[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]
DHS CYBERSECURITY: ROLES AND RESPONSIBILITIES TO PROTECT THE NATION'S
CRITICAL INFRASTRUCTURE
=======================================================================
HEARING
before the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED THIRTEENTH CONGRESS
FIRST SESSION
__________
MARCH 13, 2013
__________
Serial No. 113-4
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC] [TIFF OMITTED]
Available via the World Wide Web: http://www.gpo.gov/fdsys/
__________
U.S. GOVERNMENT PRINTING OFFICE
81-458 WASHINGTON : 2013
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC
area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC
20402-0001
COMMITTEE ON HOMELAND SECURITY
Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas Bennie G. Thompson, Mississippi
Peter T. King, New York Loretta Sanchez, California
Mike Rogers, Alabama Sheila Jackson Lee, Texas
Paul C. Broun, Georgia Yvette D. Clarke, New York
Candice S. Miller, Michigan, Vice Brian Higgins, New York
Chair Cedric L. Richmond, Louisiana
Patrick Meehan, Pennsylvania William R. Keating, Massachusetts
Jeff Duncan, South Carolina Ron Barber, Arizona
Tom Marino, Pennsylvania Dondald M. Payne, Jr., New Jersey
Jason Chaffetz, Utah Beto O'Rourke, Texas
Steven M. Palazzo, Mississippi Tulsi Gabbard, Hawaii
Lou Barletta, Pennsylvania Filemon Vela, Texas
Chris Stewart, Utah Steven A. Horsford, Nevada
Keith J. Rothfus, Pennsylvania Eric Swalwell, California
Richard Hudson, North Carolina
Steve Daines, Montana
Susan W. Brooks, Indiana
Scott Perry, Pennsylvania
Greg Hill, Chief of Staff
Michael Geffroy, Deputy Chief of Staff/Chief Counsel
Michael S. Twinchek, Chief Clerk
I. Lanier Avant, Minority Staff Director
C O N T E N T S
----------
Page
STATEMENTS
The Honorable Michael T. McCaul, a Representative in Congress
From the State of Texas, and Chairman, Committee on Homeland
Security:
Oral Statement................................................. 1
Prepared Statement............................................. 3
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Ranking Member, Committee on
Homeland Security:
Oral Statement................................................. 7
Prepared Statement............................................. 9
WITNESSES
Panel I
Ms. Jane Holl Lute, Deputy Secretary, Department of Homeland
Security:
Oral Statement................................................. 10
Prepared Statement............................................. 11
Panel II
Mr. Anish B. Bhimani, Chairman, Financial Services Information
Sharing and Analysis Center:
Oral Statement................................................. 47
Prepared Statement............................................. 49
Mr. Gary W. Hayes, Chief Information Officer, Centerpoint Energy:
Oral Statement................................................. 52
Prepared Statement............................................. 53
Ms. Michelle Richardson, Legislative Counsel, American Civil
Liberties Union:
Oral Statement................................................. 57
Prepared Statement............................................. 58
FOR THE RECORD
The Honorable Michael T. McCaul, a Representative in Congress
From the State of Texas, and Chairman, Committee on Homeland
Security:
Prepared Statement of Dean C. Garfield......................... 44
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Ranking Member, Committee on
Homeland Security:
Letter From Bennie G. Thompson and Yvette D. Clarke............ 8
The Honorable Yvette D. Clarke, a Representative in Congress From
the State of New York:
Article, Best Security Team Gold Winner........................ 41
APPENDIX
Questions From Honorable Susan W. Brooks for Jane Holl Lute...... 71
Questions From Honorable Scott Perry for Jane Holl Lute.......... 72
Question From Honorable Susan W. Brooks for Gary W. Hayes........ 72
DHS CYBERSECURITY: ROLES AND RESPONSIBILITIES TO PROTECT THE NATION'S
CRITICAL INFRASTRUCTURE
----------
Wednesday, March 13, 2013
U.S. House of Representatives,
Committee on Homeland Security,
Washington, DC.
The committee met, pursuant to call, at 10:16 a.m., in Room
311, Cannon House Office Building, Hon. Michael T. McCaul
[Chairman of the committee] presiding.
Present: Representatives McCaul, King, Miller, Meehan,
Duncan, Marino, Chaffetz, Palazzo, Barletta, Stewart, Rothfus,
Hudson, Daines, Brooks, Perry, Thompson, Sanchez, Jackson Lee,
Clarke, Richmond, Keating, Barber, Payne, O'Rourke, Gabbard,
Vela, Horsford, and Swalwell.
Chairman McCaul. The Committee on Homeland Security will
come to order. I appreciate everybody's patience. The Ranking
Member should be here any minute now. The committee is meeting
today to consider the cybersecurity roles and responsibilities
of the Department of Homeland Security. I now recognize myself
for an opening statement.
I would like to first of all thank our witnesses for
testifying today and particularly Deputy Secretary Jane Lute,
who is testifying for the Department here today. I also look
forward to seeing Secretary Napolitano in the coming weeks to
discuss DHS's budget and its plan to maintain operations during
these challenging times.
The chart on the screen depicts the roles of each major
agency protecting our Nation from cyber attacks. This chart was
first presented to me by General Alexander at the NSA. And then
separately by Deputy Secretary Jane Lute over at the NCCIC
facility. The significance of this agreed-upon relationship to
our National security is paramount. Each and every agency
depicted understands their roles and responsibilities, working
in tandem to keep Americans safe.
The purpose of this hearing is to examine the Department of
Homeland Security's role, capabilities, and challenges
concerning cybersecurity. There are many issues facing the
Department. Today's hearing is an opportunity to focus on the
cyber threats facing our homeland and how together we can
defend against them.
Cyber attacks come in all forms. America is the victim of
cyber espionage. Countries steal our military and intelligence
information. There are threats of cyber warfare from terrorists
and economic cyber attacks from Iran and from China. These
countries are stealing our trade secrets and intellectual
property. The most daunting is undoubtedly the cyber threats
against our critical infrastructures.
We know that four nations are conducting reconnaissance on
our utilities, they are penetrating our gas and water systems,
and also our energy grids. If the ability to send a silent
attack through our digital networks falls into our enemy's
hands, this country could be the victim of a devastating
attack.
