[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
PROMOTING AND INCENTIVIZING CYBERSECURITY BEST PRACTICES
=======================================================================
HEARING
before the
SUBCOMMITTEE ON
CYBERSECURITY, INFRASTRUCTURE
PROTECTION, AND SECURITY
TECHNOLOGIES
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
FIRST SESSION
__________
JULY 28, 2015
__________
Serial No. 114-29
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.gpo.gov/fdsys/
__________
U.S. GOVERNMENT PUBLISHING OFFICE
97-918 PDF WASHINGTON : 2016
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
COMMITTEE ON HOMELAND SECURITY
Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas Bennie G. Thompson, Mississippi
Peter T. King, New York Loretta Sanchez, California
Mike Rogers, Alabama Sheila Jackson Lee, Texas
Candice S. Miller, Michigan, Vice James R. Langevin, Rhode Island
Chair Brian Higgins, New York
Jeff Duncan, South Carolina Cedric L. Richmond, Louisiana
Tom Marino, Pennsylvania William R. Keating, Massachusetts
Lou Barletta, Pennsylvania Donald M. Payne, Jr., New Jersey
Scott Perry, Pennsylvania Filemon Vela, Texas
Curt Clawson, Florida Bonnie Watson Coleman, New Jersey
John Katko, New York Kathleen M. Rice, New York
Will Hurd, Texas Norma J. Torres, California
Earl L. ``Buddy'' Carter, Georgia
Mark Walker, North Carolina
Barry Loudermilk, Georgia
Martha McSally, Arizona
John Ratcliffe, Texas
Daniel M. Donovan, Jr., New York
Brendan P. Shields, Staff Director
Joan V. O'Hara, General Counsel
Michael S. Twinchek, Chief Clerk
I. Lanier Avant, Minority Staff Director
------
SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY
TECHNOLOGIES
John Ratcliffe, Texas, Chairman
Peter T. King, New York Cedric L. Richmond, Louisiana
Tom Marino, Pennsylvania Loretta Sanchez, California
Scott Perry, Pennsylvania Sheila Jackson Lee, Texas
Curt Clawson, Florida James R. Langevin, Rhode Island
Daniel M. Donovan, Jr., New York Bennie G. Thompson, Mississippi
Michael T. McCaul, Texas (ex (ex officio)
officio)
Brett DeWitt, Subcommittee Staff Director
Dennis Terry, Subcommittee Clerk
Christopher Schepis, Minority Subcommittee Staff Director
C O N T E N T S
----------
Page
Statements
The Honorable John Ratcliffe, a Representative in Congress From
the State of Texas, and Chairman, Subcommittee on
Cybersecurity, Infrastructure Protection, and Security
Technologies................................................... 1
The Honorable James R. Langevin, a Representative in Congress
From the State of Rhode Island................................. 3
The Honorable Cedric L. Richmond, a Representative in Congress
From the State of Louisiana, and Ranking Member, Subcommittee
on Cybersecurity, Infrastructure Protection, and Security
Technologies:
Prepared Statement............................................. 4
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Ranking Member, Committee on
Homeland Security:
Prepared Statement............................................. 6
Witnesses
Mr. Brian E. Finch, Senior Fellow, Center for Cyber and Homeland
Security, George Washington University:
Oral Statement................................................. 7
Prepared Statement............................................. 9
Mr. Raymond B. Biagini, Partner, Covington and Burling:
Oral Statement................................................. 15
Prepared Statement............................................. 17
Ms. Andrea M. Matwyshyn, Visiting Professor, Center for
Information Technology Policy, Princeton University:
Oral Statement................................................. 22
Prepared Statement............................................. 23
For the Record
The Honorable John Ratcliffe, a Representative in Congress From
the State of Texas, and Chairman, Subcommittee on
Cybersecurity, Infrastructure Protection, and Security
Technologies:
Letter......................................................... 3
PROMOTING AND INCENTIVIZING CYBERSECURITY BEST PRACTICES
----------
Tuesday, July 28, 2015
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity, Infrastructure Protection,
and Security Technologies,
Washington, DC.
The subcommittee met, pursuant to call, at 2:20 p.m., in
Room 311, Cannon House Office Building, Hon. John Ratcliffe
[Chairman of the subcommittee] presiding.
Present: Representatives Ratcliffe, Perry, Donovan, and
Langevin.
Also present: Representative Watson Coleman.
Mr. Ratcliffe. The Subcommittee on Cybersecurity,
Infrastructure Protection, and Security Technologies will come
to order.
The subcommittee is meeting today to examine the potential
benefits of expanding the Support Antiterrorism by Fostering
Effective Technologies Act, referred to as the SAFETY Act, to
clarify that on a voluntary basis cybersecurity products and
services can be reviewed and certified to receive enhanced
liability protections for large-scale cyber incidents.
Right now, our cyber defenses are weak, and, because
addressing cybersecurity vulnerabilities is costly, we need to
find ways to promote and incentivize investment in
cybersecurity. We need to incentivize companies to have a
robust cyber-risk management plan in place. Through this
hearing, we want to hear from our expert witnesses if the
SAFETY Act Office at the Department of Homeland Security could
be leveraged to promote and incentivize cybersecurity best
practices within its existing framework.
By way of history, the SAFETY Act was part of the Homeland
Security Act of 2002 and is a voluntary program that currently
provides incentives for the development and deployment of anti-
terrorism technologies. The SAFETY Act ensures that the threat
of costly litigation does not deter potential manufacturers or
sellers of anti-terrorism technologies at both large and small
companies from developing and putting into the marketplace
products and services that could reduce the risk or mitigate
the consequences of a large-scale terrorist event.
Companies qualify for the protections afforded by the
SAFETY Act by demonstrating through an on-going basis that they
have a comprehensive and agile risk management plan. Applicants
to this voluntary program must submit to a rigorous and
thorough vetting process at DHS' SAFETY Act Office in order to
receive liability protections in the event of an act of
terrorism.
Homeland security and National security challenges are
constantly evolving, and the cybersecurity threat is currently
growing. It is in that capacity that earlier this year we
passed H.R. 1731, the National Cybersecurity Protection
Advancement Act. The goal of that legislation, which passed the
House with a bipartisan vote of 355 to 63 and is now awaiting
Senate action, is to strengthen the sharing of cyber threat
indicators to guard against criminal groups, hacktivists, or
nation-state actors.
Separately, we have been meeting with stakeholders to find
other ways to strengthen cybersecurity, including expanding the
SAFETY Act for cyber purposes. Right now, the SAFETY Act can
only be triggered by an act of terrorism. However, for cyber
attacks, attribution is extremely difficult to determine.
Regardless of whether the hacker was a terrorist, a nation-
state, a cyber criminal, or hacktivist, the impact of a
devastating cyber attack would be the same.
If there is something more that can be done to increase
cybersecurity best practices overall and potentially reduce the
likelihood of a large-scale cyber attack, this subcommittee is
going to examine it. SAFETY Act coverage for cybersecurity will
not solve all of our cybersecurity challenges, but it has the
potential to make a significant improvement in our Nation's
cyber defenses.
In the coming weeks, the Committee on Homeland Security
will consider House-passed legislation from the 113th Congress
that would amend the SAFETY Act to establish a, ``qualifying
cyber incident,'' threshold to trigger SAFETY Act liability
protections for vetted cybersecurity technologies.
The very creation of the Department of Homeland Security
stemmed from the attacks on September 11, 2001. While we must
and will remain vigilant and do everything we can to prevent
another devastating attack on Americans, we must also recognize
that the threat landscape in this country is changing. Cyber
space is, in many ways, the new frontier, and a cyber 9/11 is
only a matter of time if we fail to strengthen our cyber
defenses. So we need to ensure that we are doing everything
possible to harden our defenses left of boom, as they say in
military parlance.
This potential legislation has the potential to increase
investments in the security and resilience of our Nation's
critical infrastructure, including the power grids, air traffic
control, and banking systems.
Much of our Nation's critical infrastructure is privately
owned, and in the 21st Century there now exists an
interconnectedness of physical security and cybersecurity. This
means that someone sitting at a keyboard can now initiate a
physical injury by issuing commands at an office building, an
air traffic control system, or someone's automobile, resulting
in loss of life, not just the theft of personal information
from a database.
Many products and services weren't built with cybersecurity
in mind. This is why we need to incentivize market-driven
solutions to raise the bar on how we manage our cybersecurity
risks. Fortunately, the United States is home to an ingenuous
entrepreneurial culture, and the best high-tech companies in
the world have developed products and services that can help
improve the information security resilience of our critical
infrastructure and for companies that improve our quality of
life.
If amending the SAFETY Act to include qualifying cyber
incidents would better safeguard our Nation and potentially
prevent a cyber attack that could shut things down and bring
commerce to a screeching halt, then we owe it to ourselves and
our constituents to examine the potential benefits it could
provide. This is especially true given the increasing
importance of cybersecurity in the lives of every American.
At this time, I ask unanimous consent to insert into the
record a letter from the American Gas Association, the Edison
Electric Institute, and the National Rural Electric Cooperative
Association in support of testimony submitted by Mr. Brian
Finch on the need to clarify the SAFETY Act to ensure that
significant cybersecurity incidents are clearly covered.
Without objection, so ordered.
[The information follows:]
Letter Submitted by Chairman John Ratcliffe
July 28, 2015.
The Honorable John Ratcliffe,
Chairman, Subcommittee on Cybersecurity, Infrastructure Protection, and
Security Technologies.
The Honorable Cedric Richmond,
Ranking Member, Subcommittee on Cybersecurity, Infrastructure
Protection, and Security Technologies, Washington, DC 20515.
Dear Chairman Ratcliffe and Ranking Member Richmond: On behalf of
the American Gas Association (AGA), the Edison Electric Institute
(EEI), and the National Rural Electric Cooperative Association (NRECA)
we are writing in support of testimony submitted by Brian Finch on the
need to clarify the SAFETY Act to ensure that significant cybersecurity
incidents are clearly covered under the programs liability protections.
The electric and gas utility industries take cybersecurity threats
very seriously. Any statutory clarification would be beneficial if it
helps to make more explicit that cyber attacks are covered by the
SAFETY Act and that legal defenses will be available to those using its
certified cybersecurity products or processes in the event of a
significant cyber attack. Currently, the SAFETY Act provides that
liability protections are available in the case of an ``act of
terrorism,'' which is usually interpreted to include a significant
cyber attack. To eliminate any doubt, Congress should make clear that
it intends for a significant cyber attack to be covered. This
clarification would likely result in an increase in utilization of the
program and adoption of its certified cybersecurity products or
processes.
We appreciate the subcommittee's continued focus on this important
issue. The changes Mr. Finch has suggested are important and we look
forward to working with you as legislation to clarify the SAFETY Act
moves forward.
American Gas Association.
Edison Electric Institute.
National Rural Electric Cooperative Association.
Mr. Ratcliffe. I am pleased to be joined today by my
colleague from Rhode Island, Mr. Langevin, who is filling in
for Ranking Member Richmond.
The Chair now recognizes the gentleman from Rhode Island
for any statement that he may have.
Mr. Langevin. Thank you, Mr. Chairman.
I, too, want to welcome our witnesses here today.
Before I begin, Mr. Chairman, I would like to ask unanimous
consent that Mrs. Watson Coleman of New Jersey be allowed to
participate in this hearing, although she is not a Member of
the subcommittee.
Mr. Ratcliffe. Without objection.
Mr. Langevin. Thank you, Mr. Chairman.
Next, as you mention, the Ranking Member is traveling with
the President right now, so I am sitting in. I would like to
ask unanimous consent to submit his opening statement for the
record.
Mr. Ratcliffe. Without objection, so ordered.
[The statement of Ranking Member Richmond follows:]
Statement of Ranking Member Cedric L. Richmond
July 28, 2015
Good afternoon Mr. Chairman and thank you for holding this hearing
on cybersecurity best practices.
I want to thank Dr. Andrea Matwyshyn from Princeton who has
traveled to testify for us today.
The Department of Homeland Security, Science and Technology
Directorate, is responsible for operating the SAFETY Act through the
Office of Safety Act Implementation, or the OSAI.
While we are going to hear testimony today about the process for
companies interested in having cybersecurity technologies designated as
qualified anti-terrorism technologies under the SAFETY Act, we are also
going to discuss some of the features of the draft SAFETY Act
legislation that Chairman McCaul has circulated to industry.
The SAFETY ACT provides Government-sponsored immunity from
liability to products or services that have gone through examination by
the Office of Safety Act Implementation, and then designated, or
certified under the SAFETY Act.
Congress has provided this kind of liability protection since 2002
to encourage innovation in the development of products and technologies
for the homeland security enterprise that would help protect us from
the terrorist threats or terrorist events, but only when the Secretary
has determined that a terror event has taken place.
It would seem to me that the large, prime contractors who already
supply the Department of Defense would need little help in providing
the Department of Homeland Security with the kinds of services they
might need in the civilian threat arena.
But small businesses are the backbone of America's workforce and
innovation, creating most of the jobs in America. A SAFETY Act
designation or certification for a new innovative product can improve a
smaller company's bottom line and help resolve their concerns about
liability protections. That was the original intent of the Act in 2002.
We are all concerned about the ability of American businesses,
large and small, to protect their data and networks in today's
amplified cyber threat atmosphere.
The question before us is how to best encourage civilian businesses
to make sure their cybersecurity efforts are state-of-the-art, and how
does SAFETY Act liability protection play a key role in helping us
achieve that goal, in the complex, multi-layered arena of
cybersecurity?
I look forward to the testimony today Mr. Chairman, and I yield
back.
Mr. Langevin. Very good. Thank you, Mr. Chairman.
So let me begin by saying that, as co-chair of the
Congressional Cybersecurity Caucus with Chairman McCaul, I
fully agree that organizations, public and private, must do a
better job adopting cybersecurity best practices, as the
consequences of cyber attacks can be devastating. I certainly
also associate myself with the remarks of the Chairman in his
opening statement, as well.
It is also abundantly clear that network administrators are
not currently employing best practices, given that over 80
percent of cyber attacks could be stopped with simple hygiene
measures like patch deployment or the use of two-factor
authentication.
I understand that some of our witnesses today and the
Chairman believe that applying existing policy, the SAFETY Act,
to this problem may help improve our Nation's cybersecurity
posture. I have great respect for their point of view, and I
certainly believe that incentives are an avenue that we should
explore. However, I do think that there are a number of
questions this committee should answer as part of our
consideration.
First, I think we must ask ourselves what we see as the
underlying purpose of the SAFETY Act. I have always viewed the
legislation as having at its heart the incentivization of
research, design, and development of new technologies. Today,
new information security products are being released at a
prodigious rate, raising questions of whether further SAFETY
Act protections are necessary to spur innovation. While the
shield offered under SAFETY Act certification designation can
certainly also incent deployment of these new, novel
technologies, we at the committee must determine whether the
act is properly tailored to the problem that we are addressing.
Second, we must also look into the implementation of
technologies certified under the SAFETY Act. Network security
is incredibly complex, and users of security products can often
make mistakes in configuration or interpretation of results.
