[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]

CYBERSECURITY OF THE INTERNET OF THINGS
=======================================================================

HEARING BEFORE THE SUBCOMMITTEE ON INFORMATION TECHNOLOGY OF THE COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM, HOUSE OF REPRESENTATIVES, ONE HUNDRED FIFTEENTH CONGRESS, FIRST SESSION

OCTOBER 3, 2017

Serial No. 115-40

Printed for the use of the Committee on Oversight and Government Reform

Available via the World Wide Web: http://www.fdsys.gov and http://oversight.house.gov

U.S. GOVERNMENT PUBLISHING OFFICE, 27-760 PDF, WASHINGTON : 2018

Committee on Oversight and Government Reform

Trey Gowdy, South Carolina, Chairman
John J. Duncan, Jr., Tennessee
Darrell E. Issa, California
Jim Jordan, Ohio
Mark Sanford, South Carolina
Justin Amash, Michigan
Paul A. Gosar, Arizona
Scott DesJarlais, Tennessee
Trey Gowdy, South Carolina
Blake Farenthold, Texas
Virginia Foxx, North Carolina
Thomas Massie, Kentucky
Mark Meadows, North Carolina
Ron DeSantis, Florida
Dennis A. Ross, Florida
Mark Walker, North Carolina
Rod Blum, Iowa
Jody B. Hice, Georgia
Steve Russell, Oklahoma
Glenn Grothman, Wisconsin
Will Hurd, Texas
Gary J. Palmer, Alabama
James Comer, Kentucky
Paul Mitchell, Michigan
Greg Gianforte, Montana

Elijah E. Cummings, Maryland, Ranking Minority Member
Carolyn B. Maloney, New York
Eleanor Holmes Norton, District of Columbia
Wm. Lacy Clay, Missouri
Stephen F. Lynch, Massachusetts
Jim Cooper, Tennessee
Gerald E. Connolly, Virginia
Robin L. Kelly, Illinois
Brenda L. Lawrence, Michigan
Bonnie Watson Coleman, New Jersey
Stacey E. Plaskett, Virgin Islands
Val Butler Demings, Florida
Raja Krishnamoorthi, Illinois
Jamie Raskin, Maryland
Peter Welch, Vermont
Matt Cartwright, Pennsylvania
Mark DeSaulnier, California
Jimmy Gomez, California

Sheria Clarke, Staff Director
Robert Borden, Deputy Staff Director
William McKenna, General Counsel
Troy Stock, Subcommittee Staff Director
Kiley Bidelman, Clerk
David Rapallo, Minority Staff Director

Subcommittee on Information Technology

Will Hurd, Texas, Chairman
Paul Mitchell, Michigan, Vice Chair
Darrell E. Issa, California
Justin Amash, Michigan
Blake Farenthold, Texas
Steve Russell, Oklahoma

Robin L. Kelly, Illinois, Ranking Minority Member
Jamie Raskin, Maryland
Stephen F. Lynch, Massachusetts
Gerald E. Connolly, Virginia
Raja Krishnamoorthi, Illinois

C O N T E N T S

Hearing held on October 3, 2017

WITNESSES

Mr. Matthew J. Eggers, Executive Director, Cybersecurity Policy, U.S. Chamber of Commerce
    Oral Statement
    Written Statement
Mr. Tommy Ross, Senior Director of Policy, The Software Alliance (BSA)
    Oral Statement
    Written Statement
Mr. Josh Corman, Director of the Cyber Statecraft Initiative, Atlantic Council
    Oral Statement
    Written Statement
Mr. Ray O'Farrell, Chief Technology Officer, VMware
    Oral Statement
    Written Statement

APPENDIX

Opening Statement of Representative Gerald E. Connolly
Questions for the record for Mr. Eggers, submitted by Chairman Hurd
Questions for the record for Mr. Ross, submitted by Chairman Hurd
Questions for the record for Mr. Corman, submitted by Chairman Hurd
Questions for the record for Mr. O'Farrell, submitted by Chairman Hurd

CYBERSECURITY OF THE INTERNET OF THINGS

Tuesday, October 3, 2017

House of Representatives, Subcommittee on Information Technology, Committee on Oversight and Government Reform, Washington, D.C.

The subcommittee met, pursuant to call, at 2:19 p.m., in Room 2247, Rayburn House Office Building, Hon. Will Hurd [chairman of the subcommittee] presiding.

Present: Representatives Hurd, Mitchell, Issa, Amash, Gianforte, Kelly, Raskin, Connolly, and Krishnamoorthi.

Mr. Hurd. The Subcommittee on Information Technology will come to order. And, without objection, the chair is authorized to declare a recess at any time.

The very first hearing we held in the subcommittee just over 2-1/2 years ago was titled, ``Cybersecurity: The Evolving Nature of Threats Facing the Private Sector.'' Since that first hearing, we have held over a dozen hearings on a variety of cybersecurity issues facing the Congress and the country, including encryption technology, the risk posed by insecure legacy Federal IT systems, and the opportunities and challenges posed by connected vehicles. Today's hearing on the Internet of Things builds on all the work we have done over the last 2-1/2 years to better understand the innovations of the digital age and how to implement needed legislative updates to continue protecting consumers and allowing American creativity to grow.

The Internet of Things presents an opportunity to improve and enhance nearly every aspect of our society, economy, and day-to-day lives. But in order for us to be able to fully harness this technology, the Internet of Things needs to be built with security in mind and not as an afterthought.
When integrating these devices into our lives, people need to know that they are secure. Unfortunately, we are far from this ideal state because many IoT devices violate basic cybersecurity practices. Some IoT devices lack the ability to be patched or include hard-coded passwords that cannot be changed by the user. This lateral vulnerability was explored in the recent attack on Dyn, which took down Netflix, Spotify, Twitter, and a number of other websites for hours.

Senators Mark Warner and Cory Gardner have recently proposed one way of potentially increasing the cybersecurity of these devices by introducing a bill that would set minimum security requirements for devices purchased by the Federal Government. I applaud them for the effort and the thought that went into this legislation. I look forward to getting into the details of that legislation in today's hearing to answer some questions like, is the definition of IoT in the bill too broad? Does the bill apply to mobile devices? Should it? The cybersecurity requirements for devices in the bill might make sense now, but will they soon become outdated?

As I have said before, we have great challenges in front of us, but also a tremendous opportunity to be bold and decisive and reform the Federal Government. I thank the witnesses for being here today, and look forward to hearing and discussing bold ideas to increase the level of cybersecurity of the Internet of Things so that we can all benefit from the revolutionary opportunities it offers. And as usual, I'm glad to be able to explore these issues with my friend and ranking member, the Honorable Robin Kelly from Illinois. And when she arrives, we'll recognize her for her opening remarks.

Mr. Hurd. But we'll go ahead and make introductions of our witnesses. We have Mr. Matthew Eggers, the executive director for cybersecurity policy at the U.S. Chamber of Commerce; Mr. Tommy Ross, senior director of policy for the Business Software Alliance; Mr. Josh Corman, director of the Cyber Statecraft Initiative at the Atlantic Council; and Mr. Ray O'Farrell, chief technology officer at VMware. And welcome to you all.

And pursuant to committee rules, all witnesses will be sworn in before they testify, so please rise and raise your right hand. Do you solemnly swear or affirm the testimony you're about to give is the truth, the whole truth, and nothing but the truth, so help you God? Thank you. The record will reflect all witnesses answered in the affirmative.

In order to allow time for discussion, please limit your testimony to 5 minutes. Your entire written statement will be made part of the record. And as a reminder, the clock in front of you shows your time remaining. And the light will turn yellow when you have 30 seconds left and red when your time is up. And now I would like to recognize Mr. Eggers to give your opening remarks.

WITNESS TESTIMONIES

TESTIMONY OF MATTHEW J. EGGERS

Mr. Eggers. Thank you, sir. Good afternoon, Chairman Hurd, Ranking Member Kelly, and other distinguished members of the IT Subcommittee. My name is Matthew Eggers, and I'm the executive director of cybersecurity policy with the U.S. Chamber of Commerce. On behalf of the Chamber, I welcome the opportunity to testify before this subcommittee.

Let me begin by noting our appreciation for your support and leadership regarding the Modernizing Government Technology Act. Its passage is a top Chamber priority. I recognize that you're considering legislation comparable to S. 1691, The Internet of Things Cybersecurity Improvement Act of 2017. I've combined my statements to the Chamber's thinking on IoT and cyber.

The Chamber is optimistic about the future of IoT. Many observers predict that the connectivity of the IoT will bring positive benefits through enhanced efficiency and productivity across the economy. The Chamber is advancing roughly five principles to foster valuable outcomes in this area.
First, the IoT is complex, and there's no silver bullet to cybersecurity. The IoT includes both devices and services, such as sensors and smartphone apps. It is composed of two major segments: consumer IoT and industrial IoT. There's a distinction emerging between managed and unmanaged IoT. Some IoT services and devices are consumer deployed, while others are administered by third parties, like a cloud provider. The advantages of the IoT will be realized in an environment that prioritizes industry managing cyber risks and government avoiding regulations that would stunt IoT innovation and deployments.

Second, managing cyber risk across the internet and communications ecosystem is crucial to growing the IoT and increasing businesses' gains. The Chamber wants device makers, service providers, and buyers to win from the business community leading the development of state-of-the-art IoT technologies. Sound private sector-led IoT risk management can create a virtuous cycle of security in which consumers demand secure devices and services and industry prioritizes security in their offerings. Different risk management practices will be relevant for different IoT audiences and situations.

Third, the business community will promote policies favorable to the security and competitiveness of the digital ecosystem. Businesses cannot expand to create jobs if they are burdened by complex and expensive regulations. Leading industry stakeholders are attuned to the importance that cybersecurity brings to the marketplace. Perfect security of network-connected devices is ambitious, but the Chamber urges all stakeholders to make the cybersecurity of the IoT a priority, not simply for security's own sake, but for the IoT ecosystem as a whole. It is crucial that policymakers approach new technologies with a dose of regulatory humility.

Fourth, IoT cybersecurity is best when it's embedded in global and industry-driven standards. Cyber standards and guidance are optimally led by the private sector and adopted on a voluntary basis. They are most effective when developed and recognized globally. Such an approach averts burdening multinational enterprises and IoT adopters with the requirements of multiple and often conflicting jurisdictions.

Fifth, public-private collaboration needs to advance industry interests. Two examples are worth highlighting. One, the NTIA. The telecom and information arm of the Commerce Department is working with businesses to assess what actions stakeholders should take to advance the IoT, including cyber. The agency is leading a multistakeholder process to address IoT security upgradability and patching of consumer devices. Two, NIST. The department's standards body did an admirable job of convening many organizations to develop the popular cybersecurity framework, which was released in 2014, and the Chamber has built a national education campaign around it.

The Chamber strongly believes the Commerce Department is well positioned to bring together stakeholders to identify existing standards and best practices to enhance the security and resilience of the IoT. Thank you for giving me a chance to convey the Chamber's views, and I'm happy to answer any questions. Thank you.