Yet while threats are imminent, no major cybersecurity
legislation has been enacted since 2002. Imagine months without
power. An attack on our transformers could cripple our power
grids and our economy would follow. This is not science
fiction. It is reality. A report recently released by Mandiant
confirmed China is the source of nearly 90 percent of cyber
attacks against the United States.
Most troubling is that these hackers targeted a company
that provides remote access to more than 60 percent of North
America's oil and gas pipelines. Hackers have also attacked the
servers of our air traffic control system, and just last year
an al-Qaeda operative issued a call for ``electronic jihad''
against the United States comparing our technological
vulnerabilities to that of our security before 9/11.
Iran and Russia are some of the world's worst offenders.
Last December Iranians attacked the state-owned Saudi Aramco
with the goal of stopping Saudi Arabia's oil production.
Additionally this year, Iran conducted multiple denial of
service attacks on major U.S. banks. The slide up there
demonstrates all of the denial of service attacks that have
been conducted. You can see it is truly a global phenomenon. It
is a global threat.
Unlike 9/11, we have seen the warning signs. But now it is
time to act. For us to defend against cyber attacks we must
designate roles for all the key agencies. That is DHS, DOD, and
the Justice Department. Each play a critical role defending our
homeland against cyber threats and none can do it alone.
When DHS was established, the Secretary of DHS was made
responsible for coordinating the overall National effort to
enhance the protection of our critical infrastructure. The
National Infrastructure Protection Plan and the recent
Executive Order, solidified DHS's role as the lead Federal
agency in protecting domestic, critical infrastructure.
Most importantly, the agencies themselves have agreed that
a framework, where DOJ is the lead for investigation, DHS is
the lead for protection, and DOD the lead for defense. This
would allow each department to concentrate on their core
mission with, as General Alexander once said, DHS is the entry
point for working with the industry.
In order to fulfill this role, as a civilian command
center, DHS has been building its partnership with the private
sector and growing its capability as an effective conduit for
threat information sharing. DHS manages a bottom-up network of
entities from local first responders to Nation-wide threat
analysis and emergency response centers like the National
Cybersecurity & Communications Integration Center or the NCCIC.
The Department possesses the ability to provide real-time
information necessary for instant threat detection and to share
emerging threat information to enable industry to act
immediately to safeguard critical infrastructure. Additionally
DHS has a well-developed Privacy Office to protect Americans'
privacy and civil liberties.
While the Department has made great progress, there are
areas for further improvement across the board when dealing
with cyber threats. Legal barriers, regulatory uncertainty, and
a lack of resources remain challenges. Additionally there is
not enough private-sector participation in the programs that
are already in place because they either don't have the
resources, or don't see the value in doing so.
Congress has the ability and the obligation to help fix
these problems. For us to thwart attacks we must build upon the
Executive branch's efforts and work with all stakeholders to
find a consensus necessary to protect this country. As part of
this commitment, the Continuing Resolution recently passed by
the House includes an increase of $282 million for
cybersecurity over fiscal year 2012.
Hearings like the one today will help guide the legislative
process. I have made it clear from the first day as Chairman in
this Congress, that cybersecurity be the highest legislative
priority in this Congress. I look forward to listening to all
the witnesses about what works, what doesn't, and what we can
do to streamline our cyber defenses.
One of the primary lessons from 9/11 is that only by
working together can we detect and deter our enemies. In the
wake of that tragedy, the walls prevented agencies from sharing
threat information which became very apparent. We cannot allow
turf battles to hinder us from developing the defenses
necessary to prevent cyber attacks. The threat is real and this
time we see it coming.
[The statement of Chairman McCaul follows:]
Statement of Chairman Michael T. McCaul
March 13, 2013
I would like to thank all of our witnesses for testifying today.
Deputy Secretary Lute is testifying for the Department but I look
forward to seeing Secretary Napolitano in the coming weeks to discuss
DHS' budget and its plan to maintain operations during these
challenging times.
The chart on the screen depicts the roles of each major agency
protecting our Nation from cyber attacks.
The significance of this agreed-upon relationship to our National
security is paramount. Each and every agency depicted understands their
roles and responsibilities, working in tandem to keep America safe.
The purpose of this hearing is to examine the Department of
Homeland Security's (DHS) role, capabilities, and challenges concerning
cybersecurity. There are many issues facing the Department.
Today's hearing is an opportunity to focus on the cyber threats
facing our homeland and how together, we can defend against them.
Cyber attacks come in all forms. America is the victim of cyber
espionage. Countries steal our military and intelligence information.
There are threats of cyber-warfare from terrorists, and economic cyber
attacks from Iran and China. These countries are stealing our trade
secrets and intellectual property. The most daunting is undoubtedly the
cyber threats against our critical infrastructure.
We know that foreign nations are conducting reconnaissance on our
utilities--they are penetrating our gas and water systems and also our
energy grids--and if the ability to send a silent attack through our
digital networks falls into our enemies' hands, this country could be
the victim of a devastating attack.
Yet while threats are imminent, no major cybersecurity legislation
has been enacted since 2002.
Imagine months without power. An attack on our transformers could
cripple our power grids and our economy would follow. This is not
science fiction; it is reality. A report recently released by Mandiant
confirmed China is the source of nearly 90% of cyber attacks against
the United States. Most troubling is that these hackers targeted a
company that provides remote access to more than 60% of North America's
oil and gas pipelines.
Hackers have also attacked the servers of our Air Traffic Control
System, and just last year, an al-Qaeda operative issued a call for
``electronic jihad'' against the United States--comparing our
technological vulnerabilities to that of our security before 9/11.
Iran and Russia are some of the world's worst offenders. Last
December, Iranians attacked the state-owned Saudi Aramco, with the goal
of stopping Saudi Arabia's oil production. Additionally, this year Iran
conducted multiple denial of service attacks on major U.S. banks.
Unlike 9/11, we have seen the warning signs--now it is time to act.
For us to defend against cyber attacks we must designate roles for all
of the key agencies--DHS, DoD, and the Justice Department. Each play a
crucial role defending our homeland against cyber threats and none can
do it alone.