For example, in the Target breach, the company's security
software alerted on the malware that eventually compromised the
point-of-sale terminals; however, the alert was lost in a sea
of other warnings. How limits of liability would apply in such
cases is an important concern.
Finally, we must examine the SAFETY Act in the context of
cybersecurity risk management writ large. I have consistently
fought efforts in Congress to prescribe specific technology
solutions, either legislative or regulatory. Information
technology simply moves too fast a pace to be able to say that
today's best solutions will be viable in 5 years, let alone
even less than that. Instead, I have advocated adoption of risk
management frameworks like NIST that help companies assess
their level of cybersecurity risk and development processes to
reduce that risk.
One of the best practices universally praised under such
frameworks is resilience--the idea that a network should not
rely on a single technology for protection. Part of the reason
that data breaches last for more than 6 months, on average, is
that companies prioritize perimeter security without a similar
focus on detecting anomalies once the network has in fact been
breached. So the committee must explore whether the use of the
SAFETY Act in a cybersecurity context could inadvertently make
networks less resilient.
There are other questions I have--for instance, the
adequacy of the certification process--that I hope the
committee will also explore.
Let me again thank the Chairman for convening this
important hearing. I thank the witnesses for appearing, and I
certainly look forward to their testimony.
Mr. Chairman, before I yield back, I would just ask
unanimous consent that the statement of the Ranking Member of
the full committee, Mr. Thompson, also be entered into the
record.
Mr. Ratcliffe. Without objection, so ordered.
[The statement of Ranking Member Thompson follows:]
Statement of Ranking Member Bennie G. Thompson
July 28, 2015
Good afternoon. I want to thank Chairman Ratcliffe for calling
today's hearing on encouraging cybersecurity best practices, and I want
to thank the witnesses for testifying here today.
I especially want to thank Dr. Andrea Matwyshyn from Princeton
University who has come to share her expertise and experience with us.
Today, we will be discussing the prospect of amending the SAFETY
Act law to promote certification of more cybersecurity technologies as
qualified anti-terrorism technologies. Given that there is draft
legislation circulating, prepared by the Majority to amend the SAFETY
Act in this manner, this hearing is timely.
Today, under the SAFETY ACT, DHS provides immunity from liability
to products or services that have been rigorously examined by the
Office of Safety Act Implementation.
Congress directed DHS to establish this program to encourage
innovation in the development of novel anti-terrorism technologies.
As I noted in a previous hearing several years ago on this matter,
the Government does not charge a penny to perform exhaustive reviews of
each company's product that applies for, and is qualified for, SAFETY
Act approval.
Mr. Chairman, I am wondering whether in our current fiscal
situation, Congress should consider requesting a fee from companies
with the means to seek pursue this process and desire to secure the
liability protection and marketing advantage that comes with SAFETY Act
certification.
When this committee first began to examine the activities of the
SAFETY Act Office, I encouraged the Department to perform dedicated
outreach to attract small, minority, and disadvantaged businesses to
obtain SAFETY Act certification, and to help them go through the
complicated and time-consuming SAFETY Act approval process.
The reasoning behind this emphasis was simple. Large multinational
companies who are likely the prime developers of technologies in the
homeland security enterprise, are mostly already involved with
providing the Department of Defense technologies and services in that
sphere.
In contrast, small businesses with promising technologies face
countless barriers to entry in the marketplace. Given that these firms
are often the innovators and the backbone of America's workforce, it is
important that DHS go the extra mile.
A SAFETY Act designation or certification can improve a company's
bottom line and help small, savvy companies create jobs. Large, well-
funded companies need less help, and those companies are usually
stocked with a bevy of corporate lawyers to guide them through any
concerns about liability protections or access to DHS acquisitions.
The draft legislation that is in circulation has no special
emphasis on small businesses. I am hopeful that as the bill moves
through the legislative process, we can come together to ensure that it
does.
I would also put on the record my concern that that the funding to
expand the Safety Act Office would not be ``new money'' but rather
taken from other DHS activities. It is important to know where that
money would be taken from and what capabilities or programs would be
affected or diminished.
More broadly, there are basic questions about how this legislation
would drive innovation with respect to cyber technologies.
We would not want to foster an environment in the marketplace where
companies grow complacent having only an interest in securing blanket
liability protections outweighing the energy of innovation.
I look forward to the testimony today Mr. Chairman, and I yield
back.
Mr. Ratcliffe. Other Members of the committee are reminded
that opening statements may be submitted for the record.
We are pleased today to have with us a very distinguished
panel of witnesses on a very important topic.
Mr. Brian Finch is a senior fellow at the Center for Cyber
and Homeland Security at George Washington University. Mr.
Finch has a diverse background in homeland security issues and
the SAFETY Act.
Thank you for being here, Mr. Finch.
Mr. Raymond Biagini is a partner at Covington and Burling.
He has extensive experience and background in drafting the
original SAFETY Act language and also assists companies in
obtaining SAFETY Act certifications.
Welcome, Mr. Biagini.
Finally, we are pleased to be joined by Professor Andrea
Matwyshyn--did I pronounce that right?
Ms. Matwyshyn. You did.
Mr. Ratcliffe [continuing]. Matwyshyn, who is a visiting
professor at the Center for Information Technology Policy at
Princeton University.
Professor, thank you for being here.
I would now ask each of the witnesses to stand and raise
your right hands so I can swear you in to testify.
Do each of you swear or affirm that the testimony which you
will give today will be the truth, the whole truth, and nothing
but the truth, so help you God?
Let the record reflect that the witnesses have answered in
the affirmative.
You may be seated.
The witnesses' full statements will appear in the record.
The Chair now recognizes Mr. Finch for 5 minutes for his
opening statement.
STATEMENT OF BRIAN E. FINCH, SENIOR FELLOW, CENTER FOR CYBER
AND HOMELAND SECURITY, GEORGE WASHINGTON UNIVERSITY
Mr. Finch. Chairman Ratcliffe, Ranking Member Richmond, Mr.
Langevin, distinguished Members of the subcommittee, my name is
Brian Finch, and thank you for inviting me to testify before
you today on how to effectively promote and incentivize
cybersecurity best practices.
I firmly believe that promoting and incentivizing the use
of cybersecurity best practices is critical to our Nation's
security. The challenge, however, is determining what is, ``the
best,'' or even, ``quite good.'' The SAFETY Act can help us
with that right now.
Let me begin by stating what I will not be promoting in my
testimony. I will not advocate for expanding the liability
protections offered by the SAFETY Act or what triggers those
protections. I will not seek to reinterpret the original intent
behind the SAFETY Act. Rather, I will discuss how cyber attacks
and cybersecurity technologies are covered under the SAFETY Act
as currently written. I will also cover how a minor tweak to
the law will improve its use in the cybersecurity context.
As this committee knows, SAFETY Act protections are
triggered when the Secretary of Homeland Security declares that
an, ``act of terrorism'' has occurred.
Under the SAFETY Act, an act of terrorism is defined as an
event that is, ``one, unlawful; two, causes harm to a person,
property, or entity in the United States; and, three, uses or
attempts to use instrumentalities, weapons, or other methods
designed or intended to cause mass destruction, injury, or
other loss to citizens or institutions of the United States.''
Nothing in that definition excludes cyber attacks.
Further, note that the SAFETY Act already explicitly states
that cybersecurity technologies are eligible to receive
liability protections. All of the above is why the DHS has
already approved cybersecurity SAFETY Act applications.
Despite all of this, too many people are still unsure of
whether the SAFETY Act applies to cyber attacks and
cybersecurity technologies. To cure this, the House should once
again unanimously pass section 202 of the National
Cybersecurity and Critical Infrastructure Protection Act, or
NCCIP. That section clarified the SAFETY Act by adding two new
terms to it, ``cyber incident'' and ``cybersecurity
technologies.'' Those new terms merely made explicit
protections already available under the SAFETY Act.
As we all know, the decision of Executive branch members to
declare a particular event an act of terrorism in any context
is a difficult one. Terms such as ``workplace violence'' and
``cyber vandalism'' are used instead of the ``T'' word. While I
offer no opinions on the language used by the Executive branch
to describe certain events, I can say that preventing or
mitigating the outcomes that occurred in those events is
exactly what Congress intended when it passed the SAFETY Act.
That is why giving the Department of Homeland Security
Secretary a term other than ``terrorism'' to use when bringing
in the liability protections of the SAFETY Act is so important.
Now, if you will allow me, I would like to provide two
examples where, if we could clarify the SAFETY Act, it would
allow for vastly improved cybersecurity best practices.
First, let me talk about cyber risk groups. Companies could
use risk-pooling mechanisms like risk-purchasing or risk-
retention groups to increase their defenses and better mitigate
risks.
Here's how that would work. First, a group of similarly-
situated companies would agree to use certain security
standards or technologies, such as, for instance, detonation
chambers or the NIST Cyber Framework. Next, those companies
would then either jointly purchase a cyber insurance policy or
create a pool of insurance that they would all maintain and
participate in. Third, the risk group would also agree to
pursue SAFETY Act protections for the security standards that
they have agreed to commit to adhering to.
All of this would be possible thanks to the vetting
conducted under a clarified SAFETY Act. I would add that this
pooling-risk purchasing agreement would be of particular value
to small businesses, as well as to companies in historically
underserved communities, as it would allow their dollars to
travel further.
Next, cyber HMOs. I argue that cyber insurers should be
using a health insurance model to promote best practices. Why?
Because, under the cyber HMO model, it promotes wellness
behavior that prevents minor scratches from developing into
serious infections. That cyber HMO plan would also give the
insured access to a vast network of cybersecurity vendors and
professionals, as well as low-cost or free access to basic
cyber hygiene, such as annual physicals, i.e., compromise
assessments, or vaccines, in this case, perimeter defenses.
By encouraging the use of SAFETY Act-vetted products or
services, the HMO and its policyholders would have greater
confidence in the tools they are using to promote cyber health.
Thank you for the opportunity to testify, and I welcome any
questions this committee may have.
[The prepared statement of Mr. Finch follows:]
Prepared Statement of Brian E. Finch
July 28, 2015
Chairman Ratcliffe, Ranking Member Richmond, distinguished Members
of the subcommittee, thank you for inviting me to testify before you
today on how to effectively promote and incentivize cybersecurity best
practices.
My name is Brian Finch, and I am here today testifying in my
capacity as a senior fellow with The George Washington University
Center for Cyber and Homeland Security, where I am a member of the
Center's Cybersecurity Task Force.\1\ I am also a partner with the law
firm of Pillsbury Winthrop Shaw Pittman LLP, a senior advisor to the
Homeland Security and Defense Business Council, and a member of the
National Center for Spectator Sport Safety and Security's Advisory
Board.
---------------------------------------------------------------------------
\1\ While I am testifying in my capacity as a senior fellow with
The George Washington University Center for Cyber and Homeland
Security, please note that my comments represent my personal views and
not necessarily any positions of the Center.
---------------------------------------------------------------------------
Clearly, the implementation of best cybersecurity practices is
critical to our Nation's economic security and physical safety. Our
cyber enemies are numerous, growing, and increasingly sophisticated.
Fortunately there is no lack of will to defend ourselves from the
attacks these enemies launch. Unfortunately, given the scale, scope,
and pace of cyber threats we face, our cybersecurity measures writ
large tend to lag behind the said attacks.
In light of those threats, I firmly believe that promoting and
incentivizing the use of cybersecurity best practices and effective
technologies, policies, and procedures are critical to our Nation's
security. I also firmly believe that the private sector is ready and
willing to adopt those best practices, technologies, policies, and
procedures. Its challenge, however, is determining which of those items
are in fact ``the best'' or even ``quite good.''
Moreover, we should all acknowledge that the private sector will
see all of its cybersecurity decisions second-guessed in the tsunami of
litigation that inevitably follows any cyber attack. Thus, programs
that help companies determine which cybersecurity measures to adopt and
will help them minimize their exposure to unnecessarily expensive and
protracted litigation are desperately needed.
Thankfully, a program already exists in the United States Code that
in fact does promote and incentivize the use of cybersecurity best
practices, technologies, policies, and procedures: The ``SAFETY Act.''
The SAFETY Act, which stands for the Support Anti-Terrorism By
Fostering Effective Technologies, was enacted in 2002 as part of the
Homeland Security Act. The SAFETY Act is one of the most responsibly
designed and effectively implemented liability management programs in
Government today. More importantly, it can and already has been used to
promote improved cybersecurity, and, with the leadership of this
committee, that success can be expanded.
In my testimony below, I will go into greater detail as to how the
SAFETY Act can currently be used promote the increased use of
cybersecurity practices as well as effective technologies, procedures,
and policies. I will also explain why I believe that some very minor
statutory tweaks to the SAFETY Act would be exceptionally helpful in
expanding its use in the private sector. Finally, I will also provide
some examples of how the SAFETY Act could be tied to innovative ideas
that will, in general, promote improved cybersecurity.
important clarification regarding the scope of this written testimony
I believe at the outset that it is exceptionally important to
establish what I will NOT be promoting in my testimony. I want there to
be no misunderstanding with respect to what actions I believe Congress
or the Executive branch should be undertaking in order to allow the
SAFETY Act to reach its full potential with respect to cybersecurity.
Specifically, my testimony:
Will NOT advocate for an expansion of the scope of the
liability protections offered by the SAFETY Act. The SAFETY
Act, as currently drafted, provides to the Department of
Homeland Security (DHS) all of the legal authority needed to
encourage the wide-spread deployment of effective and useful
cybersecurity technologies, policies, and procedures;
Will NOT advocate for an expansion of the types of unlawful
events that may trigger the liability protections offered by
the SAFETY Act. Again, as currently drafted, the SAFETY Act
gives the Secretary of Homeland Security broad discretion to
decide which unlawful acts that cause harm to U.S. persons,
property, or economic interests can trigger its liability
protections;
Will NOT seek to revise or reinterpret the intent of the
Members of the 107th Congress, who drafted and voted to enact
the SAFETY Act;
Will NOT advocate for the ability of the private sector to
excuse itself completely from liability following a cyber
attack, much less disincentivize the private sector from
continually investing in and upgrading its cyber defenses; and
Will NOT seek to undermine the ability of DHS to thoroughly
review applications for SAFETY Act liability protections or
require a dramatic expansion in the size or cost of the Office
of SAFETY Act Implementation (OSAI), such that the program
office will become unwieldy or unnecessarily costly.
Instead, my testimony will advocate for a very simple proposition:
That with the addition of a few well-placed words, it will become
perfectly clear to the private sector that the SAFETY Act applies to
cybersecurity practices, technologies, procedures, and policies.