[Prepared statement of Mr. Eggers follows:]

Mr. Hurd. Thank you, Mr. Eggers. And now it is an honor and indeed a pleasure to introduce my friend and our ranking member, the Honorable Robin Kelly from the great State of Illinois.

Ms. Kelly. Well, thank you, Mr. Chair. Chairman Hurd, thank you for calling today's hearing, and thank you to our witnesses for being here today. We are here to talk about a critically important bill and the security of IoT devices that the Federal Government uses. Senators Warner and Gardner recently introduced S. 1691, the Internet of Things Cybersecurity Act, to help ensure that Federal agencies procure secure IoT devices.
I have been working on the discussion draft of the companion bill. I want to thank the Senators for their continued leadership on this important cybersecurity issue.

IoT devices are incredibly helpful for American citizens, businesses, and our Federal Government. From drones to smart light bulbs to connected cars, hundreds of millions of Americans benefit from these devices every day. In fact, we expect to have more than 20 billion internet-connected devices online by 2020. Unfortunately, the high demand and lucrative market for IoT devices has also attracted bad actors who crank out cheap products that are insecure, unreliable, and vulnerable to malware.

We all know the dangers posed by unsecured devices. Even the least tech-savvy among us learned about the consequences last October when a distributed denial-of-service attack, or DDoS attack, on DNS service provider Dyn shut down internet access for millions on the East Coast. We learned that the attack was carried out by a botnet composed of thousands of compromised IoT devices. It was a sobering reminder that everyday appliances like web cams, smart TVs, and even thermostats can be turned into cyberweapons.

There is no doubt that these attacks are growing in frequency and severity. The proliferation of IoT devices makes these attacks that much easier. It is estimated that October's Dyn attack only used a fraction of the botnet's capabilities. We can only imagine the disruption that a larger cyber attack would cause. Lives are at stake in this matter.

Given the gravity of this situation, Congress must be concerned about both disruptive cyber attacks and protecting sensitive data. Compromised devices can become access points for malicious actors to gain entry into the Federal Government's network. S. 1691 and my draft companion bill bake security into the procurement process. These bills ensure that procured devices meet minimum security requirements. We are talking about basic cyber hygiene, like ensuring that devices are patchable, that they do not contain known vulnerabilities or hard-coded passwords. The legislation also provides agencies with flexibility to waive these requirements if they employ similar requirements or use third-party device certification standards. These requirements make our agencies more secure, while providing flexibility to vendors and agencies.

We cannot predict the future of technology, which is why my discussion draft also includes the creation of an emerging technologies advisory board to review and provide recommendations to update guidelines in real time to address emerging threats.

Importantly, these bills are not meant to provide extensive in-depth regulation. Sector-specific regulators will devise more precise rules to address the unique risks to each sector. Instead, they would establish minimal flexible standards for government procurement of IoT devices.

I've long said that the Federal Government must be a leader in cybersecurity. This legislation takes us closer to that goal, but my bill draft is not finished. We need the input of people like our witnesses, other stakeholders, and the public to make my bill as strong as possible so that our Federal agencies can be safe and secure. It is a fine line to walk to secure our IT systems while encouraging innovation. I hope that at the end of this process we have struck that perfect balance. I look forward to hearing the witnesses' ideas and contributions to strengthen this bill. And again, thank you, Mr. Chairman.

Mr. Hurd. I'd like to thank the ranking member. I always say that cybersecurity is one of the final remaining bipartisan issues in Washington, D.C.

Ms. Kelly. No. Have hope. No, there's more.

Mr. Hurd. There we go. I like that. PMA, positive mental attitude. So I'd like to now recognize Mr. Ross for your 5-minute opening remarks.

TESTIMONY OF TOMMY ROSS

Mr. Ross. Chairman Hurd, Ranking Member Kelly, members of the subcommittee, it's a real honor for me to be here with you today. My name is Tommy Ross, and I'm here on behalf of BSA/The Software Alliance. With operations in over 60 countries around the world, BSA is the leading advocate for the global software industry, which contributes over 10 million American jobs and over a trillion dollars to the U.S. economy.

Our members are among the world's leading innovators of software and analytics capabilities that undergird the Internet of Things, or IoT. They are deeply invested in the success of the IoT because of its potential to transform and improve our lives. The Internet of Things is already generating new and improved business models and business processes in nearly every sector of the economy, from agriculture to cutting-edge scientific research. And it's delivering unprecedented conveniences and opportunities to individual citizens.

At the core of the Internet of Things is the ability to analyze, process, and move data in novel ways. If we are to realize the tremendous potential of the IoT, we must secure that data against malicious cyber activity. As the chairman said in his opening remarks, products must be developed with security in mind and not with security as an afterthought. For that reason, BSA's members are deeply committed to advancing strong cybersecurity throughout the IoT market. In fact, as we celebrate National Cybersecurity Awareness Month, BSA is launching a new cybersecurity policy agenda entitled, ``Security in the Connected Age,'' and our agenda asserts cybersecurity for the Internet of Things as a high priority for policymakers. I've included a copy of this agenda in my written testimony.
Our agenda emphasizes five categories for policy development: promoting a secure software ecosystem, strengthening the government's approach to cybersecurity, driving international harmonization, developing a 21st century cyber workforce, and embracing emerging technologies to strengthen security. Drawing on this agenda, I offer several principles and concrete policy recommendations for securing the IoT in my written testimony. In my time before you now I'd like to focus on three of those recommendations.

First, a calibrated approach to capturing the complexity of the Internet of Things will be essential to crafting effective IoT policies. IoT devices and the systems they support come with a broad range of characteristics, including widely varying levels of vulnerability and risk, a diversity of functions, and target markets of different types. An IoT-enabled pacemaker, for example, carries a much different set of risks than a connected toothbrush. Some devices, if compromised by malicious cyber activity, could pose direct risk to an individual's safety or the public health. Others are unlikely to cause physical damage, but could be commandeered by botnets, as the ranking member mentioned. Rather than a one-size-fits-all approach, we need a risk-based policy framework that accounts for these differences.

Second, IoT policies should build on existing software industry best practices. We should not treat the Internet of Things as some wholly new and unexplored realm demanding new and different policies. IoT devices are built around hardware and software that have been regular features of the technology landscape for years, even decades. In the software industry, the private sector and the government have worked closely over many years to develop a robust set of guidelines, best practices, and international standards for developing and sustaining secure software. As you consider cybersecurity in the IoT, we should begin here.
Finally, effective IoT cybersecurity policies will recognize that the government has an important role, but it should be cautious in how it exercises its role to avoid interventions that will stunt the development of innovative products, including new cyber tools. In general, it should focus on convening and facilitating, rather than dictating solutions. The government can be most effective when it takes action to foster market-driven solutions, particularly those that can impact markets globally. The government can play a critical role by driving multistakeholder processes to confront the most critical or most challenging questions and to seek to harmonize policy frameworks across sectors based on the outcomes of those multistakeholder processes.

Beyond that, though, the government must lead by example. As Ranking Member Kelly said in her opening remarks, the Federal Government must be a leader in cybersecurity. It must drive the market by demanding the most innovative security solutions private industry can provide and invest in emerging technologies that can reshape security architectures. Too often government acquisition is driven towards the lowest cost solutions rather than those that provide the best value. That must change.

In summary, we argue that policies for the Internet of Things will be most effective when they are risk-based rather than one-size-fits-all, when they build on existing best practices instead of reinventing the wheel, and when they facilitate collaboration between government and industry to tackle a shared challenge. Thank you again for the opportunity to appear before you today. I look forward to your questions.

[Prepared statement of Mr. Ross follows:]

Mr. Hurd. Thank you, Mr. Ross. Mr. Corman, you're up. Five minutes for your opening remarks. Thanks for being here.

TESTIMONY OF JOSH CORMAN

Mr. Corman. Thank you. Chairman Hurd, Ranking Member Kelly, distinguished members of the committee, thank you for the opportunity to testify today. My name is Joshua Corman. I am a founder of iamthecavalry.org, a grassroots volunteer cyber safety initiative focused on where bits and bytes meet flesh and blood. Until yesterday I was the director of the Cyber Statecraft Initiative for the Atlantic Council, a nonprofit international policy think tank. And as of yesterday I am now the chief security officer for PTC to drive more maturity and safety into the industrial IoT sector. And lastly, relevant to today, I gave testimony to the 2016 Presidential Commission for Enhancing National Cybersecurity and had the privilege of serving on the congressional task force for healthcare cybersecurity, which published in June.

Beyond my written testimony, I'd like to highlight three things.

One is the cost of inaction and the urgency of time. While some want to wait, time really is the enemy here, and delayed response will have consequences in breaches; in effect, public safety; in the confidence in our government; and in very large parts of our economy, and could cede our leadership position in the international policy response after the next major attack in ways I fear through my work at the Atlantic Council would be very deleterious to U.S. interests and to our economic interests.

Number two, the Senate bill is promising because it focuses on an 80/20 rule type backbone of maximum benefit from minimum burden or on hovering around known vulnerabilities and reasonable cyber hygiene. These reasonable evergreen expectations both preserve and enable free market choice by definition. They are more descriptive than prescriptive, focusing on what is required versus how to do it, despite industry talking points. Further, they may even serve as a very necessary safe harbor rubric for inevitable software liability when we have our first casualties due to where bits and bytes meet flesh and blood.
And then third, this rubric could be made even better with a software bill of materials. Enhancing the Senate bill with a software ingredients list, also referred to as a software bill of materials, would add significant protections and better reflect insights and findings from prior initiatives like the Presidential Commission, which highlighted the need for food labels and transparency to enable better free market choice; our healthcare Cybersecurity Task Force, which is strongly urging a software bill of materials to reflect what Philips Medical and others are voluntarily doing to make medical equipment safer in life-critical use cases. And while the industry has reacted negatively to such approaches in the past, many of those arguments have been weak or have failed to fully appreciate the benefits of such an approach, both of which I'd be happy to speak to in Q&A or followup.

Further, we continue to misidentify as a Nation, especially when talking about the NIST cybersecurity framework, that cybersecurity is not only about confidentiality of data. It is about public safety, human life, capital expenditures, physical harm. And I think what we're seeing with NotPetya and other attacks is property damage, severe interruptions to our supply of vaccines for a national supply, et cetera.

And while I appreciate, especially from the technology community, the need--the reluctance to regulate technology, it's hard to argue that private sector is doing a good job here even on the regulation of data. About 100 of the Fortune 100 have lost intellectual property and trade secrets. Nearly every retailer has had a breach of credit card data several times, despite adhering to industry best practices, and I think the fact that we have a broad history of software security practices is part of the problem.
We have failed to secure low-consequence use cases like replaceable data, and now we're increasingly dependent upon technologies where the consequences of failure could have a national security or public safety impact. The breaches are getting bigger, like Ashley Madison and Target. They're affecting government, like the Pentagon and the OPM breach. And now they're affecting hospitals. Initially, last February, with Hollywood Presbyterian shutting down patient care for a week due to an accidental ransomware infection, and more recently, 65 hospitals in the U.K., 65 hospitals in one day were shut down, and it was 20 percent of their national capacity.