When DHS was established, the Secretary of DHS was made responsible
for ``coordinating the overall National effort to enhance the
protection of our critical infrastructure.''
The National Infrastructure Protection Plan (NIPP) and the recent
Executive Order solidified DHS' role as the lead Federal agency in
protecting domestic critical infrastructure.
Most importantly, the agencies themselves agree that a framework
where DOJ is the lead for investigation, DHS is the lead for protection
and DoD as the lead for defense would allow each department to
concentrate on their core mission with, as General Alexander once said,
`` . . . DHS as the entry point for working with industry.''
In order to fulfill this role as a civilian command center, DHS has
been building its partnerships with the private sector and growing its
capacity as an effective conduit for threat information sharing. DHS
manages a bottom-up network of entities from local first responders to
Nation-wide threat analysis and emergency response centers like the
National Cybersecurity and Communications Integration Center (NCCIC).
The Department possesses the ability to provide real-time
information necessary for instant threat detection, and to share
emerging threat information to enable industry to act immediately to
safeguard critical infrastructure. Additionally, DHS has a well-
developed Privacy Office to protect Americans' privacy and civil
liberties.
While the Department has made great progress, there are areas for
further improvement across the board when dealing with cyber threats.
Legal barriers, regulatory uncertainty and a lack of resources remain
challenges. Additionally, there is not enough private-sector
participation in the programs that are already in place, because they
either don't have the resources or don't see the value in doing so.
Congress has the ability and the obligation to help fix these
problems. For us to thwart attacks, we must build upon the Executive
branch's efforts and work with all stakeholders to find the consensus
necessary to protect this country. As part of this commitment, the
Continuing Resolution recently passed by the House includes an increase
of $282 million for cybersecurity over fiscal year 2012 levels.
Hearings like the one today will help guide the legislative
process. I look forward to listening to all of our witnesses about what
works, what doesn't, and what we can do to streamline our cyber
defenses.
One of the primary lessons from 9/11 is that only by working
together can we detect and deter our enemies. In the wake of that
tragedy, the walls preventing agencies from sharing threat information
became apparent. We cannot allow turf battles to hinder us from
developing the defenses necessary to prevent cyber attacks. The threat
is real, and this time we see it coming.
Chairman McCaul. With that the Chairman now recognizes the
Ranking Minority Member, Mr. Thompson.
Mr. Thompson. Thank you very much, Mr. Chairman, for
holding this very timely hearing today.
Each week brings new reports of cyber breaches. Hackers are
becoming more sophisticated. They are hitting Americans where
we live, work, and play at an unprecedented rate and in new and
very troubling ways.
Last month, President Obama signed an Executive Order
improving critical infrastructure cybersecurity that directed
the Department of Homeland Security to establish a new
voluntary program for critical infrastructure.
The issuance of this Executive Order is a positive step
forward. It has the potential to foster unprecedented
collaboration between the Federal Government and the private
sector on this very difficult homeland security challenge.
I look forward to hearing from you, Deputy Secretary Lute,
about the Department's central role under this order, as well
as the progress DHS has made in recent years to build its cyber
capabilities.
I am also looking forward to hearing from representatives
of critical infrastructure sectors that are joining us today
about the importance of fostering a close working relationship
between industry and the Federal Government.
At my urging, Ms. Richardson of the American Civil
Liberties Union is here to help us think about how we can
protect that relationship in a way that protects the privacy
and civil liberties of all Americans.
While the issuance of the Executive Order is a welcome
development, it will take legislative action to fully address
cyber threats and vulnerabilities to critical infrastructure.
I appreciate what the Chairman has said about his desire to
focus on cybersecurity this Congress. But as we saw in the
112th Congress, simply wanting to pass cybersecurity
legislation is not sufficient.
Mr. Chairman, I know you share my desire to authorize DHS's
cybersecurity programs and bolster our Nation's ability to ward
off attacks to critical infrastructure. However, I am afraid
that some of our colleagues in the House have not seen the
light.
Hopefully the testimony we receive today will help this
committee make the case for moving cybersecurity legislation to
the House floor. Even as we begin work on our bill, we must not
lose sight of the need to defend, pursue, and exercise our
jurisdiction.
Recently, another committee introduced cyber legislation,
H.R. 624, which is expected to see action on the House floor in
April. That bill, for the first time, would authorize the
Department's National cybersecurity and communications
integrations center, but the Speaker did not refer the bill to
this committee.
Last week, I, along with Ranking Member Clarke, sent you a
letter urging you to insist upon a referral of the bill. Our
Members deserve the opportunity to consider the Cyber
Intelligence Sharing and Protection Act before it goes to the
full House.
With that, Mr. Chairman, I ask unanimous consent that our
letter to you be inserted into the record.
Chairman McCaul. Without objection, so ordered.
[The information follows:]
Letter From Bennie G. Thompson and Yvette D. Clarke
March 5, 2013.
The Honorable Michael T. McCaul,
Chairman, Committee on Homeland Security, H2-176 Ford House Office
Building, U.S. House of Representatives, Washington, DC 20515.
The Honorable Patrick Meehan,
Chairman, Subcommittee on Cybersecurity, Infrastructure Protection, and
Security Technologies, 204 Cannon House Office Building, U.S.
House of Representatives, Washington, DC 20515.
Dear Chairman McCaul and Subcommittee Chairman Meehan: We write
regarding H.R. 624, the ``Cyber Intelligence Sharing and Protection
Act.''
As you are aware, H.R. 624 contains numerous provisions within the
Rule X, clause 1(j) jurisdiction of the Committee on Homeland Security.
Specifically, H.R. 624 contains provisions directing the Department of
Homeland Security's National Cybersecurity and Communications
Integration Center to integrate and disseminate homeland security
information and addressing the Government-wide use of cyber threat
information for cybersecurity or the protection of National security.
Despite these provisions clearly falling within the Committee's
legislative jurisdiction, the Speaker chose not to refer the measure to
the committee upon introduction.