Moreover, these minor tweaks will permanently clarify that the SAFETY
Act applies to cyber attacks committed by a variety of actors, as well
as attacks where attribution is unclear or impossible.
the safety act as drafted applies to cybersecurity technologies and
cyber attacks
A critical point that must be established immediately is that both
the SAFETY Act statute (see 6 U.S.C. � 441-444) and the implementing
Final Rule (see 6 CFR � 25) establish that cyber attacks can trigger
the law's liability protections and that information technologies
(including cybersecurity systems and services) are eligible to receive
SAFETY Act liability protections. By way of review, please note that
the SAFETY Act provides extensive liability protections to entities
that are awarded either a ``Designation'' or a ``Certification'' as a
Qualified Anti-Terrorism Technology (QATT). Under a ``Designation''
award, successful SAFETY Act applications are entitled to a variety of
liability protections, including:
All terrorism-related liability claims must be litigated in
Federal court;
Punitive damages and pre-judgment interest awards are
barred;
Compensatory damages are capped at an amount agreed to by
both DHS and the applicant;
That damage cap will be equal to a set amount of insurance
the applicant must carry, and once that insurance cap is
reached no further damages may be awarded in a given year;
A bar on joint and several liability; and
Damages awarded to plaintiffs will be offset by any
collateral recoveries they receive (e.g., victims compensation
funds, life insurance, etc.)
Should the applicant be awarded a ``Certification'' under the
SAFETY Act for their QATT, all of the liability protections awarded
under a ``Designation'' are available. In addition, the Seller of a
QATT will be entitled to an immediate presumption of dismissal of all
third-party liability claims arising out of, or related to, the act of
terrorism.
The only way this presumption of immunity can be overcome is to
demonstrate that the application contained information that was
submitted through fraud or willful misconduct. Absent such a showing,
the cyber attack-related claims against the defendant will be
immediately dismissed.
Additionally, when a company buys or otherwise uses a QATT that has
been either SAFETY Act ``Designated'' or ``Certified,'' that customer
is entitled to immediate dismissal of claims associated with the use of
the approved technology or service and arising out of, related to, or
resulting from a declared act of terrorism.
As the SAFETY Act is currently drafted, in order for its
protections to be triggered, the Secretary of Homeland Security must
declare that an ``act of terrorism'' has occurred. The definition of an
``act of terrorism'' is extremely broad and includes any act that:
(i) is unlawful;
(ii) causes harm to a person, property, or entity, in the United
States, or in the case of a domestic United States air carrier
or a United States-flag vessel (or a vessel based principally
in the United States on which United States income tax is paid
and whose insurance coverage is subject to regulation in the
United States), in or outside the United States; and
(iii) uses or attempts to use instrumentalities, weapons, or other
methods designed or intended to cause mass destruction, injury,
or other loss to citizens or institutions of the United States.
The Secretary has broad discretion to declare that an event is an
``act of terrorism,'' and once that has been declared, the SAFETY Act
statutory protections will be available to the Seller of the QATT and
others.
Critically, nothing in the SAFETY Act statute or Final Rule
requires that there be a finding of a ``terrorist'' intent in order for
the Secretary to declare that an ``act of terrorism'' occurred. Indeed,
the only discussion of ``intent'' when defining an ``act of terrorism''
comes in the third part. There, all Congress drafted was that the
attack must have used a weapon or other instrumentality ``intended'' to
cause some form of injury.
Congress had every opportunity to explicitly or implicitly limit
qualifying ``acts of terrorism'' to politically, religiously, or other
ideologically motivated actions by specifically-defined groups or
persons. It chose not to do so, instead stating that, for purposes of
the SAFETY Act, an ``act of terrorism'' was simply an intentional
unlawful act intended to cause harm to U.S. persons, property, or
economic interests.
It can only follow then that the SAFETY Act statute can (and is)
interpreted to include cyber attacks as an act that can be considered
an ``act of terrorism'' and may serve as a trigger for the protections
of the SAFETY Act.
Further, it is vital to note that the SAFETY Act Final Rule
includes cybersecurity products and services in its definition of
``Qualified Anti-Terrorism Technologies,'' or ``QATT,'' or technologies
that are eligible to receive SAFETY Act protections.
This point is readily demonstrated by the fact that DHS, through
its Office of SAFETY Act Implementation, has already approved a number
of cybersecurity products and services. By that measure alone, we know
that the SAFETY Act applies to a variety of cybersecurity products and
services.
Still, it is important to understand the statutory and regulatory
basis for the coverage of cybersecurity products and services under the
SAFETY Act.
We can start with the SAFETY Act itself, specifically in 6 USC �
444(1), defines a ``Qualified anti-terrorism technology'' as follows:
``For purposes of this part, the term ``qualified anti-terrorism
technology'' means any product, equipment, service (including support
services), device, or technology (including information technology)
designed, developed, modified, or procured for the specific purpose of
preventing, detecting, identifying, or deterring acts of terrorism or
limiting the harm such acts might otherwise cause, that is designated
as such by the Secretary.'' (emphasis added).
Note that this definition specifically covers ``information
technology'' and, further, that the only characteristic needed by any
product, equipment, service, device, or technology in order to be
considered as a QATT is that the item ``is designed, developed,
modified, or procured for the specific purpose of preventing,
detecting, identifying, or deterring acts of terrorism or limiting the
harm such acts might otherwise cause.''
Thus, by its explicit terms, information technologies--a term that
includes cybersecurity products and services--are eligible to be
considered as a QATT under the SAFETY Act.
We should also consider the QATT definition set forth in 6 CFR Part
25.2, which reads as follows:
``Qualified Anti-Terrorism Technology or QATT--The term `Qualified
Anti-Terrorism Technology' or `QATT' means any Technology (including
information technology) designed, developed, modified, procured, or
sold for the purpose of preventing, detecting, identifying, or
deterring acts of terrorism or limiting the harm such acts might
otherwise cause, for which a Designation has been issued pursuant to
this part.'' (emphasis added).
DHS also explicitly refers to information technologies when
defining Qualified Anti-Terrorism Technologies and also links
``information technologies'' to any Technology designed, etc. to combat
an ``act of terrorism.''
Therefore, any Technology designed, developed, modified, procured,
or sold for the purpose of preventing, detecting, identifying, or
deterring ``acts of terrorism'' will be eligible to be defined as a
QATT. That includes cybersecurity products and services.
I would also refer the committee to the SAFETY Act Final Rule's
definition of ``Technology,'' which is as follows:
``Technology--The term `Technology' means any product, equipment,
service (including support services), device, or technology (including
information technology) or any combination of the foregoing. Design
services, consulting services, engineering services, software
development services, software integration services, threat
assessments, vulnerability studies, and other analyses relevant to
homeland security may be deemed a Technology under this part.''
(emphasis added).
Please note that here again DHS specifically used the term
``information technology,'' once again establishing that cybersecurity
products, equipment, or services will be considered a ``Technology''
for purposes of the SAFETY Act.
Please note too that when elaborating on the types of ``design
services'' that may be considered a ``Technology'' (a definition that
includes various types of software development and support services),
DHS stated that ``analyses relevant to homeland security may be deemed
a Technology under this part.'' See 26 CFR Part 25.2.
The use of the general term ``homeland security'' is of great
import to this hearing. As this committee is well aware, DHS's
``homeland security'' mission is an ``all hazards'' one, which includes
protecting against cyber threats in all forms. Indeed, in recent years
the cybersecurity mission--whether related to terrorist groups, nation-
states, organized crime, individuals, or others--has become a primary
mission area for DHS. It follows then that when DHS defined
``Technologies'' for SAFETY Act purposes to include software services
related to ``homeland security,'' it intended that term to encompass
cyber attacks in their myriad of forms.
In summary, then, there is no question that cyber attacks,
regardless of who conducted them or why, and cybersecurity products and
services are eligible to receive SAFETY Act protections under the plain
language of the SAFETY Act statute and the Final Rule as originally
drafted.
the nation would benefit if congress were to amend the safety act in a
way that makes its coverage of cyber attacks cybersecurity technologies
even more explicit
Despite the fact that the SAFETY Act, as already drafted,
encompasses both cybersecurity products and services and cyber attacks
unconnected to specific ``terrorist'' groups or motivations, too many
people are unsure of whether the SAFETY Act applies to exactly those
items and situations. In short, the only way to rectify the situation
is for Congress to slightly amend the SAFETY Act to make explicit its
coverage of cyber attacks and cybersecurity products and services.
Thankfully, the path and process for clearing up the SAFETY Act's
application in the cyber context has already been blazed, and all this
committee and the House of Representatives need to do is retrace its
steps.
In the 113th Congress, Members of this committee, including
Chairman McCaul, Ranking Member Thompson, Representative Meehan, and
Representative Clarke introduced the National Cybersecurity and
Critical Infrastructure Protection Act (NCCIP).
Section 202 of the NCCIP would have slightly altered the SAFETY Act
by essentially adding two new terms to the existing law: ``Cyber
incident'' and ``cybersecurity technologies.'' These new terms would be
inserted after the words ``act of terrorism'' and ``anti-terrorism
technologies,'' respectively, in the existing SAFETY Act law.
The purpose of these new terms was simple and straightforward: Make
it 100% clear to potential users of the SAFETY Act that the law applies
to cybersecurity products and services as well as to cyber attacks that
one might not colloquially put in the same category as the terrible
events of Sept. 11, 2001 or the Boston Marathon bombings.
These changes were apparently not controversial to this committee
or this Chamber, as H.R. 3696 passed the House by unanimous voice vote.
Unfortunately, due to timing issues that prevented the resolution of
some concerns by a few Senators, Section 202 was not included when the
final version of H.R. 3696 passed the Senate and was signed into law.
Still, I remind this committee again that Section 202 was passed
unanimously by the House, and so this committee should pass the SAFETY
Act clarifying language once again.
This clarification continues to be absolutely vital for a variety
of reasons. First, I can state without qualification to this committee
that the vast majority of eligible SAFETY Act applicants do not realize
after reading its statutory language that the SAFETY Act covers non-
``terrorist''-related cyber attacks or even cybersecurity products and
services in general.
Rather, most people who are not steeped in the nuances and history
of the SAFETY Act simply see the words ``act of terrorism'' and
``Qualified Anti-Terrorism Technologies'' and think only in terms of
al-Qaeda, ISIS, right-wing militias, and the like.
The statute or Final Rule evidences no such limitations, and,
further, there is no legislative history that I am aware of that would
definitively limit the application of the SAFETY Act to such groups,
their actions, or items designed to deter, defeat, or combat them.
Inclusion of Section 202 language would eliminate that confusion.
All parties would now be fully on notice of the application of the
SAFETY Act to cyber incidents and cybersecurity technologies, thus
allowing everyone to get on to the business of deciding whether the
SAFETY Act is right for them or if the product or service merits the
liability protections it offers.
Second, inserting the term ``cyber incident'' would be of great
value to the Executive branch, particularly the Secretary of Homeland
Security. Under the SAFETY Act, the decision to declare an incident an
``act of terrorism'' is assigned to the Secretary of Homeland Security.
Thus she or he is the person who decides whether a company that holds a
SAFETY Act award may actually assert the defense in Federal court.
Without that designation, the defenses of the SAFETY Act are not
available under the law to the SAFETY Act awardee.
As the past few years have demonstrated, the decision of Executive
branch members to declare a particular event an act of terrorism in any
context is a difficult one. From the shootings at Fort Hood to the
cyber attack on Sony Pictures, and even to the recent cyber attack on
the U.S. Office of Personnel Management, the Executive branch treads
very cautiously when deciding how to describe an incident. Creative
terms such as ``workplace violence'', ``cyber vandalism'', or even
references to a general ``security breach'' are used instead of the
``T'' word.
I offer no opinions on the terms used by the Executive branch in
those incidents, yet I would dare say we all agree that there is no
disagreement on their impact on American lives and our economy. Lives
were lost, businesses were crippled, and Government programs have been
crippled for years to come. It is those outcomes--or more specifically
preventing or mitigating them--that Congress was focused on when it
passed the SAFETY Act in 2002.
That is why adding the term ``cyber incident'' as defined in
Section 202 of NCCIP is a vital tool to give to the Homeland Security
Secretary. The Secretary should have the same flexibility to
acknowledge the seriousness of a given incident, and, in the case of
the SAFETY Act, trigger specific liability protections, without having
to utilize a term that may cause a larger than necessary impact.
Section 202 thus represents a simple tool with which to wield the
SAFETY Act with greater delicacy.
Finally, I must emphasize that the language of Section 202 only
clarifies the SAFETY Act and is entirely consistent with the original
intent of the law. Section 202 does not expand the SAFETY Act, as have
argued.
When one looks back at the creation, implementation, and use of the
SAFETY Act, it has always been clear that the purpose of the law has
been to promote the use by the private sector of useful and effective
security products and services in order to deter or mitigate massively
damaging unlawful events.
The SAFETY Act was designed to help mitigate those events by
providing the possibility of limited liability protections following
the unlawful ``act of terrorism.'' These liability protections were
deemed needed because of concerns about potentially endless litigation
following a major attack.
Time has borne out those concerns. The attacks of 9/11 spurred
litigation that lasted more than a decade and whose costs ran well into
the hundreds of millions of dollars. Similar litigation arising out of
the 1993 World Trade Center attack also lasted for more than a decade,
and now every new terrorist incident spurs numerous new lawsuits.
Cyber attacks are no different. High-profile attacks spur multiple
lawsuits, and indeed the cost of managing litigation post-cyber attack
is beginning to represent one of the most expensive consequences of a
cyber attack. Considering that millions of cyber attacks occur daily,
and that these attacks are growing more sophisticated and successful
with each passing moment, liability protections for cybersecurity
vendors and users are absolutely critical.
This is especially true given that many of these attacks are
conducted by foreign governments and are essentially unstoppable by the
private sector. That fact will not deter plaintiffs' counsel, however,
and so no matter how good a product is or how much is invested in
defensive programs, companies will still face massive litigation. That
trend cannot continue, and so it is only proper to use the SAFETY Act
as originally intended to control that outrageous trend.
In summary then, clarifying--but not amending--the SAFETY Act so
that it explicitly covers cyber incidents and cybersecurity
technologies is not only appropriate given the seriousness of the cyber
threat. It is also appropriate given the general misunderstanding of
how the SAFETY Act works and the need to provide flexibility to the
Homeland Security Secretary when determining whether to let the
protections of the SAFETY Act be applied.
optimizing use of a clarified safety act
Clarifying the SAFETY Act so that it clearly applies to non-
``terrorist'' cyber attacks and cybersecurity products and services
will have multiple benefits. Please allow me to highlight two examples
of improved cybersecurity this committee would likely support that
would benefit from a clarified SAFETY Act.
(1) ``Cyber Risk Groups''
One challenge facing private-sector companies when implementing
cyber defenses is how to effectively cooperate with other companies to
protect themselves and best use their limited resources. Particularly
using a clarified SAFETY Act, companies could use risk-pooling
mechanisms to increase their defenses and better mitigate risk.
Risk-pooling mechanisms come in a number of forms, including ``risk
purchasing'' and ``risk retention'' groups. Those groups allow
collections of companies (usually similarly situated in terms of
industry sector) to jointly purchase or create insurance coverage that
would otherwise be unavailable or excessively expensive.
Here's how it can work:
1. A group of similarly-situated companies agree to form a risk
purchasing or retention group in order to obtain cybersecurity
insurance.
2. The companies agree to use certain security standards or
technologies (for instance SANS 20 controls, ``detonation
chambers,'' information sharing via dedicated ``private
clouds,'' the recent National Institutes of Standards and
Technologies voluntary cybersecurity framework, etc.)
