[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]



 
 CYBERSECURITY: THREATS TO COMMUNICATIONS NETWORKS AND PRIVATE SECTOR 
                               RESPONSES

=======================================================================

                                HEARING

                               BEFORE THE

             SUBCOMMITTEE ON COMMUNICATIONS AND TECHNOLOGY

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             SECOND SESSION

                               __________

                            FEBRUARY 8, 2012

                               __________

                           Serial No. 112-112



      Printed for the use of the Committee on Energy and Commerce

                        energycommerce.house.gov



                  U.S. GOVERNMENT PRINTING OFFICE
82-628                    WASHINGTON : 2014
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, gpo@custhelp.com.


                    COMMITTEE ON ENERGY AND COMMERCE

                          FRED UPTON, Michigan
                                 Chairman

JOE BARTON, Texas                    HENRY A. WAXMAN, California
  Chairman Emeritus                    Ranking Member
CLIFF STEARNS, Florida               JOHN D. DINGELL, Michigan
ED WHITFIELD, Kentucky                 Chairman Emeritus
JOHN SHIMKUS, Illinois               EDWARD J. MARKEY, Massachusetts
JOSEPH R. PITTS, Pennsylvania        EDOLPHUS TOWNS, New York
MARY BONO MACK, California           FRANK PALLONE, Jr., New Jersey
GREG WALDEN, Oregon                  BOBBY L. RUSH, Illinois
LEE TERRY, Nebraska                  ANNA G. ESHOO, California
MIKE ROGERS, Michigan                ELIOT L. ENGEL, New York
SUE WILKINS MYRICK, North Carolina   GENE GREEN, Texas
  Vice Chairman                      DIANA DeGETTE, Colorado
JOHN SULLIVAN, Oklahoma              LOIS CAPPS, California
TIM MURPHY, Pennsylvania             MICHAEL F. DOYLE, Pennsylvania
MICHAEL C. BURGESS, Texas            JANICE D. SCHAKOWSKY, Illinois
MARSHA BLACKBURN, Tennessee          CHARLES A. GONZALEZ, Texas
BRIAN P. BILBRAY, California         JAY INSLEE, Washington
CHARLES F. BASS, New Hampshire       TAMMY BALDWIN, Wisconsin
PHIL GINGREY, Georgia                MIKE ROSS, Arkansas
STEVE SCALISE, Louisiana             JIM MATHESON, Utah
ROBERT E. LATTA, Ohio                G.K. BUTTERFIELD, North Carolina
CATHY McMORRIS RODGERS, Washington   JOHN BARROW, Georgia
GREGG HARPER, Mississippi            DORIS O. MATSUI, California
LEONARD LANCE, New Jersey            DONNA M. CHRISTENSEN, Virgin 
BILL CASSIDY, Louisiana              Islands
BRETT GUTHRIE, Kentucky              KATHY CASTOR, Florida
PETE OLSON, Texas
DAVID B. McKINLEY, West Virginia
CORY GARDNER, Colorado
MIKE POMPEO, Kansas
ADAM KINZINGER, Illinois
H. MORGAN GRIFFITH, Virginia

                               __________

             Subcommittee on Communications and Technology

                          GREG WALDEN, Oregon
                                 Chairman
LEE TERRY, Nebraska                  ANNA G. ESHOO, California
  Vice Chairman                        Ranking Member
CLIFF STEARNS, Florida               EDWARD J. MARKEY, Massachusetts
JOHN SHIMKUS, Illinois               MICHAEL F. DOYLE, Pennsylvania
MARY BONO MACK, California           DORIS O. MATSUI, California
MIKE ROGERS, Michigan                JOHN BARROW, Georgia
MARSHA BLACKBURN, Tennessee          DONNA M. CHRISTENSEN, Virgin 
BRIAN P. BILBRAY, California             Islands
CHARLES F. BASS, New Hampshire       EDOLPHUS TOWNS, New York
PHIL GINGREY, Georgia                FRANK PALLONE, Jr., New Jersey
STEVE SCALISE, Louisiana             BOBBY L. RUSH, Illinois
ROBERT E. LATTA, Ohio                DIANA DeGETTE, Colorado
BRETT GUTHRIE, Kentucky              JOHN D. DINGELL, Michigan (ex 
ADAM KINZINGER, Illinois                 officio)
JOE BARTON, Texas                    HENRY A. WAXMAN, California (ex 
FRED UPTON, Michigan (ex officio)        officio)

                                  (ii)


                             C O N T E N T S

                              ----------                              
                                                                   Page
Hon. Greg Walden, a Representative in Congress from the State of 
  Oregon, opening statement......................................     1
    Prepared statement...........................................     4
Hon. Anna G. Eshoo, a Representative in Congress from the State 
  of California, opening statement...............................     7
Hon. Edward J. Markey, a Representative in Congress from the 
  Commonwealth of Massachusetts, opening statement...............     8
Hon. Joe Barton, a Representative in Congress from the State of 
  Texas, opening statement.......................................     8
    Prepared statement...........................................    10
Hon. Lee Terry, a Representative in Congress from the State of 
  Nebraska, opening statement....................................    12
Hon. Mike Rogers, a Representative in Congress from the State of 
  Michigan, opening statement....................................    12
Hon. Doris O. Matsui, a Representative in Congress from the State 
  of California, opening statement...............................    13
Hon. Cliff Stearns, a Representative in Congress from the State 
  of Florida, prepared statement.................................   114
Hon. John D. Dingell, a Representative in Congress from the State 
  of Michigan, prepared statement................................   115

                               Witnesses

Bill Conner, President and Chief Executive Officer, Entrust......    14
    Prepared statement...........................................    17
    Answers to submitted questions...............................   119
Robert B. Dix, Jr., Vice President, Government Affairs and 
  Critical Infrastructure Protection, Juniper Networks...........    26
    Prepared statement...........................................    29
    Answers to submitted questions...............................   127
James A. Lewis, Director and Senior Fellow, Technology and Public 
  Policy Program, Center for Strategic and International Studies.    42
    Prepared statement...........................................    44
    Answers to submitted questions \1\
Larry Clinton, President and Chief Executive Officer, Internet 
  Security Alliance..............................................    51
    Prepared statement...........................................    53
    Answers to submitted questions \2\...........................   136
Phyllis Schneck, Vice President and Chief Technology Officer, 
  Public Sector, McAfee, Inc.....................................    73
    Prepared statement...........................................    76
    Answers to submitted questions...............................   210

                           Submitted Material

Majority memorandum..............................................   116

----------
\1\ Mr. Lewis did not answer submitted questions for the record 
  by the time of printing.
\2\ Additional information provided by Mr. Clinton and referenced 
  on page 141 is available at http://www.verizonbusiness.com/
  resources/reports/rp_data-breach-investigations-report-
  2011_en_xg.pdf.


 CYBERSECURITY: THREATS TO COMMUNICATIONS NETWORKS AND PRIVATE SECTOR 
                               RESPONSES

                              ----------                              


                      WEDNESDAY, FEBRUARY 8, 2012

                  House of Representatives,
     Subcommittee on Communications and Technology,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 9:39 a.m., in 
room 2322 of the Rayburn House Office Building, Hon. Greg 
Walden (chairman of the subcommittee) presiding.
    Members present: Representatives Walden, Terry, Stearns, 
Shimkus, Rogers, Blackburn, Bilbray, Bass, Gingrey, Scalise, 
Latta, Guthrie, Kinzinger, Barton, Eshoo, Markey, Doyle, 
Matsui, Barrow, Christensen, and Waxman (ex officio).
    Staff present: Carl Anderson, Counsel, Oversight; Gary 
Andres, Staff Director; Ray Baum, Senior Policy Advisor/
Director of Coalitions; Nicholas Degani, FCC Detailee; Neil 
Fried, Chief Counsel, Communications and Technology; Debbee 
Keller, Press Secretary; Katie Novaria, Legislative Clerk; 
David Redl, Counsel, Communications and Technology; Jeff Cohen, 
Democratic FCC Detailee; Kara Van Stralen, Democratic Special 
Assistant; Shawn Chang, Democratic Chief Counsel, 
Communications and Technology; and Roger Sherman, Democratic 
Chief Counsel, Energy and Commerce.

  OPENING STATEMENT OF HON. GREG WALDEN, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF OREGON

    Mr. Walden. I am going to call to order the Subcommittee 
on Communications and Technology. I want to welcome our members 
and our witnesses for today's hearing on cybersecurity threats 
to communications networks and private sector responses.
    Back in October, the House Republican Cybersecurity Task 
Force recommended that the committees of jurisdiction review 
cybersecurity issues. So this hearing continues our committee's 
review of cybersecurity issues with an examination of threats 
to communications networks and the responses of the private 
sector. Threats to communications networks have come a long way 
in a very short time and they are very, very real and serious.
    Before coming to Congress, I spent about 22 years as a 
radio broadcaster. And as a small businessman, I had to worry 
about securing our communications network, and back then, 20 
years ago, it was relatively straightforward. You had to have a 
fence around the tower and you couldn't let people get near the 
transmitter and a few things like that. And every once in a 
while somebody would come and shoot an insulator out or 
something and you kind of got grumpy and had to repair that, 
and every once in a while some idiot would try to cut the guy 
wires, and those usually spun around and got them. That never 
happened at my stations, but it does happen occasionally. But 
all of that was sort of security of that wireless age. Not 
anymore.
    While physical security remains important, cybersecurity 
has also become a pressing concern. Now a small business 
confronts a dizzying array of threats online from the Zeus 
Trojan horse to Stuxnet, from LulzSec to botnets. These threats 
are serious. Unless our cyber defenses hold, a bad actor could 
drain the bank account of a business, crash an online company's 
Web site, or launch a barrage of cyber attacks on a company's 
network. Those are serious consequences for any business, and 
especially for the small businesses that are at the heart of 
creating new jobs in this economy. And indeed, in our small 
business, I don't know, 10 years or so ago when we did create a 
computer network and put everything up on digital audio, our 
main server was hacked and taken over, and all of a sudden it 
started running slower and slower and slower and eventually we 
determined it had been overtaken.
    Every month, we learn more about these cyber threats, and 
what we have learned thus far is of great concern. I am 
concerned that our communications networks are under siege. I 
am worried that the devices consumers use to access those 
networks are vulnerable, and I am concerned that our process 
for looking at communications supply chain issues lacks 
coordination. I am also concerned that our cyber defenses are 
not keeping pace with the cyber threats.
    Now, in this hearing, we are lucky to have the voices of 
five private sector witnesses to guide us through the complex 
issue of cybersecurity. I am hoping that you will tell me that 
cyberspace is secure and we can all rest easy at night. 
Unfortunately, I have read your testimony and it is not so. So 
I expect that you will tell us that the threats to our 
communications networks are all too real, American businesses 
are losing dollars, jobs, intellectual property and much, much 
more because of cyber crime and cyber espionage, and that our 
national security is potentially at risk as well.
    I also expect that you will explain what the private sector 
is doing to fortify our cybersecurity defenses. The private 
sector owns most of the critical infrastructure--the wires, the 
servers, the towers and base stations--that make up our 
communications networks, and they are on the front lines of 
cybersecurity. So I want to know what cybersecurity services 
are being offered to consumers, what protections are being 
deployed in our communications networks, and what affirmative 
steps the private sector has taken to lock down the supply 
chain and to combat cyber crime.
    I also expect to hear what you think the appropriate--and 
underscore ``appropriate''--the Federal role is. Are Federal 
laws and regulations helping or interfering with information 
sharing? Are Federal regulations of cybersecurity practices 
appropriate, and if so, how? Should the Federal Government be 
providing incentives for Internet service providers and other 
members of the private sector to invest and innovate in the 
cybersecurity arena? And how should our country's fiscal state 
shape our discussion of the Federal role?
    These questions and others will form the basis for deciding 
what cybersecurity legislation, if any, is needed in the near 
term, and how we can best secure cyberspace in the long run. So 
I want to thank the panelists today for taking time out of your 
schedules to be here to help inform this important subcommittee 
and the Energy and Commerce Committee on what we should do and 
how we can be better informed in doing our job.
    [The prepared statement of Mr. Walden follows:]

    [GRAPHIC] [TIFF OMITTED] T2628.001
    
    [GRAPHIC] [TIFF OMITTED] T2628.002
    
    [GRAPHIC] [TIFF OMITTED] T2628.003
    
    Mr. Walden. With that, I would recognize the gentlelady 
from California, the ranking member of the subcommittee, Ms. 
Eshoo, for an opening statement.

 OPENING STATEMENT OF HON. ANNA G. ESHOO, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Ms. Eshoo. Thank you, Mr. Chairman, for convening this 
morning's important hearing, and I want to welcome the 
witnesses and I am especially pleased that Juniper Networks and 
McAfee, two outstanding Silicon Valley companies, are here to 
talk to us about tackling the challenges of cybersecurity this 
morning.
    We all recognize the serious threat to our Nation's 
communications networks. Since 2006, the number of Federal 
cybersecurity incidents reported to the Department of Homeland 
Security has increased by 659 percent. That is a whopping 
number. And the economic impact of these incidents is equally 
significant. A recent study by the Ponemon Institute estimated 
that the median annualized cost of cyber crime to a victim 
organization is $5.9 million per year, an increase of 56 
percent from 2010.
    The more we rely on the Internet to conduct our business, 
the more vulnerabilities we create for hackers to exploit. 
Having served as a member of the House Intelligence Committee 
for 8 years, I am very well aware of the threat, not just from 
criminal hackers but also obviously from other countries. But 
talking about the problem is not enough. We need to act, and 
that requires the help of both the private sector and the 
Federal Government. The private sector really represents 95 
percent of this, the Federal Government the other 5 percent.
    One of the first steps to tackling this growing threat is, 
I think, education and training. Whether at home or in the 
workplace, every American should understand what they can do to 
protect themselves against a cyber attack. Improved information 
sharing is also a key aspect of our Nation's response to 
cybersecurity. If we are going to ask industry to report 
cybersecurity incidents to the government, then we need to 
establish a clear process to do so.
    I am pleased to support our colleague Mike Rogers' effort, 
the Cyber Intelligence Sharing and Protection Act of 2011. That 
is one of three or four bills in the House. There are at least 
three or four in the Senate as well.
    It is also important to recognize that timely alerts to 
consumers and businesses can be the difference between an 
isolated cybersecurity incident and one that impacts millions 
of users. A voluntary ISP code of conduct currently being 
developed by the FCC is one of the proposed ways to alert 
consumers when a botnet or other malware infection is 
discovered.
    Today's hearing is a very important opportunity for us to 
better understand our subcommittee's role in cybersecurity 
including what role the FCC and NTIA should play in protecting 
our Nation's communication networks and how the private sector 
and other Federal agencies should interact with them.
    So thank you to all of the witnesses, those that come from 
Silicon Valley to instruct us, and with what remaining time I 
have I would like to yield to Mr. Markey.