On Friday, March, 1, 2013, the Chairman of the Permanent Select
Committee on Intelligence, Representative Mike Rogers of Michigan, was
quoted as saying that negotiations with the White House on the ``Cyber
Intelligence Sharing and Protection Act'' are underway and that the
parties are ``very close'' to agreeing on the role that the Department
of Homeland Security would play to better defend against cyber
attacks.\1\
---------------------------------------------------------------------------
\1\ ``White House, lawmakers resume cybersecurity bill talks,''
Chicago Tribune at http://articles.chicagotribune.com/2013-03-01/
business/sns-rt-us-usa-cybersecurity-billbre9200w9-
20130301_1_cybersecurity-bill-cyber-attacks-rogers.
---------------------------------------------------------------------------
Given that the provisions under discussion with the White House are
within the committee's jurisdiction, it is troubling to learn that the
leadership of another committee believes it has reached agreement on
the parameters of the Department's cybersecurity role.
Like you, we have strong views about the criticality of
cybersecurity to the welfare of our Nation, the role of the Department
of Homeland Security in that effort, and our committee's obligation to
play a central role in shaping cybersecurity policy. That is why we
firmly believe that the committee should defend, pursue, and exercise
jurisdiction in this area. In light of the Speaker's decision not to
refer H.R. 624 to the committee upon introduction, we urge you to
insist upon a sequential referral of the measure and afford Members of
the committee the opportunity to consider this legislation in an open
mark-up session.
By taking these actions early in the 113th Congress, you will
demonstrate your commitment to vigorously defending this committee's
legislative jurisdiction and protect this committee's position as a
central player in the cybersecurity arena. Additionally, it will afford
the committee, which has conducted extensive oversight and developed
expertise in matters of cybersecurity, an opportunity to debate and
inform the bill.
Thank you, in advance, for your attention to this request. Should
you or your staff have any questions on this matter, please contact Ms.
Rosaline Cohen, Chief Counsel for Legislation of the Committee on
Homeland Security[.]
Sincerely,
Bennie G. Thompson,
Ranking Member.
Yvette D. Clarke,
Ranking Member, Subcommittee on Cybersecurity, Infrastructure
Protection, and Security Technologies.
Mr. Thompson. Before I close, I would note that this
hearing is taking place at a time when the effects of
arbitrary, across-the-board spending cuts are just beginning to
be realized.
I look forward to hearing from you, Deputy Secretary Lute,
about how the sequester and the perpetual uncertainty around
budgeting impacts DHS's ability to plan, prioritize, and
execute its critical cybersecurity mission.
Once again, I would like to thank all of the witnesses for
being here today and I look forward to their testimony. I yield
back.
[The statement of Ranking Member Thompson follows:]
Statement of Ranking Member Bennie G. Thompson
March 13, 2013
Each week brings new reports of cyber breaches. Hackers are
becoming more sophisticated. They are hitting Americans where we live,
work, and play at an unprecedented rate and in new and very troubling
ways.
Last month, President Obama signed an Executive Order entitled
``Improving Critical Infrastructure Cybersecurity'' that directed the
Department of Homeland Security to establish a new voluntary program
for critical infrastructure.
The issuance of this Executive Order is a positive step forward. It
has the potential to foster unprecedented collaboration between the
Federal Government and the private sector on this very difficult
homeland security challenge.
I look forward to hearing from you, Deputy Secretary Lute, about
the Department's central role under this order, as well as the progress
DHS has made in recent years to build its cyber capabilities.
I also look forward to hearing from representatives of critical
infrastructure sectors that are joining us today about the importance
of fostering a close working relationship between industry and Federal
Government.
At my urging, Ms. Richardson of the American Civil Liberties Union
is here to help us think about how we can structure that relationship
in a way that protects the privacy and civil liberties of all
Americans.
While the issuance of the Executive Order is a welcome development,
it will take legislative action to fully address cyber threats and
vulnerabilities to critical infrastructure.
I appreciate what the Chairman has said about his desire to focus
on cybersecurity this Congress, but, as we saw in the 112th Congress,
simply wanting to pass cybersecurity legislation is not sufficient.
Mr. Chairman, I know you share my desire to authorize DHS's
cybersecurity programs and bolster our Nation's ability to ward off
attacks to critical infrastructure.
However, I am afraid that some of our colleagues in the House have
not seen the light.
Hopefully, the testimony we receive today will help this committee
make the case for moving cybersecurity legislation to the House floor.
Even as we begin work on our bill, we must not lose sight of the
need to defend, pursue, and exercise our jurisdiction.
Recently, another committee introduced cyber legislation, H.R. 624,
which is expected to see action in the House in April. That bill, for
the first time, would authorize the Department's ``National
Cybersecurity and Communications Integration Center'' but the Speaker
did not refer it to this committee.
Last week, I, along with the Ranking Member Clarke, sent you a
letter urging you to insist upon a referral of that bill. Our Members
deserve the opportunity to consider the Cyber Intelligence Sharing and
Protection Act before it goes to the full House.
Before I close, I would note that this hearing is taking place at a
time when the effects of arbitrary, across-the-board spending cuts are
just beginning to be realized. I look forward to hearing from you,
Deputy Secretary Lute, about how the sequester and the perpetual
uncertainty around budgeting impacts DHS' ability to plan, prioritize,
and execute its critical cybersecurity mission.
Chairman McCaul. I thank the Ranking Member and I also
share in your commitment to marking up a cyber bill and getting
it on the floor, passed by the House, Senate, and signed into
law by the President.
I would also, again, note that, concerning the budget
resolution, the House actually included an increase of over
$282 million for cybersecurity and I think that is a positive
step forward in this mission.
Other Members are reminded that opening statements may be
submitted for the record. We are pleased to have two panels of
distinguished witnesses.
The first would be the Honorable Jane Lute, deputy
secretary of the Department of Homeland Security. Dr. Lute came
to this position in 2009 with over 30 years of military and
senior executive experience in the United States Government,
including service at the United Nations and the National
Security Council.
The deputy's full written statement will appear in the
record. The Chairman now recognizes Deputy Secretary Lute for 5
minutes for an opening statement.