3. The companies then pool their resources to either jointly
purchase an existing cyber insurance policy or to create a pool
of insurance that they would maintain.
4. The risk group also agrees to pursue SAFETY Act protections for
the standards it has created and committed to adhering to.
5. As part of the agreement, any company that fails to adhere to
the security standards will be asked to leave the group at the
next renewal period.
Using a clarified SAFETY Act on top of the insurance pool
effectively limits the exposure of the group to the amount of insurance
they have purchased, or even a portion thereof.
Further, this arrangement also potentially allows more of the
insurance funds to be used for losses the company has directly suffered
(damaged equipment, lost data, business interruption, etc.) rather than
losses suffered by third parties.
The pool arrangement allows companies to collaborate and establish
a baseline of security that each would commit to maintaining, all of
which fall under the umbrella of a review by DHS. None of this would be
possible without a clarified SAFETY Act.
I would add the pooling/risk purchasing agreement would be of
particular value to small businesses or ones that serve historically
underserved communities. For instance, cooperatives that provide
utility services would benefit greatly from this arrangement as it
would allow them to provide broader cybersecurity at reasonable costs
to their members. Considering that their members are in historically
underserved communities, this would be an excellent public benefit
every member of this committee could support.
(2) ``Cyber HMOs''
A challenge this committee and others have faced is how to use
cyber insurance to promote best cybersecurity practices. That problem
remains unsolved, but I contend a clarified SAFETY Act can help the
Nation better utilize insurance solutions.
First, I start with the proposition that cyber attacks are a
constant threat, much more akin to medical claims than property or
casualty claims. We know they will occur on a regular basis, and so
insurers need to establish an infrastructure that supports constant
care over a lifetime.
Following on the health care analogy, cyber insurers should view
their policies through the lens of a health insurance model and not a
general liability or casualty policy. In my mind, it follows then that
cyber insurers should develop cyber policies using a ``HMO'' model.
Under that model, the insurer's goal will be to promote the
``right'' kinds of claims--ones that encourage healthy behavior. Yet
even with the incentivizing of healthy behavior, inevitably some sort
of disease will work its way into the blood stream. The cyber HMO model
works well here too as it will support interventional care that
prevents minor scratches from developing into a serious infection.
A best-case scenario would work out this way: A ``cyber HMO'' is
established, which companies can gain access to by paying monthly
premiums along with associated ``co-pays,'' ``deductibles,'' and
similar expenses typically associated with a health insurance plan.
That cyber HMO plan would give the insured access to a vast network
of cybersecurity vendors and professionals at discounted rates that
could be called upon in the event of a problem (the ``co-pays'' and
``co-insurance'' equivalents).
The cyber HMO plans would also provide low-cost or even free access
to basic ``cyber hygiene'' care, such routine diagnostic examination of
information technology systems, perimeter defense systems, and other
basic defense systems (the ``annual physical'' and ``low-cost or free
vaccine'' equivalents).
More ``advanced'' defense systems could be subject to a higher co-
pay and deductible, and companies could even chose to go ``out of
network'' if they want, but they would have to shoulder more of the
cost.
The clarified SAFETY Act would help here, too, by helping decide
whether a cybersecurity product or service should be ``covered'' under
this insurance model. By encouraging the use of products or services
vetted by DHS through the SAFETY Act, the HMO and its policyholders
would have greater confidence in the tools they are using to promote
cyber health.
The ``cyber HMO'' is one that actively rewards healthy cyber
behavior--a Gordian knot that no carrier has been able to untie yet
using traditional insurance models. That's a critical piece of the
cybersecurity puzzle, as the challenge has been how to get companies to
engage in effective cybersecurity, rather than any form of
cybersecurity.
conclusion
Thank you for the opportunity to testify before the committee
today. I will be happy to answer any questions you might have.
Mr. Ratcliffe. Thank you, Mr. Finch.
The Chair now recognizes Mr. Biagini for 5 minutes for his
opening statement.
STATEMENT OF RAYMOND B. BIAGINI, PARTNER, COVINGTON AND BURLING
Mr. Biagini. I thank you, Mr. Chairman. Thanks for having
me here. I thank the Members of the committee for this
opportunity. Indeed, it's a privilege to speak with you about
the possible expansion of the SAFETY Act to cover qualifying
cyber incidents.
Let me address in short what I see as the key questions for
this committee's consideration.
First, are liability protections needed to incentivize
companies to enhance their own cybersecurity systems and to
incentivize providers of cyber solutions to design more
effective technologies? I believe the answer is yes.
In short, we face a potentially devastating existential
cybersecurity threat. As I outline in my written remarks, the
magnitude of this threat cannot be overstated. The 9/11
Commission authors likened a cyber attack on U.S. critical
infrastructure to the terrorist threat before September 11,
calling the cyber domain as the battlefield of the future.
Those distinguished authors of the Commission report
recommended legislation to incentivize the design and
deployment of cybersecurity. We only have to look at the recent
hack at OPM to confirm that the cyber wolf is knocking at our
critical-infrastructure door.
There is also a sense that corporations are moving too
slowly to upgrade and enhance their own cybersecurity within
their corporate walls.
Regarding cyber insurance, carriers often lack the data
they need to quantify losses from cyber attacks. When they do
write cyber insurance, it often has large deductibles,
inadequate limits, and exclusions for attacks by nation-states.
This is particularly concerning for companies involved in
cybersecurity in the critical infrastructure arenas of health
care, financial, electrical, and energy.
The laudable efforts by NIST to get companies to
participate in the basic cyber hygiene program may be
progressing too slowly. So I believe the enormity of the risk,
coupled with the slowness of corporations' self-policing, and
with some softness in the insurance markets, a surgical,
legislative, incentivizing solution is appropriate.
But the second question is: Why turn to the SAFETY Act as a
vehicle to be used for this incentivizing approach?
I have had the fortunate experience over the past 13 years
to not only witness but to play an active role in the
significant evolution of the SAFETY Act, as itself a truly best
practice among homeland security companies big and small. The
SAFETY Act has, in fact, stimulated companies to do cutting-
edge research, design, development, and deployment of anti-
terror technology and to incur the end-users to buy and deploy
SAFETY Act technologies.
From the very beginning of the act, small companies have
benefited. The first recipient of SAFETY Act coverage was a
small company, Michael Stapleton Associates, who got SAFETY Act
coverage for their anti-terror training regimen for bomb-
sniffing dogs.
Fast-forward to today. DHS is granting SAFETY Act coverage
to the likes of the Port Authority of New York and New Jersey
for a complement of highly sophisticated anti-terror
technologies to protect the new Freedom Tower. They have
provided SAFETY Act coverage to the Kentucky International
Airport and its cybersecurity programs and to a small and
growing number of cybersecurity companies providing
vulnerability assessments and resiliency testing of cyber
networks.
The SAFETY Act Office has shown that they can expedite
coverage when deployments are subject to Federal contracts and
give great weight to technologies that have preexisting
positive track records in the Federal or military space.
In short, the SAFETY Act and its implementers have shown a
demonstrable ability to evolve and address emerging
technologies of increasing complexity. Properly resourced, I
believe they can do so in the SAFETY Act if it is expanded
through this amendment.
I want to mention that I know--that, indeed, the SAFETY Act
is helping to improve the technology that is out there, and
here is why. Every day, almost every week, I get approached by
companies that would like to pursue SAFETY Act coverage, and
many, many times I tell them they are not ready. They are not
ready for SAFETY Act coverage at this time, because they don't
have the bona fides yet. They may not have had sufficient
testing done or self-evaluation of their technologies. They may
not have done important hazards analysis or risk analysis. They
may not have done the operational and training manuals that the
SAFETY Act Office will require them to have.
Many, many times, those same applicants come back around
about 2 months later or 3 months, and they have the bona fides,
and they have improved their technology, and now they are ready
to seek SAFETY Act coverage. So, in this sense, the SAFETY Act
has, indeed, acted as a gatekeeper.
The last point I would like to make, Mr. Chairman, is that,
as you mentioned, oftentimes the SAFETY Act--amending the
SAFETY Act to cover cyber attacks. Cyber attacks cannot often
be attributed to terrorists. It just makes sense to amend the
SAFETY Act, because cyber attackers, by nature and often
deliberately, do not leave behind the ``whodunnit'' signature
that terrorists crave, in fact proclaim, after they commit a
horrific attack. The amendment here properly focuses on the
``what,'' did the cyber attack cause material damage severely
affecting the United States, not on the ``who,'' in terms of
whether it was a terrorist or not.
I believe that the cause here is worthy, the circumstances
are sufficiently compelling, and I believe the results will be
salutary.
Thank you, Mr. Chairman.
[The prepared statement of Mr. Biagini follows:]
Prepared Statement of Raymond B. Biagini
July 28, 2015
Good afternoon. Thank you, Chairman Ratcliffe, and the Members of
this subcommittee, for the opportunity--indeed privilege--to speak with
you today about this important topic of potentially expanding the U.S.
SAFETY Act to provide needed liability protections arising out of
``qualifying cyber incidents,'' as that term is described in the
proposed amendment. I support the proposed approach.
I have a particularly keen interest in this topic, and note that I
have always been hesitant to engage in activities that might lead to
the amendment of the SAFETY Act, because I am the original author of
the core liability protection provision of the SAFETY Act. I wrote that
provision in June 2002 at the request of some of our law firm's
homeland security contractor clients. Together, we examined the legal
landscape and homeland security marketplace immediately following the
horrific attacks of 9/11 and quickly recognized the need for new
legislation to address key public policy needs:
To stimulate companies, large and small, to research,
design, develop, and deploy cutting-edge anti-terror technology
without fear of enterprise-threatening liability suits.
To stimulate the terror insurance market which had stopped
providing terror coverage after the 9/11 attacks.
To enhance homeland security in the United States and
abroad.
Guided by these policy considerations, I drafted in June 2002 the
``Certification'' section (now Section 863(d)(1), (2), and (3)) of what
became the U.S. SAFETY Act, passed by Congress in November 2002 as part
of the Homeland Security Act. In short, the SAFETY Act is landmark
legislation, eliminating or minimizing tort liability for sellers or
providers of anti-terror technology (``ATT'') approved by U.S.
Department of Homeland Security (``DHS'') should suits arise in the
United States after an act of terrorism.
As described more fully below, DHS has awarded SAFETY Act coverage
for hundreds of cutting-edge anti-terror products and services since
its inception in 2002, thereby satisfying many of the policy concerns
described above. In fact, in many respects, the SAFETY Act has become a
homeland security industry ``best practice'' risk management technique,
spurring companies, including small businesses, to research, design,
develop, and deploy anti-terror technology to protect America without
fear of ``enterprise-threatening'' tort liability should there be
another 9/11 terror incident. But given the remarkably rapid expansion
over the past several years of increasingly penetrating cyber attacks
on key sections of the American economy and Government infrastructure,
it is time to thoughtfully consider a surgical upgrade of the SAFETY
Act so that that law can ``catch up'' to the realities of the cyber
threat we now face. In short, the proposed legislation recognizes a
fundamental principle: The ``trigger'' of liability protections for a
``qualifying cyber attack'' should turn not on the identity of the
attacker, i.e., is he or she a terrorist, but on the severity of the
attack on critical U.S. interests. Moreover, this amendment will begin
to requite the public policy concerns that existed in 2002 and exist
today--the need to incentivize companies to further develop cutting-
edge cyber solutions and to upgrade and enhance their cybersecurity
systems; and the need to stimulate the availability of cyber insurance,
particularly for key high-value cyber targets in the energy, aviation,
electrical, and health care industries. These public policy and
marketplace dynamics auger for thoughtful consideration of this
proposed legislation.
a. key features of the safety act
1. Liability Protections
Should a company obtain SAFETY Act tort protection from DHS, these
protections fall into one of two categories:
``Certification--the highest form of protection--creates a presumption
that the seller of ATT is immediately dismissed from suit unless clear
and convincing evidence exists that the seller acted fraudulently or
with willful misconduct in submitting data to DHS during the
application process. Certification coverage also eliminates punitive
damages claims; requires that any suit after an act of terrorism be
filed in Federal court; and caps the awardee's liability, usually at
its terror insurance limits.''
Certification coverage is usually awarded by DHS when the
applicant's technology has been widely deployed and has a track record
of ``proven effectiveness.''
The lesser form of SAFETY Act coverage is known as ``Designation''
coverage and is usually provided when the anti-terror technology has
limited actual deployment in the field:
``Designation--provides all of the protections under Certification
coverage except the presumption of dismissal.''
Importantly, certification and designation protections apply ``up
and down'' the supply chain, i.e., the awardee's subcontractors,
vendors, and distributors ``derivatively'' obtain the same SAFETY Act
tort protections as the awardee. But most important, those that buy or
deploy SAFETY Act-approved technology--whether they are commercial or
Government customers--also are protected derivatively from tort
liability arising out of an act of terror.
2. Limits on the Liability Protections
The SAFETY Act's liability protections are triggered only if DHS's
Secretary designates a particular incident an ``act of terrorism''
under the SAFETY Act. ``Act of terrorism'' is defined as an unlawful
act causing harm to a person, property, or entity in the United States,
using or attempting to use instrumentalities, weapons, or other methods
designed or intended to cause mass destruction, injury or other loss to
citizens or instrumentalities of the United States. The Secretary of
DHS will determine on a case-by-case basis whether a particular
terrorist attack is covered under the SAFETY Act. This threshold
statutory requirement to first designate a particular attack as an
``act of terrorism'' under the SAFETY Act before the liability
protections are applicable is an obvious limitation that may not be
necessary or appropriated in considering whether to expand the SAFETY
Act to ``qualifying cyber incidents.''
The SAFETY Act can also apply ``extraterritorially,'' i.e., even if
the act of terror occurs outside the United States, the SAFETY Act can
apply to suits filed in the United States so long as the ``harm,'' to
include financial harm, is suffered by U.S. persons, property,
instrumentalities, or entities. And SAFETY Act protections can also
apply ``retroactively'' to cover anti-terror technologies that an
applicant has already deployed and which are substantially equivalent
to those technologies for which it has obtained coverage.
The SAFETY Act defines ``loss'' as death, injury, or property
damage, including business interruption loss. The definition of ``anti-
terror technologies'' includes ``any product, equipment, service
(including support services), device, or technology (including
information technology)'' which has a material anti-terror purpose.
Finally, in order to obtain the tort liability protections, an
applicant for SAFETY Act coverage must carry terror insurance which
will respond to third-party tort liability suits arising out of a
covered act of terrorism. The cost of the insurance cannot unreasonably
distort the pricing of the anti-terror technology. The terror coverage
limits usually become the applicant's ultimate ``cap'' on liability. In
practice, if an applicant does not have terror coverage, the SAFETY Act
Office will work with the applicant to find terror coverage at a price
that the applicant can afford.
b. the safety act as implemented since 2002
Over the past 13 years, particularly in the last 7-8 years, DHS has
vigorously implemented the SAFETY Act, providing coverage to hundreds
of companies--from small businesses to some of the largest corporations
in the world--for the anti-terror products or services they provide in
the United States and abroad. In fact, the first SAFETY Act award went
to a small company, Michael Stapleton Associates, for its bomb-sniffing
dog training regimen, its X-ray screening, and bomb detection system.
