------------
Reducing the Need for Information Sharing
    Some observers have expressed concern about risks associated with 
an overemphasis on the role of information sharing in cybersecurity. It 
is only one of many cybersecurity tools. For example, it is a 
relatively small part of the NIST Cybersecurity Framework, and target 
levels of sharing vary among the tiers the Framework identified.\38\ In 
addition, information sharing tends to focus on immediate concerns such 
as cyber attacks and imminent threats. While those must be addressed, 
that does not diminish the need to reduce risks through design and 
implementation of more secure systems and networks--sometimes referred 
to as ``building security in''--and finding ways to change the 
incentive structure within cyberspace to increase the costs and reduce 
the potential for profit from cyber crime and activities of other 
adversaries.
---------------------------------------------------------------------------
    \38\ National Institute of Standards and Technology, Framework for 
Improving Critical Infrastructure Cybersecurity, Version 1.0.
---------------------------------------------------------------------------