And while we have been reluctant, the primary reason to be reluctant to regulate software IoT, including my own reluctance, has been a fear that doing so may stifle innovation or hurt the economy. And I think these uncomfortable truths are showing a failure to have some reasonable regulation of software and IoT is stifling innovation and hurting the economy.

If we are cavalier about this, I do fear the international response. There's severe appetite to do things in Germany, in the U.K., and there are even attempts to break up the free open internet to have a U.N. takeover of governments. And the easiest solutions, the next Mirai botnet that we can't stop, are very dangerous to U.S. interests and may cede our current model and economic engagement with the internet.

Lastly, on a personal level, I'm very encouraged to see the enthusiastic support for the value of white hat research in coordinated vulnerability disclosure, and there's been significant strides there, which are already bearing fruit for the voting hacking machines, for medical devices, and for automobiles, and I'd like to see that continue. I'd be happy to answer your questions.

In closing, time is the enemy. The bill focuses on maximum benefit for minimum burden, and could be even stronger with a bill of materials.
I am encouraged by this hearing and the bill as a turning point that we might have the courage and will to do the technical solutions we've had available. Thank you.

[Prepared statement of Mr. Corman follows:]

Mr. Hurd. Thank you, Mr. Corman. Mr. O'Farrell, you're now recognized for 5 minutes.

TESTIMONY OF RAY O'FARRELL

Mr. O'Farrell. Chairman Hurd, Ranking Member Kelly, thank you for the opportunity to testify today at this important hearing. I am Ray O'Farrell, chief technology officer at VMware. I am head of VMware's IoT team. VMware is headquartered in Palo Alto, California, and is one of the largest software companies in the world, and is also part of the Dell Technology family of companies.

The emergence of IoT, or the Internet of Things, is a technological step in which more and more aspects of the physical world, from manufacturing to banking to home monitoring to healthcare, transportation, and even smart cities are interconnected and coupled with analytics and intelligence. Some consider the Internet of Things to be the basis of the next industrial revolution. This level of IoT interconnect will lead to exciting new opportunities for American innovation and job growth.

However, with the increased interconnect there is also a threat of cyber attack on this new infrastructure. We've already witnessed some of the security challenges for IoT. For example, just a year ago, an IoT distributed denial-of-service attack took down major internet platforms and disrupted the internet services of millions of Americans. And in May of this year, the WannaCry attack is estimated to have affected 100,000 organizations in 150 countries, and in the context of IoT, that included healthcare-related IoT systems. The threat and the impact of IoT-based cyber attack is not theoretical, it is real.

VMware is a leader in data center and IT infrastructure management, including the management of end-user devices such as cell phones.
We do this for the Federal Government and the largest companies in the world. We extend this management and security approach to the world of IoT and to the IoT industry.

We applaud Senators Warner and Gardner for introducing this proposal of the Internet of Things Cybersecurity Improvement Act of 2017, and the committee for releasing a discussion draft and holding today's hearings. There are several provisions of the proposal that VMware specifically supports.

Firstly, we believe that IoT devices should from the outset be designed with vulnerability patching capabilities built in. A simple patching requirement would have drastically reduced or eliminated the WannaCry breach.

Secondly, we support several of the cyber hygiene concepts in the proposal, including microsegmentation and multifactor authentication. The concept of microsegmentation plays a critical role in ensuring that IoT-related data and information are segmented and properly protected against IoT cyber breaches.

Thirdly, we also support the consideration included in the proposal that leverages security benefits introduced by properly managed IoT gateways, edge systems which act as isolation and management gateways to help prevent and remediate any compromise of connected devices.

