[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]

[H.A.S.C. No. 112-5]

WHAT SHOULD THE DEPARTMENT OF DEFENSE'S ROLE IN CYBER BE?

__________

HEARING

BEFORE THE

SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES

OF THE

COMMITTEE ON ARMED SERVICES

HOUSE OF REPRESENTATIVES

ONE HUNDRED TWELFTH CONGRESS

FIRST SESSION

__________

HEARING HELD

FEBRUARY 11, 2011

[GRAPHIC] [TIFF OMITTED] TONGRESS.#13

U.S. GOVERNMENT PRINTING OFFICE
64-861 WASHINGTON : 2011
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202�09512�091800, or 866�09512�091800 (toll-free). E-mail, gpo@custhelp.com.

SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES

MAC THORNBERRY, Texas, Chairman
JEFF MILLER, Florida JAMES R. LANGEVIN, Rhode Island
JOHN KLINE, Minnesota LORETTA SANCHEZ, California
BILL SHUSTER, Pennsylvania ROBERT ANDREWS, New Jersey
K. MICHAEL CONAWAY, Texas SUSAN A. DAVIS, California
CHRIS GIBSON, New York TIM RYAN, Ohio
BOBBY SCHILLING, Illinois C.A. DUTCH RUPPERSBERGER, Maryland
ALLEN B. WEST, Florida HANK JOHNSON, Georgia
TRENT FRANKS, Arizona KATHY CASTOR, Florida
DUNCAN HUNTER, California
Kevin Gates, Professional Staff Member
Mark Lewis, Professional Staff Member
Jeff Cullen, Staff Assistant

C O N T E N T S

----------

CHRONOLOGICAL LIST OF HEARINGS
2011

Page

Hearing:

Friday, February 11, 2011, What Should the Department of
Defense's Role in Cyber Be?.................................... 1

Appendix:

Friday, February 11, 2011........................................ 29
----------

FRIDAY, FEBRUARY 11, 2011
WHAT SHOULD THE DEPARTMENT OF DEFENSE'S ROLE IN CYBER BE?
STATEMENTS PRESENTED BY MEMBERS OF CONGRESS

Langevin, Hon. James R., a Representative from Rhode Island,
Ranking Member, Subcommittee on Emerging Threats and
Capabilities................................................... 2
Thornberry, Hon. Mac, a Representative from Texas, Chairman,
Subcommittee on Emerging Threats and Capabilities.............. 1

WITNESSES

Cauley, Gerry, President and Chief Executive Officer, North
American Electric Reliability Corporation...................... 6
Nojeim, Gregory T., Senior Counsel and Director, Project on
Freedom, Security and Technology, Center for Democracy and
Technology..................................................... 8
Pfleeger, Shari L., Director of Research, Institute for
Information Infrastructure Protection at Dartmouth College..... 4

APPENDIX

Prepared Statements:

Cauley, Gerry................................................ 58
Langevin, Hon. James R....................................... 34
Nojeim, Gregory T............................................ 67
Pfleeger, Shari L............................................ 36
Thornberry, Hon. Mac......................................... 33

Documents Submitted for the Record:

[There were no Documents submitted.]

Witness Responses to Questions Asked During the Hearing:

[There were no Questions submitted during the hearing.]

Questions Submitted by Members Post Hearing:

[There were no Questions submitted post hearing.]
WHAT SHOULD THE DEPARTMENT OF DEFENSE'S ROLE IN CYBER BE?

----------

House of Representatives,
Committee on Armed Services,
Subcommittee on Emerging Threats and Capabilities,
Washington, DC, Friday, February 11, 2011.
The subcommittee met, pursuant to call, at 11:30 a.m., in
room 2118, Rayburn House Office Building, Hon. Mac Thornberry
(chairman of the subcommittee) presiding.

OPENING STATEMENT OF HON. MAC THORNBERRY, A REPRESENTATIVE FROM
TEXAS, CHAIRMAN, SUBCOMMITTEE ON EMERGING THREATS AND
CAPABILITIES

Mr. Thornberry. Hearing will come to order.
Let me welcome the members and witnesses and guests to this
first hearing in this Congress of the Emerging Threats and
Capabilities Subcommittee.
I certainly appreciate all the members who have chosen to
join this subcommittee. And among other benefits, we will have
the former chair and former ranking member of the subcommittee,
Ms. Sanchez and Mr. Miller, as part of our body.
But I am really looking forward to the chance to working in
partnership with the gentleman from Rhode Island, Mr. Langevin.
He and I started working together on cyber issues in 2003 as
part of the Select Homeland Security Committee, on the Cyber
Subcommittee of that body, and have worked together on this
committee and on the Intelligence Committee basically ever
since. So I look forward to what we can accomplish together for
the country's security in the next two years.
One of the first things that one notices is the name of the
subcommittee has changed. And I think that is to better match
what our charge is. We are to look out in the future and help
see that the United States is prepared to deal with those
national security challenges that are still emerging, that we
are still learning about. Things such as terrorism and cyber
warfare.
We are also charged with nurturing emerging capability that
can meet those and other threats. And the jurisdiction of the
subcommittees has been changed to reflect so we can better
focus on cyber and these other challenges.
Of course, any emerging threat presents new challenges on
policy, legal authority, budgeting, such as we have witnessed,
for example, since 9/11. And today, in the field of cyber, we
want to start by asking really a fairly basic but I think
important question, and that is, what is the role of the
Department of Defense in defending the country in cyberspace?
If a formation of planes or some hostile-acting ships came
barreling towards a factory or refinery in the U.S., I think
most of us have a pretty good idea of what we would expect from
the Department of Defense. They may try to identify who it is,
divert them over to another area. They may even go so far as to
shoot them down. But the bottom line is we expect our military
to protect us from threats that we cannot handle on our own.
But what do we expect, or what should we expect, if a bunch
of malicious packets, or potentially malicious packets, come
barreling at us--or come barreling at the same facilities in
cyberspace? I am not sure we have a good answer to that. And if
we figure out what we expect, then the question is, can the
government do what we expect? Does it have the ability and the
authorization to do it?
I don't expect that we are going to get definitive answers
to those questions today, but I do think we need to be serious
and diligent about pursuing those answers because the threat is
serious and it is growing in numbers and sophistication.
Yesterday, at the Intelligence Committee hearing, I asked
DNI [Director of National Intelligence] Clapper, Director
Panetta, FBI [Federal Bureau of Investigation] Director Mueller
about how serious the threats in cyberspace were as a matter of
national security. Each of them responded they thought it was
in fact very serious. Clapper said, ``The threat is increasing
in scope and scale, and its impact is difficult to overstate.''
So we know that cyber is a new domain of vandalism, of
crime, of espionage, and, yes, even warfare, but I am afraid
the country is not very well equipped to deal with any of those
challenges.
As we look for solutions, we have to be smart and careful
and true to our values, but I believe we need to act to improve
our security.
And I appreciate the witnesses who are here today to help
guide us on that path.
But first, I would yield to the distinguished gentleman
from Rhode Island, the ranking member, for any comments he
would like to make.
[The prepared statement of Mr. Thornberry can be found in
the Appendix on page 33.]

STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE FROM
RHODE ISLAND, RANKING MEMBER, SUBCOMMITTEE ON EMERGING THREATS
AND CAPABILITIES