STATEMENT OF HON. JANE HOLL LUTE, DEPUTY SECRETARY, DEPARTMENT
OF HOMELAND SECURITY
Ms. Lute [continuing]. Ensuring the Nation's cybersecurity
is an integral part of the DHS mission, which is to help create
a safe, secure, resilient place where the American way of life
can thrive.
Four years ago, in the QHSR, the Quadrennial Homeland
Security Review commissioned by Congress, we called out five
essential missions in order to perform our role: Preventing
terrorism, securing our borders, administering and enforcing
our immigration laws, building National resilience, and
ensuring the Nation's cybersecurity.
Cyberspace has become the very endoskeleton of modern life,
and while this connectivity has led to transformations and
advances around the world, it has also increased our shared
risk.
DHS is responsible for securing unclassified, Federal
civilian agency networks and for working with owners and
operators of critical infrastructure to help them secure their
networks. We coordinate the National response to significant
cyber-incidents and create and maintain a common operational
picture for cyberspace across the Government.
On a minute-by-minute basis, 24 by 7, our cyber teams
confront the dangerous combination--excuse me--of known and
unknown cyber vulnerabilities and adversaries across the globe
with strong and expanding capabilities.
We face denial-of-service attacks, the theft of valuable
trade secrets, intrusions against Government networks, and
attempts against the systems that control critical
infrastructure.
To protect Federal networks, DHS deploys technology to
detect and block cyber intrusions, develop continuous
diagnostics and mitigation for agency systems and provide
guidance to agencies so that they can protect themselves.
We also work closely with owners and operators of critical
infrastructure to strengthen their facilities by sharing risk
and threat information through on-site risk assessment,
mitigation, and incident response.
DHS is home to the National Cybersecurity & Communications
Integration Center, the NCCIC, which many of you have seen, our
'round-the-clock cyber situational awareness and incident
response hub.
Over the past 4 years, the NCCIC has responded to nearly
half-a-million incidents and released more than 26,000
actionable cybersecurity alerts to public and private-sector
partners.
Last year, our U.S. Computer Emergency Readiness Team, US-
CERT, resolved approximately 190,000 cyber incidents and issued
7,500 alerts, a 68 percent increase over 2011. Our Industrial
Control Systems Cyber Emergency Response Team responded to 177
incidents, while completing 89 site visits and deploying 15
teams to respond to significant private-sector incidents.
We partnered closely with the Departments of Justice and
Defense to ensure, as the Chairman said, that a call to one is
a call to all, mobilizing all of the resources of the Federal
Government in partnership to prevent and respond, when
necessary, rapidly to cyber incidents.
While each agency operates within the parameters of its
authorities, our overall Federal response to cyber incidents of
consequence is coordinated among the three of us. This
synchronization ensures that all of our capabilities are
brought to bear against cyber threats.
But while our accomplishments our significant, we need the
help of Congress, by enacting a suite of comprehensive
cybersecurity legislative measures. In the interim, last month
the President took the executive action within current
authorities and established the Executive Order.
This Executive Order on improving critical infrastructure
cybersecurity supports enhanced sharing of cyber threat
information with the private sector. It also directs DHS to
develop a voluntary program to promote the adoption of a
cybersecurity framework for critical infrastructure and to
assist the private sector in its implementation.
At the same time, a policy directive on critical
infrastructure security and resilience strengthens our ability
to share information about how critical infrastructure systems
are functioning and the consequence of failures.
These documents reflect input from stakeholders of all
viewpoints across Government, industry, and the advocacy
community. They include rigorous protections for individual
privacy and civil liberties.
Mr. Chairman, the American people expect us to secure the
country from the growing threats posed in cyberspace and to
ensure that the critical infrastructure of this country is
protected. We look forward to working with this committee and
with Congress to ensure that we continue to do everything
possible to keep the Nation safe and secure.
Thank you very much.
[The prepared statement of Ms. Lute follows:]
Prepared Statement of Jane Holl Lute
March 13, 2013
Chairman McCaul, Ranking Member Thompson, and Members of the
committee: I am pleased to join you today, and I thank the committee
for your strong support for the Department of Homeland Security (DHS)
over the past 4 years and, indeed, since the Department's founding 10
years ago.
I can think of no more urgent and important topic in today's
interconnected world than cybersecurity, and I appreciate the
opportunity to explain the Department's mission in this space and how
we continue to improve cybersecurity for the American people as well as
work to safeguard the Nation's critical infrastructure and protect the
Federal Government's networks.
current threat landscape
Cyberspace is woven into the fabric of our daily lives. According
to recent estimates, this global network of networks encompasses more
than 2 billion people with at least 12 billion computers and devices,
including global positioning systems, mobile phones, satellites, data
routers, ordinary desktop computers, and industrial control computers
that run power plants, water systems, and more.
While this increased connectivity has led to significant
transformations and advances across our country--and around the world--
it also has increased the importance and complexity of our shared risk.
Our daily life, economic vitality, and National security depend on
cyberspace. A vast array of interdependent IT networks, systems,
services, and resources are critical to communication, travel, powering
our homes, running our economy, and obtaining Government services. No
country, industry, community, or individual is immune to cyber risks.
The word ``cybersecurity'' itself encompasses protection against a
broad range of malicious activity, from denial-of-service attacks, to
theft of valuable trade secrets, to intrusions against Government
networks and systems that control our critical infrastructure.
The United States confronts a dangerous combination of known and
unknown vulnerabilities in cyberspace and strong and rapidly expanding
adversary capabilities. Cyber crime has also increased significantly
over the last decade. Sensitive information is routinely stolen from
both Government and private-sector networks, undermining the integrity
of the data contained within these systems. We currently see malicious
cyber activity from foreign nations engaged in espionage and
information warfare, terrorists, organized crime, and insiders. Their
methods range from distributed denial-of-service (DDoS) attacks and
social engineering to viruses and other malware introduced through
thumb drives, supply chain exploitation, and leveraging trusted
insiders' access.
We have seen motivations for attacks vary from espionage by foreign
intelligence services to criminals seeking financial gain and hackers
who may seek bragging rights in the hacker community. Industrial
control systems are also targeted by a variety of malicious actors who
are usually intent on damaging equipment and facilities or stealing
data. Foreign actors are also targeting intellectual property with the
goal of stealing trade secrets or other sensitive corporate data from
U.S. companies in order to gain an unfair competitive advantage in the
global market.