OPENING STATEMENT OF HON. EDWARD J. MARKEY, A REPRESENTATIVE IN 
        CONGRESS FROM THE COMMONWEALTH OF MASSACHUSETTS

    Mr. Markey. I thank the gentlelady.
    Last week, FBI Director Robert Mueller testified that cyber 
threats will soon surpass terrorism as the number one threat 
facing the United States. We know from the Department of 
Homeland Security that there have already been threats to the 
utility sector. We also know that Russia and China have probed 
our electricity grid to find vulnerabilities.
    Our economy hinges on a reliable flow of power with losses 
that go into the billions of dollars with every major blackout. 
Our national security also depends upon it since 99 percent of 
the electricity used to power our military facilities including 
critical strategic command assets comes from the commercially 
operated grid.
    Last September, I asked all five commissioners from the 
Federal Energy Regulatory Commission under our jurisdiction to 
name the number one threat to electricity reliability. All five 
commissioners agreed, cyber threats are the number one threat 
to the grid.
    In 2009, the full Energy and Commerce Committee unanimously 
passed the GRID Act, which I authored along with Chairman 
Upton. That bill gave FERC the authority to quickly issue grid 
security orders or rules when vulnerabilities or threats have 
not been adequately addressed by the industry. It was killed in 
the Senate. All five FERC commissioners also agreed that giving 
FERC this authority would increase America's ability to secure 
our electric grid.
    With cyber threats growing by the day threatening our 
security and our economy, it is imperative that this committee 
pass the GRID Act so that we can move it forward and empower 
the FERC to move quickly to safeguard the electric grid from 
cyber threats that are not sufficiently addressed by industry. 
We should listen to FBI Director Mueller, to the FERC and to 
the warnings coming from Russia and China. We should pass the 
GRID Act soon.
    I yield back.
    Mr. Walden. I thank the gentleman for his comments, and we 
are now going to recognize the chairman emeritus of the 
committee, Mr. Barton.
    Before I do that, I just want to say how important it is to 
have members who have been so engaged on this, and especially 
we are blessed to have Anna here, who served on the 
Intelligence Committee, and Mike Rogers, who chairs it now, and 
Lee Terry and Mr. Latta and Mr. Murphy, who is not part of the 
subcommittee but were on the cybersecurity task force the 
Speaker appointed, so all of that is most helpful as we tackle 
both of these issues.
    I now recognize the gentleman from Texas, Mr. Barton.

   OPENING STATEMENT OF HON. JOE BARTON, A REPRESENTATIVE IN 
                CONGRESS FROM THE STATE OF TEXAS

    Mr. Barton. Thank you, Chairman Walden. I thought Mr. 
Markey was going to say the experts said the biggest threat to 
our grid was the EPA, but he went a different way with that.
    Back in 2006, Subcommittee Chairman Upton held a hearing on 
this very same issue, and as full committee chairman, he and I 
sent a letter to the GAO asking them to take a look at this 
issue. The response that we received then is the response that 
we are receiving today and that is that it is quite possible 
that we could have a major attack, a cyber attack, in this 
country that would dramatically affect our country.
    According to the Norton cyber crime report for this last 
year, cyber crime is a $388 billion industry with 431 million 
adults experiencing at least one cyber crime in the last year. 
In another study, research has showed that the median 
annualized cost of cyber crime for companies is over $6 million 
a year with the range being between $1.5 million to $36 million 
per year. Now, these are real numbers, real statistics and that 
is for the year 2011.
    As we use the Internet more and more every day, it is 
absolutely imperative, Mr. Chairman and Ranking Member Eshoo, 
that we really take this seriously, and as you have pointed out 
and Anna has pointed out, it is good to have the chairman of 
the Select Committee on Intelligence on this subcommittee 
because he has access to information that could be useful if 
and when we decide to legislate.
    So thank you, Mr. Chairman, for holding the hearing. As you 
know, there is an EPA hearing downstairs in the energy 
subcommittee, so I will be shuttling back and forth.
    [The prepared statement of Mr. Barton follows:]

    [GRAPHIC] [TIFF OMITTED] T2628.004
    
    [GRAPHIC] [TIFF OMITTED] T2628.005
    
    Mr. Walden. Mr. Chairman, if you don't mind yielding to Mr. 
Terry?
    Mr. Barton. I will yield 2 minutes.

   OPENING STATEMENT OF HON. LEE TERRY, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF NEBRASKA

    Mr. Terry. Thank you, Mr. Barton and Mr. Chairman.
    This is an extremely important hearing, and we have to 
elevate the level of discussion and potential solutions.
    There is only one silver bullet that exists to prevent 
cyber crimes. That is to completely disconnect your computer 
from any network. Use it as a paperweight. Maybe just play 
solitaire. That is it. If you are going to engage in any level 
of commerce using the Internet, you are at risk, and the only 
thing we can do is to try to minimize it. There is no silver 
bullet.
    Why these folks are here today is for us to understand what 
tools may be available. In the cyber task force, one of the 
things that we concluded is that the vast majority of everyday 
hacking can be maybe not prevented but go a long way which is 
basic security features offered by private sector today or the 
networks or ISPs. But we have to have people to actually 
purchase those or use those tools. In fact, there was one 
incident in Omaha with our entity that controls our facilities 
that never thought that it was important to have those type of 
securities, and guess what? They were hacked and all of their 
information was stolen.
    But then the next level is where it gets dicey. How do you 
protect people? How do they protect their data? We can't engage 
in setting the standards because frankly we set the standards. 
Before the ink is dry on the bill, the standards have changed.
    So you are here to help us understand what solutions may be 
available to minimize and help secure our infrastructure, and I 
want to thank you all for being here today. Does anybody else 
want 48 seconds?
    Mr. Walden. Mr. Rogers.

  OPENING STATEMENT OF HON. MIKE ROGERS, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF MICHIGAN

    Mr. Rogers. Thank you very much. In the short time that we 
have, I can't tell you a more important issue.
    There are a lot of things that can keep you up, as the 
chairman of the Intelligence Committee, and this one is one of 
the main ones. Eighty percent of the attacks that happen every 
day can be prevented by the operator. It is those other 20 
percent that are the devil in the details. Between criminal 
attacks, economic espionage, disruption or attacking, as we 
would call it, on cybersecurity, we have a very real and 
present danger when it comes to cyber threats to our networks.
    Nobody is more integrated than the United States, and 
therefore we are more at risk than other countries. I do 
believe it is unprecedented in history that such a massive and 
sustained intelligence effort by a government to blatantly 
steal commercial data and intellectual property to use against 
the United States is well underway. We don't talk about it a 
lot because companies are reluctant to talk about it. The real 
number we think is closer to somewhere between $300 billion and 
$1 trillion in lost intellectual property per year. Countries 
like China are leading that charge. Russia is not far behind. 
Iran's capabilities are getting better, and the most concerning 
are non-nation states who are developing cyber capability to 
conduct disruption and attack activities against targets like 
the United States. All are serious problems.
    I want to thank Anna Eshoo. We did a seminar out at 
Stanford University on this very issue. I think it was well 
received. Her support of this bill is incredibly important. I 
look forward to hearing from the witnesses, and I appreciate 
you being here so that we can get to that next step and 
actually do something that helps us have a fighting chance 
against these cyber threats.
    I yield back, Mr. Chairman.
    Mr. Walden. The chair recognizes the gentlelady from 
California, Ms. Matsui, who is going to control Mr. Waxman's 
time.

OPENING STATEMENT OF HON. DORIS O. MATSUI, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Ms. Matsui. Thank you very much, Mr. Chairman, for holding 
today's hearing, and I would also like to welcome our witnesses 
here today and look forward to your testimony.
    There is no doubt that cyber attacks are real and continue 
to pose significant threats to several aspects of our economy. 
Communications networks are one of many areas that our Nation 
must protect and assure safety and soundness, particularly as 
we consider deploying an advanced nationwide broadband network 
for public safety. Advanced IP-based technologies and public 
safety communications heighten the concerns for cybersecurity. 
This new network, however, will share many of the same cyber 
concerns as any other network. This is something we have to 
take seriously and must protect.
    Moreover, our economy continues to experience ever-evolving 
ingenuity and innovation in the American technology industry. 
One of those technologies which will continue to play a 
prominent role in our economy, both in the public and private 
sector, is cloud computing. We are also seeing consumer cloud 
applications like the iCloud. As I see it, one of the key 
issues is the challenge of cybersecurity relating to the cloud.
    The challenge is to find the critical balance of continuing 
to foster American innovation and growth while combating cyber 
attacks. For the most part, the private sector will need to be 
up to the challenge of managing itself and its networks from 
potential cyber attacks. That said, I do believe that some 
balance may be appropriate where the government must work 
together in partnership with the private sector on enhancing 
our Nation's cybersecurity preparedness. Simply put, one cannot 
do it without the other.
    Small businesses, many of whom rely on the broadband 
economy, are also very susceptible to cyber attacks. In many 
instances, small businesses cannot fend off such attacks 
because they do not have a plan or lack the resources. Such an 
attack, though, would be very costly to their businesses. 
During this economic recovery, the last thing small business 
owners in my district and across the country need to worry 
about is a cyber attack that will hinder their business.
    I am pleased that the FCC recently launched a public-
private partnership, the Small Biz Cyber Planner, which is an 
online tool that will allow small businesses to create 
customized cybersecurity plans. It is important that we 
continue to educate small businesses and the public in general 
about the risks that cybersecurity poses to small businesses, 
the government and to our economy as a whole. I also believe a 
strong public-private partnership is critical to protect 
against cyber attacks. It is my hope that partnership continues 
to foster moving forward.
    I look forward to exploring appropriate jurisdiction of 
this committee, given the communications and technology 
relevance of cybersecurity. I look forward to hearing from the 
witnesses today and hope that we will have future hearings in 
this subcommittee so that we can also hear more about the 
government's efforts to combat cyber attacks.
    Again, I thank the chairman for holding today's hearings, 
and I would be happy to yield to anyone on our side if they 
would like to. OK. I yield back the balance of my time.
    Mr. Walden. The gentlelady yields back the balance of her 
time.
    We will now proceed to the witnesses. We have a very 
distinguished panel. We thank you again for being here today to 
share the information you have in your testimony, and we are 
going to start with Mr. Bill Conner, who is the President and 
Chief Executive Officer of Entrust. Mr. Conner, thanks for your 
testimony and we look forward to your comments.

   STATEMENTS OF BILL CONNER, PRESIDENT AND CHIEF EXECUTIVE 
     OFFICER, ENTRUST; ROBERT B. DIX, JR., VICE PRESIDENT, 
  GOVERNMENT AFFAIRS AND CRITICAL INFRASTRUCTURE PROTECTION, 
 JUNIPER NETWORKS; JAMES A. LEWIS, DIRECTOR AND SENIOR FELLOW, 
TECHNOLOGY AND PUBLIC POLICY PROGRAM, CENTER FOR STRATEGIC AND 
   INTERNATIONAL STUDIES; LARRY CLINTON, PRESIDENT AND CHIEF 
  EXECUTIVE OFFICER, INTERNET SECURITY ALLIANCE; AND PHYLLIS 
 SCHNECK, VICE PRESIDENT AND CHIEF TECHNOLOGY OFFICER, PUBLIC 
                      SECTOR, MCAFEE, INC.

                    STATEMENT OF BILL CONNER

    Mr. Conner. Good morning, Mr. Chairman and distinguished 
members of the subcommittee. It is a privilege and honor to 
spend a morning here with you out of the cyber warfare game to 
discuss and educate what is happening below the screen.
    I would like to focus my early comments on the arms race on 
one particular vector of security, and it is called man in the 
browser. Now, that vector of security is probably the leading 
cyber stealer in the world today, and it has been around a 
while and certainly impacts the small and medium business and 
it is certainly impacting the change and nature of stealing IP 
and money both at a country state and at an organized-crime 
state.
    Specifically, it is known as Zeus. It is commonly now 
combined with SpyEye. For those of you who don't know, Zeus was the 
original man in the browser software. It started out of the 
Ukraine and Russia. It went under its own merger and 
acquisition by its lead competitor in the underground world 
called SpyEye. Their tools and technology were next generation. 
They merged in the fall of 2010 behind the scenes. As law 
enforcement started to attack it, the guy took his money and 
ran, combined it. In February of last year, that new code is 
out on the market. You can buy it off the Internet and buy it 
with 24/7 support. So no longer do you have to be intelligent 
to write the code. You buy it, you pay for the support, and 
they will help you design your attack vector on which banks, 
which geographics you want to do.
    How does this technology work? It is real simple. It is 
very complicated. You cannot find it with the traditional 
software that you have on your desktop, whether it is an 
antivirus or the operating system looking for it. It is cloaked 
software that is really targeted at small and medium business 
because it is targeted for money. This is a for-money game for 
that. What it basically does, it targets a small or medium 
business that probably doesn't have the technology or banking 
understanding with its supplier to understand how to deal with 
it. How does it work? I am a treasurer at a small business. I 
go online to my financial institution. I say I want to move 
$1,000 or $10,000, let us say $10,000, to a supplier. I have an 
agreement with my local bank to have online bill pay. I type 
that in. The bank sees that but before the bank sees it, this 
software wakes up in the browser and changes the payees from 
one supplier to, let us say, six mules. It changes the dollar 
amount from $10,000 to $100,000, so what the bank sees is 
$100,000 going to six people. That bank says guess what, we've 
got good security, you had to use a password, it is on your IP 
address in your network and your location. I am going to send 
it back because I want a one-time passcode, 30-year-old 
technology that we are trying to apply to the digital world. It 
sends it back to the controller of your business and says 
please confirm by putting your passcode that is going to expire 
in 30 seconds that you authorized this transaction. That 
software wakes back up, converts that $100,000 back to $10,000, 
six payers back to one. You type in your passcode, hit enter to 
send it back, and guess what? That $100,000 is now gone from 
the bank. You lose it, the bank loses it. Six mules that are 
going to feed that money back into organized crime around the 
world are off and running.
    Unlike the personal side where I am protected by FDIC, my 
friends, you are protected as a small or medium business by 
nothing, the contract you have written, and if you look around 
this wonderful country of ours, there is no clear case law. 
There is case law on both sides of this because the banks said 
I did nothing. We have had cases overturned that even though a 
business had only done four transactions in the last year and 
20 transactions happened in six hours totaling $2 million when 
online was only $500,000, that is what is happening.
    The good thing is, the technology exists to deal with that 
today. The banks aren't doing it and small businesses don't 
know what to do. So our belief is very straightforward. Much 
like quality, there wasn't a lexicon. To deal with 
cybersecurity, we need a lexicon. Much like quality, it isn't a 
one time like year 2000. We need to do it over time. That is 
why education is critical.
    The second thing you must do is have public-private 
partnership. I co-chair the DHS piece. I can tell you, the 
legislative laws around this do not work for anybody, and I 
think you have got to break public-private at different levels 
from intelligence to the people like me that try to secure the 
U.S. government and others to energy grids where Department of 
Energy works with those types of organizations.
    And finally, we must take a unified effort in public and 
private to defend because it is an arms race and it is a pace 
as we mentioned earlier. Thank you.
    [The prepared statement of Mr. Conner follows:]

    [GRAPHIC] [TIFF OMITTED] T2628.006 through T2628.014
    
    Mr. Walden. Mr. Conner, thank you. Excellent testimony. I 
think we are going to have to recess so we can all go deal with 
our own campaign accounts, and we will be back in about an 
hour. We really appreciate it, and we look forward to getting 
into questions with you and exploring it further.
    We are now going to go to Mr. Robert Dix, who is Vice 
President of Government Affairs and Critical Infrastructure 
Protection for Juniper Networks, which I believe is from your 
district.
    Mr. Dix. Proudly.
    Mr. Walden. We are delighted to have you here. Thanks for 
coming the distance to share your wisdom with us, and please 
proceed.