Mr. Langevin. Well, thank you, Mr. Chairman.
As this is our subcommittee's first hearing of the 112th
Congress, I just wanted to take a moment to congratulate you on
your chairmanship and to say how much I very much looking
forward to working with you again. As you rightly pointed out,
we have worked on many of these issues together in our time on
the Homeland Security Committee, to our time as we have served
on this committee, and as well as the House Intelligence
Committee.
So our paths keep crossing in a very positive way and we
have enjoyed a very productive partnership in the past and I
know we will continue with our work on this subcommittee as
well. So congratulations to you.
In 2007, as chair of the Homeland Security Subcommittee on
Emerging Threats, Cyber Security and Science and Technology, I
conducted a detailed and thorough examination of cyber threats
to our power grid after tests conducted at Idaho National Labs,
known as Aurora, became public.
At that time, industry representatives from NERC [the North
American Electric Reliability Corporation] misled or were
inaccurate about their testimony to the Homeland Security
Committee about their efforts to address these threats in the
private sector. Now, we called them on it and they retracted
their statements. But the experience illustrates how difficult
it can be to require and ensure security when it comes to
critical infrastructure.
Since then, threats to our critical infrastructure have
only grown, with news reports suggesting that there is interest
by malicious actors in exploiting vulnerabilities in the U.S.
power grid and other critical infrastructure. The federal
agencies have taken steps to reduce these vulnerabilities. I
have to say, though, I am afraid that many in industry and in
government still fail to appreciate the urgency of this threat.
Since I began working on this issue, I have been disappointed
by the overall lack of serious response and commitment to this
issue, and I still believe America is vulnerable to a cyber
attack against the electric grid that would cause severe damage
not only to our critical infrastructure, but also to our
economy and the welfare of our citizens.
Because of this concern, last Congress I posed this
question to the heads of all of our military services. If our
civilian power system is vulnerable, what is being done to
protect our numerous military bases that rely on them to
operate?
Well, the answers were disturbing, but not surprising. Vice
Admiral Barry McCullough, head of the Navy's 10th Fleet,
testified that, ``These systems are very vulnerable to
attack,'' noting that much of the power and water systems for
our military bases are served by single sources and have only
very limited backup capabilities with an attack on a power
station potentially requiring weeks or even months to recovery
from, our bases could face serious problems maintaining
operational status. A recent report from the Department of
Energy's Inspector General found that despite years of concern
and hand-wringing by those who are aware of the threat, not
much has been done to increase protection to these civilian
systems.
Their reports also fault federal regulators for not
implementing the adequate security standards--cyber security
standards. But if you ask industry, you will find out that
there is no actual requirement to do what the government wants.
The regulators don't have any actual ability to regulate when
they see a problem, despite being fully aware of the tremendous
risks that face our nation.
Now, if everyone is aware of the threat, both DOD [the
Department of Defense] and our civilian power sector, it
appears that the tragedy of the commons has ruled that no one
has been willing or able to address it.
At the House Intelligence Committee's annual open meeting
yesterday, Director Panetta testified that cyber threats to our
critical infrastructure had the potential to be the next Pearl
Harbor, and I agree and remain unconvinced that we have the
abilities or the authorities to stop a large-scale cyber
attack.
To this end, last year I introduced legislation to
coordinate our national cyber security policies for the
protection of our federal networks, as well as our critical
infrastructure. And while we had success with an amendment in
the House defense authorization measure, you may know that we
were forced to remove that language during conference.
Let me just say, Mr. Chairman, that I look forward to
working with you to move forward again this year and finally
begin to address these critical vulnerabilities.
Today, I am anxious to hear from our panel, especially Mr.
Cauley from NERC and ask what has changed since 2007. Are we
still as vulnerable today as we were then? And I, for one,
believe that the answer is yes. I fear that little has changed
other than the acceleration of the threat and the growth of our
vulnerability.
With that, Mr. Chairman, I look forward to our witnesses'
testimony. I want to thank our witnesses for being here, and I
yield back.
Mr. Thornberry. I thank the gentleman.
And now we will turn to our witnesses. And let me say first
of all, I appreciate each of you all's written statement.
Without objection, they will be made part of the full record.
But I thought each of you did a very good job in laying out a
number of issues. I know I learned from each of them, so I
appreciate the effort you put into that.
With us today is Dr. Shari Pfleeger, director of research
from the Institute of Information Infrastructure Protection
headquartered at Dartmouth; Mr. Gerry Cauley, chief executive
officer of the North American Electric Reliability Corporation,
NERC; and Mr. Gregory Nojeim, senior counsel, Center for
Democracy and Technology.
Pretty good? Okay, good.
Thank you all for being here. We will try to move out
smartly today. I don't think we will have votes for a little
bit, and I would like to give everybody a chance to ask
questions before those votes. So as I say, your full statement
will be made part of the record, if you would like to summarize
it, and then we will turn to questions.
Dr. Pfleeger, the floor is yours.

STATEMENT OF SHARI L. PFLEEGER, DIRECTOR OF RESEARCH, INSTITUTE
FOR INFORMATION INFRASTRUCTURE PROTECTION AT DARTMOUTH COLLEGE

Ms. Pfleeger. Good morning, Chairman Thornberry, Ranking
Member Langevin, members of the subcommittee and guests. Thank
you for inviting me here. I was asked to talk about the
economics of cyber security and I have organized my response
based on the three big questions that you asked me.
So the first one is: What are the significant challenges
that face us? And I see three big challenges. The first is the
diverse and distributed ownership of the cyber infrastructure,
which makes it difficult to apply traditional approaches for
security because there are so many different pieces. And many
of those pieces have been developed without security in mind.
They are not always the big--security is not always the biggest
motivator for making money for the providers of those pieces.
The second is appeal as a criminal tool. Criminals can use
the cyber infrastructure to perpetrate their crimes more
broadly, more quickly and more anonymously than they could
before.
And the third is, and this perhaps has the most relevance
to the Defense Department, the difficulty in reaction to
emergent behavior. Many aberrant cyber-based behaviors are
emergent in that it takes a long time to figure out exactly
what is going on, understanding the cause and effect, and
selecting an appropriate reaction. And when the cause is
uncertain and the possible responses have life-threatening or
diplomatic implications, the decisionmakers have to reduce the
uncertainty surrounding cause and effect.
So I have identified three policy, legal, economic and
technical challenges. The first is misaligned incentives. Most
of the providers are in business to make money, not necessarily
to provide security. And so many organizations prefer just to
wait for cyber attacks to happen and clean up the mess, or they
rely on what is sometimes called ``free-riding'' or ``herd
immunity,'' where they let other people implement the security,
and the people who don't implement the security still get some
benefit.
And in addition to that, the bad outcomes don't always
affect the organization lacking security or don't affect them
for very long. So, for instance, their stock prices might go
down, but then they eventually pop back up again. So there is
little incentive for them to take a long-term security view.
The second is the need for diversity. Technological
diversity leads to more secure networks and systems, but
because of a variety of things, including economic reasons,
training, access and even chance, the technology is actually
quite uniform, more than we would expect.
And finally, security is often incompatible with
organizational culture and goals, so many people who use our
networks are paid to get their jobs done and they often see
security not as an enabler, but as an inhibitor. So you see
lots of cases of people turning off the security in order to
get their jobs done, or neglecting to do things like set the
security properly.
So what should the government do? I suggest five things.
The first is to address cyber attacks the way other unwelcome
behaviors are addressed. Our current reliance on convenience
surveys for information about cyber attack trends can be
misleading and we need more careful sampling and more
consistent solicitation of data.
The government should incentivize or require better breach,
fraud and abuse reporting, and data about the nature and number
of cyber attacks should be reported consistently each year so
that sensible trend data can form the basis for effective
actions. It may be more useful to capture data in smaller ways,
in various ways for various purposes, and then good economic
models informed by these representative consistent data can
improve our general understanding not only of the cyber risk,
but of the cyber risk relative to other kinds of risk.
Second, I recommend that liability statutes cover cyber
technology. When lack of car safety was made more visible in
the 1960s, the government responded by making automobile
companies more liable for their unsafe practices and products.
Similarly, I think a combination of manufacturer liability and
economic constructs like insurance could encourage more secure
product design and implementation.
The third is insist on good systems engineering. Use the
government's purchasing power in two important ways. First,
refuse to continue to deal with system providers whose products
and services are demonstrably insecure, unsafe, or
undependable. The data gathered in this process can inform
subsequent technology decisions so that errors made in earlier
products are less likely to occur in later ones. Especially in
cyber security we see the same problems appearing over and over
again.
Secondly, insist on five up-to-date formal arguments
describing why the systems are secure and dependable. These
arguments are used in other domains like nuclear power plant
safety and could easily be applied to cyber security. And
suppliers' formal arguments could be woven into the system
integrator security arguments to show that supply chain issues
have been addressed with appropriate levels of care and
confidence.
The fourth suggestion is to provide incentives to encourage
good security hygiene. Incentives like tax incentives and
insurance discounts can speed implementation of demonstrably
more security technology and the incentives should also include
rewards for speedy correction of security problems and
punishments for lax attention to such problems.
Finally, encourage multidisciplinary research. Many
security failures occur not because there is no solution but
because the solution hasn't been applied or because designers
fail to include the user's perspective when designing the
technology.
Research involving behavioral science and behavioral
economics can improve the security and dependability of the
nation's cyber infrastructure in two ways. In the short term,
it can improve adoption rates for the security technology,
thereby reducing the attack surface against which malicious
actors aim. And in the longer term it can lead to a more
resilient cyber infrastructure that users are eager to use
correctly and safely.
Thank you.
[The prepared statement of Ms. Pfleeger can be found in the
Appendix on page 34.]
Mr. Thornberry. Thank you.
Mr. Cauley.