Representative SAFETY Act awards over the past 13 years include
coverage for:
threat and vulnerability assessment protocols;
airport baggage handling systems;
biometrically-secured airport identification and access
system under the Registered Traveler Program;
perimeter intrusion detection systems;
cargo inspection systems deployed at ports and borders;
physical security guard services;
secure broadband wireless communications infrastructure and
command-and-control systems;
lamp-based infrared countermeasure missile-jamming systems;
anti-IED jamming systems.
In some of these cases, the SAFETY Act Office was able to
``expedite'' its review and award of coverage by giving weight to the
fact that these anti-terror products and services had proven
effectiveness through long-term deployments with Federal and military
customers.
Importantly, DHS has also awarded SAFETY Act coverage to private
and quasi-Governmental entities for their security protocols,
procedures, and policies used to determine the nature and scope of
security they deploy to protect their own facilities and assets.
Specifically,
a major chemical company obtained coverage for its facility
security services, including its vulnerability assessments,
cybersecurity, emergency preparedness and response services,
and its perimeter security, at its facilities that were
governed by the Maritime Transportation Security Act;
the Cincinnati/Northern Kentucky Airport obtained coverage
for its security management plan, its operations and training
procedures for its airport police, rescue, and firefighting
personnel, its emergency operations center, and airport
security plans;
the New York/New Jersey Port Authority obtained coverage for
the security assessments and design/architectural engineering
services incorporating security-related design features at the
New Freedom Tower and World Trade Center site;
the NFL obtained coverage for the stadium security standards
and compliance auditing program;
three large professional sports venues obtained coverage for
their security practices and protocols;
the New York Stock Exchange Security System obtained
coverage for its command-and-control and integration of a
multi-layered security system.
These significant awards, as well as the fact that the Federal
Acquisition Regulations now require Federal agencies issuing homeland
security solicitations to first consult with the DHS SAFETY Act Office
to determine if expedited coverage is appropriate, have helped the
SAFETY Act toward reaching its full potential.
c. the proposed legislation: a limited but appropriate expansion of the
safety act to cover qualified cyber incidents
1. Current Atmospheric Conditions
The cyber threat to U.S. Governmental institutions and critical
infrastructure as well as to commercial entities is increasing at an
alarming rate. Examples include:
the recent hack into OPM affecting over 22 million
individuals, apparently by China;
the 2014 attack on J.P. Morgan involving cyber theft of data
belonging to 76 million households, likely by Russia;
the attack on Sony Pictures, apparently by North Korea;
the indictment of 5 Chinese military officials for hacking
proprietary data held by Westinghouse and U.S. Steel.
Indeed, on July 22, 2014, the 9/11 Commission authors likened the
threat of a cyber attack on U.S. critical infrastructure to the
terrorist threat before September 11, 2001, calling ``the cyber domain
as the battlefield of the future.'' These authors urged legislation to
incentivize enhanced cybersecurity. Further, the United States has
identified cyber attacks as the single greatest threat to National
security and at the forefront of the Nation's defense and critical
infrastructure, characterizing cyber attackers as undeterred by the
threat ``we'll shutdown your systems'' if you attack ours.
In addition to these policy-level concerns, market dynamics are at
work. Many companies are slow to improve their systems to prevent or
mitigate against an attack. Cyber insurance for key sectors of the
economy, especially critical infrastructure, e.g., health, financial,
can be hard to get and expensive, often containing significant
exclusions. The U.S. goal to strengthen cybersecurity resilience by
having industry voluntarily follow NIST guidelines is progressing
slowly. DHS, Commerce, and Executive branch agencies have suggested
that tort mitigation legislation may be necessary to stimulate industry
to enhance cybersecurity and the insurance industry to increase its
footprint in the cyber market.
2. Why Amend the SAFETY Act to Cover Non-Terror-Based ``Qualifying
Cyber Incident?''
There are numerous reasons that a discriminate expansion of the
SAFETY Act makes sense as a means to mitigate increasing cyber threats.
The first has to do with the inherent characteristics and differences
between a cyber versus terrorist attack. In the latter, public
ownership and notoriety of who the perpetrator is, remains a distinct
goal and desire of those perpetrating a terrorist attack. Also, while
their methods of accomplishing the terror attack are usually simple and
``low-tech,'' what matters to the terrorist is that the victims (as
well as his competitors) know WHO committed the heinous act. By
contrast, the cyber attacker prefers to be cloaked in secret, to act
stealthily, not revealing highly-complex methods, sources, or
signatures, while being able to suddenly and massively disrupt broad
technological networks. As such, the proposed SAFETY Act amendment
appropriately focuses on whether a qualifying cyber incident causes
``material levels of damage'' and ``severely affects'' the United
States, as the ``trigger'' for coverage, not on whether the attacker
can be labeled a ``terrorist.''
Second, over the past 13 years, pursuit of SAFETY Act coverage has
become a ``best practice'' for companies in the homeland security
market, which necessarily requires such companies to demonstrate
``proven effectiveness'' of their anti-terror products or services.
Indeed, DHS already has awarded coverage for certain cybersecurity
solutions and technologies. DHS's focus on ``proven effectiveness''
will apply equally to cyber solution providers and those companies that
are deciding on the quality and scope of their cyber threat protections
program. As such, the SAFETY Act should have the salutary benefit of
improving the quality of cyber technology and use, thereby hardening
networks and enhancing the level of cybersecurity generally throughout
the United States.
Third, as a prerequisite to obtaining SAFETY Act protection, the
Act has always required an applicant to maintain terror insurance
coverage; the amendment would similarly require an applicant to
maintain cyber insurance to obtain the protections. This combination of
liability protections and insurance requirements spurred the terror
insurance markets to open up and will likely have the same effect on
cyber insurance markets, particularly in the highly-vulnerable
aviation, health, electric, and energy critical infrastructure arenas.
Similarly, if SAFETY Act liability protection is provided to those
companies providing proven cyber solutions, especially to high-value
targeted industries, the insurance markets will likely respond
positively because of the layer of immunity and claims-elimination
protection afforded to its insureds if they are sued after a
``qualifying cyber incident.''
Fourth, the procedures for obtaining SAFETY Act coverage have been
demonstrated to be reasonably predictable and, when needed, nimble.
These procedures include protocols for expediting or ``fast-tracking''
applications; modifying a coverage award when a company's technology
has materially changed; and renewing coverage after an initial award.
Companies who fail to update DHS with material changes to their
technology or fail to provide the technology or service as outlined to
DHS in obtaining SAFETY Act coverage could find themselves without
protection should a lawsuit arise.
That said, the challenge for the SAFETY Act Office will be to
obtain the necessary resources and expertise to handle an increased
number of cyber-based SAFETY Act applications and to be able to nimbly
but meaningfully review cyber applications which inherently involve
changing technologies and threat environments.
Finally, the proposed legislation does not conflict with the Senate
information-sharing and monitoring bills. These bills focus on the
important need to enhance a specific critical activity--the sharing of
cyber threat information between and among commercial and Governmental
entities--by providing protection for such sharing and monitoring
companies from liability arising out of these specific activities. The
proposed House legislation is focused on those companies that design,
develop, and deploy and use cyber solutions, e.g., threat and theft
protection; vulnerability assessments; fraud and identity protection,
etc. The House legislation is meant to incentivize a broad swath of
providers and users of such cyber technology by providing significant
tort protections afforded under the SAFETY Act should a ``qualifying
cyber incident'' occur.
conclusion
The proposed legislation to discriminately expand the SAFETY Act is
reasonably calculated to address both policy-based concerns and market
dynamics. Its emphasis on the severity and impact of the cyber attack
and not on the identity of the attacker as the trigger for protection
is appropriate. DHS's continued requirement that a technology--cyber or
otherwise--have a record of ``proven effectiveness'' and the statutory
requirement to carry cyber insurance, will likely spur higher quality
technology and more available insurance. The challenge for the DHS
SAFETY Act Office will be to have sufficient qualified resources who
can conduct meaningful and timely reviews in an atmosphere of rapidly-
changing technology and threats. In the end, this amendment, like the
original SAFETY Act, should be driven by a common spirit and intent: To
take proactive legislative incentivizing steps now--to avoid a
catastrophic debilitating incident involving a major critical
infrastructure or economic sector of the United States. This proposed
discriminate amendment of the SAFETY Act is a step in the right
direction.
Mrs. Watson Coleman. Mr. Chairman.
Mr. Ratcliffe. Thank you, Mr. Biagini.
The Chair now recognizes Mrs. Watson Coleman.
Mrs. Watson Coleman. Thank you, Mr. Chairman, and thank
you, Mr. Langevin.
I just want to take this opportunity to acknowledge and
welcome and thank Dr. Andrea Matwyshyn for being here today and
being a part of this very impressive panel.
Dr. Matwyshyn is currently the Microsoft visiting professor
at the Center for Technology Policy at Princeton University,
which is part of the 12th Congressional District that I am
proud to serve.
She is a legal academic studying technology innovation and
its legal implications, particularly corporate information. In
2013 to 2014, she served as a senior policy advisor and
academic in residence at the U.S. Federal Trade Commission,
focusing her work on corporate information security issues.
She is a full professor of law at Northeastern University
and a faculty affiliate of the Center for Internet and Society
of Stanford Law School. She has had many very impressive
appointments at many very impressive schools, from the Wharton
School, the University of Pennsylvania, all the way to the
Singapore Management University, Cambridge University,
University of Oxford, and Notre Dame.
Prior to entering academia, she was a private attorney,
focusing her work on technology transactions. She has
previously testified on issues of information security, and she
is called upon and often quoted on these issues.
We are delighted to have her today, and thank you for
having this hearing and providing this opportunity for us to
hear from her.
Thank you.
With that, I yield back.
Mr. Ratcliffe. The gentlelady yields back. I thank the
gentlelady for that introduction, and also glad to have you as
part of our subcommittee today. A number of the Democratic
Members of this subcommittee are traveling with the President
presently overseas, so we very much appreciate you being here
with us today.
With that, the Chair recognizes Dr. Matwyshyn for 5 minutes
for her opening statement.
STATEMENT OF ANDREA M. MATWYSHYN, VISITING PROFESSOR, CENTER
FOR INFORMATION TECHNOLOGY POLICY, PRINCETON UNIVERSITY
Ms. Matwyshyn. Thank you.
Chairman Ratcliffe, Member Langevin, and other
distinguished Members of the subcommittee, it is my great honor
to be with you here today to discuss the topic that I have
devoted my academic career to studying: Information security
and the National crisis that we face in working toward making
our Nation more secure, both in terms of our defense and in
terms of our economy in particular.
The SAFETY Act was passed in 2002, and, at that time, it
undoubtedly served as a critically-stimulating impetus for the
emergence of physical space products from entrepreneurs to
enable our society to move toward a more secure physical
environment. However, the SAFETY Act in 2015 is, unfortunately,
not an optimal fit for the information security ecosystem.
The information security ecosystem is one that is driven by
constant, frequently overnight, innovation. As such, expanding
or interpreting the SAFETY Act to provide liability limitation
for product, certain products only, in the information security
ecosystem will disrupt rather than encourage an already
successfully burgeoning market of cutting-edge information
security products and services.
The market is projected to reach approximately $93 billion
worth of information security products and services in the next
2 years. We are seeing many successful IPOs; we are seeing
venture capitalists investing heavily.
Expanding or including information security within the
SAFETY Act liability limitations will, in essence, negatively
shift the purchasing behaviors of companies away from
determining products based on the recommendations of their
information security engineers and code quality toward the
recommendations of CFOs, general counsel, and other perhaps
less technologically-sophisticated individuals who are
concerned about risk mitigation rather than information
security first and foremost.
As such, the certification period is not a fit for
information security technologies. Instead, it is likely to
engender a false sense of security in enterprises and may,
unfortunately, incentivize them to, for example, fail to comply
with the new ISO standards in information security or to obtain
the relevant information security policies that the insurance
industry increasingly offers, with over 50 major insurance
companies now having robust offerings set in this space.
The next few points I will briefly mention are elaborated
upon more thoroughly in my written testimony.
As I was preparing for this hearing, the availability of
information regarding the transparency of the process of
certification was, in my opinion, not as thorough as I would
have hoped to be able to have an objective assessment of it. In
particular, it is critical that any certification that provides
the substantial benefit of a limitation of liability be driven
by an independent, rigorous, third-party testing, including
penetration testing and all the state-of-the-art technology
measures that would be best suited to this kind of
certification.
With DHS having, unfortunately, limited capability in
enforcement, this means that companies may be unwilling to
correct their technologies in a timely manner when DHS even
finds a problem. In fact, we see this behavior from companies
in the current marketplace.
So the expansion or inclusion of the SAFETY Act limited
liability framework for information security products would,
unfortunately, I believe, create disincentives to fix, timely
patch, and well-disclose in security advisories the types of
information that is absolutely critical to companies and to our
agencies in defending us in a holistic approach with respect to
the information security threats that we face.
Context is everything, and the only way that we will
succeed in defending our Nation and our economy is through a
multi-lateral, coordinated approach between the public sector
and the private sector that is sensitive to this set of moving
pieces that need to be coordinated simultaneously.
Finally, the expansion of this limited liability could
impair the work of other agencies, including the FCC and the
FTC. I have Federalism concerns, where the States, I believe,
are the appropriate laboratories of experimentation first for
any liability limitation approach.
Thank you.
[The prepared statement of Ms. Matwyshyn follows:]
Prepared Statement of Andrea M. Matwyshyn
July 28, 2015
Chairman Ratcliffe, Ranking Member Richmond, Representative
Langevin, and other distinguished Members of the committee, it is my
honor to be here with you today to discuss the future of information
security in the United States and the SAFETY Act. My testimony today
reflects cumulative knowledge I have acquired during my last 16 years
as both a corporate attorney and academic conducting research on the
legal regulation of information security. My testimony also reflects
the practical business knowledge I have obtained through long-standing
relationships with insiders at Fortune 100 technology companies,
technology entrepreneurs, consumer rights advocates, and independent
information security professionals. Finally, this testimony is informed
by insights acquired during my service as the Federal Trade
Commission's Senior Policy Advisor/Academic in Residence, advising on
matters of information security.
During the last decade, awareness of information security has
dramatically increased in both the public and private sector, and State
data security statutes have contributed significantly to this
improvement. However, the field of information security is still in its
early years, and the overall level of information security knowledge
and care that currently exists in the United States is still
inadequate. As high-profile data breaches such as the security failures
of organizations such as OPM and Sony permeate the news, citizen
confidence in the data stewardship capabilities of both companies and
Government agencies is eroding. Dramatic information security
improvements are necessary throughout both the public and private
sector, and it is this social context that frames today's legal and
policy conversation around the SAFETY Act.