                   STATEMENT OF ROBERT B. DIX

    Mr. Dix. Thank you, Chairman Walden, Ranking Member Eshoo 
and members of the subcommittee. Good morning. Thank you very 
much for inviting me to testify about cybersecurity.
    Juniper Networks is a publicly held private corporation, 
hardware and software manufacturer, headquartered in Sunnyvale, 
California, with offices and operations around the world. 
Information technology and communications networks are embedded 
in all manner of the Nation's critical infrastructure including 
power plants and the electrical grid, water filtration systems, 
financial systems and transportation networks, just to name a 
few.
    While sectorwide risk assessments conducted or being 
conducted in the IT and communications sectors validate that 
networks are resilient, it is important to acknowledge that the 
risk continues to grow and change and our efforts to protect 
and prevent must be sustained and agile. In recognition of this 
reality, the private sector is working every day to protect 
against cyber threats through self-driven research and 
innovation, industry collaboration, and partnerships with 
government.
    Let me share just a few examples. In 2007, a group of 
private sector companies came together to address the issue of 
software assurance and improving the development process 
integrity of software and hardware products. SAFECode, the 
Software Assurance Forum for Excellence in Code, is a group of 
companies and subject-matter experts that has set aside their 
competitive interest to gather and share industry best 
practices through a series of written deliverables that are 
available not just to the participating companies but to the 
industry at large.
    Additionally, in 2008, a group of private sector companies 
came together to address the need for collaborative, global 
incident response by forming ICASI, the Internet Consortium for 
Advancement of Security on the Internet. Once again, the 
participating companies who compete vigorously in the 
marketplace routinely share information in an effort to 
mitigate anomalous and abnormal network activity globally 
because the cause is greater than any one company.
    Across the 18 critical infrastructure sectors, we have 
organizations such as ISACs, Information Sharing and Analysis 
Centers, since 1988 working on the operational issues. 
Additionally, we have sector coordinating councils that were 
derived as a result of the National Infrastructure Protection 
Plan in 2006.
    The Partnership for Critical Infrastructure Security is the 
cross-sector coordinating council representing all 18 critical 
infrastructure sectors and working with the Federal Senior 
Leadership Council under the NIPP partnership framework to 
advance the mission of critical infrastructure protection and 
cybersecurity. In fact, we are currently working with the 
administration on the implementation around Presidential Policy 
Directive #8 for national preparedness and the review and 
update of HSPD-7 regarding an all-hazards approach to critical 
infrastructure protection and cybersecurity.
    Mr. Chairman, the number of users connecting to the 
Internet and other networks will continue to grow. Global 
Internet traffic is increasing at a rate of 40 to 50 percent a 
year and is expected to grow to 4 billion users in 2013. The 
explosion in the use of smartphones and tablets and the advent 
and growth in the use of social media is rapidly changing the 
workplace and how we communicate--example, an average of 10,000 
tweets per second the last 3 minutes on the Super Bowl on 
Sunday evening--while introducing cyber risks in a way that few 
of us could have imagined only a short time ago. This is the 
essence of technology. It enables us to do what we never could 
have imagined, and that includes those with nefarious motives. 
The convenience of the technology has changed banking, 
purchasing, and sharing of personal financial information.
    So it is only reasonable to expect that the conversation 
about cybersecurity must include a discussion about economics 
but there are two sides to this coin. If we focus only on 
technology and technology development, we are likely to miss 
the opportunity to examine the challenges and impediments to 
technology and solution adoption. The market is delivering 
innovation at an unprecedented pace in history. However, the 
evidence would suggest that adoption of available solutions has 
not kept pace and should be a topic of further examination and 
discussion. Many low-cost and no-cost solutions are available 
to improve any user's protection profile. Accordingly, there 
are many things we can do together. It is reported by reliable 
sources that some 80 percent of the exploited vulnerabilities 
are the result of poor or no cyber hygiene. For me, this is 
basic blocking and tackling. If we can raise the bar of 
protection, it makes it more difficult and more costly for the 
bad guys to do harm.
    When our Nation was confronted a couple of years ago with 
the threat of the H1N1 virus, we mobilized as a Nation to warn 
and advise folks how to protect themselves from the risks of 
infection. We have the opportunity to use that same model for a 
sustained awareness program to help educate citizens, small 
business, students, nonprofits, and other stakeholders how to 
protect themselves from the risks of malware, phishing, and 
other forms of infection in cyberspace.
    Chairman Walden, Ranking Member Eshoo and members of the 
subcommittee, we must move beyond just thinking about the 
challenges of today to thinking about the risk profile of 
tomorrow. Today's cyber attacks are more complex and often 
difficult to detect and can target classes of users, even 
specific users, gaining access to valuable data and causing 
significant harm. With a commitment to working together in a 
collaborative manner, the United States will lead the effort to 
the protection, preparedness, and resilience of critical 
infrastructure and cybersecurity.
    On behalf of my colleagues across the industry and the 
proud employees of Juniper Networks, I thank you again for the 
opportunity to testify before you this morning. The threat is 
real, the vulnerabilities are extensive, and the time for 
action is now. The American people are counting on us to get 
this right and the private sector looks forward to continuing 
the collaborative relationship between Congress, the 
administration, and private industry on this important issue. 
Thank you.
    [The prepared statement of Mr. Dix follows:]

    [GRAPHIC] [TIFF OMITTED] T2628.015 through T2628.027
    
    Mr. Walden. Mr. Dix, thank you very much for sharing those 
comments with us.
    We now go to Dr. James A. Lewis, Director and Senior 
Fellow, Technology and Public Policy Programs, Center for 
Strategic and International Studies. Dr. Lewis, thank you for 
being with us. We look forward to your testimony as well.

                  STATEMENT OF JAMES A. LEWIS

    Mr. Lewis. Thank you, Mr. Chairman, and I would like to 
thank the committee for this opportunity to testify.
    One thing that military and intelligence experts would 
agree on is that the cybersecurity problem is getting worse, 
not better. There is straightforward evidence that what we are 
doing now isn't working. Most of these experts also believe 
that we will not change our laws and policies until there is a 
crisis. I hope they are wrong.
    We all recognize the growing dependence of our economy on 
cyberspace and the risk this creates. Director of National 
Intelligence Clapper testified last week about how Iran, which 
is eagerly developing cyber attack capabilities, is losing its 
reluctance to attack the American homeland. FBI Director 
Mueller testified, as you heard, that the threat we face now 
comes from terrorism but in a few years the bigger threat will 
come from cyber attack.
    The ability to launch damaging attacks is spreading from a 
few advanced nations to many countries and many hostile groups. 
There is disagreement about when hackers will disrupt critical 
services in the United States, but most estimates put it at 
sometime in the next couple of years. Cyber crime and espionage 
are rampant now, costing American jobs and damaging American 
economic competitiveness and national security.
    This morning, I was trying to think of what I could say 
that would be a little different, and I remembered that I 
attended, as a back bencher for the Director of Central 
Intelligence, some of the first meetings in the Clinton 
administration on commercializing the Internet. Back then, we 
thought that it would be used for e-commerce, that it would be 
eBay and Amazon. We didn't expect a global network that would 
become the premier vehicle for espionage and a potential avenue 
for attack. We thought that if we made tools and information 
available, if we freed up encryption, companies and people 
would voluntarily secure the networks. I am a little 
embarrassed sometimes when I see a paper I wrote for the White 
House in 1996 that said that because I was wrong. We made the 
same mistakes in our approach to critical infrastructure 
protection.
    There were three big errors. The incentives for 
cybersecurity vary from company to company and sector to 
sector, and usually they are insufficient. There are legal 
obstacles that limit the ability of governments and companies 
to cooperate and to share information. And in any case, we need 
a coordinated defense, not a grab bag of individual actions. 
Finally, we did not expect to face world-class opponents, as 
you heard from some of the earlier testimony, even midrange 
opponents with access to world-class tools. We overestimated 
incentives and underestimated threats and legal obstacles, and 
I would like to point out that Congressman Rogers' bill would 
be very useful if we could get it passed in removing some of 
the legal obstacles that hamper our ability to provide an 
adequate cyber defense. A serious defense requires coordination 
and mandatory action. The big telecom companies are pretty good 
at securing themselves and don't need more regulation but the 
other sectors are in bad shape. Some people say regulation is 
burdensome, but if we do not hold critical infrastructure to 
mandatory standards, we guarantee a successful attack. Nor does 
regulation damage innovation. An unregulated Internet is not a 
substitute for a business-friendly environment that innovation 
really needs.
    Partnership and cooperation must become more than an 
exchange of slogans. Australia has a good model, we heard about 
that, where the government encouraged Internet service 
providers to develop a code of conduct to deal with malware. 
That appears to be working. We are considering in the United 
States similar options.
    Finding ways to expand the use of DNSSEC. DNSSEC is a good 
story. This is a fundamental rule set, the addressing framework 
for the Internet. We identified problems with it 20 years ago. 
We identified fixes for it 12 years ago. We have not 
implemented these fixes. This is one where finding some new 
approach to get people to move faster would be really crucial. 
The Defense Industrial-Based Initiative, which shares 
classified threat information, is another good example of how 
to do real cooperation.
    There are many opportunities to improve cybersecurity, but 
taking advantage of them will require a new approach. I think 
one thing I can say is everyone wants to make things better. We 
all realize the scope of the problem, and everyone wants to do 
stuff. Hearings like this provide an opportunity to find that 
new approach that will truly serve national security.
    I thank the committee for the opportunity and look forward 
to your questions.
    [The prepared statement of Mr. Lewis follows:]

    [GRAPHIC] [TIFF OMITTED] T2628.028 through T2628.034
    
    Mr. Walden. Dr. Lewis, thank you. We appreciate your 
testimony, and we will have a few questions for you, especially 
on the Australia model.
    We are going to go now to Mr. Larry Clinton, President and 
Chief Executive Officer of Internet Security Alliance. Mr. 
Clinton, thank you for being here today. We look forward to 
your comments.

                   STATEMENT OF LARRY CLINTON

    Mr. Clinton. Good morning, Mr. Chairman, members of the 
committee.
    There has been a dramatic change in the cyber threat 
picture in the last 18 to 24 months. Our main concern is not 
hackers or kids in basements. The fact that a cyber system has 
been breached is no longer the metric which determines whether 
or not an attack has been successful. Cyber attacks have grown 
increasingly sophisticated using what is commonly referred to 
now as the advanced persistent threat, or the APT. APT 
attackers are pros. They are highly organized, well-funded, 
often state-supported, expert attackers who use coordinated sets 
of attacking methods both technical and personal. Perhaps most 
indicative of these attacks is if they target a system, they 
will almost invariably compromise or breach it. Unfortunately, 
conventional information security defenses don't work against 
the APT. Attackers are successfully evading all antivirus 
intrusion and traditional best practices, remaining inside the 
target's network while the target believes they have been 
eradicated.
    This doesn't mean that we have no defense. It means that we 
need to modernize our notion of what constitutes cyber defense. 
Traditional approaches including Federal regulation will not 
solve the problem because they are going to be largely reactive 
and will not stay ahead of the changing threat nature. Worse, 
bad regulation could be counterproductive, leading companies to 
expend their limited resources on building in-house efforts to 
meet regulatory demands rather than focusing on security.
    The fundamental of stopping the advanced threat is to 
understand our biggest problems are not technological, they are 
economic. Independent research has consistently shown that the 
single biggest barrier to combating the cyber threat is cost. 
President Obama's Cyberspace Policy Review said many technical 
and management solutions that would greatly enhance our 
security already exist in the marketplace but are not being 
used because of cost and complexity. Just last week, Bloomberg 
released an extensive study that found that to reach an 
acceptable, not ideal, acceptable level of security in critical 
infrastructure would require a 91 percent increase in spending.
    The private sector has been extremely responsive to 
combating the cyber threat. Average spending on cybersecurity 
in the telecommunications industry is $67 million a year with 
governance, by the way, including regulatory compliance, being 
the single biggest thought.
    Despite the fact that our critical infrastructure is under 
constant attack, we have never had an instance of serious 
breakdown, mass deaths, evacuations, economic catastrophe, 
similar to what we have seen in the environmental area. This 
success is due in large part to the flexibility generated by 
the current system, which relies on voluntary partnerships 
where an industry understands and can manage the systems best 
and use their intimate knowledge to respond rapidly to emerging 
threats in a fashion they believe can best protect the system 
rather than being driven by a preset government directive. 
Nevertheless, there is a great deal that Congress can do and 
the Commerce Committee can do to improve our cybersecurity 
right now.
    First of all, we need to get the government's house in 
order. The National Academy of Sciences, the GAO, and just last 
week the DOE Inspector General have all documented systemic 
problems in managing government cyberspace. These need to be 
addressed immediately.
    Second, we need to provide the right mix of incentives and 
regulation. For industries where the economies of the industry 
are tied directly to a regulatory format such as electric 
utilities, water, transportation, etc., the current regulatory 
structure can be used to motivate and fund needed cyber 
advancements. For industries where the economics are not 
inherent to a regulatory structure, adding a new regulatory 
structure will impede innovation and investment, making us less 
secure. In these sectors, we need to motivate by providing 
appropriate market incentives to spur greater security and 
investment. An excellent example of this approach is Mr. 
Rogers' bill, which passed the Intelligence Committee a couple 
of weeks ago, which uses liability reforms to stimulate 
additional information sharing. However, liability reform is 
only one of many incentives that need to be unleashed to help 
us secure our cyber networks. Other incentives include better 
use of government procurement, streamlining regulation in 
return for demonstrated security improvements, greater use of 
private insurance, and streamlined permitting and licensing. 
This incentive-based approach was spelled out in some detail in 
the ISA cybersecurity social contract in 2008 and was also 
endorsed by President Obama in the Cyberspace Policy Review in 
2009, the multi-trade Association and Civil Liberties Coalition 
white paper on cybersecurity in 2010, and the House Task Force 
report in 2011.
    A great deal of work needs to be done to fill out how these 
incentive models can be used in the various sectors. In the 
meantime, Congress ought to enact FISMA reform or to do the 
Rogers information sharing bill and should do a good deal to 
better coordinate amongst themselves. Passing that package of 
cybersecurity reforms would be a historic and politically 
achievable goal.
    Ladies and gentlemen of the Commerce Committee, you are 
dealing with the invention of gunpowder. Mandating thicker 
armor is not going to work any more than building deeper moats 
was going to stop the hordes and the invaders who invented 
catapults or the Maginot Line was able to stop the Germans in 
World War II. We need a different approach. We need a 
contemporary and creative approach that engages the private 
sector with government, not having the government control what 
the private sector does.
    We really look forward to continuing to work with you.
    [The prepared statement of Mr. Clinton follows:]

    [GRAPHIC] [TIFF OMITTED] T2628.035 through T2628.054
    
    Mr. Walden. Mr. Clinton, thank you very much for your 
testimony. We appreciate it.
    Our next and final witness today is Phyllis Schneck, who is 
Vice President and Chief Technology Officer of the Global 
Public Sector, McAfee Incorporated. Dr. Schneck, thank you for 
being here today. We look forward to your comments.