STATEMENT OF GERRY CAULEY, PRESIDENT AND CHIEF EXECUTIVE
OFFICER, NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION

Mr. Cauley. Good morning, Chairman Thornberry, Ranking
Member Langevin, members of the subcommittee and fellow
panelists. My name is Gerry Cauley. And referring to Ranking
Member Langevin's comments on the performance of NERC in the
past, I would point out that I am the new President and CEO of
the North American Electric Reliability Corporation. And I also
serve as the Chairman of the Electricity Subsector Coordinating
Council.
I am a graduate of the U.S. Military Academy at West Point,
a former officer in the U.S. Army Corps of Engineers. I have a
master's degree in nuclear engineering from the University of
Maryland. And I have devoted over 30 years to working toward
the safety and reliability of our nuclear and electric
industries, including in 2003 serving as a lead investigator
for the 2003 Northeast blackout.
I have with me also today NERC's chief security officer,
Mark Weatherford, behind me, who until recently served as the
chief information security officer for the state of California
and previously served 26 years in the U.S. Navy as an
information security officer.
NERC is a non-profit corporation that was founded in 1968
to develop voluntary operating and planning standards for the
owners and operators of the North American bulk power system.
In 2007, the Federal Energy Regulatory Commission
designated NERC as the electric reliability organization in the
United States, in accordance with the Energy Policy Act of
2005.
As a result, our standards, including cyber security
standards, became enforceable at that time. To my knowledge,
they are the only mandatory cyber standards among the various
critical infrastructures in North America.
As CEO of the organization charged with overseeing
reliability and security of the North American grid, I am
deeply concerned about the changing risk landscape from
conventional risks such as extreme weather and equipment
failures to emerging new risks where we are left to imagine
scenarios that might occur and prepare to avoid or mitigate the
consequences, some of which could be more severe than we have
previously experienced.
I am most concerned about physical and cyber attacks
intended to disable elements of the power grid or deny specific
electricity to specific targets such as government and business
centers, military installations, or other infrastructures.
These threats differ from conventional risks in that they
result from intentional actions by adversaries and are simply
not random failures or acts of nature.
It is difficult to address such rapidly evolving risks
solely with a traditional regulatory model that relies mainly
on mandatory standards, regulations and directives.
The defensive barriers mandated by our standards do make it
more difficult for those seeking to do harm to the grid, but
alone they may not be completely sufficient in stopping the
determined efforts of the adaptable adversaries supported by
nation-states or organized terrorist groups.
The most effective approach against such adversaries is to
apply resiliency principles as outlined in the National
Infrastructure Advisory Council report on the grid, delivered
to the White House in October 2010.
I was fortunate to serve on that council with a number of
industry CEOs.
Resiliency requires proactive readiness for whatever may
come our way. It includes robustness, the ability to minimize
consequences in real time. The ability to restore essential
services. The ability to adapt and learn.
Examples of the NIAC [National Infrastructure Advisory
Council] team's recommendations include: one, a national
response plan that clarifies the roles and responsibilities
between industry and government; two, improving the sharing of
actionable information by government regarding threats and
vulnerabilities; three, cost recovery for security investments
driven by national policy; and four, a strategy on spare
equipment, with long lead times such as electric power
transformers.
NERC is moving forward with a number of our own actions to
complement our mandatory CIP [critical infrastructure
protection] standards and provide enhanced resilience to the
grid, including partnering with the Department of Energy and
the National Institute of Standards and Technology to develop
comprehensive cyber security risk management guides for the
entire electric system, from the meter to the bulk power
system.
Making actionable information available to the industry is
a priority for NERC. We worked with DOD, DHS [the Department of
Homeland Security] and other agencies in 2010 to issue high-
quality alerts to the industry on the Aurora mitigation, the
Stuxnet malware and VPN [virtual private network] tunneling
vulnerability.
We are developing a North American cyber security exercise
to prepare for and test a national response plan. In recent
meetings at the USNORTHCOM [U.S. Northern Command] and the
Pentagon, we have begun collaborating with DOD on assessing
worst-case scenarios and developing case studies at critical
military installations to ensure that essential requirements
for national security are being addressed.
We are engaged with the DOE National Laboratories in
opportunities to apply the expertise of the federal government
in enhancing the cyber security of our grid.
In 2010, we started conducting onsite security sufficiency
reviews at utilities, and we will continue that program in
2011. And we are working with vendors and industry to enhance--
to demonstrate enhanced physical security of our systems.
The emerging challenges we face are difficult but not
intractable. I believe we can and must take decisive actions
through partnership between industry and government to meet
these challenges. And I thank you, and look forward to your
questions.
[The prepared statement of Mr. Cauley can be found in the
Appendix on page 56.]
Mr. Thornberry. Thank you, sir. I appreciate it.
Mr. Nojeim.

STATEMENT OF GREGORY T. NOJEIM, SENIOR COUNSEL AND DIRECTOR,
PROJECT ON FREEDOM, SECURITY AND TECHNOLOGY, CENTER FOR
DEMOCRACY AND TECHNOLOGY