In closing, the Internet of Things will have significant positive impact on American innovation and American jobs. Billions of IoT-connected devices will be on the free market for consumers, businesses, and government to consider purchasing. And the U.S. has a ripe opportunity to claim global leadership in this space. But security is the key principle that will enable and advance further adoption of IoT. If consumers, businesses, and government do not feel that IoT products are secure, it will only hinder U.S. global leadership in a growing and innovative IoT industry. The Internet of Things Cybersecurity Improvement Act of 2017 provides a thoughtful framework modeled after the industry-recognized NIST framework.
The specific proposal focuses narrowly and appropriately on the procurement process by the Federal Government of IoT technology. If the U.S. Government decides to spend American taxpayer dollars to gain the productivity and efficiency benefits that IoT technologies can bring to the government, then it is reasonable to assume that the government should be confident in the security levels of the IoT devices it is purchasing. Chairman Hurd and Ranking Member Kelly, I applaud the leadership of the committee for holding this hearing today. Thank you for the opportunity to testify. And I look forward to answering the committee's questions. [Prepared statement of Mr. O'Farrell follows:] [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] Mr. Hurd. Thank you, Mr. O'Farrell. Now, it's with great pleasure to recognize the gentleman from California, Mr. Darrell Issa, for his first round of questions. Mr. Issa. Thank you, Mr. Chairman. And I think the public, in hearing we're doing something on the Internet of Things, probably in spite of your testimony would consider that, well, this must be new. But, Mr. O'Farrell, I'm going to use you and a little bit of our gray hairs to establish something for a moment. When you began in the industry, people were dialing, auto dialing to find modems and then trying to invade people's systems that were connected by modems, correct? Mr. O'Farrell. That's correct, yes. Mr. Issa. And the advent of firewalls and private systems, VPNs, point-to-point connection was in response to that and other challenges, right? Mr. O'Farrell. Yes. Broadly bringing a level of security and protection. Mr. Issa. So is it fair to say that the products that the public is hearing today, the Internet of Things products, could be set aside in totality and we could have this discussion today only about connected--externally connected computers, whether mainframe minis, if they were still around, or micros? Mr. O'Farrell. 
So there are similarities in the existing data center infrastructure, and, in fact, you would see many of the same issues appearing, how do I secure my infrastructure, how do I protect it, feeding back out into the world of IoT. I think there is one difference, though, to highlight, and the difference is, unlike your typical data center infrastructure, you are not protecting just data; obviously, that's important to protect, but you're protecting physical infrastructure. These devices can be controlling equipment in a hospital. Mr. Issa. Sure. Mr. O'Farrell. So there's different aspects. Mr. Issa. But if you're controlling the electric grid, you're controlling thousands of hospitals, right? Mr. O'Farrell. Correct, yes. Mr. Issa. So using that as a reference, would you all agree, if you can, that, in fact, this is not a new problem, but what we're really dealing with is a problem that goes back to the first connected product that had access even by telephone to the outside? That's fair to say, right? Okay. I'll take no noes as a yes for now. But let me follow up by asking you all a question. When we look at a fully qualified domain name, in the IPv4 world, our problem was we ran out of numbers to distinctly connect points so we could identify a point and its effective location. Is that a fair statement, for those that have been around? And then we went to IPv6 in order to have enough points that we could identify uniquely. Anyone? Mr. O'Farrell? Mr. O'Farrell. Yes, IPv6 increases the number of available addresses enormously. Mr. Issa. 
So as we're here looking at the question of a lot of things that are going to be done, would it be fair to say that the ultimate solution for point-to-point connections and conversations is, in fact, to eventually have every point in some way be fully qualified and fully identified so that when the chairman has a product that's being addressed by a product asking it to do something, its chances of it being anything other than an approved product reasonably asking for that information can be dramatically reduced? In other words, you can no longer spoof the way the bots do, spoof an event to get somebody to do something that they wouldn't do if they knew who you were? Is that a long but fairly accurate statement? Mr. Corman. Such a maneuver would help certain aspects of the threat model, but not all. And to also respond to your prior point, while things like the NIST cybersecurity framework and things like remotely exploitable modems are familiar and we can glean from the past, there are material differences. The Cavalry has published a framework of six differences, which are at least good questions to marshal yourself through, and succinctly they are--they're different adversaries with different motivations. They're different consequences of failure, including public safety human life. Different environmental contexts where you're not going to have layered defenses. Different composition of goods. Different economic realities for margins and costs to goods, and different time scales for time delays. Mr. Issa. You know, I appreciate all of that, but that's sort of like saying that the horse and buggy has nothing in common with the car when you're just trying to get to church. The reality is that--the reason I asked this line of questioning with my limited 5 minutes is, what it appears to this member, who has been around since the 1970s as a manager of a computer facility in the military, is we have old problems that have never been resolved. 
We now are in a position where quicker, faster, and with greater devastation the problems can lead to catastrophic problems for our society, for human life, and yet in a sense we've never resolved that great question, which started off with the modem that said you can call me, but I'm only going to call back to the number that's programmed in me, that two-way authentication that came out back in the modem day. In a sense, the reason I ask the question, and I'll close, Mr. Chairman, is it appears as though unique and thorough, fully qualified identity with the appropriate authentications is going to have to be part of any solution or you're going to have exactly what happened to Jared Kushner's lawyer who emailed ``forward'' to a spoofer what he was supposed to send to the son-in-law of the vice president only a few days ago, because you've got to know who you're talking to or, inevitably, all the security in the world won't do you any good when you send it to the wrong place. Mr. Chairman, I'll take that as a yes if they don't revise and extend on it, but it's an area of concern, and thank you for continuing this. Mr. Eggers. You know, if I may, let me just throw in a couple of thoughts that, A, we share your concerns about security and making sure that as we go from, let's say, device to end user, as we expand and we want to the Internet of Things, we're doing it in a way that minimizes those risks. Authentication is a key topic. I know we at the Chamber, we have supported the TENS stick, the trusted authentication concept and effort that was launched in 2011. But I think to your bigger point, we do share your concerns about security and the need for increased security and risk management. One thing I think we would look to is some kind of a layered approach, right? No single one thing is going to get us to where we want to be. And I would also want to look closely at what kind of measure metric we look to get there. 
We at least in--at the Chamber, there are private sector-led efforts to look at whether or not a device, widget, gadget is more secure, let's say, than another. We probably would be a little skeptical or at least want to proceed with caution if government's going to put a thumb on the scale. It may be premature to at least select one certification model versus another. I'll finish there. Thanks. Mr. Hurd. Ranking Member Kelly is now recognized for her opening questions. Ms. Kelly. Thank you. As the IoT market continues to grow rapidly, there are concerns that it has grown without proper security standards or market incentives to safeguard against bad actors. We haven't done a good job of rewarding good actors who bake in security. But for the Federal Government uses, an unsecured device poses a great threat to information security and sensitive data. A 2017 report by the Government Accountability Office found that IoT device vulnerabilities can be caused by, and I quote, ``a lack of security standards addressing unique IoT needs.'' Mr. O'Farrell, would you agree that IoT devices pose a unique cybersecurity challenge? Mr. O'Farrell. Yes, I would. Partially because the impact of a cybersecurity breach on an IoT device, as we've noted, can affect something very real in the physical world, including human life. Second of all, IoT devices by their nature are not behind a brick wall in a data center. They're at the bottom of oil wells. They're in factories. They're in buildings, which means the ability to physically attack them or interface with them becomes possible. Therefore, I think that a layered approach as to how you secure it becomes more important. So the bill mentions, for instance, use of IoT gateways and microsegmentation. These are second order of protection, which can be used to protect those devices themselves, even if they become compromised in some way. Ms. Kelly. 
And so you agree that establishing at least minimal cybersecurity standards would help prevent IoT device vulnerabilities? Mr. O'Farrell. Yes. I think in the context of the bill, which is essentially highlighting the existing NIST standards from a cybersecurity point of view and applying them to IoT in the context of the Federal Government procuring those devices, yes, I do. Ms. Kelly. And, Mr. Corman, would you agree? Mr. Corman. I do. And there's several things we could do. We wanted to focus on things that were 80/20 rule-ish. And I think if you squint--everything really hovers around vulnerabilities that are known. Known vulnerabilities are more than 30 percent more likely to be attacked by adversaries than unknown. And we discussed this with Chairman Hurd in Las Vegas. We had this notion of IoT really should have five postures towards any failure. They're going to fail. They're going to fail often. How do you avoid failure? By building security in versus building on. How do you take help avoiding failure? From willing allies like through coordinated disclosure. How do you capture, study, and learn from failure? With logging in evidence. How do you respond to failure? With security updates and patching. And how do you contain and isolate failure? With segmentation and isolation to fail safely. And those are really you must be this tall to ride the Internet of Things kind of concepts. Obviously, there's so much more we could do, but that's a really minimum viable--I once said unpatchable IoT are the lawn darts of the internet in that they are inherently unsafe. Ms. Kelly. Thank you. Both the House and Senate versions of the IoT Cybersecurity Improvement Act require minimum security requirements from vendors selling IoT devices to the government. These include basic best practices like federally procured devices being patchable and not using hard-coded passwords. Mr. O'Farrell, do you believe these standards are reasonable? Mr. O'Farrell. Yes, I do. 
I also note that the bill gives, under some circumstances, the ability to be able to waive those if a device does not support that, as long as another security technique is put in place. Ms. Kelly. Right. And can you describe how these practices, basic hygiene, can provide a reasonable level of security for the government to feel confident in purchasing IoT technologies? Mr. O'Farrell. So you've already heard to some degree how IoT, sort of the existing ways that you secure data centers and infrastructure, also applies and becomes applicable in some way to IoT. Many of the things which are described here, authentication, microsegmentation, least privilege access, all of those are core concepts described by NIST to secure data center infrastructure and cyber infrastructure, so the same would apply equally to IoT. Ms. Kelly. Thank you. Mr. O'Farrell. It just becomes an extension--I'm sorry. It just becomes an extension, essentially, of the existing data center infrastructure. Ms. Kelly. Okay. IoT devices promise exciting opportunities and benefits we cannot ignore, as all of you agree the security implications. Government data must be protected, and it is essential that we address the cybersecurity concerns now rather than retroactively. The IoT Cybersecurity Improvement Act provides basic security standards that are necessary for protecting government data and can set a positive example for the IoT industry at large. I believe the legislation serves as an excellent starting point for IoT security. And I yield back. Mr. Hurd. I'd like to thank the ranking member. And if my memory is correct, Mr. Gianforte, this is your first--this is your first hearing with us. It's great to have someone with your background, experience, and patents on this committee. And you're now recognized for your opening 5 minutes of question. Mr. Gianforte. Thank you, Chairman Hurd and Ranking Member Kelly. It's my pleasure to be here. 
Thank you for the testimony that you're providing for us today. I appreciate the effort. We need to make sure that our government is secure, and particularly the Internet of Things security is important. I want to ask questions in two areas. And as Chairman Hurd mentioned, I ran a cloud computing business for many years, and we had thousands of clients. We had over a thousand cyber attacks per day that we had to defend against, so I have some familiarity here. I'd like to talk a little bit about NIST vulnerabilities. How often does NIST publish updates on vulnerabilities? Just based on your knowledge, Mr. O'Farrell. Mr. O'Farrell. I don't actually know the exact number. I know we get vulnerabilities from NIST, but also from broadly across the industry. You know, large software companies like Microsoft and others would publish those vulnerabilities as well, and so it would not be unusual to see a steady stream of vulnerabilities coming in every month. Mr. Gianforte. Every month there would be new ones? Mr. Corman. Every day. Mr. Gianforte. Every day there's updates. So are all vulnerabilities, Mr. O'Farrell, created equal or are some more severe than others? Mr. O'Farrell. Some are more severe than others. The challenge with the vulnerabilities, you can't always tell or predict whether the vulnerability is going to be exploited in some way. Remember, a vulnerability simply says there is something here which could be a problem. It doesn't say this has been used to attack or exploit in some way. So you have to be careful with respect to how you rate vulnerabilities, but there is a rating for vulnerabilities and they are not all created equal. Mr. Corman. If I may add to that, we have a common vulnerability scoring system for various factors. We have recently learned it's insufficient for safety critical, and there's a special project through MICR to look at safety critical in hospitals, for example. Mr. Gianforte. But to your point earlier, Mr. 
Corman, some are more important than others from a risk perspective. Mr. Corman. Well, for consequence severity and context, yes, but there's also one more thing in the written testimony I'd like to call out, which is that for all known vulnerabilities there are a special subset that if they're in created attack tools or if they're in an exploited database, they're 30 times more likely. So your heavier risk-based clustering of this to enhance the yield. Mr. Gianforte. Mr. O'Farrell, where I'm driving here is, in a complex system that includes an operating system, maybe an application server, an application communication software, all of these systems are collections of various components. Given the frequency with which vulnerabilities are published, is it possible for a complex system to have no vulnerabilities over a 12-month period? Mr. O'Farrell. I think it is highly unlikely. I think that, in fact, you have to expect and to some degree that there's probably some vulnerability in there. It's complex. It's got many pieces of software and products. And I think if at all possible, you need to build into your security stance the expectation that you're going to have to adopt and deal with some form of exploit should it occur. So control and second- layer protection is a part of the story. Mr. Eggers. Sir, if I could--go ahead, sir. Mr. Gianforte. And I raise this, because in the legislation as it stands today it says that all procurement by the Federal Government will have no vulnerabilities. And I just want to highlight that some are more important than others. We may want to differentiate in some way. Mr. Eggers. I think--I was just going to add that I think that a focus on, A, a definition of what we mean by ``internet- connected device'' I think is crucial. B, I would say that you are right, NIST, its database of vulnerabilities ranks low to high. US-CERT pushes out vulnerability and other update information, if you will, regularly. I get them. 
One of the things I think that's relevant, at least in terms of the conversation here, is I think everybody is right to focus on the vulnerabilities and to upgrade fix. One of the issues, at least in terms of if you are a provider, and one of the questions that we've got is there's a requirement for tracking notification. Mr. Gianforte. Mr. Eggers, if I could just claim my time back. Mr. Eggers. You may, sir. Of course. Mr. Gianforte. Thank you. And I just wanted to, in my remaining 50 seconds, Mr. Ross, I have a question about standard practices in the software industry. As in the legislation there are particular clauses that require manufacturers of Internet of Things to provide perpetual updates to software, and I think the process of providing a way to do update is good. In the software industry, is it standard practice that that's done as part of the initial purchase price of the product or is there typically a separate maintenance contract that is designated to ensure that you get updates to your products? Mr. Ross. I think that very much depends on the product. You know, so you see, obviously, we all have apps on our iPhones that get free updates, you know, without paying any extra, and other companies provide update services as a separate package. Mr. Gianforte. And if there was a requirement to provide perpetual updates, what impact would that have on the initial purchase price of the product itself? Mr. Ross. Again, I think it depends on the business and its sort of, you know, business model how it generates revenue, so I don't think there's a single answer for the entire---- Mr. Gianforte. But if a vendor had to provide more services, typically prices would go up? Mr. Ross. You could certainly expect that in some cases. Mr. Gianforte. Okay. Thank you. And I yield back. Thank you for your patience, Mr. Chairman. Mr. Hurd. Thank you. Mr. Raskin, you're now recognized for 5 minutes. Mr. Raskin. And thank you very much, Mr. Chairman. 
So I'm interested in last year's cyber attack with the Mirai botnet, which took down the internet for most of the East Coast. And it was an attack that preyed on the Internet of Things connected devices like web cams and routers and so on. And as I understand it, it infected the IoT devices with malware, and then the hackers were able to gain control of the devices and use them to drive an overwhelming amount of traffic towards the target. Mr. O'Farrell, let me ask you, in the aftermath of the Mirai botnet attack, it was revealed that the attackers had used only about 20 percent of the computing power of 20 percent of the entire botnet, so in other words, a small fraction of a small fraction of the actual capabilities. How would a similar attack ramped up affect the Federal Government, if they came after us? Mr. O'Farrell. I think the ramp-up would have an equivalent ramp-up in terms of impact. Now, obviously, after that attack, organizations will have looked at other ways they can protect from such a denial-of-service attack, so there would have been some changes made to try and protect against that. But if the full force of that attack had been used at that time, with the internet as it stood at that time, it is likely the impact would have equally been proportionally large. So in terms of the Federal Government, it would have brought down major internet providers, and that in turn would have begun to affect what the Federal Government does day to day. Mr. Raskin. Gotcha. Many of the IoT devices are shipped with hard-coded passwords that are unable to be patched or updated. What risk does a hard-coded password or device present to our ability to respond? Mr. O'Farrell. So I think as Congressman Issa mentioned, you can identify these devices in terms of an IP address of some sort, whether it's IP6 or IP4, however, the actual identification of the device in terms of--sorry, of somebody accessing the device is typically handled by a password of some sort. 
A hard-coded password is typically very early somebody posts that on the network. You'll get a message on the internet saying if you're accessing this camera, these types of camera, here's the type of hard-coded password. So effectively you have no password, which effectively means then those devices are open for people to access them and then try and exploit them in some way. Mr. Raskin. Thank you much. Mr. Corman, how does Senator Warner's bill address that issue? Are there other legislative measures that we should be contemplating to deal with that problem? Mr. Corman. One of the things I wrote in my written statement just in full disclosure is that Federal procurement alone won't stop the next Mirai botnet. The government does not buy enough of those devices, and the overwhelming majority of the ones that hit the internet that afternoon were from Vietnam, outside the country purchased by others. What we like about the bill is the fact that it sets, by example through purchasing power, a model that can be replicated by hospitals, other organizations, and the international policy community in a reasonable way. There are some very ugly and dangerous counterproposals, such as bricking devices; doing deep packet and inspection at the carrier, the edge, which could get into net neutrality issues; and balkanization and Geo-IP filtering that would play directly into the hands of Russia, China, and some of the people who tried to take over the free open internet a few years ago and nearly succeeded. So there are other things that can be done, some of them having very dangerous side effects for the economy and for U.S. interests. Mr. Raskin. Let me just follow up on that. The use of these IoT devices is expanding rapidly around the world. I think it's estimated that by 2020, there could be more than 20 billion of them. Does that increase our exposure? Does it make it a more dangerous situation? Mr. Corman. Yes. 
I used to be the director of security intelligence for Akamai, which handles the largest denial-of- service attacks in the world, and the math doesn't handle even Mirai. It certainly won't handle the growth rates. So while I really like some of the hygiene principles to lead by example, these have to be adopted by the private sector, whether through self-regulatory, through purchasing, through free market forces. But this bill alone won't stop the next Mirai, but it sets an example that could make more devices higher hygiene than lower hygiene. Mr. Raskin. Do you--and I could open this up, does the panel think that manufacturers are doing enough to ensure the security and the safety of the IoT devices? Mr. Corman. No. Mr. Ross. So I think some are and some aren't. And I think, you know, what we need to do is incentivize those who are, you know, providing good security and building it into their products to have more opportunities, including through government contracting, and to have that good work recognized. And then we need to find ways to incentivize those who are not doing a good enough job to do better. So I think they're not all the same, but certainly there are some actors out there who are not taking security seriously enough. Mr. O'Farrell. I mean, I think I would echo the sense that, one, they're not all the same, but, two, for those who do do the good job, you know, to make sure that they have the benefit of being able to, you know, fit the requirement policies of the Federal Government. That's a positive message to them, and it's rewarding the people who do the good job as opposed to those who do not. Mr. Eggers. If I may, I think the intent of the bill to bring more secure devices into the Federal Government is sound. Very sound. It is how we get there, I think, that's the trick. In terms of working with so many different businesses across multiple sectors, I think Tommy's right. 
We're kind of in a gray zone where I think, if anything, when I step back and I look at a bill like this, I say, how can we make sure that the companies that are making devices securely--and there's a lot of standards out there. There are a lot of companies building devices according to this or that standard, guidance, or best practice. I want to make sure that they're the ones that win and, ultimately, consumers, the purchasers, will too. Mr. Raskin. Thank you. I yield back, Mr. Chairman. Mr. Hurd. Thank you. Mr. Mitchell, you're now recognized for 5 minutes. Mr. Mitchell. Thank you, Mr. Chairman. Let me ask the panel, whoever wants to jump in on this question, you talk about government standards and those standards generating more confidence in the private sector as well. How much confidence do you have that, in fact, government-mandated standards are going to improve the circumstances? Mr. Corman. One of the things I like here is it's not the government mandating standards for the private sector, it's the government as a purchaser acting in their own selfish interests to protect the interests, not just against larger scale DDoS, but against the next OPM breach or against people surveilling your offices or any and other number of things where our smart TVs or smart gadgets could be a risk. So this is more leading by example than forcing something. It could catalyze innovation. Mr. Mitchell. Let's talk about--give me a second, and I want to hear from everybody else--leading by example to Federal Government. Last we had a hearing several weeks ago, maybe a couple months ago at this point, there were 143 chief information officers in the Federal Government; 143 of them was I think the count. How does that give us confidence? I mean, I ran a fair size private company. There was one CIO who I held directly accountable for our security of all things, not just our internet access, but all the other applications we used. 
I'm concerned that with 143, I'm not sure we're going to get anywhere near the level of concern we have. How do you feel that's going to help us? Mr. Corman. I think we're getting the critical mass slowly. The Presidential Executive Order on cybersecurity, two quotes, The Federal Government ``has for too long accepted antiquated and difficult-to-defend IT,'' and, ``Known but unmitigated vulnerabilities are among the highest cybersecurity risks faced.'' The DHS' six strategic principles for IoT cover this. The Presidential Commission, FDA, Department of Transportation. There's a critical mass forming around what some of these are and an increased recognition that what we had been doing doesn't work across those federated CISOs to treat the Federal Government as an enterprise. Mr. Mitchell. Okay. Mr. Eggers? Mr. Eggers. Congressman Mitchell, if I may, to your point about standards, I think standards are really important. Our companies live and breathe by standards. They are successful because they use standards that are private sector led, industry driven, global in nature very often. The thing about the bill--again, the intent about bringing secure devices into the government is sound. I think one of the things we want to look at is are we scoping the device of the definition of internet-connected device adequately? And I think the answer is we don't know really yet. I think one of the things we'd like to do is talk with groups like NIST, NTIA to help inform how we make that decision. It's very broad. It could capture low-end devices that really aren't intended to be plugged into the bill. It does consider, obviously, devices that are at least capable, but should they? It's not clear. In many cases, they shouldn't be. 
One of the issues I will--and then I'll finish, is one of the issues about tracking vulnerabilities and making patches and upgrades is you could find a situation if you're a contractor--and that term too is vague--the lengths at which they've got to go to track virtually any known vulnerability, and there are a lot of avenues for finding those, and you would be beholden to quite a notification structure, and so that gives me pause. The idea about upgrading is sound, but the notification, among other things, gives me pause. Mr. Mitchell. Mr. O'Farrell, you had a comment? Mr. O'Farrell. Maybe two things. One of them, in terms of the--you know, as a taxpayer looking at the Federal Government purchasing IoT infrastructure, I would like to know that they're getting value for their money, and security is a key part of that. Mr. Mitchell. Absolutely. Mr. O'Farrell. So that's where I see those key guidelines. They represent what is a reasonable model around security. With respect to the broadness of the definition of IoT, yes, I think devices at the edge, they're difficult to describe, and they'll probably see opportunity to focus a little bit more on describing that, but the legislation does describe mechanisms that says, if devices are simple enough such that they cannot meet all of the requirements with respect to patching and so on, that there are some waivers associated with that. With respect to describing vulnerabilities, I think the bill specifically is trying to imply you should not be delivering equipment with known vulnerabilities, and then based on patching you get to fix those vulnerabilities, if and when they appear and when you find out about them. That's why the patching is a critical part of the story when combined with recognizing that vulnerabilities will occur. Mr. Mitchell. Mr. Ross, you had a comment. The last few seconds here. Mr. Ross. Sure. I will try to make it quick. 
But I think, you know, as you look at the Internet of Things, it really does describe a really broad array of devices, including, you know, at one end, sensors that don't even have operating systems and are designed to be cheap and mass-produced and can be so, while minimizing security risks, depending on how they're deployed in a network environment. And at the other end, you know, looking at, really, life- critical systems, as Mr. Corman has discussed. And I think that definition, it's really important that we capture it, because there is a cost-benefit equation here. And in some cases, the government is going to want to be able to buy devices that are inexpensive and mass-produced without having to build in a lot of security features that would drive up the cost and make them unsustainable. And you think about things like sensors and infrastructure that you want to put in place and leave for 50 years just to tell you, you know, seismic activity over time. I think that security standards are very important, but being calibrated against risk is what allows us to drive security in the most sort of efficient and rational way. Mr. Mitchell. One other quick comment and I'll yield back, Mr. Chair, is that you mentioned incentivizing them, and in my mind, it's also creating systems that the general public understands what the government is doing so they can assess how they do that. And today's hearings raise concerns for me. I have a camera system in my house for security, and to be absolutely blunt with you, it's a small town, and I can access it on my phone, I'm not sure if it has patches and what they do to patch it. I should know better. So I'll yield back. Mr. Hurd. Mr. Corman, did you have a---- Mr. Corman. Yeah, I'll be very brief. Some of Representative Gianforte's comments, and your own, they kind of make the case for what I said earlier about the value of software bill of materials. 
If it is unrealistic to perpetually update, if it might cost more money, if the company has gone out of business--the camera manufacturer--these things allow at least the procurer to assess, am I affected, where am I affected, should I unplug it? And there are a series of use cases that this would ameliorate or soften with that increased transparency. Just like a bill of materials or food label, like if you're allergic to peanuts or if you're allergic to some sort of food and, you know, having some sort of ingredients list allows me to make a choice. And if there were a recall, if we did find out there was a bad batch of a certain ingredient in the food we ate, we know to stop eating it. And such a function could be applied to IoT and software as well.