Cyber attacks and intrusions can have very real consequences in the
physical world. Last year, DHS identified a campaign of cyber
intrusions targeting natural gas and pipeline companies that was highly
targeted, tightly focused and well crafted. Stolen information could
provide an attacker with sensitive knowledge about industrial control
systems, including information that could allow for unauthorized
operation of the systems. As the President has said, we know that our
adversaries are seeking to sabotage our power grid, our financial
institutions, and our air traffic control systems. These intrusions and
attacks are coming all the time and they are coming from different
sources and take different forms, all the while increasing in
seriousness and sophistication.
The U.S. Government has worked closely with the private sector
during the recent series of denial-of-service incidents. We have
provided classified cyber threat briefings and technical assistance to
help banks improve their defensive capabilities and we have increased
sharing and coordination among the various Government elements in this
area. These developments reinforce the need for Government, industry,
and individuals to reduce the ability for malicious actors to establish
and maintain capabilities to carry out such efforts.
In addition to these sophisticated attacks and intrusions, we also
face a range of traditional crimes that are now perpetrated through
cyber networks. These include child pornography and exploitation, as
well as banking and financial fraud, all of which pose severe economic
and human consequences. For example, in March 2012, the U.S. Secret
Service (USSS) worked with U.S. Immigration and Customs Enforcement
(ICE) to arrest nearly 20 individuals in its ``Operation Open Market,''
which seeks to combat transnational organized crime, including the
buying and selling of stolen personal and financial information through
on-line forums. As Americans become more reliant on modern technology,
we also become more vulnerable to cyber exploits such as corporate
security breaches, social media fraud, and spear phishing, which
targets employees through emails that appear to be from colleagues
within their own organizations, allowing cyber criminals to steal
information.
Cybersecurity is a shared responsibility, and each of us has a role
to play. Emerging cyber threats require the engagement of our entire
society--from Government and law enforcement to the private sector and,
most importantly, members of the public. The key question, then, is how
do we address this problem? This is not an easy question because
cybersecurity requires a layered approach. The success of our efforts
to reduce cybersecurity risks depends on effective identification of
cyber threats and vulnerabilities, analysis, and enhanced information
sharing between departments and agencies from all levels of government,
the private sector, international entities, and the American public.
roles, responsibilities, activities
DHS is committed to ensuring cyberspace is supported by a secure
and resilient infrastructure that enables open communication,
innovation, and prosperity while protecting privacy, confidentiality,
and civil rights and civil liberties by design.
Securing Federal Civilian Government Networks
DHS has operational responsibilities for securing unclassified
Federal civilian government networks and working with owners and
operators of critical infrastructure to secure their networks through
cyber threat analysis, risk assessment, mitigation, and incident
response capabilities. We also are responsible for coordinating the
National response to significant cyber incidents and for creating and
maintaining a common operational picture for cyberspace across the
Government.
DHS directly supports Federal civilian departments and agencies in
developing capabilities that will improve their cybersecurity posture
in accordance with the Federal Information Security Management Act
(FISMA). To protect Federal civilian agency networks, our National
Protection and Programs Directorate (NPPD) is deploying technology to
detect and block intrusions through the National Cybersecurity
Protection System and its EINSTEIN protective capabilities, while
providing guidance on what agencies need to do to protect themselves
and measuring implementation of those efforts.
NPPD is also developing a Continuous Monitoring as a Service
capability, which will result in an array of sensors that feed data
about an agency's cybersecurity risk and present those risks in an
automated and continuously-updated dashboard visible to technical
workers and managers to enhance agencies' ability to see and counteract
day-to-day cyber threats. This capability will support compliance with
administration policy, be consistent with guidelines set forth by the
National Institute of Standards and Technology (NIST), and enable
Federal agencies to move from compliance-driven risk management to
data-driven risk management. These activities will provide
organizations with information necessary to support risk response
decisions, security status information, and on-going insight into
effectiveness of security controls.
Protecting Critical Infrastructure
Critical infrastructure is the backbone of our country's National
and economic security. It includes power plants, chemical facilities,
communications networks, bridges, highways, and stadiums, as well as
the Federal buildings where millions of Americans work and visit each
day. DHS coordinates the National protection, prevention, mitigation,
and recovery from cyber incidents and works regularly with business
owners and operators to take steps to strengthen their facilities and
communities. The Department also conducts on-site risk assessments of
critical infrastructure and shares risk and threat information with
State, local, and private-sector partners.
Protecting critical infrastructure against growing and evolving
cyber threats requires a layered approach. DHS actively collaborates
with public and private sector partners every day to improve the
security and resilience of critical infrastructure while responding to
and mitigating the impacts of attempted disruptions to the Nation's
critical cyber and communications networks and to reduce adverse
impacts on critical network systems.
DHS enhances situational awareness among stakeholders, including
those at the State and local level, as well as industrial control
system owners and operators, by providing critical cyber threat,
vulnerability, and mitigation data, including through Information
Sharing and Analysis Centers, which are cybersecurity resources for
critical infrastructure sectors. DHS is also home to the National
Cybersecurity & Communications Integration Center (NCCIC), a 24�7 cyber
situational awareness, incident response, and management center that is
a National nexus of cyber and communications integration for the
Federal Government, intelligence community, and law enforcement.
Responding to Cyber Threats
DHS is responsible for coordinating the Federal Government response
to significant cyber or physical incidents affecting critical
infrastructure. Since 2009, the NCCIC has responded to nearly half a
million incident reports and released more than 26,000 actionable
cybersecurity alerts to our public and private-sector partners. The DHS
Office of Intelligence and Analysis is a key partner in NCCIC
activities, providing tailored all-source cyber threat intelligence and
warning to NCCIC components and public and private critical
infrastructure stakeholders to prioritize risk analysis and mitigation.