Mr. Nojeim. Thank you, Chairman Thornberry, Ranking Member
Langevin, and members of the subcommittee.
Thanks for the opportunity to testify on behalf of the
Center for Democracy and Technology about cyber security and
the role of DOD.
CDT [the Center for Democracy and Technology] is a non-
profit, non-partisan civil liberties organization dedicated to
keeping the Internet open, innovative and free.
The United States faces significant cyber security threats.
While the need to act is clear, it is essential that we take a
nuanced incremental approach that recognizes distinct roles for
DOD, the Department of Homeland Security, and the private
sector. Generally speaking, DOD entities should be responsible
for military systems, DHS for civilian government systems, and
the private sector should monitor its own unclassified systems.
We ask that you keep a key distinction in mind: Policy
toward government systems can be much more prescriptive than
policy toward private systems. The characteristics that have
made the Internet successful--openness, decentralization and
user control--may be put at risk if heavy-handed cyber security
measures are applied to all critical infrastructure. In the
case of critical infrastructures, one size does not fit all.
When DHS and private sector efforts to secure civilian,
government and private systems fall short, it is tempting to
conclude that Cyber Command and NSA [the National Security
Agency] should lead outside the dot-mil domain. But they
operate in a culture of secrecy--for entirely legitimate
reasons--that would hamper civilian cyber security efforts that
depend on public trust and corporate participation.
Instead, expertise and resources of Cyber Command and NSA
must be leveraged to help DHS with its cyber security mission.
More robust information sharing from the private sector to
the government and vice versa is one way to leverage resources.
But policymakers must proceed carefully to ensure that
information sharing does not devolve into de facto surveillance
through ongoing or routine disclosure of private communications
to the government.
When he unveiled the White House Cyberspace Policy Review,
President Obama correctly emphasized that the pursuit of cyber
security must not include governmental monitoring of private
sector networks or Internet traffic. That is one of the
overriding civil liberties priorities in the cyber security
arena.
Another is ensuring the free flow of information. Even in a
cyber security emergency, empowering the government to shut
down or limit Internet traffic over private systems could have
unintended effects, including discouraging network operators
from sharing cyber security information that they ought to
share out of fear that that information would be used to shut
them down. They know better than the government when elements
of their systems need to be isolated.
Despite the value of anonymity on the Internet, some have
proposed sweeping identification mandates, even a passport for
using the Internet.
Identification and authentication will likely play a
significant role in securing critical infrastructure. We don't
dispute that. However, they should be applied judiciously to
specific high-value targets--like classified military
networks--and to high-risk activities, and should allow for
multiple identification solutions. Finally, you should resist
proposals that would damage cyber security by making
communications less secure. We are concerned about proposals to
extend communications assistance for law enforcement design
mandates to communications applications to facilitate
electronic surveillance, as is being sought by the FBI. Because
it could weaken communication security.
Privacy and security cannot be viewed as a zero-sum game.
Measures intended to increase communication security need not
threaten privacy and indeed can enhance it.
We look forward to working with the subcommittee to
identify and promote these win-win measures.
[The prepared statement of Mr. Nojeim can be found in the
Appendix on page 65.]
Mr. Thornberry. Great. Thank you.
I will look forward to the same thing.
I am going to reserve my questions and give other members
have a chance.
And I would yield first five minutes to Mr. Conaway.
Mr. Conaway. Thank you, Mr. Chairman.
And panel, thank you.
It is interesting, we have Dr. Pfleeger on one end and Dr.
Nojeim on the other, because many of the things that Dr.
Pfleeger was proposing to do fly in the face of what Dr. Nojeim
was saying in terms of some of the prescriptive things that
would happen.
To follow up the Chairman's original comments about the
analogy between a physical attack on America and the response
that the federal government spoken, you know, it would have
been the military, of course, but the federal government's
response to that is pretty clear. Trying to look at those
solutions in cyber, given that the cyber attack happens in the
blink of an eye or less and the warnings aren't nearly as easy
to discern obviously captures the problem we have.
Who out there among the think tank groups are proposing
solutions to that? In other words each of you brought--maybe
that was your mandate--brought narrow, focused solutions to the
issues, but is there a group out there that is looking at the
broader issue? How does it--you know, what is the federal
government's role--DOD and NSA--with respect to the dot-mil and
homeland security? And then nobody on everything else has Dr.
Nojeim concerned. Is that a rational way to continue down this
path?
Mr. Nojeim. I don't think that anybody is out there
proposing that there is a silver bullet. I think that most
people who are engaged in this endeavor all recognize that
there needs to be a number of incremental steps taken.
To the thought that there is a silver bullet I think flies
in the face of the kinds of risks that we are facing. We are
going to have to have a situation where industry and the
government cooperate--and sometimes very closely--in order to
deal with these risks.
We have suggested not that industry has to stand alone when
those packets are coming toward them, but that there is a very
strong role that the government can play in helping out. It
includes information sharing. It includes the sharing of attack
signatures that will help the private industry identify the
attack as it comes in.
Mr. Conaway. And that is the sharing of information that
Dr. Pfleeger was saying ought to be done on a real-time basis
as opposed to ad hoc every once in a while. Am I understanding
between those two comments?
Ms. Pfleeger. I don't think it necessarily has to be real
time, but it has to be regular. As the threats change----
Mr. Conaway. Okay.
Ms. Pfleeger [continuing]. We need to know what the changes
look like.
Mr. Conaway. Not trying to put words in your mouth, but is
that--do I understand what you just said in relation to what
her comment was in terms of one of the solutions is to have a
better way to gather the scope of the problem on a regular
basis as opposed to an ad hoc basis?
Mr. Nojeim. Oh, no. We agree that there has to be----
Mr. Conaway. Okay.
Mr. Nojeim [continuing]. A lot of information sharing and
that is----
Mr. Conaway. How you put that in place, that
``requirement'' in place without terrifying folks about your
other comments that we are taking over the Internet, you know,
all the other things. That Internet nonsense is going out there
right now as a result of some of the comments the President
made and misinterpretation of those. How do we bridge that gap?
Mr. Nojeim. I don't think you have to have a world where
communications traffic that is private-to-private traffic and
is coming over an Internet backbone has to be shared with the
government. I don't think that anybody's proposing that world.
I think what we do need is a world where if a private
industry sees anomalies, they can share information about those
anomalies with government agencies that need to act on them and
that that can happen quickly, and it can happen in near real-
time.
Mr. Conaway. Let me--before my time runs out, Mr. Cauley,
help me understand the scope of your national test on the
security exercise. Is that just with respect to the electricity
grid that you are talking about doing, or is that broader
infrastructure than just electricity?
Mr. Cauley. Congressman, this year the exercise will be
fairly limited in scope. We are looking to pull in all the key
players in the industry in terms of participating in the
exercise and demonstrate the communications and emergency
scenarios that we might see. We do have interfaces with
Homeland Security, DOD and Department of Energy and others, who
will participate in that exercise.
One of the challenges that we are looking to try to resolve
during such an emergency is what are the relationships between
industry and government and how do we crystallize what those
relationships should be and who is in charge and how that
works. So we are hoping this exercise in the fall of this year
will help answer and maybe clarify what additional questions
need to be answered with that regard.
Mr. Conaway. Thank you, Mr. Chairman. Yield back.
Mr. Thornberry. Thank the gentleman.
The ranking member.
Mr. Langevin. Thank you, Mr. Chairman.
Again, to the panel, thank you for your testimony today.
All this is, obviously, fascinating and very important work.
If I could, Mr. Cauley, I would like to start with you.
First of all, thank you for refreshing my memory, just the
record mentioning that you are new on the job at NERC as the
chair. Thank you for the wealth of experience you bring to the
job. And I certainly look forward to working with you in that
role.
Let me ask. You touched on some of the things in your
testimony about what has changed since 2007, but for the point
about conversation, would you highlight against some of those
things that have changed over the last few years?
And I still am of the opinion that NERC and FERC [the
Federal Energy Regulatory Commission] really still lack the
authority to direct all power utilities to follow the cyber
security regulations, so I would like you to touch on that as
well. And actually, how do you know that the government's
guidance is being followed or that we are actually secure?
Mr. Cauley. Thank you, Ranking Member Langevin.
The industry has evolved quite a bit. As you know, the
issue of cyber and physical security is relatively new to the
industry compared to the 100-year history of the industry.
I have had the opportunity in the past year to go out and
meet a number of CEOs in most of the industry, and I believe
that the awareness and the commitment is there that perhaps may
not have been there before, but certainly has been elevated.
And I feel we have the support of the industry.
The standards that we had have been in transition, so I
think we have evolved and improved standards. We just recently
approved a new standard with a bright line criteria in terms of
what are the critical assets that need to be covered by our
cyber security standards. And we are in the process of adopting
NIST [National Institute of Standards and Technology] controls
into our standards, and that work continues.
I believe at this point that the Federal Energy Regulatory
Commission has full and adequate authority to direct us to do
any additional standards or modifications to the standards that
would be required to protect the security of the grid. In terms
of----
Mr. Langevin. Would you agree, though, that FERC doesn't
have the kind of robust authority that, say, the Nuclear
Regulatory Commission has when dealing with threats or things
that need to be directed is done?
Mr. Cauley. Yes, sir. I was going to get to the point where
I think there is--there may be a gap, I think, that does exist.
So in addition to the standards, we have the ability to put
actionable information to the industry. We have improved that
process.
So where I think we have a gap, a very narrow gap that has
been narrowed with their activities over the last couple of
years, is in an emergency situation, if there is an imminent
threat to the grid, at this point we have the ability to put
that information out, but not to produce a mandatory
requirement in a short amount of time.
In that arena I do support expanded authorities for the
federal government. It could be FERC or it could be another
agency, but I believe there is an opportunity as an authority I
would like to have. For an emergency imminent threat to the
grid, action must be taken.
I would caution, however, that the grid is a very complex
machine. Ordering certain actions can have adverse
consequences, even to the point of taking down the grid, so
that involving NERC in that process and putting the directive
in the form of a conservative action, conservative position,
but not telling operators how to operate the system, would be
most effective.
Mr. Langevin. Thank you. And I would certainly look forward
to working with you on closing that gap.
Mr. Chairman, if you could, would you--does NERC work right
now with DOD, identifying threats to the electric
infrastructure critical to our military readiness? I know you
talked--said that in your testimony, for the purpose of the
record, would you expand on that?
Mr. Cauley. Yes, Ranking Member Langevin. We have just
begun that recently, and we are in the process of ramping that
up.
The first thing we are going to do is look to develop a
design basis scenario. I think the industry has a perspective
of what are the worst-case scenarios that can happen from their
own risk management perspective, but when we look at national
threats, obviously those risks tend to be more widespread and
potentially more devastating.
So we are in the process of beginning to develop a national
cyber and physical security attack on the grid and what is the
worst-case scenario that we could work from. That will drive
things like the extent of our emergency plans, do we need spare
equipment, and those kinds of questions.
The second piece, just to be brief, is working on an
installation-by-installation basis in terms of, are there
adequate redundancies and procedures in place to ensure that