Mr. Mitchell. Thank you, Mr. Chair.

Mr. Hurd. Thank you. Now I recognize myself, and not necessarily for as much time as I may consume, but I'm going to take my time. Mr. Ross, maybe we pick up on a comment you just made. If a sensor doesn't have an operating system, how can it be used in a DDoS attack?

Mr. Ross. So, again, it really depends on--and I think one of the things that we need to think about when we're thinking about IoT security more broadly is not just how a device functions, but how a device fits into a broader network. And, you know, Mr. Eggers has mentioned taking a multilayered approach. How we build in security at different levels within a network can really shape outcomes far beyond the individual device. That said----

Mr. Hurd. But should the person developing that sensor take those concerns into, as they're developing, how that sensor works?

Mr. Ross. I think the person developing the sensor needs to be able to respond to the demand for the product, and security ought to be part of that demand.
But you can imagine a situation in which you might want to deploy, for example, a lot of sensors with limited security built into the devices themselves but adopting network solutions that allow you to manage security through cloud services, through network security mechanisms that use those devices in a controlled way, and even patch them through cloud-based services rather than patching individual devices. You know, the innovation around security approaches to securing IoT devices and other devices is incredible. And really, you know, we're seeing innovation in the security space keep pace with innovation in the product space. In other words, there's new approaches to security that we're seeing every day. And so I think it's really important, as we craft policy, not to limit the ability for those network-based solutions to sort of take hold.

Mr. Hurd. And I'll ask this question again to you, Mr. Ross. And then, Mr. O'Farrell, I'd welcome your thoughts on this as the software guys here. How difficult is the code to have--to update a widget or a device that we're considering part of the Internet of Things? How difficult is that code to write? Is that standard code? Is it something that is open source information out--open sourced out there where you pull that module and say, hey, here's how we do it? Is there a commonly accepted way of doing that? Your thoughts on that. Mr. Ross first, and then Mr. O'Farrell, your opinions.

Mr. Ross. Sure. The two gentlemen to my left probably have a better technical background to answer that, but I would say, you know, 2016 IoT developers survey found about 25 percent of IoT devices don't have operating systems. So accepting patches and that kind of thing is--you know, without an operating system is much more challenging. That said, you know, I think the complexity of the codes sort of depends on the code base and the product itself and, you know, individual manufacturer's approach to coding.
But I would defer to my more technically savvy colleagues.

Mr. Hurd. I'll let Mr. O'Farrell and Mr. Corman and Mr. Eggers, if you have comments, I'd welcome that on this question too. Mr. O'Farrell?

Mr. O'Farrell. So in terms of broader applicability of patching, your PC at home is constantly patched. Every cell phone that's out there, from even major manufacturers, is constantly patched. The applications living on those are constantly patched. So the concept of being able to say, is patching a well-known function, yes, it is. I think where the challenge that Mr. Ross is pointing out, you may have a class of devices who are so simple that they don't necessarily have the ability to handle a software upgrade. They may not even have software at all. They might be a very simple device just relaying temperature or something. Under those circumstances, then you need to apply other techniques. You either need to have that device talk to a gateway, and then the gateway itself is patched and secured, or you do things with network segmentation or other network management capabilities to be able to secure that piece of infrastructure.