The SAFETY Act's primary feature--a grant of limited liability to
companies whose products are certified by the Department of Homeland
Security and to their customers--is a poor fit for stimulating
improvements and incentivizing adherence to best practices in
information security. SAFETY Act certifications for information
security products are not likely to lead to improved information
security in either the public or private sector. Instead, such grants
of limited liability for information security products and services are
more likely to have the inverse effect. They are likely to
unintentionally create incentives for lower quality in information
security products and services, indirectly undermining National
security and consumer protection advancement.
1. Limitations of liability are likely to disrupt information security
innovation in the marketplace--an outcome that contradicts the goals of
the SAFETY Act--and to create disincentives for corporate purchasing
based on information security technical efficacy
The marketplace for information security products and services has
dramatically evolved since the passage of the SAFETY Act. While the
SAFETY Act's liability limitation incentives for creation of new
information security products may have been helpful in 2002, in 2015
they are unnecessary. The market for information security is robust and
has matured significantly: According to some estimates, sales of
digital security products and services are likely to approach $80
billion worldwide in 2015 and rise to $93 billion in the next 2
years.\1\ Information security company companies are successfully
obtaining venture capital easily and engaging in IPOs,\2\ and high-
quality information security products are successfully appearing in the
market. Because of this healthy market growth, any selective liability
limitation incentives injected today by the SAFETY Act are likely to be
undesirably disruptive and damagingly counterproductive to the
successfully blooming market for information security products and
services.
---------------------------------------------------------------------------
\1\ http://www.betaboston.com/news/2015/07/17/cybersecurity-firm-
rapid7-raises-103m-in-years-first-boston-tech-ipo/.
\2\ Id.
---------------------------------------------------------------------------
Because of the fast pace of innovation in information security, it
is likely that the liability protection offered to certified products
by the SAFETY Act will outlive the optimal technical efficacy of those
certified products. Yet, any technology deployed during the period of
designation is protected for the lifetime of designation. Indeed, the
older a certified product becomes, the more outdated and potentially
vulnerable it is likely to become, particularly because material
changes may require DHS notification/refiling to maintain
certification. Meanwhile, the SAFETY Act liability shield remains
constant across time. Thus, it is precisely the older, potentially more
vulnerable certified technologies that may command a lower pricepoint
and superficially appear most cost-effective to corporate decision
makers without technical expertise.
As a consequence, business purchasing incentives could undesirably
shift away from maximizing best practices in information security in
favor of maximizing liability limitation. Corporate CFOs and general
counsels will be likely to override the technical judgement of the CISO
and their information security engineers in at least a portion of
corporate information security products purchasing decisions. Companies
will therefore likely shift away from purchasing based primarily on
technical efficacy toward purchasing information security products
based on whether they are certified under the SAFETY Act, even when
those certified products may be of inferior technical quality or a
worse business fit. In granting limitations of liability to only
certain information security companies under the SAFETY Act, DHS would
unnecessarily manipulate an already-competitive information security
marketplace, potentially hindering adoption of new information security
technologies in favor of older ones.
A significant and growing portion of the information security
expert community does not view the use of liability limitation
approaches as the correct path to improving public and private-sector
information security. As vulnerabilities will increasingly lead to
potential loss of human life,\3\ code quality and information security
rigor in products become paramount. Similarly, sophisticated technology
companies with heavy investments in information security in many cases
do not necessarily support limitations of security liability, and they
are concerned that less ethical companies are misrepresenting the
quality of the security in their products and services. Due to low
enforcement and lack of information security liability, the market
currently inadequately sanctions misrepresentations of information
security quality in products and services. Liability limitation for
information security products will only exacerbate this code quality
problem, unfairly disadvantaging the companies who purchase the best-
of-breed information security products based on technical information
security concerns and enterprise fit rather than based on DHS
certification.
---------------------------------------------------------------------------
\3\ http://www.wired.com/2015/07/jeep-hack-chrysler-recalls-1-4m-
vehicles-bug-fix/.
---------------------------------------------------------------------------
Selective liability limitation through the SAFETY Act also
disadvantages information security start-ups. Start-ups are most likely
to be allocating resources to code development at the expense of
allocating budget to the legal resources necessary to apply for a
certification under the SAFETY Act. Yet, security start-ups sometimes
offer the most appropriate product for a particular information
security corporate need from a technical perspective.
2. The level of technical rigor in procedures in the SAFETY Act
certification process are suboptimally transparent
Pursuant to my review of available information regarding the SAFETY
Act certification process, the process of certification is currently
suboptimally transparent. Available DHS materials raise material
concerns regarding the technical rigor and thoroughness of the vetting
process for certification of information security products and
services. DHS states in informational materials on its website
regarding the certification process that it views itself as
``nonregulatory'' and that a body of unidentified ``technical experts''
will provide ``suggestions.'' The process appears to be largely
applicant self-reported with respect to product and services
performance and quality. It is not clear from available DHS materials
that DHS performs any independent penetration testing, analysis of code
quality, assessment of patching speed or quality review of self-
reporting through prior applicant security advisories during the
process of evaluating applications. Members of the information security
research community have also raised various concerns regarding the
process.\4\ For example, my consultations with private-sector
vulnerability database experts have yielded potentially important
unanswered questions regarding the quality of currently-certified
information security products' advisory release history.\5\
---------------------------------------------------------------------------
\4\ http://www.csoonline.com/article/2918614/disaster-recovery/
fireeye-offers-new-details-on-customer-liability-shields-under-the-
safety-act.html.
\5\ Interview with content managers at OSVDB.
---------------------------------------------------------------------------
An applicant-driven, non-transparent process is not optimal for a
Governmental process culminating in the substantial privilege of a
grant of limited liability for harms resulting from information
security inadequacy. When these process ambiguities are added to the
sub-optimally precise definitions in the SAFETY Act regarding the
classification of security incidents and the broad discretion afforded
to DHS in interpretation, substantial concerns exist regarding the
current structure of the certification process.
3. Grants of limited liability for information security products are
likely to negatively impact timely patching, code integrity vigilance,
and the quality of advisory disclosures in certified information
security products
DHS currently lacks adequate enforcement authority to require
correction of corporate information security inadequacies or to stop
companies from selling dangerously vulnerable products in the
marketplace. In fact, as expressly stated with visible frustration in
DHS advisories, companies feel at liberty to brazenly disregard DHS's
demands for correction of even serious security vulnerabilities in
their products and services.\6\ Adding a layer of liability protection
under the SAFETY Act for information security products would only
exacerbate this bigger DHS enforcement problem, creating additional
incentives for certified companies to neglect or delay patching or
updating of their products.
---------------------------------------------------------------------------
\6\ https://ics-cert.us-cert.gov/advisories/ICSA-14-084-01 (``Festo
has decided not to resolve these vulnerabilities, placing critical
infrastructure asset owners using this product at risk.'')
---------------------------------------------------------------------------
Removing risk of liability eliminates an important corporate
incentive for timely patching, internal vigilance regarding code
quality, and release of adequate security advisory notices. The primary
information security challenge faced in the marketplace today is
policing the consistent quality of information security products and
services in light of their increasing vulnerability across time.
Deteriorating quality and unpatched information security products
create a false sense of security and leave their users vulnerable to
attack. The liability limitations of the SAFETY Act do nothing to
improve the quality and integrity of information security products.
Instead, they potentially create perverse incentives for lower levels
of product and services vigilance through a liability buffer for
certified companies.
4. Grants of limited liability under the SAFETY Act for information
security products may indirectly disrupt information security
enforcement work of other agencies, harming our economy and National
security
DHS's selective certification of particular information security
technologies and grants of liability limitation may hinder the work of
other agencies working to improve information security. In particular,
the work of the Federal Trade Commission, Federal Communications
Commission, Securities and Exchange Commission, and Consumer Financial
Protection Bureau may be impacted. These and other agencies are
currently expanding efforts to police the quality of information
security and data stewardship offered by businesses to consumers and
business partners. These agency efforts are still in their nascence in
many cases, but ramping up swiftly. A limitation of liability would
potentially meaningfully circumscribe these agencies' efficacy in using
fines or disgorgements to obtain redress for consumer, businesses, and
National security harms arising from information security inadequacy.
This is an undesirable limitation on important work by other agencies
aimed at improving information security in our economy.
5. Limiting States' rights to impose liability for corporate
information security misconduct will further erode consumer trust and
damage innovation in the United States
Information is only as secure as the weakest link in the chain of
possession. Therefore, it is essential that the highest possible floor
of information security be created across organizations in both the
public and private sector. However, the field of information security
law is very young, and best practices of conduct continue to evolve
rapidly. As such, determining the best legal regime for addressing
information security liability will require experimentation on the
State level to arrive at an optimal legal framework. A broader social
and scholarly conversation on information security policy is
desperately needed, and it requires time to develop. At this juncture I
believe strongly that it is dramatically premature and undesirable to
Federally limit liability for information security misconduct
demonstrating a lack of due care in any form, including through the
SAFETY Act.
States have traditionally been the laboratories of experimentation
for novel legal approaches to liability. The best course of action with
respect to any consideration of limitation of liability is one
exercising deference to Federalism concerns and States' regulatory
interests in redressing the harms of their citizens for information
security harms. Different States engage with consumer protection
questions in different ways, and no National consensus currently exists
with respect to the best course of action for information security
liability. Federally imposing the model of the SAFETY Act liability
limitations undesirably breaks with the Federalist tradition of
deference to State liability determinations. It also disrupts the
traditional deference of allowing State contract law to be the primary
source of liability shifting determinations between contracting
parties. Information security companies are usually represented by
attorneys who may lack SAFETY Act expertise but who are amply capable
of negotiating contractual limitations of liability with business
partners, as are, in turn, the attorneys of the companies that rely on
those information security. Contract and tort law are already beginning
to adequately rise to the challenges presented by the information
security marketplace, and Federal intervention into software liability
limitation is not necessary and premature at this juncture.
Thus, I strongly urge this committee to exclude information
security products and services from the SAFETY Act and avoid legal
approaches driven by limitations of liability in information security.
Selectively granted limitations of liability through the SAFETY Act
will hinder innovation in information security and negatively disrupt
the information security marketplace. They are also likely to
indirectly damage National security and stifle consumer protection
efforts of other agencies.
Instead, I urge this committee to engage with a number of untried
and more promising approaches likely to stimulate wide-spread
information security improvements in the private sector. One approach
that holds significantly greater promise is the repurposing of SAFETY
Act funding toward phased-out information security tax incentives
across 10 years for small businesses and entrepreneurs. These tax
benefits would offer incentives for enterprises that are operating on
tight budgets to invest in information security education, hire
security personnel, and purchase information security goods and
services. A tax incentive approach does not suffer from the significant
negative secondary consequences described above, and it offers a more
immediate and direct impact on improving private-sector information
security.
Mr. Ratcliffe. Thank you, Dr. Matwyshyn.
The Chair now recognizes myself for 5 minutes for
questions.
So I think, as I listen to the testimony of all three of
you, where I found agreement is that you all believe that the
SAFETY Act itself is working very well or as it was originally
intended, and the SAFETY Act Office, likewise, is a very
properly functioning part of DHS currently.
I think you would all probably also agree, as we all would,
that we do need to incentivize the creation of cyber
technologies to provide solutions and protections for what is a
very obvious and public threat to our cybersecurity right now
across this country.
Obviously, where I did hear disagreement was Dr. Matwyshyn,
essentially, her testimony is--or your opinion, Doctor, as I
understand it, is you don't think that the SAFETY Act or the
SAFETY Act Office is the best place for this and could be
disruptive, I think as you said, to the information security
ecosystem.
So let me start with Mr. Finch and Mr. Biagini and give you
an opportunity to comment on that.
Mr. Finch. Well, I would disagree for several reasons.
First of all, first, when it comes to cutting-edge
technologies being introduced into the marketplace, I actually
think that one of the critical problems that we see when it
comes to information security is that too many companies, as
well as the Federal Government, rely on outdated technologies
for far too long.
A critical problem that I have seen on a regular basis, for
instance, is that far too many organizations rely on outdated
signature-based technologies, standard anti-virus technologies.
Part of the reason that is, particularly in the private sector,
is that companies are extremely concerned about liability when
they switch technologies. If they switch from a proven
technology to one that is, ``advanced'' or ``experimental,''
they are concerned that they can face liability for making a
``wrong decision,'' and that there would be allegations of
negligence or failure to exercise due diligence.
The SAFETY Act would give a level of comfort that: (A) The
product has been vetted, and, (B), that there is some measure
of liability protection associated with its use.
The other point I would make is that, when you go through
the SAFETY Act certification process--and I know Mr. Biagini is
exceptionally familiar with this, as am I--it is one of the
most rigorous processes that you will ever encounter when it
comes to determining whether or not there is a rigorous quality
control, quality analysis, and continuous improvement process
in place. You will not receive SAFETY Act protections unless
you have in place a rigorous program to ensure that your
product continues to work once it is deployed and that you
continue to match threats. It is not fire and forget.
In addition, when the Department grants you liability
protections, it clearly defines the threats that the device
will protect against and what the liability protections will
protect against. So if you have a standard signature-based
anti-virus program, it will not offer you protections against
non-signature-based, polymorphic, heuristic, behavioral-based
malware with constantly-changing software.
So simply having a SAFETY Act-approved anti-virus
signature-based defense isn't going to protect you and is not
going to be an incentive to not adopt new protections.
Mr. Ratcliffe. Thank you, Mr. Finch.
Mr. Biagini.
Mr. Biagini. Yes, Mr. Chairman. Just a couple of additional
points. I agree with what Mr. Finch said, and I would add, you
know, the comment that there is lots of investment going on,
money is pouring into this area and so forth, what will happen
to all of that if and when there is a giant enterprise-
threatening attack on a critical infrastructure and liability
is massive and is spread around--deaths, injuries, business
disruption, companies' very existence is threatened?
That is what we don't want to have happen. We have to take
the natural next steps to evolve the SAFETY Act to move toward
that full implementation and protect companies to keep that
investment going, No. 1.
No. 2, as Mr. Finch mentioned and you mentioned, Mr.
Chairman, at the beginning about the SAFETY Act process being
an on-going process once you get SAFETY Act coverage,
absolutely correct, it is not a static situation.
You, as an applicant, once you get SAFETY Act coverage, if
you are upgrading your technology, if you are changing your
technology in any material way, you need to go to the SAFETY
Act Office. They are open for business to take on any
modifications. They will do it in real time. The modifications
will occur. Your SAFETY Act coverage will be upgraded to cover
the next versions of what you are making.
So it is a very on-going process that is well done at the
SAFETY Act Office.
Mr. Ratcliffe. Thank you, Mr. Biagini.
In your testimony, you emphasize that severity and impact,
not the identity of the attacker, should be the operative
consideration in triggering SAFETY Act protections.
Can you give a scenario of how coverage for a qualified
cyber incident would be triggered? In answering that, would you
comment on whether or not you think any of the cyber incidents
that have occurred to date rise to that level of severity and
impact?
Mr. Biagini. Well, certainly, I think an attack on the
electrical grid of the United States, nuclear plants, our
energy sources, our water treatment sectors, any attacks like
that that would debilitate, take down our ability to deliver
those kinds of absolute necessities to the American citizenry
would constitute the kind of severely impactful incidents that
would receive coverage under this amendment.