each critical installation will have power supply and, if it is
taken out, that we would have the capability to restore power
very quickly.
Mr. Langevin. Okay. Thank you.
Thank you, Mr. Chairman. I yield back.
Mr. Thornberry. Thank the gentleman.
Mr. Gibson.
Mr. Gibson. Thank you, Mr. Chairman.
And appreciate the panel today. Very informative testimony
right across the board.
I actually want to pursue the experimentation question just
a little bit further. So I am understanding that this is the
first time, sir, that your organization is participating in
this type of exercise in 2011. Yes, sir?
Mr. Cauley. If you are referring to the national exercise--
--
Mr. Gibson. Yes, secure grid exercise.
Mr. Cauley. We have done training and exercises
historically in preparations for hurricanes and earthquakes and
known types of risks. We have participated most recently in
Cyber Storm III and the previous versions of Cyber Storm, so we
have participated in exercises.
What we are proposing to do this year is to get--in our
exercise is to get greater involvement by industry rather than
a sampling of industry, and gauge our entire communications
infrastructure. We have an ability to communicate with the
operating companies directly, and rather than having a
government-driven exercise, where we bring a few of them in, I
want this to be industry-driven, where the government folks can
participate with us.
Mr. Gibson. I am trying to--where I am driving is I am
trying to get an appreciation for just how secure our
electrical grid is, and I am trying to get an understanding of
the exercise that is going to try to draw conclusions about
that.
So you mentioned you are still drawing up the design for
the exercise. What principles are you using to ensure your
sampling geographically and with enough depth that you are
going to be able to draw significant conclusions from the
exercise?
Mr. Cauley. Congressman Gibson, I think we are talking
probably several different things. So in terms of the actual
evolving security of the grid, I believe we are enhancing that
continuously. We have standards for firewalls and protections
and access controls and those kinds of things.
So the actual security is progressing in terms of
continuously improving. The challenge is, what is the worst
thing that could happen? And we are in the process of working
with Department of Defense to postulate some potential extreme
events, like take down major cities, take down major oil
refineries or military installations.
Those scenarios, we have not run those in the past, and we
are developing those as new this year.
We currently have the ability to communicate directly and
have robust communications with industry folks. But now with
this new scale of a scenario we have not seen before we will
test that and demonstrate our ability to meet that challenge.
Mr. Gibson. And one final question on this same topic. So
as private sector, as research and development is done on the
possibility of moving beyond copper for transmission, are you
comfortable that there is enough collaboration that you will be
able to make assessments as far as security going forward?
Mr. Cauley. We have very open dialogue with national labs
and other agencies in government, that we are trying to take
advantage of every technology that will be useful and practical
and cost effective for implementing in the private sector.
Mr. Gibson. Okay. Thank you.
I yield back.
Mr. Thornberry. Mr. Johnson.
Mr. Johnson. Thank you, Mr. Chairman and Mr. Ranking
Member. I commend you for holding this hearing and look forward
to joining you in the hard work that will be necessary to
secure the cyber domain.
There is an emerging consensus that we need to clear
jurisdictional distinctions between military and civilian cyber
security efforts. Just as the military does not police our
streets, it should not police our civilian cyber
infrastructure.
But we must ensure that the armed forces will have the
necessary tools to prosecute and defend the country from cyber
warfare.
One note on private sector regulation. As we draw these
fine jurisdictional distractions, Congress should establish
hard regulatory requirements, not just soft suggestions of
voluntary security measures to ensure the security of our
private sector technology infrastructure.
We do not merely recommend that airlines maintain the
highest standards of safety and reliability. Likewise, we must
not merely recommend that American industry implement state-of-
the-art best practices to ensure cyber security. We must
require it, and there should be penalties when those
requirements are not heeded.
My first question I would ask each of our panelists, what
is the first question, the essential question for determining
whether any given cyber threat should be the purview of
civilian or military cyber security authorities?
Ms. Pfleeger. That is a difficult question to answer
because the military often uses private sector networks to
accomplish things. And the threats to national security can be
economic, they could be espionage, they could be a variety of
things.
So I am not sure that--I think it would be a case-by-case
answer rather than a one-size-fits-all answer, which I think
reinforces what Mr. Nojeim said, that there is no silver bullet
for security. And it is very difficult, I think, to--I think
you need to look at the threat models and use the threat models
to decide when the military should step in and when it
shouldn't.
Mr. Johnson. Thank you.
Mr. Cauley. Congressman, first I would agree that mandatory
requirements and enforceability are one element in establishing
an adequate defense. And we have those standards and are
looking to continue to improve those for the electric grid.
I think to answer your question directly, it is the
responsibility of the asset and information owners to protect
their assets and their information. And I think those are
divided into government and private sector assets and
information.
However, the reality is we are very much intertwined.
Military bases and systems depend on electricity. So we are
bound together not only in the information world, but also in
the electric world.
So I think it is important to complement that clear line of
responsibility and accountability for securing our own systems
to make sure that our actions are also complementary and
helpful to each other.
And so I think there are opportunities for the military to
assist us in information awareness, and when we are under
attack and maybe don't know it, and vice versa, for us to
ensure we have done everything we can to provide reliable
electric service.
Mr. Nojeim. I agree with both of the other panelists.
I think that one thing to keep in mind is that you often
won't know what precisely was the source of the threat, what
was the source of the problem. So then it becomes difficult to
say who is responsible to respond to that threat.
But you--I think it is easier to say that everybody should
be securing their own systems or the systems for which they are
responsible, and to add that, if I am securing my system and I
learn about information that would help Mr. Cauley secure his
system, I need to have a way to share it. And that is, I think,
where a lot of productive work can be done.
Mr. Johnson. Thank you.
Mr. Nojeim, in the physical world there are clear
differences of capability and role between civilian law
enforcement and the armed forces. The military wields superior
firepower, specializes in destruction instead of arrest or
investigation, and is subject to less restrictive rules of
engagement.
What are or should be the equivalent differences of role
and capability between civilian and military cyber-security
authorities?
Mr. Nojeim. You know, some of the capabilities are going to
have to be similar. So, for example, say the National Security
Agency has the ability to distinguish which--what is an attack
signature that could threaten--of malware that could threaten a
communications system. That information is useful, not just to
the NSA, not just to Cyber Command, not just to the Department
of Homeland Security, but to many people who are trying to
secure information systems.
The point that I am trying to get across is that while we
talk about and I have talked about having distinct roles for
each of these entities, we can maintain that distinction by
relying on other activity that will help secure all networks
better.
One of those activities is information sharing, which I
have talked about, and another is the sharing of expertise.
There may be expertise within the military and at the National
Security Agency that would be helpful to the Department of
Defense, and there is already a mechanism to allow for the
sharing of some of that information.
Mr. Johnson. Thank you, Mr. Chairman.
Mr. Thornberry. I thank the gentleman.
Mr. West.
Mr. West. Thank you, Mr. Chairman, and thank you, Mr.
Ranking Member, for the panel being here today.
I think when we look at this 21st-century battlefield it is
definitely different from what we encountered in the 20th
century. And of course it is multi-dimensional, multi-spatial.
And of course the cyber realm does bring some interesting
challenges.
So my question, going back to my time in the military, we
always had this thing called mission-essential vulnerable
areas, and we always sat down and looked at what was our high-
value target list, the things that we knew that we needed to
protect from our adversaries and our enemies.
So my question is, in your assessment, what systems should
be considered critical to national security, and under what
framework should the government and the Department of Defense
in particular provide for the security of private networks,
both to those deemed critical to national security and to a
wider user base?
I will open that up to the panel. And subject to your
response, I will yield back to the Chairman.
Mr. Cauley. Congressman, I would take this on from the
perspective of the electric grid in relationship to military.
We have taken steps to identify what are the critical
assets within the grid, and we have approved a standard
requiring companies to identify those. Obviously, nuclear
plants are essential. Large-generation, high-voltage
transmission that serves as the backbone of the grid.
Blackstart generation that allows us to reboot the system if it
needs to be done. And our larger control center.
So we are in the process. We have required that. What that
may not get to, however, is the relationship with security--the
military installations, which as I mentioned, the initiative
that we have started with DOD is to identify if there is,
besides our own electric priorities, what are the priorities of
the military that we need to take a look at as well.
And then at that point it becomes a decision between the
electric company servicing that facility and the military base
in terms of what additional steps would be needed.
I would add one more aspect that I hadn't had a chance to
mention. There are going to be some actions and threats that
are beyond the capability of the industry to cope with.
And an example, much has been said about a nuclear blast
400 kilometers in the sky creating an EMP [electromagnetic
pulse] event that takes down the grid. And--suggesting we need
to understand the relationship between government and industry
in resolving issues. That is a poster child for that, because I
think the industry would say that is a government issue, if we
have a nuclear blast going off over our skies in the homeland.
Obviously, we would be expected to take some actions in terms
of protecting and hardening the grid. But those issues need to
be worked out further.
Mr. West. Then the follow-on question is, do you think we
have a clear line of delineation between the responsibilities
of, you know, the government, DOD and the private sector?
Mr. Cauley. No, sir, not to the extent needed for clarity
of responsibility facing these new threats. I think the
collaboration, consultation has been good, but I think it is
based on ad hoc relationships and not clear lines of
responsibility and authority.
Ms. Pfleeger. I would like to use two examples to address
your question. The first is there is a model that seems to be
working that the Defense Department is already using called the
``defense industrial base,'' where collaboratively the major
contractors come together to share their cyber experiences and
to share the things that they have done in order to address any
kind of cyber problem.
That might be a good model for expanding in some way, and
the roles there I think are fluid because I think
collaboratively, the defense industrial base acts to help the
Defense Department, but at the same time makes clear what their
individual goals are as private enterprises.
The other thing is that I would encourage the Defense
Department to think more about prevention, rather than reaction
to cyber attacks. And let me use an example. I was at a meeting
a couple of years ago where someone from DARPA [the Defense
Advanced Research Projects Agency] was talking about funding a
system where the whole, for example, the whole communications
system in the U.S. could be viewed on one screen and you could
watch as a cyber event unfolded that one part of the country
goes down, then another, then another.
The problem with that example is that it might not have
been a cyber attack. It might have been that all the phone
companies are buying their switches from the same vendor. There
is a flaw in the switches and they all happen to be going down
because some system problem was percolating through the system.
So that is what I meant in my testimony about the
difficulties of emergent behavior and the risks of making
assumptions. And so it is very hard in those cases to decide
not only what is going on, but what is the appropriate thing to
do to react.
Therefore, I think it makes a lot more sense to look from a
preventive point of view at things like our critical
infrastructure and look at more diversity, look at redundancy,
look at ways of making sure that if we do have some sort of