Mr. Corman. Just to add to that, some of it's knowing how to do secure updates over the air without making that a security risk itself. And we do know how to do that. That information is available. Some of it is going to raise the cost of goods on some of these devices because they need to future-proof a larger image than they started with. There are some IoT platforms that anticipate and build in the ability to do updates securely with encryption. There are some that are cheap, maybe too cheap to be safely used. So it's not a zero cost, but we know how to do it. Technically, there are platforms that could do it, and if we reward those that do. And then lastly, the NTIA process for upgradability did say it could be an attestation-based model, where you say, I am patchable, I commit to patching for X years.
And that goes into the Federal Government's purchasing decision of, if I'm going to buy an unpatchable device, I'll have to spend more aftermarket, or just choose not to buy it.

Mr. Hurd. Mr. Eggers, do you have an opinion?

Mr. Eggers. Yes, sir. Quickly. So I was just going to add that I hear from members that much depends on the device and where it's supposed to be, with the kind of device, the operating environment in which it's supposed to function. I think one of the challenges with protecting the Internet of Things is we are dealing with legacy devices that really weren't ever meant to be connected to the internet. And our colleagues will say, hey, then we build a security appliance, some kind of protective system firewall, what have you, around there. So I think, at least in terms of engaging government, business to business, a lot of times they will work through these tough issues around software upgrading and so forth, what devices can do, what are their limitations. And I think that is really important to understand. There are certain devices that are meant to do some things and devices aren't supposed to do other things. And so I think our members, and generally what I hear is they're very cognizant about what devices can do and where they should go and how they should be protected.

Mr. Hurd. So would it be fair--and I'll welcome all four of our illustrative panel's opinions on this. On this legislation when it says the IoT device must be patchable, would adding something to the effect of, if it has an operating system, and if not, then, X, Y, and Z?

Mr. Corman. I think the existing bill in the Senate anticipates this and allows for waivers and allows for NIST to specify compensating controls for devices that can't do this, as opposed to maybe making some brittle assumptions that may not hold up over time. I do like Ranking Member Kelly's comment about keeping some sort of advisory board to keep these vibrant and evergreen.
I think a lot of the ones in the bill right now are evergreen, but we do want to make sure that this is--you know, there's no unintended consequences or byproducts of this.

Mr. Eggers. I would say one of the items about the bill that I've noticed that seems to be helpful is it's forward-looking, right? We're trying to say, hey, let's project forward and say how can we do some things that we know we should do? One of the issues that I think has come up with our members is the role that third-party certifications may apply where that's applicable. We are in favor of private sector entities looking to different labels, certification models, if you will, but to have government possibly put a thumb on that scale seems to be premature----

Mr. Hurd. Who is doing that right now?

Mr. Eggers. Well, you've got different organizations. You've got UL. You've got different organizations providing, I think, approaches, let's say in Europe. The challenge, I think, with this is the speed of the threat, the dynamic nature of trying to put, let's say contents, we're not clear about what contents would be in that label. Would it be proprietary information? What kinds of maybe software-related information would be on that label? Can it keep up with the threat? And then, at least in our experience, once kind of a selection by parts of government take hold, it's hard to extract ourselves from that model. Right?

Mr. Hurd. So is there any scenario current or in the future that you can think of where you need to have a password hard coded into a device? Mr. Eggers?

Mr. Eggers. You know, I would say at least I've gotten positive feedback on the idea that once you receive a device, you should be able to change that pass code. That's helpful. But to your question, I'd have to get back to you.

Mr. Hurd. So you've never had a member come to you and say, man, I really need to make sure that password is password in that device because it's not going to be able to function?

Mr. Eggers.
They would say that that is a bad idea uniformly.

Mr. Hurd. Mr. Ross, do you have an opinion? I know there's like a bunch--we're on like three or four different kind of questions right now.

Mr. Ross. Yeah, I know.

Mr. Hurd. Throw it out there.

Mr. Ross. Well, let me take your first question first on the patching. I think, you know, as you know, when product developers are considering how to approach a product, there's a few variables that are in tension, you know. You have computing power, battery power, cost, size of the device. You add more computing power, you add more cost, you need more batteries, you increase size. So I think it's--I'm hesitant, when looking at the government's diverse needs for sensors and other IoT devices in a variety of different contexts, including national security, including infrastructure, I'm hesitant to say if you have an operating system, you need to be patched. There are tradeoffs that you should make. And considering risk in, you know, how you apply security measures I think gets you a better outcome. It gets you----

Mr. Hurd. So on----

Mr. Ross. --security, you know, built to--calibrated to the risk that the devices pose.

Mr. Hurd. So is there a scenario in which you would advise the Federal Government that operating some system that has an operating system to not patch that software?

Mr. Ross. There may be. I mean, there are very small operating systems on very small devices, and we may have a need as a government. Again, you know, I come from----

Mr. Hurd. Based on the level of threat or the vulnerability?

Mr. Ross. Right. So I come from a national security background. And as you I'm sure know, the Department of Defense and the intelligence community, they want to put sensors on everything. And I've heard goofy proposals about putting sensors on cows to track their movements with nomadic herders and see where those herders go. It happens. The ability to deploy----

Mr. Hurd.
I may have been involved in a few of those conversations, by the way.

Mr. Ross. Yeah. So, you know, the ability to deploy cheap mass-produced devices that may not pose a risk, a substantial risk to life, public safety, the economy and so on, may be a trade off that we want to be able to make for other purposes. And I think, again, it's not to say that there shouldn't be standards; it's to say that the standards should be more nuanced than one size fits all, that there should be a risk framework that governs how standards are applied. So back to your second question, I'm not sure that I can conjure up a scenario where a hard-coded password might be appropriate. The one thing I would say is that we have--you know, as you know, you're the champion of the modernizing government IT act that we desperately need. The government is using systems, and I'm sure I could read this off of the talking points around the legislation, that are 50 years old or older. That's true in a lot of different contexts. And many systems, you think about industrial control systems, are built to last a very long time. And what we're doing now is we're applying software and other devices retroactively to help manage those systems. I know that we've heard from some of our members that managing those systems that are, you know, themselves very old and based on out-of-date protocols and that kind of thing, require solutions that may not be, you know, within the confines of the security standards on this bill. That said, I don't have any specific use cases in which a hard-coded password would be necessary to the function of those kinds of devices.

Mr. Eggers. And if I may, Mr. Chairman, come back to my answer about the need for, let's say, taking a device and changing the pass code so it's harder for a bad actor to commandeer that device. So I said uniformly it would be a bad idea. I think, generally speaking, most of our folks would say that's a bad idea.
I do wonder, because it has been raised, about, let's say, the nature of a device, let's say in a medical situation where access to that device in an emergency setting, let's say, you need to get in, you need to operate it, and if there are challenges with, let's say, the credentials, what have you, it's one thing that's come up. So I would say maybe, like a lot of things where we operate really in a zone of gray, that's one thing I might just flag. But on balance, you don't want a bad actor to easily commandeer your device.

Mr. Hurd. Mr. Corman?

Mr. Corman. Just building upon what's been previously said. We looked at the medical device for safety critical emergency access extensively on the congressional task force for the last year and a half. There's a difference between having a hard-coded unchangeable fixed password that adversaries can guess and take advantage of and the ability to go back to a factory default or a safe mode or emergency override with physical access. So I hear that come up often as an excuse, I'm not saying it's being used that way this time, but no one's saying you shouldn't be able to get to a factory default mode. It's more a matter of are we making it incredibly easy to be herded into a botnet. And Mirai had to publish its source code after it was done. So even though the first attacks were cameras, one of my first calls was to the Food and Drug Administration to say that the three defining characteristics of Mirai were it was internet facing, it had a fixed password that was guessable, and it was unpatchable. And I just described most connected medical equipment, including half-million-dollar imaging systems and bedside infusion pumps hooked up to people. You can Google these passwords. So one thing I wanted to clarify is there's a difference between being able to reset them versus how exposed we are with the current condition. The second thing is, I'm fully onboard with a risk-based decision. It's come up several times.
What I want to extend to that, though, and clarify is risk to whom. Because the risk of you buying your internet-based camera is--who cares if your camera gets hacked for you. The risk with the externalities and the tragedy of the commons, that the collective might of all those were able to hurt someone else. So we should absolutely do risk assessments. But if we narrowly hone in on what's the use case of the buyer as opposed to what's the collective hygiene public health issue of those being herded into a collective might, that must be part of that risk association.

Mr. Hurd. Mr. O'Farrell, close out the time that I do not have.

Mr. O'Farrell. Okay. With respect to the password question, I think if a device needs a password, a hard-coded password effectively means you've no password. So if the device has a password at all, then a hard coded one does not work for that. Thinking through to devices, yes, on the extreme sensor side of devices, your devices with no operating system, and I would argue, they are not really connected to the internet. They are in turn connected to other systems which connect to the internet, and they're the systems which then need to be protected. But if the device itself is connected to the internet or backed into a data center over TCP/IP or some equivalent protocol, broadly speaking, it will probably have an operating system or at least needs to be protected using a gateway or something else.

Mr. Hurd. Thank you. And we're now round two. Robin Kelly, you're now recognized for your next 5 minutes.

Ms. Kelly. Oh, only five for me, huh. Okay. There's no doubt in my mind that Congress must establish cybersecurity standards to protect internet-connected devices from hackers and bad actors, but I also understand the other side that, you know, there's concern about rigidly crafted regulations that would stifle innovation. Mr. O'Farrell, do you believe that the Federal Government can develop IoT cybersecurity without too much stifling of innovation?

Mr. O'Farrell. So I believe that in the context of the proposal where you're trying to establish what are really pretty basic security rules are basically a kind of a rules of the road for what the Federal Government should be doing for procurement. I think the balance of being able to establish those rules and making sure that you're basically getting value for money against any potential curtailing of innovation, I think is a good balance. These are pretty basic rules. They are not going to some inappropriate level of constraint.

Ms. Kelly. And Mr. Corman had made the comment he thought that the advisory board was a good idea. Do you agree with that assessment?

Mr. O'Farrell. Yes, I do. I think partially one of the challenges with Internet of Things and anything having to do with cyber moving forward is, as several people have pointed out, you do not know what the threat of tomorrow is going to be and you do not know what adoptive level of security you're going to have to bring. So an advisory board would help to be able to surface those and react to those before they become a real problem.

Ms. Kelly. Okay. And, Mr. Corman, the Senate version already has the waiver process. Do you think that's a good idea and would ease some concerns?