Do any of the ones that have occurred to date, in my mind,
rise to that level? Possibly. Possibly.
But where I think the emphasis ought to be is on critical
infrastructure--as I say, the health care system, the financial
system, the energy systems, the water treatment systems, and so
forth, those that make up the bread and butter, if you will, of
keeping America and the populace well and safe. Attacks on
those that cause great impact and material damage are the types
of attacks I think should be recognized under this amendment.
Mr. Ratcliffe. Thank you, Mr. Biagini.
My time has expired. The Chair now recognizes Mr. Langevin
for 5 minutes.
Mr. Langevin. Thank you, Mr. Chairman.
I again want to thank our witnesses for being here.
Mr. Finch, Mr. Biagini, it seems like you have kind of gone
to the doomsday end of the spectrum on this conversation.
I guess I would like to ask Dr. Matwyshyn if you would
respond and if you would clarify and give your perspective on
that, on the SAFETY Act and liability protection, if that is
the best way, as I touched base in my statement.
But, also, I would like to ask you, and then the panel can
also chime in, does the information security expert community
uniformly support--and I am asking Mr. Richmond's question, to
clarify, on this second half. Does the information security
expert community uniformly support the use of liability
limitation approaches as the correct path to improving public
and private-sector information security?
So we will start with you, Dr. Matwyshyn.
Ms. Matwyshyn. It would be my pleasure to answer those
questions.
Taking the doomsday scenario first and foremost, it would
be devastatingly misguided in protecting our National security
and our economy to allow the general counsel to be selecting
the products that the security team is using in defending our
Nation. When we are talking about that kind of a high-stakes
situation, we need to have the security experts--the engineers,
the chief information security officer--using the state-of-the-
art technology, whether it is certified or not, to defend us
and keep us all safe.
A technology at the end-of-life of certification is still
certified. We could find ourselves with business decision
makers implementing a 5-year-old not-fully-patched technology
in critical infrastructure. That is not the optimal way to
defend us against attack.
Information security changes dramatically, overnight in
some instances. Think about Shellshock; it changed everything.
A technology that hasn't patched for Shellshock 4 years later,
that is a severe problem. That is not the way that we want to
be making these decisions.
The liability doesn't exist yet. The case law hasn't
developed. So the information security ecosystem is not being
crippled by copious liability coming from all directions at
them in the courts. So those concerns are premature.
What is not premature is the significant need to encourage
companies to responsibly implement reasonable security
practices through a holistic analysis of their own enterprise
and to determine the state-of-the-art technologies that best
fit their business needs, particularly in critical
infrastructure.
Members of the information security research community do
not support liability limitation approaches uniformly. In fact,
many of them believe that the best security teams are being
unfairly unrecognized for their efforts because of the weak
enforcement of information security and that companies without
the same degree of care in information security are getting the
benefit of the marketing value of saying that they have top-
notch information security when they actually don't.
So the top-tier information security professionals are not
worried, in many cases, about the risk of liability at present,
because the evolution of the product ecosystem would first
recognize the bottom tier of sub-optimally secure product/
services companies. That ferreting out would be a substantial
benefit to the overall security of our ecosystem and the
economy and our National security.
So the major changes that can happen overnight in security
really require the use of the best technology as it exists in
that moment, not one that is driven by a choice around
liability limitation.
Mr. Langevin. Thank you.
To Mr. Finch and Mr. Biagini, would you care to ask--could
you give us your perspective on that part of the question Mr.
Richmond wanted to ask? Does the information security expert
community uniformity support the use of liability limitation
approaches as the correct path to improving public and private-
sector information security? To your knowledge, have concerns
been raised by technology experts regarding this approach?
Mr. Finch. Well, I obviously can't speak uniformly for the
information security community, Mr. Langevin.
By the way, I very much support and thank you for all your
efforts with respect to cybersecurity. You are truly one of the
leaders in this community. You have done more to bring
attention to this subject than, I think, most people in
Congress, so thank you for that.
But I would say that the information security community is
completely overwhelmed at this point with the number of
threats. I think you would agree that it is really a triage
matter for them at this point. Their problem is just being
overwhelmed with the number of attacks and trying not to get
fired when the incident occurs. It is not an ``if'' the
incident occurs; it is not even ``when.'' It is, how long has
it been occurring? So it's very much, how do we get handle on
this?
Part of the issue that is completely beyond their control
is that they really can't do anything other than try and slow
down the number of events that are occurring. There needs to be
an offensive component of this, which is the responsibility of
the other side of this dais. It's the Executive branch's
responsibility, and that's a subject for another hearing.
But when it comes to liability protection, that's
absolutely a concern of a number of the members of the
information security community, because, remember, now the CIO
and the CISO are getting a seat at the directors and officers
table at this point, and risk management is coming to their
plate. They are sitting in at the board meetings. They are
sitting in at the stockholder meetings. They are learning about
the serious concerns. They are being fired. They are being held
accountable to the boards of directors and to the CEOs and the
CFOs, et cetera.
So, absolutely, liability is of significant concern to them
and how to manage that and, also, how to tell the difference
between what is snake oil and what is not when it comes to
information security technologies.
That's an important consideration when it comes to SAFETY
Act, as well. Even if the liability protections are not
triggered by a declaration from the Secretary of Homeland
Security, whether an act of terrorism or a cyber incident, the
mere fact that it has been reviewed by the Department of
Homeland Security is extremely helpful to a CIO or a CISO.
Mr. Langevin. Mr. Biagini.
Mr. Biagini. Yes, I would add one other concept. I think we
have to be careful not to let the perfect get in the way of the
good, if you will. The SAFETY Act process is a well-established
one. The SAFETY Act Office has shown its ability to review and
approve cybersecurity technologies.
There is great concern about liability in that sphere. It
is on top of mind of many, many companies that I deal with. You
know, the process that has been established over the last 13
years has been a good one; it continues to evolve. I think it
can--I'm certain it can stand and meet and beat the
requirements that might be upon it with this amendment.
So I would second Mr. Finch's remarks that liability is a
driver here among the industry members. Even though there
hasn't been a, if you will, debilitating attack yet leading to
that kind of enterprise-threatening liability, what we don't
want to do is wait for that to happen and then try to act with
appropriate legislation.
Mr. Langevin. Thank you, and yield back.
Mr. Ratcliffe. The gentleman yields back.
The Chair now recognizes the former district attorney from
New York, my colleague Mr. Donovan.
Mr. Donovan. Thank you, Mr. Chairman.
I will just open this up to the panel, because I am not
sure who is the person who would want to answer this or who
would have the expertise.
But don't companies protect their data? Don't nuclear
regulatory power plants protect their systems, and the water
treatment systems, without the incentive of having limited
liability? Why do they need that incentive to do this, take
these measures to protect themselves?
I open that up to anyone who would care to answer.
Or, if no one cares to answer----
Ms. Matwyshyn. I am happy to.
Mr. Biagini. Would you like to?
Ms. Matwyshyn. So I concur with the spirit of your
question. We want our nuclear power plants and water treatment
facilities to engage with the state-of-the-art of security for
the purpose of protecting their operations and be driven by the
desire to defend our Nation and our populace, not by concerns
of limitations of liability and whether they're present or
absent.
That's why the engineering determinations of the state-of-
the-art security technology must take precedence, or we will
inevitably see the data breaches that are permeating our
society currently and the types of serious incidents that are,
unfortunately, regularly happening continue and escalate.
The OPM breach, for example, that was much less the--if we
look at the root causes, it was, yes, we have malicious actors
on one side, but there were some basic, fundamental errors that
could have been caught through a thorough internal audit and
review process.
So we have standards, such as the ISO standards, now that
will encourage companies and other organizations to perform
these rigorous internal audits. We all need to learn and grow
together to defend ourselves together as a country rather than
look for ways to limit liability and just try to engage with
reasonable standards of security.
The liability will, in my opinion, not emerge if companies
simply engage with reasonable security measures. I trust our
federalist structure of letting our courts across various
States work with these issues and letting various States
decide. No officer and director will ever be fired for conduct
that reflects the state-of-the-art use of security practices.
So the risk does not exist when companies engage with these
issues in a rigorous technical manner.
Mr. Donovan. The other two gentlemen, Mr. Biagini or Mr.
Finch.
Mr. Finch. Yes. I think companies are very much invested in
cybersecurity. I know that for a fact. Every director, every C
suite member that I speak to is extremely concerned about
cybersecurity. They know it's a problem; they know they need to
do something about it.
Where they are held up, where they are paralyzed, frankly,
is what do we do? They are hearing so much about, what is
state-of-the-art, what is the best practice? Frankly, it
changes depending on who you're talking to and what the news of
the day is, with respect to a new vulnerability or a new
attack.
Let's remember that our adversaries truly have the
advantage when it comes to cyber attacks. To use military
parlance, they have complete freedom of movement. They can pick
the time, the place, and the manner of their attack, with
absolutely no concern about being prosecuted or having their
actions interfered with. There is no threat that a law
enforcement agency--particularly if you're operating under the
protection of a foreign government or in a lawless area, no law
enforcement agency, no government is going to come after you
and disrupt your planning. So you can take your time and
practice until you get it right.
So, no matter how advanced your defense is, you will be
penetrated. Breach after breach has demonstrated that. In a
world where 500,000 pieces of malware are created on a daily
basis, there is no way any company is going to be able to
defend against that.
To the doctor's point, what is reasonable? That is the
question. That is absolutely the question. I think what we're
forgetting here is that it's not necessarily about whether
there's going to be a liability, finding a liability; it's
about getting to the point of when a determination is made
regarding liability. It's going to be extraordinarily
protracted and expensive in order to get to that point.
Litigation related to the 1993 World Trade Center bombing
went on for over 15 years. Litigation related to the 2001
September 11 terrorist attacks went on for over a dozen years.
Hundreds of millions of dollars were spent in legal fees.
Now, as two lawyers at the table, that sounds really nice,
but, frankly, as an American, I don't want that to happen. I'd
much rather see that we have companies investing in the right
technologies to mitigate those events and likely stop those
events or make sure that the losses are far less significant
than they actually were on those two terrible days.
Mr. Donovan. My time has run out.
Mr. Biagini, if I could just ask you a second--a different
question. Who determines what the best practices are? Is it
DHS? Is it the industry that determines the best practices? If
this amendment to the SAFETY Act is done, what is going to give
those companies the protection under that limited liability?
Who is going to make that determination?
Mr. Biagini. Congressman, a couple responses to that.
Oftentimes, when we file SAFETY Act applications, there are
industry standards involved, there are regulatory standards
involved, there are company standards and internal standards
involved that are in play with an application. When the SAFETY
Act Office gets an application like that, they look at all of
those. They look to see that you're complying with, if not
exceeding, the various standards that may apply.
In the situation with cybersecurity, I think we'll have
something similar. We'll have regulatory standards. We'll
probably have NIST guidelines. We'll have company standards.
We'll have industry standards. The SAFETY Act Office will be
looking at all of that, as they do with any application, to
look for compliance and exceeding compliance.
Back to your initial question about, well, aren't companies
already protecting themselves, what I do for a living is I
defend against tort suits that are filed in court, and I
represent companies that get sued. Oftentimes, when all they
can show is they're complying with minimum standards, whether
it's an industry standard or a regulatory standard, in court,
that doesn't go very far. That won't get them a very good
defense.
So, in order to incent them to go above and beyond whatever
these minimum standards may be, whether they're industry or
otherwise, I think that's why we're talking today about the
possibility of the SAFETY Act providing those additional
incentives.
Mr. Donovan. Thank you.
Mr. Ratcliffe. The gentleman yields back.
The Chair now recognizes my friend from Pennsylvania, Mr.
Perry.
Mr. Perry. Thank you, Mr. Chairman.
Mr. Finch, I think, as has been noted in testimony, many
companies are slow to make improvements to their management of
cyber risk because security costs money, obviously.
How do you think amending the SAFETY Act to cover
cybersecurity gives companies further incentives to adopt cyber
best practices, if so?
Mr. Finch. Well, first of all, utilizing SAFETY Act-
approved technologies and services or going through the process
actually helps contain costs, whether it's the risk-management
cost associated with insurance--and, as Mr. Biagini noted as
well, the actual improvement in processes, policies, and
procedures, this is very much a best practices review
internally as much as it is a liability review.
So you actually obtain efficiencies by going through this
process and identifying problems that you have internally that
are fixed going through the SAFETY Act process. They have to be
fixed in order to obtain SAFETY Act protections. I have had any
number of applicants say to me afterwards, ``We're a better
company for having gone through this process.''
Mr. Perry. But what's the cost? I mean, is there, like, a--
is there some kind of way to measure the cost by either your
revenues or your sales of your personnel or some way to measure
the cost per increment to determine--I mean, at the end of the
day, everybody's got to meet the bottom line, so----
Mr. Finch. Absolutely. It's an individualized analysis. To
be perfectly frank, there are a number of companies that elect
not to go through the SAFETY Act process because they don't
necessarily think that it is in their economic interest to do
so, whether it's because their liability concerns aren't that
significant or they don't have the dollars and they're
satisfied just relying upon insurance.
But the companies that feel that their liability concerns
are so great, they look at the potential expense of this
process--which is free, by the way. It is a free process. The
Department of Homeland Security doesn't charge anything. Where
money is involved, it's internal personnel time involved in
putting together an application. If you need to retain outside
counsel or a consultant, you can have someone work with you in
order to put that application together. That typically runs in
the tens of thousands of dollars. When you amortize that over a
5-year period, it's not very much money for a company to go
through that process.
But, at the end of the day, you know, you did hit on a very
important point, which is that, you know, companies don't have
unlimited amounts of money to spend on cybersecurity. They
still have to operate a successful business. This is actually a
very important point that we need to talk about, as well, which
is that companies could spend as much money as they have in
their treasury on cybersecurity products and services and best
practices, and they will still get breached, and they will
still face litigation after that breach for having negligent
design or negligent implementation of their security program.
In all likelihood, that case will still go to a jury or to
a decision by a court. Companies will say, well, what are we
supposed to do in order to actually prove that we did the right
thing? They may eventually be vindicated in court. I'm sure if
someone like Mr. Biagini is representing them, they will come
out just fine. But, again, they will wind up spending a lot of
money on something like that.
So we want to avoid that kind of situation. We want to give
them confidence and say, look, not only are you doing the right
thing and spending your money wisely, but we'll also give you a
little bit of limited liability protection, not a complete
grant of immunity--that's not what this program is--but we will
give you some liability protections.
One other thing I would like to say very quickly. I think
that if you were to include cyber attacks and cybersecurity
technologies as a small amendment to the SAFETY Act, one of
most exciting opportunities that I see being utilized in this
context is shifting the focus from cyber defenders to other
companies involved in information technology.
When I was in 7th grade, I had a project in wood shop where
we had to take an egg, and, using a few small pieces of paper
and wood sticks, we had to build a crate around the egg and
drop it from 5 feet and hope that the egg didn't break. Of
course, I failed. I'm not very good at technical things, which
is why I'm a lawyer. I'm also not good at math, full
disclosure. But the point is that cybersecurity is like that
brown paper around the egg. What's the underlying egg? It's the
hardware and the software.