attack, we can come back up quickly or at least in some manner
that enables the Defense Department, as well as private
enterprise, to function while we figure out what is really
happening and apply fixes.
Mr. Nojeim. I would just add that there is a list of
critical infrastructure key resources, tier one, tier two
lists. DHS has prepared it. It is based on assessments as to
what would happen if these were destroyed or rendered
inoperative; in terms of casualties, whether people would have
to evacuate areas; what would be the damage to national
security.
So there has already been a lot of thinking about what
needs to be protected. We don't have to recreate the wheel on
that score.
Mr. Thornberry. Mrs. Davis.
Mrs. Davis. Thank you, Mr. Chairman.
Thank you all for being here. You provide a broad range,
and that is appreciated.
I don't know whether you would feel prepared to answer this
question specifically, but I am wondering about interagency
collaboration, coordination. One of the things that we
experienced here on the Armed Services Committee a number of
years ago was sort of our shock that in fact, you know I guess
I would say the Pentagon and the State Department didn't really
talk to each other to the extent that they should, and that we
really weren't looking at a whole-of-government approach, if
you will.
Can you apply that to the issues that we are addressing
here in terms of cyber security? How would you assess the
extent to which that is kind of a working--I guess it is a work
in progress in many ways--but where are we in that issue, to
look upon how we best deal in an interagency way on this issue?
Ms. Pfleeger. Well, there are some formal and some informal
things going on. There was for a while an Infosec Research
Council where different agencies funding cyber security
research had representatives get together periodically and
share what they were doing and coordinate.
There are more formal things like the Department of
Commerce now has an Internet Policy Task Force that is looking
across the government. But you are absolutely right that a lot
more needs to be done. There needs to be a lot more regular
interaction at high levels across the different----
Mrs. Davis. Any area particularly that you would seek to
improve, specifically if we could focus on that?
Ms. Pfleeger. Well, certainly discussions between Defense
and Commerce and between Defense and State. Those are probably
the two I would pick.
Mr. Cauley. Congresswoman, with respect to the electric
system, we have had very collegial consultation with a variety
of agencies, and they are very helpful. I think if we are
challenged it is just a confusion over leadership and the
relationships between the different organizations, and the
relationships between government and private sector.
So they are collegial. We are getting worked on. We are
learning. They are learning from us. We are learning from them,
but it is not clear what the delineation of responsibilities,
who is in charge, those kinds of questions. We are making do
with what we have today.
Mrs. Davis. Who is in charge, that is a big question. We
got that, yes. Thank you.
Mr. Nojeim, do you want to comment on that as well----
Mr. Nojeim. I would just say that there is some
cooperation, some communication, and that it is starting to get
better and it needs to go further.
Mrs. Davis. Can I just ask you a little bit about the labor
force as it relates to this highly complex STEM [science,
technology, engineering, and mathematics] area of education and
science and technology. Clearly, we are not where we want to be
generally in the country as it is in terms of encouraging young
people to go into the field.
Can you assess sort of the labor force and those people who
are migrating to these careers and to this area? And what we--
what else--what should we be doing, even in terms of preparing
our youngest children, I think, in having the ability to work
in this area since we know that, as I know as I am just getting
introduced to this topic and our concern that state actors make
us very vulnerable. And we obviously need to be providing that
expertise to our young people as well.
Any thoughts, ideas as far as the labor force?
Mr. Cauley. Well, in the electric industry, we are seeing
an influx of talent. I mean, I think it is pretty obvious that
kids will go where the jobs are. We are seeing very high
influx. And we are also focused on training. I think we do have
a gap that we are working on which is to elevate the
credentials, the professional credentials of our security--
physical and cyber security folks.
So I think its major improvements in the last couple of
years, lots of new talent coming in, but a long ways to go as
well.
Mrs. Davis. Yes?
Ms. Pfleeger. In many cases, the people who provide cyber
security expertise don't do only that, especially in small
businesses. And so we are having a workshop at the end of April
at Georgia Tech to look at the demand, to help inform what the
supply should look like. And we are inviting people from
government and industry together to tell us what their demand
looks like and what some of the problems are so that we can
make some recommendations about what the supply activities
should look like.
Mrs. Davis. Thank you.
Thank you, Mr. Chairman.
Mr. Thornberry. Thank you.
Mr. Ryan.
Mr. Ryan. Thank you, Mr. Chairman.
I just have one question. One of the issues we have not
just with--I am going to ask if it fits into the cyber strategy
that we all should have as a country--is the issue of
translating a lot of different languages. Is that an issue when
we are talking about cyber security, where we have, whether
they are state actors or a decentralized, you know, Al Qaeda-
type, where these folks are working from a different language
than the English language, and trying to attack our systems.
And, you know, is this an issue for us? Is this something
that we need to be aware of? Because clearly, I know as far as
the private sector goes, you are talking about Mandarin and
Farsi and being able to have enough Americans able to speak
these languages, to write and read in these languages for our
corporate interests, as well as our governmental interests.
I just wondered as I am sitting here listening, is that
something that we should be concerned about not having, on top
of what Ms. Davis was just saying, the workforce capable of
helping us address this problem?
I will let you answer and yield back the balance of my time
when you are done.
Mr. Cauley. Congressman, from an electric perspective, I
don't view that as a priority at this time. For North America,
all of our information exchange is done in English, including
in Quebec where French is the language. But the electric grid
operations are purely English.
So we treat anything that is not in English as suspect to
start with. So it is not really an interpretation question for
us. It hasn't come up to our attention at this point.
Mr. Nojeim. I think at one level, bad code is bad code and
it is not really a question of whether it is English language
or Spanish or another language. I think that the issue about
needing people to speak in multiple languages comes up mostly
in terms of prosecuting wrongdoers and being able to understand
what people are saying who are perpetrating the crimes.
Mr. Ryan. I know at one point we had an issue with a lot of
the intelligence we were getting. We weren't able to translate
a lot of the, you know, kind of prepared for attacks against
us, we weren't able to do that. So I just want to throw that
out there if that is something we need to continue to look at.
Mr. Thornberry. And that is still the case with a lot of
intelligence we get. We don't have the resources to translate
it, so I thank the gentleman. Dr. Pfleeger, you talked about
incentives in your statement. It has been suggested to me that
with proper incentives, we can elevate general cyber security
that would take care of roughly 80 percent of the problems that
are going through cyberspace. Do you think that is about right?
Ms. Pfleeger. Well, I don't know if it is 70 percent, 80
percent. What I--two days ago, Arbor Networks revealed the
results of a survey that they did of network engineers. And the
top problem that the network engineers talked about was non-
technical factors being one of the most significant obstacles
to reducing mitigation time.
A lot of that has to do with there being a lack of
incentives for the people maintaining the networks to pay more
attention to security; the lack of users to pay more attention
to security. And so because a lot of these non-technical
problems loom large, that 80 percent number is probably close.
I mean, if you look at things like the causes of all a lot
of typical problems, we see the same things over and over
again. People don't change things from the default settings.
They don't understand how to install security software.
If there were incentives to encourage people to do the
right thing, what I called in my testimony good hygiene, won't
completely solve the problem, but it could eliminate a lot of
these things that we see that recur that shouldn't be happening
anymore. We should know better by now.
Mr. Thornberry. Do you know of any organization that has
actually run the numbers, by which I mean to say this incentive
for this tax provision or this, you know, whatever it is, will
have this consequence in the real world, because businesses are
calculating cost-benefit every day. How much is it going to
cost? What is the benefit I get? And that cost-benefit has to
line up for them to take additional actions. Has anybody run
the numbers to kind of get more specifics on it?
Ms. Pfleeger. There are some researchers who have done some
economic models that suggest which incentives might be the most
effective, but I haven't seen a lot that use real-world
numbers, in part because it is hard to get good data.
Mr. Thornberry. Yes.
Ms. Pfleeger. So there are some first steps, but it would
be really helpful if business would work with some of the
modelers to--so that the models reflect the realities of the
business trade-offs.
Mr. Thornberry. Okay.
Mr. Cauley, especially in your written statement, you made
reference to the fact that private industry is always going to
be at least a step behind in identifying some of the most
sophisticated threats that go through cyberspace.
I mean, just assume, if you will, that you can take care of
80 percent by good hygiene, we still have 20 percent that are
the more sophisticated, difficult threats to deal with. And so
from what you said earlier today, I take it in that area you
think there needs to be more government assistance of some sort
for that kind of upper tier.
Mr. Cauley. Yes, Mr. Chairman. That is why I think we need
a dual strategy. So the Ranking Member Langevin has suggested
we need firmer regulations and standards, and I agree with that
because it provides a baseline of the expected mandatory
requirements.
But facing a dynamic, ever-evolving adversary, sitting
still with fixed barriers is going to be very difficult. So
having a robust relationship with the government intelligence
agencies, which we are beginning to develop to take quick
information and be able to turn it into actions that the
industry can take, is essential.
So let's treat it like it is a dynamic, ongoing war, and it
is not a fence put around the systems. And I think that is
where we need the help from the federal government.
Mr. Thornberry. Let me ask you this. There has been lots of
talk about a smart grid. To me that indicates that there are
more access points on the grid to the Internet. Does that not
increase our vulnerability--potential vulnerability of the
electricity grid?
Mr. Cauley. Mr. Chairman, it does create--introduce
additional risks, additional entry points. And it is incumbent
upon the industry and government, I think, in partnership to
work out a sufficient set of security requirements for a smart
grid and also for the vendors to deliver devices and systems
that build in the security as a major objective from the start,
not as an add-on later down the road.
Mr. Thornberry. Mr. Nojeim, I think Mr. Cauley a while ago
kind of used the EMP example as a big, catastrophic sort of
event that would require government direct intervention.
And I guess what I am wondering with you is do you--set EMP
aside--what do you think there could be a situation where the
cyber event is of such a magnitude as to overwhelm, perhaps,
private ability to deal with it and that direct government
action would be appropriate?
Or, as I think you have kind of indicated in your
testimony, is it always--as far as direct responsibility, it is
DOD for DOD, DHS for dot-gov and all of dot-com is on its own?
Mr. Nojeim. So I just--if I gave the impression that all of
dot-com is on its own, I didn't mean to do that, because what I
did say in the testimony at least a few times were some
measures that ought to be taken to help dot-com defend itself.
As for a catastrophic event that the private person
couldn't deal with, I would need to just talk a little bit more
and understand a little bit more about what that event would
be. So, for example, some people have said that maybe the
government ought to have authority to order the shutdown of
Internet traffic to a critical infrastructure system.
Well, see, that authority, as you think that through, would
only be exercised when the person who owns or operates the
system thinks that it ought not to be shut down. And they have
strong incentive to protect their system. They have a strong
incentive to isolate their system when it is in danger, and
they do that right now.
I think the question we have to ask is whether the
government would have superior information that would inform
that decision. And if so, that is kind of information ought to
be shared.
And we also ought to ask other questions about what
incentives that kind of authority would create. Would the owner
operator of that system be willing to share information that
they ought to share what they know that that information could