                  STATEMENT OF PHYLLIS SCHNECK

    Ms. Schneck. Good morning, Chairman Walden and Ranking 
Member Eshoo and other members of the subcommittee. Thank you 
very much for the opportunity to be here this morning, and 
thank you for your interest in cybersecurity as it applies to 
the telecom sector.
    My testimony will focus this morning on four areas: the 
threat landscape, the communications sector's unique role in 
cybersecurity, private sector technologies and policy 
recommendations to enable greater cross-sector cyber 
resilience.
    First, just a bit of background. My technical background is 
high-performance computing and cryptography. I was raised in 
this back to the days of the radio tower. My father was one of 
the first in supercomputing in this country and taught me to 
write code. I know how to exploit code, but I was taught the 
responsibility of that and the responsibility of the computing 
power that we have and I am confused on and passionate about 
protecting that and protecting good science. I am also focused 
on partnership. Outside of McAfee as a volunteer, I ran the 
private sector side of the FBI's InfraGard program, about which 
Director Mueller testified several times. I ran that for 8 
years and grew that program from 2,000 subject-matter experts 
across the critical infrastructure sectors to 33,000, and today 
chair the national board of directors for the National Cyber 
Forensics and Training Alliance, which brings together the top 
fraud analysts from the banking sector, telecom, 
pharmaceuticals, and others with the FBI under the same roof 
and other organizations and governments, do analytics that 
helped to arrest 400 cyber criminals worldwide in the past 2 
years.
    A little bit about McAfee. We are based in Santa Clara. We 
are the world's largest dedicated security company. We protect 
business, governments and consumers all over the world from the 
full spectrum of cybersecurity attacks. We are a trusted 
partner and adviser on cybersecurity throughout the world, and 
as a wholly owned subsidiary of the Intel Corporation enjoy 
driving that innovation that goes directly to the hardware. The 
buck stops at the hardware, so the adversaries can get in in 
several different ways, but when a piece of hardware knows not 
to execute a malicious instruction, that is when we have the 
enemy.
    As you have heard this morning, the cyber threat landscape 
has evolved. Obviously it is not a dorm-room activity anymore. 
It is more a mass espionage. There are two kinds of companies 
and agencies across the world, public sector and private, those 
who know they are owned and those who don't. We are looking at 
the mass movement of money markets and jobs between countries 
and companies and we are looking at the threat of destruction 
should they desire. This enemy is faster and smarter than we 
are at times. They are certainly faster. They have no 
intellectual property boundaries, no legal boundaries, no 
policy boundaries, and in many cases, they have plenty of 
money. They have absolutely no obstacles to execute on our 
infrastructure.
    Which leads us to the role of the Internet service 
providers. In the days when I sent my first packets between my 
sister's room and mine, there was nothing in that route except 
one address on the other. Now we have an unknown set of routes 
but we have an ability and a great infrastructure run by the 
ISPs that deliver our traffic and that of the adversary very 
reliably. So the enemy has now used our great cyber 
infrastructures that we built as the good guys over the world 
as a mass executive transport system for malware. They haul 
packets at high speed. They do a great job. They are fairly 
secure, as was mentioned earlier, but the current Internet 
architecture allows everything to get delivered to the grid, to 
the banks, to the rest of the critical infrastructure.
    ISPs can play a key role in better cybersecurity. They are 
already doing some of this but they have some challenges. One 
thing they can do is help detect this traffic in the network 
fabric and use some global threat intelligence to do that, and 
I will explain that in just a moment, but imagine if our 
network fabric was smart enough not to route the traffic of an 
adversary and only to route good traffic. Secondly, demand more 
secure technologies and equipment from the market. Demand that 
those technologies are armed with proactive technologies and 
not let a malicious instruction run. And third, ISPs can't 
carry the burden alone. As was said earlier, it is up to every 
system to be hardened, up to every company and user to harden 
their enterprise, and good cyber hygiene plays a role in that.
    What are the challenges that the ISPs face today? Just to 
name a couple, you have things such as Stored Communications 
Act of 1986, a little while ago. That was before I sent my 
first packet. It prevents sharing information outside of the 
telecoms, so imagine the difficulty in enabling the global 
threat picture that the enemies use. We can't make that rule 
because legally we can't combine our information together. 
Secondly, it costs a lot of money. Clean bandwidth costs money 
and users aren't willing to pay that difference, so we need 
some help leading to some policy recommendations and some 
proactive technologies.
    First and foremost, we can put threat intelligence together 
and map a global cyber radar map of where the enemy is at any 
time. At McAfee, across 160 million endpoints, we see a risk 
profile in every IP address on the Internet. Other companies do 
this. Telecoms do this. Governments can do this if we can share 
that information together and make a global threat picture and 
prevent those malicious instructions from running, whether it 
is application listing or working with the hardware, keep the 
enemy out.
    So for the policy recommendations, we support the 
recommendations in Representative Thornberry's work, certainly 
with information sharing, insurance reforms and tax credits, 
and certainly in the bill of Representative Rogers and 
Representative Ruppersberger enabling the government to finally 
facilitate the good information sharing, to put that 
information together to not only provide liability protections, 
protections for privacy and for civil liberties, but to balance 
out the advantage that the adversaries had over us until now. 
Let the government facilitate that collaboration so we can 
build that global threat picture, feed it back into the network 
fabric, and have it grow as a living, breathing system to feed 
us the information in return. ISPs play a central role in the 
global digital infrastructure. They can help us. We can help 
them. We have to work on this legal and policy framework for 
global information sharing.
    Thank you very much for requesting McAfee's views on these 
issues. I look forward to answering any questions.
    [The prepared statement of Ms. Schneck follows:]
    [GRAPHIC] [TIFF OMITTED] T2628.055 through T2628.065
    