An integral player within the NCCIC, the U.S. Computer Emergency
Readiness Team (US-CERT) also provides response support and defense
against cyber attacks for Federal civilian agency networks as well as
private-sector partners upon request. US-CERT collaborates and shares
information with State and local government, industry, and
international partners, consistent with rigorous privacy,
confidentiality, and civil liberties guidelines, to address cyber
threats and develop effective security responses. In 2012, US-CERT
processed approximately 190,000 cyber incidents involving Federal
agencies, critical infrastructure, and our industry partners. This
represents a 68 percent increase from 2011. In addition, US-CERT issued
over 7,455 actionable cyber-alerts in 2012 that were used by private-
sector and Government agencies to protect their systems, and had over
6,400 partners subscribe to the US-CERT portal to engage in information
sharing and receive cyber threat warning information.
The Department's Industrial Control Systems Cyber Emergency
Response Team (ICS-CERT) also responded to 177 incidents last year
while completing 89 site assistance visits and deploying 15 teams with
US-CERT to respond to significant private-sector cyber incidents. DHS
also empowers owners and operators through a cyber self-evaluation
tool, which was used by over 1,000 companies last year, as well as in-
person and on-line training sessions.
Successful response to dynamic cyber threats requires leveraging
homeland security, law enforcement, and military authorities and
capabilities, which respectively promote domestic preparedness,
criminal deterrence and investigation, and National defense. DHS, the
Department of Justice (DOJ), and the Department of Defense (DOD) each
play a key role in responding to cybersecurity incidents that pose a
risk to the United States. In addition to the aforementioned
responsibilities of our Department, DOJ is the lead Federal department
responsible for the investigation, attribution, disruption, and
prosecution of domestic cybersecurity incidents while DOD is
responsible for securing National security and military systems as well
as gathering foreign cyber threat information and defending the Nation
from attacks in cyberspace. DHS supports our partners in many ways. For
example, the United States Coast Guard as an Armed Force has partnered
with U.S. Cyber Command and U.S. Strategic Command to conduct military
cyberspace operations.
While each agency operates within the parameters of its
authorities, the U.S. Government's response to cyber incidents of
consequence is coordinated among these three agencies such that ``a
call to one is a call to all.'' Synchronization among DHS, DOJ, and DOD
not only ensures that whole-of-Government capabilities are brought to
bear against cyber threats, but also improves Government's ability to
share timely and actionable cybersecurity information among a variety
of partners, including the private sector.
Combating Cyber Crime
DHS employs more law enforcement agents than any other Department
in the Federal Government and has personnel stationed in every State
and in more than 75 countries around the world. To combat cyber crime,
DHS relies upon the skills and resources of the USSS and ICE and works
in cooperation with partner organizations to investigate cyber
criminals. Since 2009, DHS has prevented $10 billion in potential
losses through cyber crime investigations and arrested more than 5,000
individuals for their participation in cyber crime activities.
The Department leverages the 31 USSS Electronic Crimes Task Forces
(ECTF), which combine the resources of academia, the private sector,
and local, State, and Federal law enforcement agencies to combat
computer-based threats to our financial payment systems and critical
infrastructure. A recently executed partnership between ICE Homeland
Security Investigations and USSS demonstrates the Department's
commitment to leveraging capability and finding efficiencies. Both
organizations will expand participation in the existing ECTFs. In
addition to strengthening each agency's cyber investigative
capabilities, this partnership will produce benefits with respect to
the procurement of computer forensic hardware, software licensing, and
training that each agency requires. The Department is also a partner in
the National Cyber Investigative Joint Task Force, which serves as a
collaborative entity that fosters information sharing across the
interagency.
We work with a variety of international partners to combat cyber
crime. For example, through the U.S.-E.U. Working Group on
Cybersecurity and Cybercrime, which was established in 2010, we develop
collaborative approaches to a wide range of cybersecurity and cyber
crime issues. In 2011, DHS participated in the Cyber Atlantic tabletop
exercise, a U.S.-E.U. effort to enhance international collaboration of
incident management and response, and in 2012, DHS and the European
Union signed a joint statement that advances transatlantic efforts to
enhance on-line safety for children. ICE also works with international
partners to seize and destroy counterfeit goods and disrupt websites
that sell these goods. Since 2010, ICE and its partners have seized
over 2,000 domain names associated with businesses selling counterfeit
goods over the internet. To further these efforts, the administration
issued its Strategy on Mitigating the Theft of U.S. Trade Secrets last
month. DHS will act vigorously to support the Strategy's efforts to
combat the theft of U.S. trade secrets--especially in cases where trade
secrets are targeted through illicit cyber activity by criminal
hackers.
In addition, the National Computer Forensic Institute has trained
more than 1,000 State and local law enforcement officers since 2009 to
conduct network intrusion and electronic crimes investigations and
forensic functions. Several hundred prosecutors and judges as well as
representatives from the private sector have also received training on
the impact of network intrusion incident response, electronic crimes
investigations, and computer forensics examinations.
Building Partnerships
DHS serves as the focal point for the Government's cybersecurity
outreach and awareness efforts. Raising the cyber education and
awareness of the general public creates a more secure environment in
which the private or financial information of individuals is better
protected. For example, the Multi-State Information Sharing and
Analysis Center (MS-ISAC) opened its Cyber Security Operations Center
in November 2010, which has enhanced NCCIC situational awareness at the
State and local government level and allows the Federal Government to
quickly and efficiently provide critical cyber threat, risk,
vulnerability, and mitigation data to State and local governments. MS-
ISAC has since grown to include all 50 States, three U.S. territories,
the District of Columbia, and more than 200 local governments.
The Department also has established close working relationships
with industry through partnerships like the Protected Critical
Infrastructure Information (PCII) Program, which enhances voluntary
information sharing between infrastructure owners and operators and the
Government. The Cyber Information Sharing and Collaboration Program
established a systematic approach to cyber threat information sharing
and collaboration between critical infrastructure owners and operators
across the various sectors. And, in 2010, we launched a National
campaign called ``Stop.Think.Connect'' to spread public awareness about
how to keep our cyber networks safe.