Mr. Corman. To a certain extent. One theory I have is the notion that you can't sell a product with known vulnerabilities unless you get a waiver. I think it'll be the norm that on any given day that you sell you will have some known vulnerability. So we want to make this as streamlined as possible. That's why I err on disclosing, in other words, avoiding a failure to warn. And, you know, the expectation of patching or the ingredients list to know if you need to, even if your vendor doesn't warn you or can't.
So the ability to have a pressure release valve of a waiver process makes sense, because then the agency is explicitly accepting that risk and can do other things to swarm and surround that. But I'd want to make sure that the common path is the easy path is the safe path. And waivers may just be a way to undermine this, so I tend to favor carrot and stick. FDA did something where they essentially said, if you have a disclosure program and you can fix your issue in 30 to 60 days, then you don't have to go through a recall process. Kind of being very clever to say the safe thing is easy thing. So you can do it however you want, but you're going to want to do it this way. And my only comment on the waivers is let's make sure that they're rare and necessary as opposed to burdensome and slowing down the Federal Government.

Ms. Kelly. And we all know that, as much as we try, no piece of legislation is perfect, so I wanted to give each of you a chance to make a suggestion toward this legislation. Mr. Eggers?

Mr. Eggers. Yes, ma'am. Thank you for asking. I will confess I have not looked at the advisory board idea in detail, but I will. I'm more familiar with the Senate bill. I might even suggest, maybe if there's one thing to take away at least from my thoughts here today, it's that maybe going broader than an advisory board. And what do I mean by that is we found that the Commerce Department can play a really powerful role--NTIA, NIST in particular--to bring multiple stakeholders. The four of us are just a portion of that. What they can do--and I think the NIST cyber framework effort is a good model. They brought folks together. They're able to say, here's what our interests are. They were consulted. They provided input. There's a lot of back and forth, right? It was quality input-output. I think industry bought it in a major way. We may need to do that here. We are supportive of that.
I think that the Commerce Department--I don't want to speak for them, but I think they would be open to that idea. One thing I might suggest is it's not clear if our friends at NIST and NTIA have the resources they need to carry that forward. One thing I might suggest is we look at what they may need, we may want to consult with them, hey, maybe it doesn't need to be as big as the framework effort where we have about maybe 5 to 6 workshops in the span of about 13 months. But here's what I took away: Industry played a big role. So did government. Our members bought in, by and large. I can go out, and we do, we promote that framework to about six major chambers, State, local chambers, every year, lead up every year to a summit. So we're able to promote that tool, not only domestically to our businesses, but as a model globally. And that's one of the things we're aiming to, is that we have a process, a model that can work for business wherever they are on the globe. Thank you.

Ms. Kelly. Thank you.

Mr. Ross. Thank you, Member Kelly. If I might, I'd offer three things. First of all, I think it's a very promising piece of legislation, and, you know, we think the idea of the government using its purchasing power to drive security makes a lot of sense. So these are offered in the spirit of improving that legislation. Number one, the definition of internet-connected devices, as I've been suggesting, I think needs to reflect risk. And I know that NIST is working on looking at a risk-tiering or a categorization of IoT devices. I think that's maybe something that can be built upon in the definition. Second of all, I think we really like the emphasis on security research and coordinated vulnerability disclosure. But there are some refinements that we would like to see to make sure that patches can be fully deployed before vulnerabilities are disclosed to the public.
And then the third thing, I'm not sure exactly how you get this in the legislation, but what we would not want to see is any set of standards become sort of the new lowest bar where, you know, that leads to acquisition workforce to buy products that are the cheapest possible as long as they meet the bar. We want to see competition for better cybersecurity and the government buying for value, not just for lowest cost. And I think the more we can do to incentivize that, the better off we'll be.

Ms. Kelly. Thank you.

Mr. Corman. I love the question. I appreciate it being asked. Thank you. I mean, clearly, I proactively mentioned there's tremendous value in a list of ingredients for free market choice at purchase time to tell better products from worse, to answer am I affected and where am I affected, when there's an active attack in the wild that you might be able to actually defend yourself against, and for the devices that have gone out of business, the manufacturers, the ability to defend yourself in those important use cases. And if I were to add to that, there is a technical standard being discussed called MUD, or Manufacturer Usage Description. It's a very elegant, very simple idea that a device--every device--would advertise to the network this is the man I need to talk to and this is the port I need to speak on. And if other devices in the network noticed it was doing something else, it must be compromised. It's something that on its own may not get as much adoption, but were this part of a government procurement wish list or fast track or incentivized, it could be promising. It's not very robust now, but I like the concept. And it could go even further and leverage free market innovation. I think this idea came out of Cisco, if I recall. And then just a little caution on the disclosure idea, I do agree that great care has to be done on the notion of safe harbor for coordinated vulnerability disclosure.
And in my written testimony, I cautioned against MPVD reinventing the wheel. There's been significant and robust debate with the Librarian of Congress, the Copyright Office, who is recommending that the current exemptions to the DMCA for research that allowed or enabled the voting machines, medical, to get the strength of law and be made permanent. I would not want to undo some of those really subtle nuances, nor would I want to tie that to the availability to patch first. There are many devices that cannot be patched, but it's still meaningful to know, to shield yourself, and insulate yourself. So rather than designing that right now, I would be happy to comment further, but I think that that last well-intended suggestion could backfire in unanticipated ways that I could articulate.

Ms. Kelly. Thank you.

Mr. O'Farrell. Thank you very much for the opportunity to comment on improvements to the bill. I think I see two areas. One of them is related to the definition of IoT devices themselves. As you can see, it's an area of quite a few questions, but specifically, it points to those IoT devices which are being procured by the Federal Government for use by the Federal Government. I think it would be good to clarify that, if that was to be extended further in some way, that that would be done in cooperation with industry. So the advisory board, part of that, or even strengthening that in some way to say that we're dealing in this world, which is going to be highly adoptive and highly volatile and, therefore, we need to constantly keep working with industry as we come up with new standards or new rules of the road. I would like to see that incorporated a little bit more strongly in the bill.

Ms. Kelly. Thank you. And I'm done.

Mr. Hurd. Mr. Raskin, you're now recognized for an additional 5 minutes.

Mr. Raskin. Thank you, Mr. Chair. Ms. Kelly asked one of the questions I wanted to ask and maybe--no, it's an excellent question, Ms. Kelly.
But I did want to ask a similar kind of question which is, at a time when the crises facing the country are multiplying--you know, we had the worst act of mass gun violence, random gun violence in our history a couple days ago; we've got millions of Americans still without power, without water, facing very perilous conditions in Puerto Rico and the Virgin Islands and so on--how would you express to the public the importance and the urgency of what it is you've come to testify about? How would you explain to people why this is something that really requires our attention? Mr. Eggers?

Mr. Eggers. Sure. Yes, sir. Thank you. I think it's pretty simple: We want the IoT to expand and be successful. We think it's going to lead to economic growth and to jobs, but to do that we have to manage risks, smartly. I think that the bill here provides an opportunity for a dialogue around these important issues. One of the things that we're going to do is we're going to provide the committee, at least I anticipate that we'll do it relatively soon, thoughts on the provisions, at least in the Senate bill, and then we'll move on from there. But I appreciate the opportunity to provide our thoughts. But I think, if anything, we want to make sure businesses gain as they're producing securely, and so will consumers. But I think we have to manage risks as we expand the IoT. Thank you.

Mr. Raskin. Anybody else? Mr. Corman?

Mr. Corman. One of the lines I put in the Presidential testimony, which was in August last year, has become more true every single day with NotPetya, with WannaCry. And I'm going to read it verbatim. I said: Through our overdependence on undependable things, we have created the condition such that the actions of any outlier can have a profound and asymmetric impact on human life, economic, and national security. That was a concern of things coming. If you look at healthcare as a sixth of our economy, there's a promise and a peril to these things.
But in a sixth of our economy, connected medicine is creating new cures, it's dropping the costs, it's increasing access. If we are cavalier about risks like this, any crisis of confidence in the public to trust these things could have a very deleterious effect on, not just patient safety, but the economy. And further, imagine something like the Harlem Presbyterian outage or the WannaCry outage, during a shooting, during a Boston Marathon bombing, during an earthquake or hurricane relief when we need it most. So this is something we have--back to overdependent on undependable IT. Our failure rate is about 100 percent on highly replaceable assets like credit cards. And even though we haven't dramatically improved our cybersecurity on those tolerable losses, we have increased our dependence on these safety critical and national security things. So without being dire or doom and gloom, we've run out of runway for these low consequence failures. And I think it's not just that we want economic growth, it's that we want the confidence of the public and the national security intact.

Mr. Raskin. Thank you. Mr. O'Farrell?

Mr. O'Farrell. Yeah. Maybe to echo a little bit, I think the reason why this is important is because IT security today is, to a large degree, around privacy or ensuring that financial or other transactions take place securely. IT security in the context of IoT is going to be around real factories, healthcare, things which directly affect the economy, things that directly affect the day-to-day life within a city. And because of that, compromise or damage associated with those are going to real--and much more impactful in a very, very real way. You have an opportunity to react to a privacy breach of some sort. You do not have an opportunity to react if a factory is brought down or if there's real danger put into a city because of traffic system's been hacked or something like that. This is why it's important. We're early in the days.
IoT is a fledgling story at this stage. So you have an opportunity to build in some security from the very beginning rather than dealing with it after something really bad happens.

Mr. Raskin. Mr. Ross?

Mr. Ross. Sir, I would say we can get this wrong in two different directions. One would lead us to lose the benefits of innovation, and the other would lose the benefits of globalization. You know, it's not just the physical risks that these devices turned against us can pose, it's also losing out on the cutting edge scientific research that these devices are offering or the benefits to public health or the benefits to, you know, critical infrastructure and that kind of thing. And if we don't protect them from cyber attacks, we lose those benefits. On the other hand, if we go too far and we adopt indigenous standards that put us at odds with the rest of the world, and we close off the internet and we segment and fragment, we lose the ability to transact business around the world and the benefit to our economy that that brings us.

Mr. Raskin. Thank you. Mr. Chairman, I also wanted to take a second to thank you for calling this hearing today. Unsecure IoT devices pose significant risk to our national security and can have devastating consequences, as Mr. Corman said. So I think that the Internet of Things Cybersecurity Act is a great first step to protect federally procured IT devices and sensors from cyber attacks. And I want to thank Representative Kelly for excellent legislation, and I do strongly support her bill.

Mr. Hurd. Thank you, Mr. Raskin. And some final questions from me. How do we prevent--if we say you have to be this tall, from that staying--that that's the floor--or that would be the ceiling, actually, how do we make sure that we continue--that industry continues to follow good digital hygiene?

Mr. Corman. We did encounter this at the PCI data security center, the effort to set a minimum, and we got one, right.
It almost caused a race to the bottom, and we don't want to cause that. I think that's why the language we use here is critically important. And I think it's an ``and.'' I don't think it's, do you do in this, private sector, public-private partnership or some minimum hygiene to protect your own interests right now, especially with time being the enemy. If these things are evergreen, like never have a password you can't change, we can act on that and we can encourage best practices, carrots and sticks, preferential purchasing, with a parallel effort that does leverage things that can be layered on top of it. It is always a risk. We need to define a minimum that you get it. That's why we have to be very careful, conscientious here that this is something to do the 80/20 rule now. It can't be the finish line.

Mr. Hurd. Mr. O'Farrell?