    Mr. Walden. Very impressive testimony. Thank you. Thanks 
for all the work you do to try to keep us secure.
    We will now go into our question phase, and I wonder, Mr. 
Clinton, you talked about incentives and were fairly specific. 
Can you dive down a little deeper in terms of what that means 
in terms of more specifics on the incentives that would make a 
difference here?
    Mr. Clinton. Certainly, sir. Thank you. We are supportive 
of the approach that was articulated in the House Task Force 
report which suggests that a menu of incentives needs to be 
developed because different industries are responsive to 
different things. The defense industrial base may be attracted 
by a procurement incentive, the banking industry maybe by an 
insurance incentive, the utilities perhaps by getting rid of some 
of the outdated regulation that is based in an analog form 
rather than digitalized. So you need to have a set of 
incentives.
    On the other hand, you need to have some agreement as to 
what needs to be incentivized, and for that, what we have 
suggested and is in the multi-trade association paper that I 
spoke of before is that we need to have some independent entity 
which does not create the standards or practices but simply 
evaluates the standards and practices, an underwriters 
laboratory for cybersecurity, if you will, and then 
organizations would choose to elect a higher or lower level of 
adoption based on their business plan and their business plan 
would be improved because they would have access to lower 
liability costs, lower insurance, better chance to get a 
Federal contract, etc. So we are saying that we need a new 
system, not a government mandate system, but a system where 
there are government roles such as providing the incentives and 
there are independent roles, something like this underwriters 
laboratory, and then responsibility for the owners and 
operators.
    Now, in those sectors of the economy where the economics is 
already built into a regulatory model, then you can use that 
regulatory model. You don't need a new regulatory model. You 
can use it. For example, if you are dealing with the utilities, 
they have generally a fairly detailed regulatory structure. The 
problem that they are having is that they get mandates at one 
level and the funding comes at another level so there is going 
to have to be a correlation done on the government side. But 
basically we think you need an independent set of entities 
indicating what needs to be incentivized. That can be done on a 
continuing basis. Government needs to provide the incentives 
and industry needs to implement them.
    Mr. Walden. All right. Very helpful. Thank you.
    Dr. Schneck, so when you and your sister were trading 
packets when you should have been sleeping, obviously, doing 
your homework, turn out the lights, that was when this threat 
was really computer to computer. Now we understand it to be 
bigger than that, broader than that and whole networks that can 
be taken down. So can you describe what those threats look like 
and what should happen there?
    Ms. Schneck. Absolutely. We did that over a 1200-baud modem 
over a phone line.
    Mr. Walden. I remember a 300-baud modem where you put the 
phone in the little coupler.
    Ms. Schneck. Right. So the threat really looks at an 
instruction that executes off the site of memory, not the piece 
of memory in your computer that holds some word-processing 
program but it is where your computer grabs the next 
instruction, what do I do next. At the root of every exploit or 
attack, it is, I am controlling my will on your machine, 
whether I am telling your machine to send out a lot of traffic 
or adjust something that might change the settings on something 
that controls circuit relays on an industrial system. I am 
allowing--my will is being changed on your machine, I am 
executing on your machine. So as was pointed out earlier, you 
can buy these exploits on the Net. You can even unleash botnets 
together in a screen that looks like it came off of Quicken. It 
is a spreadsheet, and you can choose addresses to which to send 
it. You are simply relying on someone else's construction of a 
piece of code, and we see in McAfee labs 66,000 new variants of 
these pieces of code every day called malware that allow my 
will to be instructed on your machine.
    So the idea is, well, it is twofold. One is to catch the IP 
addresses that are spreading it across the Internet and that 
goes to that threat position, sharing that global threat 
picture. I can't forecast the weather without the weather from 
all the different States or countries, and that comes from 
enabling the information sharing, but also the ability to 
detect an instruction that is doing something it shouldn't do. 
Resilience means I can run even if the enemy gets in so the 
enemy will get in. The biological analogy is the disease is in 
your body but it will never hurt you. So we have to let many 
instructions get in because they will and simply be resilient 
to that, and that is the ability to work at the operating 
system level instead of having to judge every instruction, are 
you good or bad, because we have shown that is not effective, 
just know what is good and don't let anything else run. That is 
known as application whitelisting in the community. And then 
down at the hardware level, understand what an instruction 
should be accessing or shouldn't and just block it, and we can 
do that.
    Mr. Walden. I am glad you are on our side.
    Ms. Schneck. Thank you.
    Mr. Walden. Mr. Conner, you were talking about Zeus merging 
with SpyEye. Some of us wondered maybe that should have gone 
through like an FCC approval process for a merger and it would 
never have happened. All right. Now we will get serious.
    I am going to turn to my friend and colleague from 
California, who brings so much to this discussion and debate, 
Ms. Eshoo, for 5 minutes for questions.
    Ms. Eshoo. Well, I want to thank each one of you for your 
outstanding testimony. I think that this is one of the best 
panels that has been assembled on a given subject matter and it 
is highly instructive.
    I can't help but feel that this is like trying to get socks 
on an octopus, though. I mean, it is massive. And I think that 
we all have a pretty good sense of what the threat is. I don't 
think that we have a clear picture of really what to do with 
it. There are so many agencies. There was a mention of a 1986 
law that I want to hear more about. We have talked about 
public-private partnerships. We know that 95 percent of this is 
in the private sector, 5 percent in the government. Where do we 
begin with this? What are the legal roadblocks as any of you 
see them right now that are holding us back to do what my next 
question would be, what is the new paradigm? And if we have 
very good pieces in place right now, what do we keep, what 
should we get rid of? And to Dr. Schneck, do you agree with 
this notion of Mr. Clinton's of an underwriters lab? That 
sounds very interesting to me.
    So I don't know who wants to begin with what, maybe with 
legal roadblocks that you know of. I think it was Dr. Schneck, 
were you the one that mentioned the 1986 law? I am not familiar 
with that and what it is blocking.
    Ms. Schneck. So I am not a lawyer.
    Ms. Eshoo. Neither am I.
    Ms. Schneck. But the overall premise and the reason I 
mentioned that is because the adversary has the ability to act 
on us very quickly because they have no roadblocks. We have the 
ultimate weapon, and that is, we own the infrastructure that 
works at the speed of light, and if we can put the instructions 
together and the intelligence together to work as your body 
does, it attacks a virus that comes in because it knows it 
doesn't belong there, it doesn't need to have a meeting to do 
so. We need the Internet to work the same way so the routers 
and the machines that route our traffic, they need to 
understand that something is bad, and to do that, we have to 
replace the chemical and biology with the intelligence from 
data and that means getting data from all sides of the equation 
that we control from the private sector. We have to be able to 
combine that with data in the government sector, not even in 
the classified realm. That would help, but this is all 
unclass. And then some of those laws actually prevent the ISPs 
from combining that data together. I don't have the answer 
legally on how to make that work while also preserving the 
civil liberties and privacy, which are crucial. But we have to 
find a way to put together at the indicator level this address, 
this location could hurt you and make that accessible to a 
router at several hundred gigabits per second.
    Ms. Eshoo. Now, what you just described, would that fit in 
with Mr. Clinton's idea of an underwriters lab, or not?
    Ms. Schneck. I think it is different.
    Ms. Eshoo. It is different. OK. Did anyone ever tell you 
that you look like David Gergen? I was looking at you and I 
thought, I know he reminds me of someone.
    Mr. Clinton. Well, I am pretty flattered. I hear David is 
upset when the comparison is made.
    I agree with Phyllis. I think that it is a--we are talking 
about kind of different things. First of all, with respect to 
the legal issues, after he got elected, President Obama 
appointed Melissa Hathaway to do a 60-day cyber review on the 
National Security Council staff and the largest portion of that 
is appendix A, which is a thick document going through all of 
the legal barriers that need to be reviewed, so that is a place 
to start.
    Essentially what we have here is, we have a whole bunch of 
laws that were written for an analog world and we are now in a 
digital world. I mean, we have still laws on the books dealing 
with how you manage your videotapes. I haven't had a videotape 
in quite a while. So there is a lot that can be done to work 
out that legal underbrush and modernize things. We have 
suggested some of those things are regulatory and could be 
offered as incentives, you know, to get away from some of these 
burdens. Some of them, for example, are duplicative auditing 
requirements. We are all for auditing but we should have one 
unified cybersecurity audit and you pass that audit and you 
don't have to do the rest of the audits but there are multiple 
State, local, Federal, different agencies that are involved in 
this, so organizations are spending a lot of their time and 
money doing redundant things. We should strip away a whole 
bunch of those sorts of things.
    The last thing on where you start, I would strongly suggest 
that Congress start by cleaning up the Federal Government's 
roles and responsibilities. That is a much more limited system. 
You can make a lot of progress really quickly while we are 
continuing to work with a public-private partnership model that 
we currently have.
    Ms. Eshoo. Thank you. I am out of time.
    Mr. Walden. I will yield to the gentleman from Nebraska, 
Mr. Terry. Before I do so, it strikes me, we ought to get this 
appendix A and maybe have a task force of this subcommittee 
that really gets into the weeds and that more deeply, and we 
have got people who have great experience here.
    Mr. Terry. So where do we start, Mr. Clinton?
    Mr. Clinton. Well, as I said, I would start first of all at 
the Federal level. We need to straighten out roles and 
responsibilities of the Federal Government and between 
governments at the Federal, local and State levels. So, for 
example, I mentioned the problem that we have in the utility 
sector where we have mandates that exist at one level, the 
funding comes at another level, and what we have to do is 
realize that solving some of the cybersecurity problem is going 
to cost us some money. Unfortunately, when you have State 
public utility commissioners, they are resistant to increasing 
the rate base, and this is understandable, but we have to find 
some way to get a pass-through on some of these things.
    So I think a good review and scrubbing of the governmental 
issues is one place to start. Simultaneously, we have a lot of 
activity already going through the public-private partnership 
that can use a number of these things. Mr. Rogers' bill is a 
good example. And then I think we need a really concentrated 
effort on working on these other incentive programs, exactly 
what do we need to do with the insurance industry to get them 
to be bigger players, exactly what----
    Mr. Terry. In what way?
    Mr. Clinton. Well, you know, private insurance is one of 
the most effective pro-social motivators we have. People drive 
better, they give up smoking, et cetera.
    Mr. Terry. So cyber insurance?
    Mr. Clinton. Cyber insurance, sure, so that if there is--
the problem that we have in insurance, there is a couple of 
problems. One of the problems is, we don't have enough 
actuarial data because the data is being held.
    Mr. Terry. Doesn't Google have all of that?
    Mr. Clinton. Pardon me?
    Mr. Terry. I am sorry.
    Mr. Clinton. A lot of the insurance guys would like----
    Mr. Terry. You guys were good at humor. I tried it.
    Mr. Clinton. A lot of the insurance guys would like to 
share data but this runs into antitrust problems, OK, because 
to be sharing data for rates, but actually if we could get them 
to share that, perhaps in a public-private partnership, we 
would get a more realistic view of what the threat is. Right 
now they set everything at maximum, but if we share data, we 
could get a more realistic view of what the threat is. We think 
this would bring down insurance rates. When you bring down 
insurance rates, more people will buy the insurance. When more 
people are buying the insurance, more insurance companies will 
get in, and we get a virtuous cycle going on and we can use 
insurance to motivate better cybersecurity investment.
    Mr. Terry. All right. Mr. Dix, one question for you, and 
you can add on wherever you want, but you mentioned that, you 
know, for everyday users, small businesses, it is just a 
matter of cyber hygiene, so I say, OK, you pull out your soap 
and you wash. What does that really mean and what can you do? 
What can we do as small business people or whatever?
    Mr. Dix. So again, as I mentioned, I think we need a 
comprehensive and sustained national education and awareness 
campaign that tells the user constituencies how better to 
protect themselves from the infection in cyberspace. Leveraging 
the resources of the Federal Government such as the Small 
Business Administration, the Internal Revenue Service, the U.S. 
Postal Service, and other agencies that interact with citizens 
and businesses every day would be a place to help message that, 
creating and leveraging a model like we did with H1N1 where we 
have a sustained plan of public service announcements that 
drive people to a place where they can get information. It 
might even be nice if every Member of Congress had a link on 
their constituent Web page that directed folks to the National 
Cybersecurity Alliance or the Internet Security Alliance as a 
place to learn basic best practices, low-cost or no-cost things 
that they can do to protect themselves.
    If I might add, another piece of the fundamental blocking 
and tackling is to ensure an operational capability that 
presents something like a National Weather Service or a CDC 
capability where we have a picture into what is going on in the 
networks at all times in steady states and in points of 
escalation. I raise that because many of us work together 
through the National Security Telecommunications Advisory 
Committee and delivered a report to the President in May of 
2009 that recommended the creation of a joint coordination 
center, a joint public-private integrated 24/7 operational 
capability to improve detection, prevention and mitigation. We 
have got to get in front of this. Most of our time now is spent 
in response and recovery. Part of the problem we ran into, 
legal barriers. Once we got into trying to integrate, we 
developed a model in the private sector. Once we began to try 
and integrate that capability with the government, the lawyers 
told us they couldn't talk because they couldn't share this 
information. Hopefully Representative Rogers' bill will help 
break down some of those barriers, but we should have an 
operational capability that has a picture as to what is going 
on in the network at all times and we have those kinds of data 
feeds available. Organizing them and having a National Weather 
Service or CDC type of capability is long overdue.
    Mr. Terry. Thank you.
    Mr. Walden. The gentleman's time has expired.
    I believe Mr. Waxman is next for 5 minutes for questions.
    Mr. Waxman. Thank you very much, Mr. Chairman.
    Dr. Schneck, and anybody else who wants to respond to this 
question, what special considerations do the growing use of 
smartphones and tablets present?
    Ms. Schneck. Thank you. There are several. Smartphones and 
tablets are just small computers. They have the exact same 
vulnerabilities that all the other machines have that you are 
used to, and they have tens of thousands of times the memory in 
them that the guidance systems did that took our first Apollo 
rockets to the moon. So when you think about the power that is 
in your hands, you now have the ability twofold. One is that it 
enables the enemy to, if it is not secured appropriately, it 
enables an adversary to use it as a platform to get into your 
enterprise network. In the interest of time, I am going to 
simplify this a lot, but people are wanting to use the home 
device at work, and what happens is, once the adversaries 
discover they can use that unprotected home device that happily 
houses Angry Birds and launch an attack into the enterprise 
network because companies are letting folks use the small 
devices.
    So there are technologies to lock that down. We do a lot of 
that. We manage that worldwide. But you are looking at a 
massive explosion of small devices. The lady mentioned the 
cloud. These devices leverage the cloud because they don't have 
as much processing power as the big machine. So most of your 
processing is done in the cloud. You have to pay extra 
attention to the security on that motion data at rest and 
shared resources where your data are when they are not on the 
phone. Your personal information most likely is all over that 
phone, pictures of your friends and family, locations. If you 
lose it, you want to make sure you have a remote capability to 
destroy that. It is a wonderful device, but it has access to, 
again, all the critical infrastructure. If you are working on 
one and it is talking to your network, it has access now to 
your personal information.
    So I think it brings a wonderful new--I spoke about this at 
the consumer electronics show. It brings a wonderful new sense 
of fun to computing and it also brings new dangers that we 
need, to quote my colleagues here, to get out in front of 
before this is yet another massive vector because mobility is 
multiplying.
    Mr. Lewis. Just real quickly, every once in a while I talk 
to hackers just to see what they are up to, and recently one of 
them told me that the price for a toolkit to hack an iPhone is 
about $200,000 on the black market, and he said for other 
phones it is only $10,000. So, you know, I don't know. What 
this is going to do, though, it is going to force us to pay 
more attention to the service providers, to the big telcos, to 
the ISPs, to the cable companies. Responsibility is going to 
shift away from the edge, away from the consumer to the service 
provider.
    You don't patch your cell phone. You know, you don't 
program it. You depend on its computing becoming a service, and 
that will change the contours of security and change the 
requirements for regulation.
    Mr. Conner. With all due respect, I disagree with that. If 
you look at Metcalfe's law and if you look at just what 
happened with Apple and AT&T, the value has shifted. It shifted 
from the carriers to the endpoints, and this is about identity, 
and I will give you a good example. The threat I talked about 
going out of band or using a mobile network and a device is a 
surefire way to stop that kind of transaction today, and it is 
safe and it is protected. It uses digital signature through a 
wireless carrier network and on a mobile device with digital 
signature which is probably why to try to hack the device costs 
a heck of a lot more on an iPhone or iPad than a normal phone. 
And if you use that, the probability on that attack factor, you 
don't break it.
    So I think there are good pieces and I think my personal 
experience, the minute you think you are going to stop all this 
in the network, the ID and IP address is no longer the 
identity. The number one thing people fake is who you are, what 
you are, and the application of who are you, and that is the 
hardest thing to combat in terms of good guys versus bad guys. 
The threat I showed you is not the identity of the person that 
is doing it. He has faked your identity, and no perimeter 
technology, no network can deal with that until they deal with 
the endpoint itself.
    Mr. Lewis. I don't think we are disagreeing, though. I 
think that you are going to see that the authentication 
technologies you are talking about will depend ultimately on 
the service provider.
    Mr. Waxman. Well, let me ask one question, and I know I 
don't have much time, but many of you mentioned in your 
testimony how communications networks are central to most other 
critical infrastructure sectors. How does this then relate to 
the importance of this committee in addressing cybersecurity of 
communications networks? Anybody want to respond to that?