That hardware and software has lots of bugs and
vulnerabilities. I think a wonderful application that is
waiting out there is to have the underlying software and
hardware developers go through the SAFETY Act process.
As Mr. Biagini knows--he talked about it with the airports,
the port authority, et cetera--the infrastructure itself, not
necessarily the defensive technologies, is now actually
applying. Wouldn't it be great if Adobe Flash actually built
security into its own product so we didn't have to design all
these security products to stop it from having vulnerabilities
that are exploited by the Chinese and the Russians?
Mr. Perry. Thank you, Mr. Chairman. I yield.
Mr. Ratcliffe. The gentleman yields back.
Because we have a number of questions that haven't been
answered, the Chair will entertain a second round of questions.
I recognize myself for 5 minutes.
So, Mr. Finch, to the points that you were just making with
regard to litigation and limited liability and the costs
associated with that, I guess I would like to hear a little bit
about how the SAFETY Act Office currently works with insurance
companies.
Then, separately, can you discuss how adding cyber
incidents as a trigger to the SAFETY Act would potentially spur
growth in the cyber insurance marketplace? You know,
underwriters and actuaries grapple with risk analysis, and it
would seem to me that this change would help with that, but I
would like your perspective on that.
Mr. Finch. Sure.
With respect to the SAFETY Act Office working with the
insurance community, it works with a number of carriers as well
as brokers to help determine what the marketplace is for
insurance. Because, remember, under the SAFETY Act statute,
there are actually statutory limitations as to the types of
insurance or the amounts that the SAFETY Act can impose as a
requirement on applicants. There are two. No. 1, an application
cannot be forced to carry more insurance than is available on
the world market. Second, an applicant cannot be forced to
carry an amount of insurance that would unreasonably distort
the price of their product, i.e., make them uncompetitive.
So the SAFETY Act Office has to stay somewhat in contact
with the carrier and broker community in order to understand
what the terrorism insurance marketplace will look like and
will now also have to stay in contact with the cyber insurance
marketplace to understand what that looks like.
Again, it is an interesting one, because the cyber
insurance marketplace mostly relates to data breaches, at this
point. It is actually a fairly limited marketplace, only about
$3 billion in global capacity. The most insurance that any one
company can obtain is maybe $200 million, $250 million for a
data breach. Note what is missing: Physical damage, personal
injury, loss, et cetera. That is not an insurance marketplace
that is really available.
Having the SAFETY Act out there, having carriers know that
they can sell this insurance but, with the SAFETY Act, they
will actually be insuring products and services that they know
have been vetted, will help them. It will help them collect
data that will be useful for actuarial purposes and actually
provide a more stable marketplace that will support their
business model at the end of the day.
I would also add, too, that I was recently at an insurance
conference, and it's a fairly obvious point but not one I had
necessarily thought of--and, again, another failing of mine is
sometimes I miss the very obvious things right in front of my
face. But we as individuals do not carry one insurance policy
for everything in our life. We have life insurance, we have
disability insurance, we have health care insurance, we have
automobile insurance, we have homeowners insurance, et cetera.
For some reason, we have been thinking about cybersecurity
insurance as a one-policy-fits-all program. I don't think that
is correct. I think there are multiple cyber insurance policies
that need to be available.
I think the SAFETY Act would actually help stimulate that,
whether it is my cyber HMO model, whether it is the
reimbursement policies that we're currently taking about or
some other types of cyber insurance programs that we haven't
even thought about at this point. The problem is so broad and
so significant that the SAFETY Act could help serve as a
stimulus to really diversify the insurance marketplace.
Mr. Ratcliffe. Mr. Biagini.
Mr. Biagini. Yeah, just a few comments on that.
Think about it in this sense. If an insured has these
liability protections and they end up being a first line of
defense should there be a cyber incident that results in
lawsuits, the carrier is going to be more willing to sell
insurance into that scenario, into that potential situation, if
it already knows that the insured could defend itself in those
lawsuits well with these kind of tort protections.
That is exactly what has happened when the SAFETY Act was
passed initially, is it granted these presumption of dismissal
protections, it capped liabilities, and so forth. That
stimulated the insurance market back into action, along with
the passage of TRIA. So I've seen a direct connection over the
years in that sense.
Also, you know, when an applicant comes to the SAFETY Act
Office and is trying to get SAFETY Act coverage and doesn't
have insurance--terror insurance, in this case--the SAFETY Act
Office will work with that applicant, will look for quotes in
the insurance market that would be consistent with the revenues
that this applicant is generating from this particular
technology.
It is a very synergistic process whereby the SAFETY Act
Office is being very responsive to that applicant. It is also
pulsing insurance and getting insurance involved and ultimately
writing insurance for that--having that applicant get a modicum
of insurance in order to get the SAFETY Act coverage. So it is
a very--there's a lot of synergy with the whole process of
getting SAFETY Act coverage with the insurance industry.
Mr. Ratcliffe. Thank you, Mr. Biagini.
Dr. Matwyshyn, as I read your testimony, your written
testimony, it seemed to me that your perspective is that the
liability limitation that would be granted through the SAFETY
Act would be a disadvantage for cybersecurity start-ups.
It would seem to me that most folks would see a SAFETY Act
designation or a certification that comes with the rigorous
vetting that DHS would do--would see that as an advantage. So I
want you to comment on how you see it as a disadvantage.
Ms. Matwyshyn. I'd be happy to.
The first step in being able to file for the certification
requires hiring a very expensive attorney. When two high-level
information security engineers get together in a garage to
start a start-up, they don't have that money. They are
frequently the ones who are creating the state-of-the-art
security products.
So we are disadvantaging their new, fledgling start-up,
which may be the state-of-the-art technology and best capable
to defend us and our infrastructure, in the purchasing decision
of a corporate decision maker who looks at the choice of
security technologies not solely through the lens of the
technical rigor of a security engineer but perhaps primarily
through the lens of liability limitation, broadly speaking, and
other corporate concerns.
Getting the state-of-the-art technologies in place is the
paramount goal, to the extent we can achieve it inside our
economy and inside our infrastructure. So that's my concern
with the entrepreneurship limitations that would result, I
think, from an expansion of this act.
Mr. Ratcliffe. Thank you, Dr. Matwyshyn.
Gentlemen, I want to give you--my time has expired, but I
want to give you an opportunity to respond to what you just
heard from Dr. Matwyshyn and that perspective that she has.
Mr. Biagini. Well, the doctor may be interested in knowing
that, oftentimes, we take on clients that we don't bill and
that have a technology that would make a difference in the
marketplace. They need to be able to get it off the ground.
They need to be able to sleep at night that, if they do sell it
into the marketplace, they won't get sued out of existence if
there is a terrorist attack or, in this case, a cyber incident.
Having SAFETY Act coverage has been the difference, many
times, between that small company that decides to just sit on
the sidelines and not do any further development and getting
the coverage which gives them a boost in the marketplace,
confidence to sell their technology into the marketplace
without the fear of being sued out of existence. That has
happened many times in my practice.
Mr. Ratcliffe. As a follow-up to that, do you happen to
know what percentage of SAFETY Act certifications right now go
to small businesses?
Mr. Biagini. I would not. I would just be guessing.
Mr. Finch. Mr. Chairman, I think that would actually be a
question for the Office of SAFETY Act Implementation, which
actually leads me to a point I'm rather remiss in not making
earlier, which is that I do think what's been left out of this
discussion is how well the Office of SAFETY Act Implementation
operates. I would dare say that they are the best-functioning
element within the Department of Homeland Security.
You know, we may have our disagreements with them at times,
but I've always found them to be fair and reasonable. They are
extremely dedicated to their work. To Dr. Matwyshyn's point,
they are exceptionally helpful to small businesses and are
very, in fact, proud of the fact that they will work with small
businesses to help guide them through the process without the
aid of counsel or a client.
It is, of course, a voluntary program. There is no
obligation to retain an attorney. The clients that Mr. Biagini
and I represent typically want to retain an attorney because
this is fundamentally a legal process and the general counsel
wants to have a counsel involved. But there are also plenty of
companies that do this on their own. I know, in particular,
that there are any number of small companies that have gone
through this process and have done so quite successfully on
their own, working with the SAFETY Act Office, which is
dedicated not to approving applications just for the sake of
approving them but helping applicants be successful.
Mr. Ratcliffe. Thank you, Mr. Finch.
The Chair now recognizes Mr. Langevin for his questions.
Mr. Langevin. Thank you, Mr. Chairman.
Before I begin, just to answer the Chairman's question,
from CRS, in 2013, 60 technologies were approved under the
SAFETY Act, including 22 from small businesses, that's 37
percent; 14 from medium-size businesses, that's 23 percent; and
24 from large businesses, or 40 percent.
So, if I could, I will go to Dr. Matwyshyn before I have a
couple questions I'd like to ask.
This has obviously been a wide-ranging discussion today and
great point-and-counterpoint, which is how I would like to
debate. So I will ask if there is anything that really stands
out that you would like to mention for the record. Then I have
a couple questions.
Ms. Matwyshyn. Yes, just a few points.
First and most fundamentally, the question of whether an
enterprise is compromised or attacked goes to whether there are
underlying vulnerabilities. So the first step in a strong
information security program of any sort is the self-analysis
to identify those vulnerabilities. Buying a product that has a
certification will not address the underlying corporate
information security problems that exist in various
enterprises.
Also, those purchased products are frequently
misimplemented. So having the in-house staff necessary to
engage with the technical-rigor piece of this is absolutely
essential.
But one historical fact that, if I may, I'd like to bring
to our attention is that there is a robust evolution happening
in contracting practices across various entities with respect
to information security liability shifting. So we have private-
sector, private-ordering solutions that are getting at some of
these problems that we're talking about today. We just need to
let the market work through some of these problems in private-
ordering ways.
So some of the liability concerns, to the extent they
exist, are being addressed contractually now. That's exactly
what happened after September 11. I was a practicing corporate
attorney at that time, and we modified our contracts. So there
were new provisions that were incorporated as needed to shift
liability to address some of these types of new risks that were
emerging.
To the extent that the information security insurance
market is emerging, it's my understanding that there is some
granularity in the types of policies based on the types of
enterprise that the particular insurance companies are
targeting.
So I think the major point that I'd like to emphasize is
that the underlying defensive posture of the vulnerable
enterprises needs to be the focal point of any successful
holistic information security improvement program and ensuring
that they are fixing the challenges that they face, the
problems that they have in terms of vulnerabilities in the code
that's implemented inside their organizations, first and
foremost. Then the secondary concerns of purchasing various
products to assist them, that is a second-tier concern. The
underlying problematic flaws that they may have in their
enterprise is where we start, in terms of the approach.
The last point I'll just quickly mention. To that end, I
think we have not yet tried certain other types of incentive
programs, such as, for example, tax incentives to small
businesses to encourage them to engage with education in
information security, hire more information security staff, or
to conduct meaningful self-audits and get auditors in.
So, personally, I think that tax incentives would be a
stronger way to go to raise the bottom level of the floor of
information security across our economy. So I'd submit that as
a potential other avenue.
Mr. Langevin. Sure. Thank you. I like that point, as well.
So, as a matter of fairness, I want to give both to Mr.
Finch and Mr. Biagini the opportunity to say--to ask if there's
anything in particular that you've been champing at the bit to
clarify or add.
But before I could do that, if I could just ask this one
question. Hopefully, we can do this very briefly. Following up
on the Chairman's earlier question, I'd like to ask each of you
specifically, is there a cyber incident since 2002 that you
believe should be Classified under a definition of
``cybersecurity incident''?
Mr. Finch. Oh, there could be several. I think that the
data breach at USIS theoretically could be a cyber incident.
While that was targeted and only involved 250,000 or so
records, that was conducted by a nation-state, and that was
done purposefully for espionage purposes and to commit harm. It
could cause all sorts of National security and other types of
harm. So that, theoretically, could be a cyber incident.
If there was actual dollar losses associated with the
distributed denial-of-service attacks by the Iranian Government
and its cohorts against the banking industry, I believe it was
about 2 years ago now, theoretically, that could be a cyber
incident, as well.
We've been fortunate in that there's been no kinetic events
that have occurred within the United States, but they have
occurred. There's been gas pipeline explosions in Turkey. There
has been destruction of furnaces in industrial plants in
Germany, I believe it was. Those would certainly qualify as
cyber incidents.
I also think, though, that, you know, we're fortunate in
that, you know, I'm sort-of struggling a little bit to identify
some particular cyber incidents. That shows that--one concern
that I've heard is that this may be overused. It actually
demonstrates that this is something that wouldn't necessarily
be used that often. Much like there has been no declared act of
terrorism because, knock on wood, we haven't truly had a
significant act of terrorism on United States soil since 9/11.
In situations where we have had some, such as the Boston
bombing or if you want to call the recent events in Chattanooga
an act of terrorism, which, again, is beyond my purview, there
really weren't any SAFETY Act-approved technologies or services
in the area such that there was a need to designate the event
an act of terrorism.
But I do feel confident in saying that, with the spread of
advanced cyber attacks capabilities, it's coming. When you can
go out on the Dark Web and buy malware for $30, when you can
buy zero-days for a couple hundred dollars or maybe $1,000 or
$2,000, and you can buy the services of hackers for less than
the cost of getting one of my daughters to clean her room,
which is not a lot of money--and, in my case, my daughters
still don't do it--the point is that there will be some
significant, significant events that will occur in the near
future, and we will all, unfortunately, realize that we live in
a very dangerous cyber era.
Mr. Langevin. With the Chairman's indulgence, if you'd have
any points that you are champing at the bit to clarify or add?
Mr. Biagini. No. Just that, prior to 9/11, I remember a
number of companies doing a lot of investment in anti-terror
devices and homeland security activity, and then 9/11 occurred,
and all of a sudden there was things that dried up. The
insurance dried up for terror coverage. Companies were not
willing to do any more investment in R&D for homeland security
technology. We had to stimulate that, and we did, through the
SAFETY Act and TRIA and so forth.
I just don't want us to be in that situation, where we do
nothing here, we say status quo; an attack occurs that we can
all agree on is of the kind that we're talking about; and then
we're standing here saying, why didn't we do something when we
had a chance?
We have a chance to be proactive and to get out ahead of
this and do the kinds of things that will stimulate and make
sure that we are belt-and-suspendering all of this, as the
doctor alluded to. I think this is one of the tools to do that.
Mr. Langevin. Okay. Very good.
My time is way over. I will yield back.
But, if I could, Mr. Chairman, I know that Mr. Richmond had
additional questions, and I have additional questions. If I
could, without objection, I'd like to submit those for the
record. If our witnesses would respond to those in writing,
we'd be grateful.
Mr. Ratcliffe. Absolutely.
The gentleman yields back.
I thank all of the witnesses here for your valuable
testimony and the Members for all of their questions.
As Congressman Langevin said, some Members have additional
questions, which we'll ask you to respond to in writing.
Pursuant to committee rule 7(e), the hearing record will be
held open for a period of 10 days.
Without objection, the subcommittee stands adjourned.
[Whereupon, at 3:45 p.m., the subcommittee was adjourned.]
[all]