Mr. O'Farrell. So I don't think we should be afraid to set the minimum. And some of these minimums here are pretty basic and----

Mr. Hurd. Pretty minimum, huh?

Mr. O'Farrell. Pretty minimum. And so we should not be afraid to set those as minimums because we fear, you know, we're not going to be able to do more as it is appropriate. I think the most important thing though, as it is appropriate, does require a lot of interface with industry. Obviously, I am part of a company who produces a lot of software. I want to be able to have a seat at the table to be able to say, what are the guidelines that we need to follow, how are we going to secure that, and so on. So being involved in that and involving industry is very important. That does not mean we should not be afraid to set this bare minimum, which is, you know, based on what NIST or what some basic cyber hygiene is in place today.

Mr. Hurd. Mr. Eggers and Mr. Ross?

Mr. Eggers. Mr. Chairman, I might just add that I'm always a little concerned, at least I hear concerns expressed from members about minimums and maximums, only because the environment moves so quickly.
One of the things that I think we want to try to do is encourage demand for stronger devices, right. And that may mean that maybe they're more expensive, maybe not. We want makers of devices and those that provide managed services and so forth to gain from that extra security. One of the things I think about when I start hearing minimums and maximums is, are we in this space going to set some kind of check-the-box formula where it, A, might give us a false sense of security? Maybe with that false sense of security we are not deploying resources optimally. We've seen that happen. The other thing is, it's not clear where a minimum goes to maybe a higher level. Much depends on the implementation. One thing we have seen is once regulations sort of get going, they are hard to pull back and harmonize. And that's one of the things we're struggling with now.

Mr. Hurd. I'm assuming Equifax didn't have a high enough minimum, right? You know, and so we--yes, there should be a--I get the fear. Because my goal is that Congress never gets in the way of entrepreneurship and growth, but it's being made hard when private sector companies are not following basic digital system hygiene. Nobody opted in for their information to be in Equifax, right? And so I get that frustration. But then your members need to get their act together.

Mr. Eggers. So let me offer a thought. I think you're concerned--I'm not going to argue with your concerns, but here's what I hear from members. So I think one of the things we don't do a good job with is, whether it's OPM, SEC, Equifax, and other entities, we're going to have more, we don't do a great job of creating a safe space where an organization can come in as soon as they think that there's something wrong and say, here's what's going on. Rather than having an environment where they're having a finger pointed at them, and you're saying, why did you let this happen, we say, hey, we'll get to that.
What can we do to help make things better so we can pull in information, in a voluntary way, and we can learn and get that information out to other organizations? I honestly haven't learned enough about what's happened with some of these recent breaches to really have a firm sense that I can comfortably say that one organization did very, very poorly and one didn't. I understand that organizations have had challenges, but sometimes we don't know the full picture. And we haven't, at least one thing is, bills like this don't necessarily contemplate what are we going to do about the bad guys, right? What are we going to do about pushing back on bad actors? I think deterrence, at least through denial, stronger devices are some, but what are we also going to do to make an example of bad actors? So they think, for example, hey, I'm not going to do this again.

Mr. Hurd. Mr. Ross?

Mr. Ross. Mr. Chairman, two points. I think one, you know, we focused a lot on minimum standards today. Part of my suggestion about a risk-based framework is thinking about higher risk devices as well. And, you know, we may decide we don't want to make sure certain devices are patchable or have hard-coded passwords at the very low end. But at the high end, not having a hard-coded password may not be enough. We may want to insist upon two-factor authentication or other identity-management approaches that are much stronger than just not having a hard-coded password. So I think that's one important thing. The second thing is, if we want minimum standards for government procurement or any other sorts of standards to drive or sort of race to the top for cybersecurity, market mechanisms are really important. And part of that means that consumers, both at the enterprise level and on an individual household basis, need to have information to make informed decisions that factor in security.
And right now, we don't have sufficient tools to get information to consumers in ways that they can understand and act upon. So I think that's another really important part of the solution.

Mr. Hurd. Mr. Corman.

Mr. Corman. You know, I almost wanted to bring up Equifax, but obviously Equifax is not an IoT device. That said, the cause here was a known vulnerability that was able to be remediated but wasn't. It's very similar to this rubric, right? A known but unmitigated vulnerability. To the point raised just now, though, there is a tongue-in-cheek, much shorter bill we could do, if we want to avoid being prescriptive. We could have a bill that basically says, let the free market do whatever the heck it wants, you are liable for all damages caused by a known vulnerability or a default password. It's as free market and open to interpretation as you want. You can be a risk taker, you can be a risk avoider, you can change the cost of goods. A little tongue-in-cheek, but to a certain extent, we have to decide what's reasonable and what's appropriate for the shared responsibility model of the goods that we're inheriting. So we don't have to necessarily tell them what to do. I think these ones are pretty evergreen, as we've testified thus far. That said, if we want the criteria to change over time, I'd like to remind everyone listening, not just the committee, this is a statutory authority. I believe we're going to get software liability through case law. I think a jury of their peers is going to find that harm caused to a loved one due to a software defect is no different than harm caused by a physical defect. And we will get case law introducing something, whether or not there's a regulatory or a purchasing procurement document.
So part of the virtue of this particular experiment and this leading by example with procurement guidelines is, I believe, and I said this in my testimony as well, this could create a rubric that could be a safe harbor clause for any case law around this. So rather than fighting it or wondering what it might do badly, I think it creates a very tenable, intractable building block for the private sector to insulate their harm and insulate their maximum liability. They don't like that at first. I think in the fullness of time, we're going to see this not come through statutory but through case law.

Mr. Hurd. Thank you. Will the gentleman from the Commonwealth of Virginia be interested in asking questions or making comments?

Mr. Connolly. I would. Thank you, Mr. Chairman.

Mr. Hurd. And he is recognized for the final 5 minutes.

Mr. Connolly. I thank the Chair. And let me follow up on what you were just saying, Mr. Corman. I take your point, and it may be the way to go. But on the other hand, statutory action influences case law. And not having a statute means that a court in some ways has to itself impose minimum standards if it's going to find liability. And so that's not always a desirable outcome from a legislative point of view. You may want to comment on that.

Mr. Corman. There was a significant discussion on this in the Presidential Commission on Enhancing National Cybersecurity, which did ask the Department of Justice to explore the current state of the law with regards to software liability, just as an uncomfortable truth. One of the discussions that went in great detail is that if a court is doing this in a vacuum, if they place the liability in the wrong place, it could have devastating effects on the software industry. For example, most of these vulnerabilities that are exploited are in third-party, open-source code that are 100 percent volunteer.
So if you were to place responsibility for all the harm caused by Heartbleed when it hit the Federal Government April a few years ago, on the poor guy who introduced the code at 4:00 a.m. on New Year's Day, no one will ever contribute to open source again. And since 90 percent of the software in closed-source commercial goods is open source, you would have just single-handedly destroyed the software industry. And that's not actually a big stretch for a nontechnical jury.

Mr. Connolly. True.

Mr. Corman. Yeah.

Mr. Connolly. But, you know, in some of this discussion one would think--let's take Equifax--that it's Equifax that's the victim. Well, 143 million people are also victims. They've had their data compromised. And where do they seek redress? Your argument that it's a free market, I heard you say, maybe tongue-in-cheek, but an absolute free market doesn't necessarily protect the other victims who've had their financial information compromised.

Mr. Corman. It's my sincere belief that a few years from now, whether we choose to do it or are forced to do it, we're going to end up with a rubric that people are not responsible for zero day attacks from China, but they are absolutely responsible for known avoidable vulnerabilities. I think everything is going to hinge on what was known and avoidable.

Mr. Connolly. Well, you know, GAO in a series of reports basically found, and I quote: ``While there are many industry-specific standards and best practices that address information security, standards and best practices specific to IoT technologies are still in development and not widely adopted.'' Now, Congress, generally in this sphere, has been reluctant to legislate, actually. Some would criticize us for being too reluctant. But that kind of finding suggests, as the chairman I think was indicating, either industry adopts some industry-wide standards that people can adhere to that give us some comfort in protecting the citizens we represent, or we have to do it.
Mr. Ross.

Mr. Ross. Congressman, if I might. I think it's a great point. I think we will get maximum bang for the buck when those standards are international standards, because so many devices are produced overseas. And I think there is a gap. There's a gap, for example, you know, there is a proliferation of different types of operating systems for IoT devices, and that has a real impact on their security. Having a--you know, having international standards around IoT operating systems might be something we ought to explore. And I think the government can play a big role in supporting efforts to develop international standards. And that's something we haven't looked at nearly enough, in my view, because, you know, a lot of times international standards are developed on the side by people who, you know, work in the industry and try to come up with an international standard in their free time. That can't be how we approach security. We need a much more focused approach on identifying where there are gaps or where standards are out of date and really putting some support behind developing them in the international context.

Mr. Connolly. And that's a good point. I would just say, keep in mind that if this isn't done with some robustness by the private sector, sooner or later the public sector will be under enormous pressure. For example, if there ever is something that we kind of agree is a cyber Pearl Harbor, the shutdown of the electric grid, or the banking system, writ large, the public pressure on us to do something will be enormous. And so some sense of urgency, it seems to me, is really important within the private sector to get some kind of basic standards that people buy into that are reassuring, that aren't just, you know, PR, but that actually provide some protection that is measurable and testable.
Absent that, I fear that some day it will be done for you, because the pressure will be so great after some incident. Equifax apparently isn't it, but it was big enough that it got a lot of attention. And I just fear that when that day comes, absent private sector activity, you're going to see tremendous pressure on the legislative branch to protect the public.

Mr. Ross. Congressman, I fear that too. I think the one thing I would say is that it doesn't necessarily have to be the private sector taking action versus the public sector, but the private sector and the public sector working together is really powerful. And I think what we've seen, you know, within this framework is that industry and government got together on a framework that has proved very valuable by all accounts. But it's now, you know, the government and the private sector together are also now taking it to the International Organization of Standardization and seeking to internationalize it as a standard. And I think that's a great model for how we can explore IoT cybersecurity, but also other areas where we really need to fill in the gaps on international standardization for security.

Mr. Connolly. And I know my time is up, but I would agree with you. I think that's a preferable way to go, but it's got to be robust, it's got to be measurable and testable, it's got to be reassuring to the public and most of the stakeholders. Otherwise when something happens, that will be found to have been as inadequate as it is.

Mr. Ross. Absolutely.

Mr. Connolly. I thank the chair.

Mr. Hurd. Thank you, sir. And I'd like to thank our panel of witnesses today. This really was an invaluable conversation. I always feel when I leave a hearing with just as many questions as answers, it's actually a good thing. And so thanks for taking the time, thanks for y'all's perspective. And the hearing record will remain open for 2 weeks for any member to submit a written opening statement or questions for the record.
And if there's no further business, without objection, the subcommittee stands adjourned.

[Whereupon, at 4:08 p.m., the subcommittee was adjourned.]

APPENDIX

----------

Material Submitted for the Hearing Record

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]