be used to shut them down? Would they be more hesitant to shut
down on their own when they think they ought to, because they
are waiting to be ordered to shut down by the government,
knowing that with the order will come a limitation of
liability?
So I think we have to think these things through and maybe
game out some scenarios before we make blanket decisions.
Mr. Thornberry. Okay. Let me ask one other thing, and then
I will yield to the ranking member and others who may have
questions.
But as I understand what you have said, you think there is
an appropriate role for government to share with private
industry information it receives about signatures and malicious
attacks going on in cyberspace as long as it is the private
entity that deals with it, that takes direct action of some
sort.
Mr. Nojeim. Yes. Yes.
Mr. Thornberry. And even though, obviously, if the
government were to share some information with, say, a
telecommunications carrier, the government will have to expect
that some information is kept classified, potentially.
Mr. Nojeim. And the government should expect and should
help the telecommunications carrier have people on staff who
can handle classified information.
Mr. Thornberry. Certainly.
Mr. Nojeim. And if there is a gap there----
Mr. Thornberry. Absolutely.
Mr. Nojeim [continuing]. And the right ones don't have the
right clear cleared people, that is a place where the committee
ought to pay particular----
Mr. Thornberry. Well, DOD deals with defense contractors--
--
Mr. Nojeim. All the time.
Mr. Thornberry [continuing]. All the time in huge numbers,
so, yes, I think that is a fair point.
Ranking member.
Mr. Langevin. Thank you, Mr. Chairman.
To continue to explore this role of proper balance of
authorities and such, particularly in time of crisis--and this
is really for the entire panel--you know, do you think they
DOD's role should be in specifically protecting not just our
power systems, but other critical infrastructure, such as our
financial institutions or communications sector?
Should there be any new structures set up to increase their
coordination with the Department of Homeland Security, for
example?
Mr. Nojeim. I think there are some structures already. And
again, when we think about role of DOD when it comes to
securing private systems, it should be in a supportive role and
that, for example, it should be supporting the efforts of the
Department of Homeland Security to work with those private
entities to secure their systems.
And Cyber Command and NSA are going to have information and
expertise that will be useful. And the important thing is to
loose it and to access it and together to DHS and to these
other entities so they can do a better job.
Mr. Cauley. I would answer that question. I think there
is--I have seen evidence of good coordination between the
Department of Defense and Homeland Security, but I will repeat
my earlier comment that working to try to resolve electric
industry issues related to cyber, it is a community of
agencies.
It is not clear, you know, where all the responsibilities
lie or where the authorities are, but we try to work with
everybody.
I think there is an interesting set of questions here in
terms of what DOD should be authorized to do in the state of an
emergency. And I really wouldn't rule out--I sympathize with my
fellow panelist's comment that it becomes very, very scary if a
government agency can take an action that would alter the
controls of the power grid, because it is just a scary thought.
It could have unintended consequences.
But I can conceive of extreme denial of service attacks on
the Internet or sort of a major cyber concurrent attack on the
entire country, where intervention by DOD might be beneficial
just to stop the bleeding in the initial minutes and hours. And
I think that would merit some more dialogue in terms of what
that would look like, but overall I think the industry needs
the information to act under most circumstances.
Ms. Pfleeger. I suggest that the DOD consider again the
threat models and try to work collaboratively in advance with
providers of the key infrastructure, perhaps by giving them
scenarios. So the DOD might suggest, for instance, that the
electric grid have the capability to do a handful of things
that would be useful to both the grid and the Defense
Department, if there were an attack on the grid.
I think that kind of in--advance, preventive set of
measures might be more effective than just having a blanket
ability to--for the DOD to take over something that it is not
used to running.
Mr. Langevin. Let me turn to something else. You know,
there is a debate around, you know, what constitutes cyber
warfare, what constitutes a cyber attack, if you will, versus
defense. You know, and basically how involved should our
military be in cyber security when you look at, for example,
computer network operations by DOD. Much of this debate focuses
around--what constitutes ``warfare,'' you know.
Could you provide a definition to us about what cyber
warfare is and what it looks like, and what the appropriate
response should be?
Mr. Cauley. Ranking Member Langevin, I have seen enough in
the last few months--just in my visits with NORTHCOM and the
Pentagon--to understand that the Department of Defense has a
much richer understanding of the ongoing cyber warfare than we
have in the private sector.
So I think anything that can be done to not just keep that
information internal as we know what is going on in the cyber
warfare arena, but how can we help industry understand the
information they need to know to--to be aware of what is going
on.
I myself have a top secret clearance--been to some of the
briefings. I have understood more than I had in the past. And
it is serious stuff going on. And I think we need to be able to
share that with industry in a timely fashion.
The tendency is, because it is a war, to keep it inside the
military and not share it. And I think we have to figure out
how we overcome that a bit.
Mr. Langevin. Well, I yield back.
Mr. Thornberry. Dr. Pfleeger, one of the challenges the
government always faces is how to have a role that does not
distort the market in some way. And I am thinking about
especially research in this area.
Obviously, the Microsoft and the Dells of the world are
doing lots of research about next phases of computing that can
be more secure. Do you have suggestions as to the government's
role in funding specific kinds of research that would be
complementary but not displace the role that private industry
plays?
Ms. Pfleeger. I think there are already a lot of activities
coordinating what the private sector is doing with what our
universities should be doing and what the government should be
sponsoring.
Both within the DOD and the Department of Homeland Security
they have lists of their key topics that they try to fund.
I think the place where there is room for improvement is
that often the focus is on the technology alone and not on how
people use the technology or perceive the technology. And so I
think that is an opportunity for improving not just the kinds
of technology that we are producing to make things more secure,
but improving the technology transfer, improving the eagerness
with which users view the security. If they could view it more
as an enabler than as an obstacle, I think that would make a
huge difference.
So it isn't always what the technologists like to get
funded to look at, but in fact, technology that isn't used
properly or isn't used at all is fairly worthless.
Mr. Thornberry. Let me also give you a chance to weigh in
if you would like on this question about emergency powers.
Because I know it has been very controversial in some of the
Senate bills about to what extent a government ought to have
ability to take emergency actions. And you have heard a little
bit of it addressed here.
Do you have views on that?
Ms. Pfleeger. I don't really have a view. I have looked at
some of the issues. But I am not a lawyer. I am not a
historian. I am not sure it would be appropriate for me to make
a judgment.
Mr. Thornberry. I appreciate it.
Yes, gentleman from Texas.
Mr. Conaway. It occurred to me, that as you are looking at
this new cloud concept where everything is out that--the things
that we are talking about today--before that--in other words,
all of that innovation which creates greater accesses and from
anywhere you want all your data is out there.
Does the stuff we talked about today really contemplate
that at all?
Ms. Pfleeger. Do you mean--if I understand you, you are
asking whether the kinds of recommendations that we made in our
testimony----
Mr. Conaway [continuing]. Yes, just the state of play, is
the state of art for--does the users out there remotely
understand the risks they take, that you are relying on private
entities to protect all of that?
It just occurred to me that we fight this fight right now
where most everybody's stuff was on a laptop and you had a
direct access line. But now with this--the new innovations and
the continued improvements and everything, do we really
contemplate--are these recommendations getting as far ahead as
what that is ahead of the normal way people understand what is
going on?
Ms. Pfleeger. Well, I think the cloud computing is a good
example of misaligned incentives. Because a lot of people--a
lot of organizations are choosing to use the cloud because it
is cheaper without being aware, as you point out, of the risks
that they are taking.
And so I think a lot of these questions are being raised.
But there aren't a lot of good answers yet.
Mr. Nojeim. I think that it is a double-edged sword. And
you could have cloud providers that are better at security than
the individual user is on his or her laptop. So maybe if more
users demand more security, we will get better security as a
result of migration to the cloud instead of worse security.
Mr. Conaway. But is the driver--is the free market system
robust enough to drive those kinds of things without the users
knowing it and/or appreciating it----
Mr. Nojeim. I think it depends on the user. There are some
users that are large corporations that are moving to the cloud
and they are asking these questions----
Mr. Conaway. They will drag along the protections for all
those folks----
Mr. Nojeim. They are going to drag along the protections
for--you know, obviously, they are interested in protecting
their own data. I think the issue is whether the practices
become such that they become more a standard at a higher level
as a result of the demands of industry. As it moves toward the
cloud it would filter down and help consumers.
Mr. Conaway. Okay.
Thank you, Mr. Chairman. Appreciate that.
Mr. Thornberry. Let me just--I have been trying to take
notes and see if I can summarize, at least, some areas where it
seems to me you all are pretty well in agreement.
One is that the government does need to take some action.
That continuing to let things drift along as--that may be a
little--continuing as we are without some additional action
would be a mistake.
Secondly, that there needs to be some further action in the
form of incentives, regulations to encourage a general--or to
mandate a general increase in cyber security.
Third, that at a minimum, the Department of Defense should
ensure that the appropriate entities in the private sector have
access to more of the information that the Department of
Defense has in order to protect those private networks better.
So have I--does anybody disagree, I guess, with at least
that starting point?
Now, you all have to say something. They can't----
Mr. Nojeim. I think that is a good starting point. I think
that, you know, people are going to say, ``Well, I didn't call
for more regulation,'' or this or that.
But----
Mr. Thornberry. Yes, yes.
Mr. Nojeim [continuing]. I think that, you know, when we
look at incentives, we look at accessing information that the
government has and spreading that out, I think that there is a
general consensus about that.
Mr. Thornberry. And you are okay with increase incentives
and considering, at least, looking at regulation of certain
sectors that are already regulated, at least, as something----
Mr. Nojeim. Yes.
And as I said, we think that different sectors are going to
be subject to different rules.
Mr. Thornberry. Yes. Yes.
Mr. Cauley. Mr. Chairman, I would generally agree, as well
with a couple of nuances. I think there does need to be clarity
within the various agencies in the government in terms of roles
and responsibilities, and who do we work with as private
sector.
I think in terms of the mandates to industry, my sense is
we have--in the electric side, we have addressed that mostly
through existing structures through the Federal Energy
Regulatory Commission and our ability to do mandatory
standards.
I did point out a gap, I thought, in emergency, in an
immediate threat--do we need a mandate and action?
I think there is a danger of further escalating the
mandatory compliance directive aspect because we may drive the
electric industry to sort of a common plateau of mandated
regulations. And I am trying to get them to fight the dynamic
warfare in cyber--so I think we can over-regulate when we have
a solid foundation. So I just want to make that distinction.
Mr. Thornberry. And that is a fair point and an important
amplification, I think.
Ms. Pfleeger. I also agree that it is a good summary.
I think, in addition, the government could--I think we
would probably all agree that the government could encourage
private sector initiatives that already are good behavior.
There already are examples of private enterprise making data
public, collaborating in various ways. And so making that more
visible and providing incentives in that way might be helpful.
Mr. Thornberry. Okay.
We may want to pursue--I have some other questions on that
line that we may want to pursue with you.
Anyway, thank you all very much for being here. I
appreciate your testimony and the time it took to prepare it,
and for your being here.
With that, the hearing stands adjourned.
[Whereupon, at 12:59 p.m., the subcommittee was adjourned.]
?