    Mr. Lewis. Well, I think that in the opening remarks, a few 
of you mentioned some of the things that are going on at NTIA 
and FCC that could reduce risk, right, and one of the examples 
we have heard about is of course this measure to get the 
Internet service providers to adopt a voluntary code of conduct 
for dealing with malware. It is a good thing to do. It is sort 
of basic-level stuff. The FCC has an effort to promote the use 
of DNS security, DNSSEC, and this is--not to get too 
complicated, but this is a growing vulnerability. It is 
relatively easy to fix. Other countries have moved faster than 
the United States. It is something that we can probably do on a 
collaborative basis.
    The third thing to look at is some of the responsibilities 
for other activities, other protocols. This is a place where 
you don't want the government creating technology, right. It is 
not for this kind of level of technology. But you do want it 
maybe coordinating a response, and so when you look at FCC, 
when you look at NTIA, the DNSSEC, the ISP efforts, some of the 
other measures, Commerce is doing similar things, this is where 
you can play a big role.
    Mr. Waxman. Thank you, Mr. Chairman.
    Mr. Walden. With the committee's indulgence, we were all 
going to ask you about the Australia model, and then we all 
forgot. Without objection, would you mind addressing the 
Australia model?
    Mr. Lewis. Well, Phyllis talked about this as well. Your 
ISP probably has a pretty good idea of what is going on on your 
computer at home, right, and right now they don't really do 
much about it, and I think Bob talked about this as well. You 
know, there are basic hygiene things that most people don't do. 
Your ISP has fairly good knowledge when you are running 
malware, when you are part of a botnet, not perfect knowledge 
but good knowledge. What actions can they take to stop that? 
And in Australia, Australia is not the only country that does 
this anymore, at one point they thought the attorney general 
will come in and tell the ISPs what to do, because the ISPs 
were not doing anything. This was a failure of incentives, 
right. And there was a tussle, a political tussle. At the end 
of the day, the ISPs--and Australia is a little easier because 
it is a smaller country. They said how about if we come up with 
a voluntary code of conduct that will let us deal with the 
malware threat, and with a little guidance and help and 
involvement from the attorney general and the Australian 
federal police, which is roughly equivalent to some of our 
Federal agencies, they came up with a pretty good system that 
works pretty well.
    This will not deal with the advanced threat but it will 
deal with--you know, quick, name a country in the world that is 
the biggest supplier of botnets used in cyber crime. It is the 
United States, and it is not because we are cyber criminals, it 
is because we are incompetent in our defenses. The Australian 
model changes that. We are number one, hey, great.
    There are some issues, and I will just do them quickly. 
Other countries that do this--Germany. Germans have a lighter 
approach. What happens in Germany is, you get a little popup on 
your screen that says basically we notice you are infected, 
call this number if you want help. Australians and some of the 
other countries that do this say click here and we will clean 
your computer for you. A few other places that don't go public, 
they just intervene without your knowledge. You have a privacy 
issue. You have to be careful about that. One of the things 
that comes up over and over again is, Should we isolate 
infected computers? Should we cut infected users off from the 
Internet? Some companies are beginning to do this. You are 
putting such a burden on me that I am just going to cut you 
off. A big issue. If you look at the places where we have data, 
there is an amazing drop in the rate of infection. So this 
works, and it would be useful if we followed the Australians, 
the Germans, the Japanese, the Turks, any number of countries.
    Mr. Conner. I will give you two other points on Australia 
that are, I think, relevant to this group. Australia is also 
looking at their energy grid, and granted, their energy grid is 
a little different architecture than the United States, more 
like Ireland and others, but in the process that we are working 
with them, they are starting with the infrastructure part and 
the actual production side, the energy creation, one, to lock 
down the authentication of the systems within the creation of 
the power and starting there, and then going to the export of 
that power through the grid as it extends through the different 
carriers all the way to the endpoint in terms of that. We are 
involved with other companies here in the United States helping 
them do that.
    The other piece is, as they look at health care, they think 
that is a critical area in terms of being able to have health 
care cards, a novel idea when you get to privacy concerns here, 
but as I say, you can't have privacy without security and 
policy.
    Mr. Walden. Thank you, and thanks for the indulgence of the 
committee. I am going to go to--oh, Dr. Schneck. I am sorry. Go 
ahead.
    Ms. Schneck. One point, if that is OK.
    Mr. Walden. Yes, sure.
    Ms. Schneck. So I think that the example in Australia is a 
beautiful example of this need for information sharing. I would 
challenge the wording a little bit from Dr. Lewis, and I don't 
think he meant it this way, but the ISPs don't know what is 
going on in your computer. They are not watching your banking. 
They are not watching you work. They see because they own that 
block of addresses. They see the behavior from that block of 
addresses as a footprint as it tries to send traffic, which the 
ISPs are able to track to protect you from malware. They see 
that footprint, just like McAfee sees it, reflect on things 
they own, and from that they can see where traffic has come in, 
for example, a ridiculously large volume in a short period of 
time from a certain set of machines and they can look at those 
machines and say these are infected with certain code, and they 
can then, in the Australian model, let you know, and so the 
question becomes, how do they let you know. I think it is a 
great example of the use of that intelligence picture. It shows 
how with Representative Rogers' work, we could actually get a 
larger intelligence picture. That is what makes for the humans 
that the pretty weather map picture that Mr. Dix recommends. 
But also, you have the ability now to look at who is infected 
where and start looking at these incentives. How do we 
incentivize the general public to do this hygiene? Most people 
with a computer don't know what it does all night when they are 
sleeping. If they knew, they would clean it up. It is not that 
hard. So I think this is a really neat exercise on the 
information sharing and the incentives.
    Mr. Walden. I appreciate that, and I appreciate the 
committee's indulgence in just trying to get some more 
information out there.
    Mr. Rogers, thank you.
    Mr. Rogers. Thank you very much. I know we are short on 
time.
    Mr. Conner, are you familiar with the company DigiNotar or 
what used to be the company DigiNotar?
    Mr. Conner. Very much so.
    Mr. Rogers. And signatures and attribution is very, very 
difficult, although I think we are getting better. It is pretty 
difficult. Can you briefly--I think it would be good for the 
committee to hear the story of DigiNotar and how a viable 
company went away in about a month after being hacked and what 
it does, quickly, and what happened and why this is important 
to move forward.
    Mr. Conner. So if you look at the Internet when it was 
created, the little yellow lock, everyone sees the little 
yellow lock on their browser and on their PC and they think 
they are safe. Very few people know what that little yellow 
lock means, and what it is supposed to mean is the 
communication path is secure between you and the Web site that 
you are communicating with and who is on each end of that. The 
problem is in the SSL world, which is kind of the security 
level of that, the identity on each side of that may or may not 
be who it is reported to be. We co-chaired along with Verisign 
a new standard on that extended validation because if you go to 
your Super Bowl last week, you will see people advertising, 
hosting and selling that little yellow lock for $19 for your 
business Web site. The only problem is, the verification of who 
on the end of that is, is pretty lax. And they just look at the 
server and go well, that must be you.
    So the issue was, this one company that provides the little 
yellow lock, in this case, predominantly in the Netherlands, 
was breached, and they were breached from Iran just as many 
other security vendors have been breached. We get a target 
every day from country states, our little 350-person company 
with no help to the U.S. government, thank you very much, to 
defend that. Well, this little company got attacked just like 
Comodo did, just like others did, and they breached that little 
yellow lock that said who they were and they began to take down 
the government security because that government used the little 
yellow lock for all its online capabilities, and the people in 
Iran, guess what, used that little yellow lock to say they were 
Google and other people. So anyone in Iran that was Googling 
content in that country was able to give up to the Iranian 
government whatever they were looking at, whatever they were 
doing, and one government was basically shut down for at least 
60 days, and unfortunately, to those of us in the security 
world, we found out about it through the browser forum and 
actually Entrust was a partner to that group, and it ended our 
relationship with them prior to that, and even we weren't 
notified. So that talks about to your question of the legal 
framework of what is going on here and the disclosure 
requirements.
    Mr. Rogers. Thank you. And I just think that was a great 
example of a nation-state using its intelligence services to 
co-opt something like that. And by the way, DigiNotar is no 
longer a company, so if you want----
    Mr. Conner. Yes, it is out of business.
    Mr. Rogers [continuing]. To talk about the cost, there is a 
hack that took this company and is now out of business, so----
    Mr. Conner. Well, be careful. It was a subsidiary of a 
public business that still exists that acts like it didn't 
happen.
    Mr. Rogers. But the contracts that it has in the 
Netherlands no longer exist?
    Mr. Conner. No, that is correct.
    Mr. Rogers. OK.
    Mr. Conner. That is exactly correct.
    Mr. Rogers. It is an American company that actually owned 
it?
    Mr. Conner. That is right. And I think the point that you 
are on, Congressman, is an important one. There are ways--we 
have been attempted to be hacked by the same group. We have 
watched them try that over the last 12 months. Two of the 
people that own the yellow locks in the United States and 
abroad have been taken down relative to Iran being able to 
break in and impersonate those pieces. So it is happening every 
day.
    Mr. Rogers. I thought it was important for the committee to 
hear that particular case because it shows how sophisticated 
and how dangerous it can be if somebody has a nefarious purpose 
other than criminal. Criminal is bad enough. This was other 
than criminal. And I see my time is almost up so I am going to 
ask two questions and close up.
    Mr. Lewis, I would like you to talk about, we have been 
through a long time. It has been very difficult to get to a 
place where we have a very narrow focus on how to move to the 
next step. Just talk about the challenges of why we think it 
has been difficult to even get a very narrow change in the law.
    And lastly, Dr. Schneck and maybe Mr. Dix can talk about 
this, you talked about hardware. There is much concern about 
hardware entering our system that may be malicious and very 
difficult for us to understand exactly what that hardware is 
doing in our systems, and I am hoping you can talk about that 
and what we might be able to do from a regulatory and/or 
cautionary position on behalf of the United States Government 
to make sure that those type of hardware systems don't enter 
our system and some of our hardware systems are not exposed 
when they leave this country to manipulation by foreign nation-
states.
    Mr. Lewis. Thank you, because those are hard questions. 
They are great questions but I am glad Phyllis got one of them. 
So, you know, the neutral answer is to say when you look at a 
new technology, it usually takes the United States somewhere 
between 20 and 50 years to figure out to get it in order. So 
you look at airplanes, steamboats, railroads, electricity, 
cars. We are in year 18 for the Internet. So we are not doing 
too bad, I guess. I mean, we have a couple years to sort this 
out.
    A little more pointed answer: We have so many old ideas. 
They have not gone away. If it was in PDD-63, which was the 
Clinton administration policy, and we are still trying it, it 
doesn't work. Give it up. And the second thing is, as you have 
heard, we have old laws that are real obstacles. You of course 
are trying to fix this but if it is the Electronic 
Communication Privacy Act designed for dial telephones, you 
have serious issues here. You have business issues, you have 
privacy issues. So it is a hard problem and it will take time 
to work out, but the prevalence of the old thinking and the 
difficult legal environment we have has really slowed us down 
and put us at risk.
    Mr. Rogers. Mr. Dix or Dr. Schneck?
    Mr. Dix. First of all, I would like the record to reflect 
that Mr. Lewis and I agree on that last point. Thank you. First 
of all, let me just touch on the hardware issue because the 
whole supply chain risk management issue, you know, it is 
interesting to me, the last count, there is 155 different 
supply chain risk management initiatives in the government 
today. We need to coordinate those issues. And quite frankly, 
organizations like ours, we invest heavily in what we call our 
brand integrity program because our reputation is how we grow 
our business. So we invest from concept to delivery in our 
products, in our hardware and software products.
    To make this short, one of the things that I think that 
this body could help with, as we sit here today and we deal 
with this supply chain risk management problem, the Federal 
Government still continues to buy from untrusted sources. There 
is a cultural cost to government of cost and schedule across 
the departments and agencies where in order to save 5 cents on 
a widget, we are buying from low cost, low bid. As a result of 
that, we end up in the gray market and then we wonder why we 
have counterfeit or malicious products in our government supply 
chain. We should be buying from trusted sources. If there is 
some reason why we are not going to buy from trusted sources, 
there should be a justification, it should be public, and the 
liability from that should accrue to whoever the acquirer is.
    Mr. Rogers. Dr. Schneck, can you just comment on that as 
well?
    Ms. Schneck. I do agree. I will also add that we look at 
supply chain again as an issue of your product integrity. We do 
rigorous testing, both the manufacturing and acquisition. We 
would also believe in leveraging some of the existing standards 
to really focus on a product integrity issue, because what you 
want to know is, did that widget that you bought, is it exactly 
what you think you bought. That is the heart of the issue. So 
it is rigorous testing and expanding some of the existing 
standards.
    Mr. Rogers. Just to clarify for the record, Mr. Chairman, 
so we are at risk if we integrate into the U.S. system non-
trusted sources of product? I want to make sure I am clear on 
that.
    Mr. Dix. I certainly think it increases the risk.
    Mr. Rogers. Thank you.
    Mr. Lewis. I used to do the supply chain stuff when I was 
in the government sort of on both sides of the table, and a 
couple points on that. First, right now it is so easy to hack, you 
know, that you have to assume that our Chinese and Russian 
friends are taking the low-cost approach to espionage. Why 
should they not do it? The second one is, it is very hard to 
push this out to a global supply chain. We are not going to be 
able to get out of that. So this is an exceptionally difficult 
issue that will probably force us to think about how we are 
going to work with foreign suppliers. And there is not really a 
choice here. So what I do think will happen--I will just say 
this real quick--right now hacking is so easy, why bother. If 
we ever manage to improve our defenses, they will switch to 
supply chain.
    Mr. Walden. I appreciate that. Here is the problem. I am 5 
minutes over his time and I think members are----
    Mr. Rogers. But this is a Clinton we can all agree with 
right here.
    Mr. Walden. The gentleman's time has long ago expired, and 
I appreciate the patience of the committee members who haven't 
had a chance to ask a question yet, so we will try to get back 
on schedule. Mr. Doyle.
    Mr. Doyle. Thank you, Mr. Chairman. Thank you for putting 
this hearing together, and to the panelists, your testimony and 
your answers to the questions have been very informative.
    I want to follow up on a line of questioning that Mr. 
Waxman had to Dr. Schneck. Dr. Schneck, I know in your 
testimony, McAfee labs predicts an increase in attacks on 
smartphones and mobile devices in the future, and it is my 
understanding, your company had partnered with a research 
facility at Carnegie Mellon University CyLab, which is in 
Pittsburgh, the district I represent, about how businesses and 
employees handle mobile device security, and apparently this 
study showed that most of lost and stolen mobile devices create 
some of the biggest concern for businesses. About 40 percent of 
the organizations surveyed have had lost or stolen devices and 
half of those devices contained business-critical data. 
Further, about 50 percent of mobile users that were studied, we 
found out they store their passwords and their PIN numbers and 
credit card information on their mobile devices, which I am 
completely guilty of. I am going to erase them as soon as this 
hearing is over.
    It seems to me that one way to tackle this is to make sure 
that the devices that employees are using are secure in the 
first place so that if an employee uses them, that the data 
remains secure or you could remove that data from a remote 
source, and to follow up with what Mr. Waxman asked you, to 
your knowledge, could you elaborate on what is being done by 
device manufacturers and app developers to secure their 
products for commercial use?
    Ms. Schneck. So we look at protecting them once they are 
received so from what we have worked with, there are a couple 
of vectors on what they are doing before delivery. You know, 
one is--I will take the application side first. When people 
download an application, they rarely think about is this 
application secure. One of the biggest dangers we see is not 
did I catch a virus, it is did I go and purposely download 
something with a big smiley face on it and a great app that did 
something neat for me, but what it is actually is, it is a 
pretty picture and delivery of malcode. One of those 
instructions will get to be a platform to enter your network 
corporate or to start shipping back your personal information 
for sale in the Russian underground. So that is one risk. And 
the app developers, so some companies are very careful in the 
app markets and only approved or back to the trusted source 
point, the only approved apps are there for sale. Other 
companies are more open about it and it is up to the user to be 
very careful about what you download.
    Mr. Doyle. Mr. Conner, do you have some thoughts on that?
    Mr. Conner. Yes. We work with all of them, so from the 
Android operating system to iOS to the Microsoft, the first 
thing we are working with each of them on is, how do you 
identify the device itself securely and authenticate that back 
to your company, because if you don't know it is connected to 
your company, you have got your first issue and kind of the 
consumerization and the enterprise.
    The second theme becomes, how do you then work with the 
applications that go into that phone, and each one of those 
ecosystems do that differently. Some have sandboxing where they 
then can use our security or others to make sure they know who 
is coming in to put that there. They all three have very 
different testing mechanisms to test those apps in terms of 
that sandbox and how they communicate that back and forth. And 
then the third thing we are working with each of them on is how 
you secure email and content and communication, whether it is 
mobile, no different than we did with laptops and desktops 
before.
    Mr. Doyle. Mr. Dix?
    Mr. Dix. Yes, and good old U.S.-based innovation has 
delivered today. Available in the market today, a capability to 
lock, locate and wipe those devices on demand.
    Mr. Lewis. We are getting close to maybe having a solution 
to authentication. It has been the holy grail for about 20 
years.
    Just a quick story to help put this in perspective. There 
used to be just one government-approved private company in 
North Korea. Do you know what they made? They made mobile phone 
apps. I see a pattern.
    Mr. Doyle. And just another general question for the panel. 
Do you think the FCC has any role to increase mobile device 
security, and what should that be? Mr. Conner?
    Mr. Conner. Absolutely. In fact, you look at the FCC, the 