=======================================================================

A P P E N D I X

February 11, 2011

=======================================================================

PREPARED STATEMENTS SUBMITTED FOR THE RECORD

February 11, 2011

=======================================================================

[GRAPHIC] [TIFF OMITTED] T4861.001

[GRAPHIC] [TIFF OMITTED] T4861.056

[GRAPHIC] [TIFF OMITTED] T4861.057

[GRAPHIC] [TIFF OMITTED] T4861.002

[GRAPHIC] [TIFF OMITTED] T4861.003

[GRAPHIC] [TIFF OMITTED] T4861.004

[GRAPHIC] [TIFF OMITTED] T4861.005

[GRAPHIC] [TIFF OMITTED] T4861.006

[GRAPHIC] [TIFF OMITTED] T4861.007

[GRAPHIC] [TIFF OMITTED] T4861.008

[GRAPHIC] [TIFF OMITTED] T4861.009

[GRAPHIC] [TIFF OMITTED] T4861.010

[GRAPHIC] [TIFF OMITTED] T4861.011

[GRAPHIC] [TIFF OMITTED] T4861.012

[GRAPHIC] [TIFF OMITTED] T4861.013

[GRAPHIC] [TIFF OMITTED] T4861.014

[GRAPHIC] [TIFF OMITTED] T4861.015

[GRAPHIC] [TIFF OMITTED] T4861.016

[GRAPHIC] [TIFF OMITTED] T4861.017

[GRAPHIC] [TIFF OMITTED] T4861.018

[GRAPHIC] [TIFF OMITTED] T4861.019

[GRAPHIC] [TIFF OMITTED] T4861.020

[GRAPHIC] [TIFF OMITTED] T4861.021

[GRAPHIC] [TIFF OMITTED] T4861.022

[GRAPHIC] [TIFF OMITTED] T4861.023

[GRAPHIC] [TIFF OMITTED] T4861.024

[GRAPHIC] [TIFF OMITTED] T4861.025

[GRAPHIC] [TIFF OMITTED] T4861.026

[GRAPHIC] [TIFF OMITTED] T4861.027

[GRAPHIC] [TIFF OMITTED] T4861.028

[GRAPHIC] [TIFF OMITTED] T4861.029

[GRAPHIC] [TIFF OMITTED] T4861.030

[GRAPHIC] [TIFF OMITTED] T4861.031

[GRAPHIC] [TIFF OMITTED] T4861.032

[GRAPHIC] [TIFF OMITTED] T4861.033

[GRAPHIC] [TIFF OMITTED] T4861.034

[GRAPHIC] [TIFF OMITTED] T4861.035

[GRAPHIC] [TIFF OMITTED] T4861.036

[GRAPHIC] [TIFF OMITTED] T4861.037

[GRAPHIC] [TIFF OMITTED] T4861.038

[GRAPHIC] [TIFF OMITTED] T4861.039

[GRAPHIC] [TIFF OMITTED] T4861.040

[GRAPHIC] [TIFF OMITTED] T4861.041

[GRAPHIC] [TIFF OMITTED] T4861.042

[GRAPHIC] [TIFF OMITTED] T4861.043

[GRAPHIC] [TIFF OMITTED] T4861.044

[GRAPHIC] [TIFF OMITTED] T4861.045

[GRAPHIC] [TIFF OMITTED] T4861.046

[GRAPHIC] [TIFF OMITTED] T4861.047

[GRAPHIC] [TIFF OMITTED] T4861.048

[GRAPHIC] [TIFF OMITTED] T4861.049

[GRAPHIC] [TIFF OMITTED] T4861.050

[GRAPHIC] [TIFF OMITTED] T4861.051

[GRAPHIC] [TIFF OMITTED] T4861.052

[GRAPHIC] [TIFF OMITTED] T4861.053

[GRAPHIC] [TIFF OMITTED] T4861.054

[GRAPHIC] [TIFF OMITTED] T4861.055