critical infrastructure there. I mean, I spent 10 years at AT&T 
and another 10 putting electronics and systems into those type 
of companies. It starts with that. I mean, I said you can look 
at the mobile networks as either good or bad. It can stop the 
crime I talked about today if used correctly with technology 
that cannot be broken today. So I think that if you think of 
one governing body trying to own each of these pieces, it is 
folly. I think DOE needs to work with the public partnership 
and private partnership for its domain. I think Commerce and 
Treasury needs to work it, and I think FCC needs to own that 
infrastructure around that ecosystem because to think that the 
attack vectors that the bad guys are taking against us are one 
size fits all is just ludicrous.
    Mr. Doyle. Very good. Mr. Chairman, thank you.
    Mr. Walden. Thank you, Mr. Doyle.
    We will now go, I think Mr. Gingrey is next in order.
    Mr. Gingrey. Mr. Chairman, thank you.
    This question is for the entire panel. Maybe we will start 
with Mr. Conner. Some have argued that before we enter the 
cybersecurity debate, we should heed the Hippocratic oath and 
make sure that in the first place we do no harm. If there were 
one caution that you could offer us before legislating, what 
would that be? Mr. Conner, why don't we start with you?
    Mr. Conner. Well, I think the way I would start as a 
government is the bully pulpit, frankly. I spend a lot of my 
personal time with this team and others, spend a lot of time 
educating, and I think quality is a great example that this 
government got right. They didn't need equality. They just got 
on the bully pulpit and said quality is important. And when I 
think of security, the lexicon was not here. It still isn't 
here the way it was. If someone started quality, saying I am 
going to get to six sigma, they wouldn't know what it meant 
when quality started before the book. You heard cost of quality. 
I hear cost of security. We are focused on what cost. Are you 
focused on the total cost of security or just the cost to 
implement something? So I would start with education and your 
bully pulpit.
    The second thing I would start on is the inability of 
businesses to talk to governments or to themselves because of 
antitrust and the patchwork legislation in the States. I am 
tired of it being a one-way communication street to 
intelligence and nothing in return, and I understand they 
legally can't do it, but as the company that is tasked with 
protecting our government and governments and enterprises and 
citizens, it is pretty folly to me. I can only give you 
information; you cannot give me any.
    Mr. Gingrey. Mr. Conner, thank you.
    We will go to Mr. Dix and move rapidly.
    Mr. Dix. Thank you very much. Two quick things. One is, 
continue to inspire and drive an environment that supports 
innovation and investment, and secondly, be cognizant of the 
fact that the bad guys move fast. We need to have speed, 
nimbleness and agility in our ability to respond. Attempting to 
comply with a compliance model that takes a long time to build 
and implement slows us down and imposes impediments to our 
ability to have speed, nimbleness and agility.
    Mr. Lewis. In 2007, we had an intelligence disaster----
    Mr. Walden. I don't believe your microphone is on.
    Mr. Lewis. In 2007, we had an intelligence disaster in this 
country. The details are still largely classified. In 2008, 
DOD's Supernet was hacked. We were unable to get the opponent 
off for about a week. In 2010, we saw Google and about 80 other 
companies get whacked, lose intellectual property. Most of them 
have not reported it but this will show up in Chinese products 
in about 5 years. Last year we saw Stuxnet, which was the 
ability to destroy physical infrastructure using cyber attack, 
and we have a list at CSIS of major cyber events, mainly 
because I got tired of people asking me when we would have a 
cyber Pearl Harbor. The list is up to 90.
    So I think what we need now is, we need to stop saying do 
no harm. We need to move out. We need to do a coordinated 
defense.
    Mr. Gingrey. Dr. Lewis, so you think we definitely need 
legislation?
    Mr. Lewis. I do, and I think there are things--one thing 
that we can say now that we couldn't have said 5 years ago, we 
now have a pretty good idea of how to do this between the 
experts up here, some of the other places. There are agencies 
that have done a particularly good job. We now have a good idea 
of how to reduce risk and we need to implement that.
    Mr. Gingrey. Mr. Clinton?
    Mr. Clinton. I agree that we do need legislation. The 
question is, what is the legislation that we need. I do 
subscribe to the ``do no harm'' theory. I think the one thing 
that I would tell the committee is to understand that this is 
not a technology issue. It is an enterprise-wide risk 
management issue. The problem we have is that in the 
cybersecurity world, all the incentives favor the bad guys. 
Attacks are cheap. They are easy. They are really profitable. 
It is a terrific business model. Defense is hard. We are 
following the attackers around. It is really hard to show 
return on investment to what you prevent, and criminal 
prosecution is virtually nonexistent. So I would go back to the 
last thing I said before I finished my oral statement: 
Understand that you are dealing with the invention of 
gunpowder. This is an entirely different thing. You can't just 
take 20th century models and plug it in here because you can 
pass legislation that will do harm, that will take away needed 
resources from where they need to be. We need a creative 21st 
century approach, and a lot of what we are seeing in the public 
policy world is not that.
    Mr. Gingrey. Mr. Clinton, thank you.
    In the last 12 seconds, last but not least, Dr. Schneck.
    Ms. Schneck. Let us take this as an opportunity, unleash 
the power of the private sector. We built this thing. We didn't 
build it with security. Now we understand this adversary. Let 
us take the information we have, the data we have, the ISPs see 
all the mobile phone activity. They can see that. They can 
protect that. Incentivize us so that we can still eat when we 
get done doing it but let us make sure that we build business 
models around building security in from the hardware up, and I 
think you will see this world change in a few worlds.
    Mr. Gingrey. I thank the panel for their excellent 
responses, and Mr. Chairman, I yield back.
    Mr. Walden. Thank you, Dr. Gingrey.
    Ms. Eshoo and I were talking about, we are going to lock 
the doors and not let you out until you give us all the ideas 
that we need to do here, and we will let you out today. But 
seriously, in terms of helping us understand how to get this 
right. You have a lot of them but in your testimony but if you 
could help us drill down very specifically, at least within the 
jurisdiction we have, we would really appreciate very specific 
suggestions back.
    We are going to go now to Ms. Matsui from California. Thank 
you for participating.
    Ms. Matsui. Thank you, Mr. Chairman, and I have to say, 
this is probably the most interesting and scary testimony I 
have ever heard. But I think that quite frankly, our country 
doesn't realize what risk we have, and I think the things we 
hear about over the news are things--talk about hacking but 
they are at a level, a personal level that people understand. 
This is far beyond that. It really affects every sector of our 
economy, our country, the way we live. So I truly believe that 
this education process is going to be very, very important. And 
I also believe that people like you have to step up to talk 
about it in ways that the public could understand. 
Cybersecurity, everybody sort of understands it but doesn't 
understand it. So I think with every advance in technology, we 
open ourselves up, and our daily lives can be impacted so much.
    I wanted to follow up a little bit more on the cloud-based 
services. Businesses and governments are now going into the 
cloud, and what are the unique challenges facing the cloud with 
respect to cybersecurity and are we prepared, are we thinking 
ahead, knowing what we know now about how we address these 
challenges, and why don't we just start over here with Mr. 
Conner?
    Mr. Conner. It is something that is getting a lot of 
attention from everybody, and I think a lot of people are 
running before they thought it through. I think it is very 
application and business sensitive, depending what you put in 
the cloud. Some stuff you put in the cloud, it is user name and 
password sensitive, that is fine, but if you are putting 
valuable financial information and intellectual property in the 
cloud, you have two issues. The security within the cloud is 
not what the security was within a mainframe data center today, 
and how do you authenticate to the cloud is still a matter of 
how you choose to implement that, and I think that is very 
naive.
    Ms. Matsui. So are we still at a place though where we 
could start looking at that and incorporate, you know, how we 
integrate some of these things into some of the information-
sharing activities. We are still OK right now, but right now 
you talk about the cloud as a very sexy thing so people are now 
jumping to it.
    I was curious also, Dr. Lewis, that you mentioned that 
government should find ways to incentivize companies, and Dr. 
Schneck was talking about the same thing. What types of 
incentives would be the most effective, in your opinion? And I 
would also like to hear from Dr. Schneck too.
    Mr. Lewis. There are basically four kinds of incentives. 
There is regulation, and we are going to need some of that, not 
too much, and it varies from sector to sector. There are tax 
breaks. I mentioned this to the Republican task force on 
cybersecurity. They thought this was not the best year to go 
after tax breaks. There are subsidies, right, and we might need 
subsidies for research and development, perhaps some other 
things. Finally, there is a coordinating effect, right? Someone 
has to lead, and you can find this--maybe a good story from the 
Australian example. If you pull industry together and point 
them in the right direction, they will come up with some really 
good stuff and we can find some examples in the Defense 
Department where that has worked pretty well. So regulation, 
tax breaks, subsidies, and that might include building 
something into the rate structure for some critical 
infrastructure, and then coordination.
    Ms. Matsui. Dr. Schneck, do you agree?
    Ms. Schneck. Not entirely. I think regulation draws a box 
around the technologies that you are forced to adapt. It puts 
all your money there. It takes it away from science innovation, 
and even worse, it shows the bad guy what we are not 
protecting. But I do favor the rest. I favor tax incentives. 
You know, we believe in insurance reform. Anything that allows 
a company to be creative, invest upfront in cybersecurity, 
because the upfront investment is a lot easier and a lot more 
fun than the cleanup, and it is a lot cheaper. I testified 
earlier a couple months ago about small businesses and 
incentives being needed when--we don't realize the small to 
medium businesses make up, you know, 99 percent in some cases 
in our business fabric, and if you think about where some of 
the newest technologies come from, not just cyber but maybe our 
jet engine comes out of a startup of a couple really bright 
guys out of college, they are not going to invest a whole lot 
in cybersecurity necessarily when they get that huge SBIR 
grant, but if built into that grant was some positive incentive 
or some extra money saying you will get this money from the 
government only if you promise to secure it, and we could be 
doing that for all levels of companies.
    Ms. Matsui. So government does have that type of role, 
though, and I think the part that I am looking at is, who 
convenes all this way? How do you do this so you all work 
together? Because I think you are absolutely right, the 
business sector can work together and have the solutions but 
how do we get to the next point?
    Mr. Conner. Well, I think the first thing you have got to 
do is relieve the legal obligation when we sit with CEOs. In my 
first public-private, all the CEOs agreed until they went and 
talked to their legal counsel, and guess what? Then it went 
completely dead because no one wants to go public. For one, you 
have got an antitrust issue of sharing, and second is, the 
minute you go public, you create a standard to be sued 
criminally as well as civilly, and that is the reality as a 
government person doesn't understand, but if you are a CEO, 
class actions mean something and suits mean something, and the 
minute I say something, I now put a different standard to me to 
be held to.
    Ms. Matsui. Well, thank you very much. I see my time has 
run out. This is very fascinating.
    Mr. Walden. Thank you.
    We now go to Mr. Latta from Ohio. We look forward to your 
comments as well.
    Mr. Latta. Well, thank you, Mr. Chairman. I appreciate it. 
And I thank the panel for being here. For someone who did serve 
on the cybersecurity task force, I can tell you, it is like you 
go home, go to your office, it is like, do I really want to 
turn that thing on now or not.
    And if I can go back first, Mr. Conner, you know, talking 
about the yellow lock that you engaged with Mr. Rogers in a 
discussion about. You know, a lot of times they tell you if the 
https comes up, you are safe. Are you going to tell me that is 
not true now?
    Mr. Conner. The only thing I would tell you is, unless that 
chrome goes green, I wouldn't assume that you are safe.
    Mr. Latta. OK. Because the reason I ask that, you know, we 
have to get this message out to our constituents and the 
American people, and I know that a lot of folks see that little 
yellow lock come up and say I am fine. I hate to say that my 
daughters were on some social networking and we had a problem 
for about four days before somebody could spend--I don't want 
to say how much money it took to get the thing fixed before we 
could get back on the computer. But, you know, I am really very 
cognizant of the fact now of watching for that https to come 
up, because again, it also goes to the whole point of, you 
know, again, let us say you do online banking or people do 
certain things, we need to be able to communicate that, so that 
is one thing.
    If I could ask Mr. Dix and Dr. Schneck this question. You 
both mentioned in your testimony the idea of creating trusted 
relationships online either through authenticated emails or 
through white lists. Could you elaborate on these ideas and 
explain how they differ from the previous cybersecurity 
measures like spam filters and blacklisting?
    Mr. Dix. Ladies first.
    Ms. Schneck. So our focus on trusted relationships is in 
the macro and a little bigger. I would say that we all need to 
work together, and we do. Organizations such as Bob mentioned, 
organizations such as the NCFT and the InfraGard show that 
government and private work together. I think we are dealing 
online today with a world much different than spam filter. I 
used to help build a spam appliance many companies ago, and 
what we looked at then was only the email vector. Now you have 
the web vector, the firewall vector, the mobile vector. Again, 
the enemy is faster. So when you start looking at trusted 
relationships online, we had at least 30 different parameters 
we looked at just at email. It wasn't just, ``Did I trust the 
sender?'' It was all kinds of things and indicators in that 
note. And now you multiply that. So you have, from our 
perspective in protecting against cybersecurity threats at all 
the different vectors, we have over 1,000 different parameters 
of trust that we look at, and it is not just an established 
relationship. It is what has your behavior been lately as in 
the last two milliseconds and the last 15 years.
    Mr. Dix. Continuing to advance the development and 
implementation of the national strategy for trusted identities 
in cyberspace is a step in the right direction, and that is an 
example where industry and government working with NIST have 
come together to deal with this issue of identity. Every one of 
my colleagues here has mentioned the issue of identity as being 
a root issue in this entire trust discussion that we are having 
here today. So there is an effort underway. It is 
collaborative. It is producing results and moving to 
implementation of the NSTIC would be a step in the right 
direction.
    Mr. Latta. Mr. Conner?
    Mr. Conner. Just the last comment on that is, the irony of 
this is, you think of who are the most trusted identifiers we 
use. They are usually government issued. And I think this is 
one area our government needs to get out of the U.S. think and 
into the rest-of-the-world think.
    Mr. Latta. Let me kind of go on with this, because, you 
know, again, when you are looking at, you know, people trusting 
what they are doing on the Internet and banking, I don't care 
what it is, but when we were talking about trust, this is 
another discussion that was held a little bit earlier, you 
know, talking about not buying from the low cost, low bid and 
you need to buy from that trusted source, but how do you know? 
How do you know even if you buy from somebody that is trusted 
that that stuff is still good without going--I mean, how do you 
go through unless you are testing? Are you testing constantly? 
I will throw that out to all of you.
    Mr. Dix. So since I brought that up, I will take that 
first, with your permission, sir. So each of us that are 
manufacturers has a network of authorized resellers and 
distributors that we utilize in the distribution of our 
products into the marketplace. That is a place to start from, 
understanding who those authorized providers are. There is also 
a great deal of work that is going on right now through the 
Trusted Technology Forum and the Open Group to be able to 
create a certification and accreditation process for suppliers, 
working collaboratively with the government again in a 
standards-based approach to being able to address this issue. 
So there is some good work that is going on right now, but the 
fundamental piece of it in my mind is cultural. We are still 
evaluating people and departments and agencies on their ability 
to meet cost and schedule. That drives a certain behavior 
because it doesn't have security as a paramount foundation of 
that conduct.
    Mr. Latta. Mr. Chairman, I see my time is expired and I 
yield back.
    Mr. Walden. Thank you very much.
    Dr. Christensen, you are now recognized for questions.
    Mrs. Christensen. Thank you, Mr. Chairman, and thank you to 
all of the panelists.
    This is a general question. The FCC's Communication 
Security, Reliability and Interoperability Council has been 
formulating recommendations for best practices to ensure 
optimal security and reliability of communication systems, so 
how do you see this process contributing to improvements in 
cybersecurity, or said another way, what is FCC's role in the 
coordinated defense that we heard about?
    Mr. Lewis. I am really glad you said that because I have 
been sitting here trying to remember what CSRIC stood for. I 
had gotten all but two of the letters.
    We have all said, when you talk about cloud, when you talk 
about mobile, that we are moving to a world where the role of 
the service providers is going to be more important, and that 
is where FCC and NTIA are the lead agencies right now. There 
are others of course that are involved but FCC originally 
looked at this issue and they were afraid that if they took too 
active a role, as I understand it, they might be seen as trying 
to regulate the Internet, and they wanted to avoid that. So 
instead, they have taken on an approach that works more on 
coordination with private sector experts, with developing 
venues for these private sector experts to get together and 
encouraging them to come up with a voluntary approach, and one 
of the things I had said to FCC staff a while ago is, try the 
voluntary approach, and if it works, great. If it doesn't work, 
then we have to think about more mandatory measures. So far it 
looks like it is working, though. So I understand they have 
some measures they might roll out in the next few months. 
Commerce has some other things they are doing. This is where 
the service providers and their regulators will be one of the 
key elements of cybersecurity in the future.
    Mrs. Christensen. Anyone else?
    Mr. Dix. So they are in a position to serve in a key role 
in this education and awareness campaign that we talked about 
and coordinating that at the national and in a sustained manner 
to help deliver messages to constituent stakeholders whether 
they are home users all the way up to large enterprises, 
working with the carriers and the content providers to be able 
to help deliver that message. So I think there is a key role in 
that part of it in showing leadership around how we advise 
people how to protect themselves.
    Mrs. Christensen. Ms. Schneck?
    Ms. Schneck. Just one point in addition, having worked with 
them a bit over the past few months, they are setting a great 
example. Their house is in order from a cybersecurity 
perspective. They have some new leadership and they are really 
looking--they are reaching out to the private sector saying 
what are the best practices. They are reaching out, from what 
they tell us, to other CIOs and the government. So when you 
talk about the need to get the government's house in order, I 
think that is an exemplary piece. And in addition, they have a 
group of people really looking at these policies and really 
looking at these issues. We have never seen that before. So I 
think this is a good time for them to not only build on the 
awareness they launched, I believe it was last spring with the 
SBA to the hygiene program point, but then jump on that for the 
larger enterprises also as an example.
    Mrs. Christensen. Well, Mr. Conner, and this is probably 
what you are referring to at the SBA, but your testimony notes 
that according to the FCC, three out of every four small and 
mid-sized businesses report having been affected by cyber 
attacks. So what is the role of the FCC in preventing the 
attacks or aiding the small business community?
    Mr. Conner. Well, I think increasingly the networks 
underpin all those attacks so you have got the ISPs, you've got 
the carriers themselves and you got the devices attaching to 
it. I think one of the areas that we must remember is, it is 
not always outside where those attack vectors come from, and 
just like organized crime found its way inside organizations, I 
think increasingly we are going to have to look at that as an 
attack vector, and that should be something that the FCC takes 
into consideration as they look at how to deal with it in 
addition to the ISP filtering and the other pieces they use.
    But one thing I would caution, I hear a lot of rhetoric 
around building separate networks, and having lived in a world 
that I am old enough that we had separate networks, I think the 
reliability when things like 9/11 and tsunamis happen, the 
benefit of having multiple networks and the Internet outweigh 
the needs of a protected, isolated network because I don't 
believe in today's world that is a real answer.
    Mrs. Christensen. I don't have any other questions, Mr. 
Chairman. I will yield back the balance of my time.
    Mr. Walden. I thank the gentlelady for yielding.
    I believe Ms. Blackburn is next for questions. Then I will 
go to Mr. Shimkus next.
    Mrs. Blackburn. I will skip.
    Mr. Shimkus. Thank you, Ms. Blackburn, and thanks for the 
panel. Sorry, we have two competing panels, and I apologize for 
not hearing all the testimony.
    Let me go to Mr. Lewis. You mentioned in your written 
testimony the importance of domain-name system security, 
DNSSEC. Could you describe the problem with the current 
implementation of domain-name systems and why DNSSEC is 
important?
    Mr. Lewis. Well, I think what you have heard from all us is 
when the people who designed the Internet designed it as a DOD 
network and then they thought it would grow out a little bit. 
They didn't worry about trust. They didn't worry about 
authentication. Phyllis knew it was her sister at the other 
end, right? When we did this, we didn't have to worry about 
this and so the domain-name system, which is the addressing 
system, is vulnerable to spoofing. It can be manipulated and, I 
think as you have, redirect traffic. So you think as far as you 
can tell on your machine you are going to a legitimate site and 
it could instead be the government of Iran or a Russian cyber 
criminal. You can spoof it. And DNSSEC uses authentication 
technologies largely so that we reduce that ability, really 
almost eliminate it, to impersonate another site.
    Mr. Shimkus. Yes, and I think the challenge with this 
committee is, it is so high tech, so--you know, we are 
laypeople for the most part. It is just very tough for 
laypeople to understand. That is why we have experts like you 
come. A lot of us do understand domain, just the basics, why 
you have a domain. Now ICANN is exploding domain names, and 
with that, should we--and this is one for the whole panel--
should we be working with ICANN to roll out DNSSEC?
    Mr. Conner. I think everybody is already working that. I 
would tell you be aware of newfangled toys. DNSSEC has a 
promise but it also has liabilities today that are equal to the 
liabilities we have today. Will it be there in 5 to 10 years? 
We hope sooner, but it is not there, not even close. I think we 
have got to use the capabilities we have like EBSSL where the 
chrome turns green and you know you are safe, and when someone 
says your identity is who it is, it is, and I think that is 
where I put the focus instead of buying $19 authenticate 
technology to take a responsibility liability for your identity 
and who that is, and if it costs you 500, I mean, that is where 
a bully pulpit starts to make a difference in our technology.
    Mr. Shimkus. Mr. Dix, anyone else want to respond? Anyone 
else? That is fine, because I want to go to a couple other 
things. I also deal with democracy movements in former captive 
nations, eastern Europe, whatever you want to call them, and 
followed the cyber techs in Estonia years ago, the meddling by 
China and Russia and their neighbors and continue to be very 
concerned, although the new technological age is allowing 
democracy movements to get their word out, to communicate, and 
that keeps evolving. But you also see governments like the 
government of Belarus try to clamp down on that and which I 
have also been very concerned about. So that is just a 
statement. I mean, it is just an evolving--it is like a 
competitive market. People want to get information but the bad 
guys want to get around and it moves too fast that we can 
really regulate. I have always said that about this 
subcommittee and the tech community, there has got to be a lot 
of self-interest that gets people to move before they get 
caught.
    Let me just segue real quickly into, I serve on the Energy 
Committee and we go to power plants all the time. I am a big 
proponent of nuclear power. And Mr. Terry's opening statement 
talked about, well, you could be secure if you just had a 
desktop alone and were no longer connected. Now, with WiFi and 
stuff, who knows what folks could end up doing. But the power 
utility system relies so much on data going to RTOs, really 
what they are producing is excitable electrons to get on the 
grid, which, if that was all we had to worry about and had a 
closed system, we would be fairly safe, but it is all the monitoring 
and calculation of the load. What is the solution to the 
utility industry? Does anyone have----
    Mr. Conner. Two thoughts. One is, as I testified earlier, 
that is why you have to start with DOE's elite. Electrical is 
very different than nuclear at the source. We believe you have 
got to start within the power production plant itself. We are 
working with large manufacturers in terms of how do you 
authenticate everything in that power production plant because 
you want to know what parts, whether they are original ones or 
the alternate parts coming in, who they are and where they are 
from. And frankly, that doesn't matter whether they come from 
good or bad sources, just know where they come from and that 
they are there.
    The second thing we then focus on is, who is accessing 
those systems and sharing that information so only the people 
with the right authorization or identity can see it. And then 
the third thing we are working with them is, how that data is 
shared because data, in and of its own, at one location will 
not solve a grid by definition.
    Mr. Lewis. Two other quick points. The idea of a secure 
network, a standalone secure network, just doesn't make any 
sense. People bring their iPhone to work and they plug it in to 
charge, and we have seen that happen twice with allegedly 
isolated air gap networks, so forget it.
    We need to think about securing the industrial control 
systems, the SCADA networks. This is an avenue of attack. It is 
a different kind of network technology. Right now, it is the 
typical thing. When you buy it, the password is ``password'' 
and the user name is ``admin'' and it doesn't take a lot of 
activity for foreign opponents to figure that out. People also 
need to look at how their critical infrastructure connects to 
the Internet. When you talk to nuclear companies, for example, 
they will usually tell you we are not connected. When you do 
the actual survey, what you find is, you know, sure, so we need 
to have some way to bring the industry--some companies do 
great. Others need some help and we need to figure out how to 
do that.
    Ms. Schneck. And one point on that, the good news is, a lot 
of these industrial control systems are the same across sectors 
so if you can get some best practices and some incentives in 
one sector, they will multiply across from the grid to even 
transportation and nuclear in some cases. Authentication is one 
vector. Another is what gets executed. It goes back to the 
instruction. It is a malicious instruction from someone you 
don't want going to execute on a system that talks to something 
that controls physical infrastructure, and that comes from 
working at the component level, making sure that you have 
technology in those components that looks at whatever operating 
system is on that and says only execute these things. This is 
actually pretty simple on these because they only do one job in 
life. They are a component on the SCADA system. It is not 
just--it is not like they are a big server so you can lock down 
what they do.
    Mr. Shimkus. Thank you, Mr. Chairman. Thank you.
    Mr. Walden. Thank you.
    We will now go to Ms. Blackburn for 5 minutes for 
questions.
    Mrs. Blackburn. Thank you, Mr. Chairman, and thank you all 
for being here and for your patience with us.
    I want to say just a couple of things. I think it is so 
important that the industry lead on this. Anything that we do, 
as different members have said today, is going to be passé 
before the ink is dry on whatever it is that we do. As we look 
at the security issues, I think that your guidance is there.
    Another thing. We have spent some time in this committee 
and also in CMT, Commerce, Manufacturing and Trade, looking at 
the issue of privacy and the data security issue, the breach 
notification issue, which is a component of what we have here, 
and quite frankly, I think that most people do not realize the 
vulnerability that exists in their home with the computer that 
is there, and believe you me, I hear about it a lot with my 
district in Tennessee with all the songwriters and entertainers 
and the individuals that are in logistics informatics or 
financial service informatics or health care informatics and 
auto engineers. So the problems are compounding for this every 
day. But as we look at the privacy issue and in my 
conversations with them, let me ask you about Federal 
preemption. And as we look at our standards on breach 
notification, data security, I wonder if you all have any 
thoughts on putting in Federal preemption language and making 
certain that we are working from one standard and the 
importance of that.
    Mr. Clinton. Ms. Blackburn, if I could, we are supportive 
of Federal preemptive notification requirement. I think we have 
47 different ones now. For a multi-state company, it is very, 
very difficult to work on the similar themes that I have been 
hammering on throughout today and generally is that we have to 
understand that it is not a technical problem, it involves 
cost. If we can find a way to reduce cost, we can have good 
standards but we don't have to have multiple good standards. So 
we can lower compliance costs, increase simplification, we will 
have better adherence, we will have better security, better 
privacy and at lower cost, and I think that that ability to cut 
through kind of the government falling all over itself at the 
various levels is critical to getting that done, so I am very 
supportive of that.
    Mrs. Blackburn. OK.
    Mr. Conner. I would second that. I would tell you the 
single largest legislation issue that has brought security from 
being in the Stone Age to today is probably California 1386. 
Why? Because it said if it happens, you have a carrot and a 
stick. If you tried to protect yourself with encryption, you 
are safe, and if you haven't, you are liable for a class-action 
suit. That is singly the shot that was heard around the world, 
at least in the United States. The problem being, as Larry 
said, we have got too many State legislations, a patchwork, so 
that needs to get dealt with because it is an inextricable link 
to cybersecurity in terms of that.
    The second piece I would tell you is the regulation that 
just was passed by the FCC about disclosure is going to have 
just as profound impact. The problem is, it is only public 
companies, and that disclosure is pretty nebulous in terms of 
being meaningful for you as a small business person in 
Knoxville or Nashville or Memphis in terms of what that means 
to you.
    Mrs. Blackburn. OK. Thank you. I will yield back.
    Mr. Walden. The gentlelady yields back, and now I think our 
final questioner is Mr. Bilbray from California. We welcome 
your comments. You are recognized for 5 minutes.
    Mr. Bilbray. Thank you, Mr. Chairman.
    Mr. Conner, do you believe that law enforcement has the 
tools they need to go after cyber criminals as described in 
your testimony?
    Mr. Conner. No, they do not. I have to tell you, if you 
look at the attempts that are being made with DHS and within 
Justice to have the criminal network geared up, I mean, part of 
the problem is, we look at it and there are one-time uses for 
critical events. Well, unless you use it every day, that system 
is never going to be ready. We partnered with Interpol to do 
just that. They have 6,000 agents worldwide, and their issue 
was--because I certainly didn't have the money--Interpol is 
treated like a country now under passport control. We were able 
to put their passport information so it has biometrics. 
Unfortunately, this country doesn't deal with that in its 
passport today. It is first generation digital. The second 
thing it has--and this is all on commercial chips--it has 
software to do logical access so those 6,000 agents if they go 
after a tsunami, they can go on any network, including an 
Internet cafe, and be secure in getting access to that 
information, whether it is mobile, etc., and last but not 
least, physical access to every Interpol office. All that 
technology resides on this little card--this is a real one--
that those 6,000 agents use around the world today as they 
follow crime, hopping jurisdictions that have three different 
standards, three different use cases, that allows them to do 
their job. Why is it important? Because it is what he or she 
has to use every day. To the extent it is not something you use 
every day, it will not be useful at the time of need in some 
event.
    Mr. Bilbray. So basically you are saying we are at a place 
in cyber crime where we were in the 1930s with the bad guys 
running around with Thompson submachine guns and the cops 
carrying .38 revolvers.
    Mr. Conner. Well, and worse than that, we are isolated. We 
are isolated here in the United States with, as my colleague 
said, the most at risk and no ability to interwork on a global 
capability with the good guys to defend that.
    Mr. Bilbray. It is interesting you bring that up because I 
think that most of us here will remember after 9/11 this issue 
of the technology, security, the biometrics, the high-tech 
stuff was one of the top priorities of the 9/11 Commission. We 
passed a thing called the REAL ID bill and now everybody has 
found excuses to keep dragging it on, dragging it on. In fact, 
I think we are even giving grants to States for homeland 
security and States are refusing to implement the 9/11 
recommendations, so we are giving them money and they basically 
say that we want to spend it on other things rather than the 
first priorities. Do you think we may want to revisit that 
whole situation rather than just ignoring the fact that----
    Mr. Conner. Absolutely. I spoke the morning after Bush 
addressed both the House and Senate. That morning after, I was 
with Mr. Bennett and other legislators that were leading this 
effort and spoke at NATO after 9/11 on, we have learned to 
defend air, land and sea, the next frontier is cyber. 
Unfortunately, in those 10 years, we made a lot of progress but 
the bad guys have made more progress and they can jump across 
jurisdictions with no legislative legal barrier.
    Mr. Bilbray. Mr. Chairman, I have to say that this is one 
thing that I think that our committee always referred over to 
Homeland Security but here is a point where we may want to 
talk. This is a place that both sides of the aisle should be 
able to cooperate on. We have got a consensus there. And 
frankly, the bad guys in here, the obstructionists are on both 
sides of the aisle too. So maybe this committee can take a look 
at, you know, how we can go back and revisit that and address 
that issue.
    And I appreciate the fact that you draw the line about--I 
am concerned and I will ask the doctor to jump in here because 
the two at the end brought up two interesting things, that when 
we develop strategies, how to address this. We don't want to 
create a box that gets people to litigate the private sector 
but we also don't want to create a box that allows the bad guys 
to know how far they have to move outside to avoid it, and I 
would solicit both comments. Let us start with the doctor and 
then I will go back of how, you know, can you elaborate again 
how that us creating arbitrary boxes may be utilized by the bad 
guys.
    Ms. Schneck. I think it was said earlier, and even by 
Ranking Member Eshoo, this issue is so vast, this is science, 
that if you start saying you will implement these five things, 
the adversary is always looking at how to get around that. They 
know their target. They know what they want. They spend many 
months and people on finding exactly the intellectual property 
they want. They find the person and the company. They know what 
the person will respond to and they get it.
    It is quite clear that if we say we are going to seal up 
these gateways and these ways, these are the best practices 
that we must follow when it is a regulation, that is where the 
money will go, and after that, the money won't go to anything 
new and different and therefore the adversary then always goes 
outside that and says well, I can get in this way. It is like 
the point to the industrial control system. They say they are 
disconnected but true story after true story finds a little 
modem out the back so the person can watch the game while they 
do the monitoring. There is always a way out in science, and 
what we want to do is instead incentivize. You have a classic 
problem. We are not incentivized to do what is good for the 
greater good. We are incentivized towards our shareholders. So 
instead, if you put that money and that incentive toward 
innovation, we will end up building stronger and better 
technology at many times the speed that the legislation could 
even get through due to the, quote, protection.
    Mr. Conner. Congressman, I think that is a great question. 
I am frankly less concerned about what we say we are doing. Say 
anything you want, by the time you say it, they have already 
figured that out. They are not waiting for us to legislate and 
regulate and figure out the next hole. I think the model is 
very clear. It is joint forces and it is in DOD. We still have 
strong Army, Air Force, Marines, Colonel Garlick, and they act 
on their own. They are highly integrated with their suppliers. 
There is what is publicly available. I served on the Joint 
Forces Advisory Board as a private sector person. There is what 
you do in that that is public and there is what you do that is 
not public, and I think that is how cybersecurity has to be 
treated. There was 10 percent of the money set aside to deal 
with cybersecurity, and no Army, Air Force department could do. 
They had to get their best and brightest in on it and they had 
to share what is public is public and what is not public is 
equally or maybe more important.
    Mr. Bilbray. Thank you, Mr. Chairman.
    Mr. Chairman, they referred to Australia. Being the son of 
an Australian war bride, it reminds me of the story of a 
notorious Australian bushman, a robber named Ned Kelly. Ned 
Kelly was notorious for putting so much armor on so that nobody 
could shoot him, and his armor slowed him down so much that 
they shot him in the back where he wasn't armored, and I think 
that may be very symbolic of the Ned Kelly syndrome, that we 
put on so much armor thinking we are defending and what we do 
is create an opportunity for the bad guys to get around it.
    Thank you. I yield back.
    Mr. Walden. I thank the gentleman and I thank all our 
committee members for letting us have a more freewheeling 
hearing than sometimes we have, but the value of the content we 
got from you all is just unparalleled, and I think my 
colleague, Ms. Eshoo, and I will be reaching out to each of you 
to say come back to us with what really would work. We got a 
lot of that today and our staff has got that. We are going to 
move forward on this. I think there is an opportunity to look 
at device manufacturers, perhaps the phone side, the router 
side, there is an issue on the education side, and so we really 
appreciate what you are doing out there in this fight and your 
input to us so we can try to get it right and solve this 
problem.
    With that----
    Ms. Eshoo. I would say bravo and thank you very much. Every 
member really drew so much from your testimony and the answers 
to our questions have been most, most helpful. Thank you.
    Thank you, Mr. Chairman.
    Mr. Walden. Thank you, and with that, the committee will 
stand adjourned.
    [Whereupon, at 11:56 a.m., the subcommittee was adjourned.]
    [Material submitted for inclusion in the record follows:]

    [GRAPHIC] [TIFF OMITTED] T2628.066 through T2628.168