In addition, DHS works closely with international partners to
enhance information sharing, increase situational awareness, improve
incident response capabilities, and coordinate strategic policy issues
in support of the administration's International Strategy for
Cyberspace. For example, the Department has fostered international
partnerships in support of capacity building for cybersecurity through
agreements with Computer Emergency Response and Readiness Teams as well
as the DHS Science & Technology Directorate (S&T). Since 2009, DHS has
established partnerships with Australia, Canada, Egypt, India, Israel,
the Netherlands, and Sweden.
Fostering Innovation
The Federal Government relies on a variety of stakeholders to
pursue effective research and development projects that address
increasingly sophisticated cyber threats. This includes research and
development activities by the academic and scientific communities to
develop capabilities that protect citizens by enhancing the resilience,
security, integrity, and accessibility of information systems used by
the private sector and other critical infrastructure. DHS supports
Centers of Academic Excellence around the country to cultivate a
growing number of professionals with expertise in various disciplines,
including cybersecurity.
DHS S&T is leading efforts to develop and deploy more secure
internet protocols that protect consumers and industry internet users.
We continue to support leap-ahead research and development, targeting
revolutionary techniques and capabilities that can be deployed over the
next decade with the potential to redefine the state of cybersecurity
in response to the Comprehensive National Cybersecurity Initiative. For
example, DHS was a leader in the development of protocols at the
Internet Engineering Task Force called Domain Name System Security (DNS
SEC) Extensions. DNS SEC is necessary to protect internet users from
being covertly redirected to malicious websites and helps prevent
theft, fraud, and abuse on-line by blocking bogus page elements and
flagging pages whose Domain Name System (DNS) identity has been
hijacked. S&T is also driving improvements through a Transition to
Practice Program as well as liability and risk management protections
provided by the Support Anti-Terrorism by Fostering Effective
Technology (SAFETY) Act that promote cybersecurity technologies and
encourage their transition into successful use.
Growing and Strengthening our Cyber Workforce
We know it only takes a single infected computer to potentially
infect thousands and perhaps millions of others. But at the end of the
day, cybersecurity is ultimately about people. The most impressive and
sophisticated technology is worthless if it's not operated and
maintained by informed and conscientious users.
To help us achieve our mission, we have created a number of
competitive scholarship, fellowship, and internship programs to attract
top talent. We are growing our world-class cybersecurity workforce by
creating and implementing standards of performance, building and
leveraging a cybersecurity talent pipeline with secondary and post-
secondary institutions Nation-wide, and institutionalizing an
effective, on-going capability for strategic management of the
Department's cybersecurity workforce. Congress can support this effort
by pursuing legislation that provides DHS with the hiring and pay
flexibilities we need to secure Federal civilian networks, protect
critical infrastructure, respond to cyber threats, and combat cyber
crime.
recent executive actions
As discussed above, America's National security and economic
prosperity are increasingly dependent upon the cybersecurity of
critical infrastructure. With today's physical and cyber infrastructure
growing more inextricably linked, critical infrastructure and emergency
response functions are inseparable from the information technology
systems that support them. The Government's role in this effort is to
share information and encourage enhanced security and resilience, while
identifying and addressing gaps not filled by the marketplace.
Last month, President Obama issued Executive Order 13636 on
Improving Critical Infrastructure Cybersecurity as well as Presidential
Policy Directive 21 on Critical Infrastructure Security and Resilience,
which will strengthen the security and resilience of critical
infrastructure through an updated and overarching National framework
that acknowledges the increased role of cybersecurity in securing
physical assets.
DHS Responsibilities
The President's actions mark an important milestone in the
Department's on-going efforts to coordinate the National response to
significant cyber incidents while enhancing the efficiency and
effectiveness of our work to strengthen the security and resilience of
critical infrastructure. The Executive Order supports more efficient
sharing of cyber threat information with the private sector and directs
NIST to develop a Cybersecurity Framework to identify and implement
better security practices among critical infrastructure sectors. The
Executive Order directs DHS to establish a voluntary program to promote
the adoption of the Cybersecurity Framework in conjunction with Sector-
Specific Agencies and to work with industry to assist companies in
implementing the framework.
The Executive Order also expands the voluntary DHS Enhanced
Cybersecurity Service program, which promotes cyber threat information
sharing between Government and the private sector. This engagement
helps critical infrastructure entities protect themselves against cyber
threats to the systems upon which so many Americans rely. This program
is a good example of information sharing with confidentiality, privacy,
and civil liberties protections built into its structure. DHS will
share with appropriately-cleared private-sector cybersecurity providers
the same threat indicators that we rely on to protect the .gov domain.
Those providers will then be free to contract with critical
infrastructure entities and provide cybersecurity services comparable
to those provided to the U.S. Government.
Through the Executive Order, the President also directed agencies
to incorporate privacy, confidentiality, and civil liberties
protections. It specifically instructs DHS to issue a public report on
activities related to implementation, which would therefore enhance the
existing privacy policy, compliance, and oversight programs of DHS and
the other agencies.
In addition, the Presidential Policy Directive directs the
Executive branch to strengthen our capability to understand and
efficiently share information about how well critical infrastructure
systems are functioning and the consequences of potential failures. It
also calls for a comprehensive research and development plan for
critical infrastructure to guide the Government's effort to enhance
market-based innovation.
Because the vast majority of U.S. critical infrastructure is owned
and operated by private companies, reducing the risk to these vital
systems requires a strong partnership between Government and industry.
There is also a role for State, local, Tribal, and territorial
governments who own a significant portion of the Nation's critical
infrastructure. In developing these documents, the administration
sought input from stakeholders of all viewpoints in industry,
Government, and the advocacy community.
Their input has been vital in crafting an order that incorporates
the best ideas and lessons learned from public and private-sector
efforts while ensuring that our information sharing incorporates
rigorous protections for individual privacy, confidentiality, and civil
liberties. Indeed, as we perform all of our cyber-related work, we are
mindful of the need to protect privacy, confidentiality, and civil
liberties. The Department has implemented strong privacy and civil
rights and civil liberties standards into all its cybersecurity
programs and initiatives from the outset. To accomplish the integrated
implementation of these two directives, DHS has established an
Interagency Task Force made up of representatives from across all
levels of government.
continuing need for legislation
It is important to note that the Executive Order directs Federal
agencies to work within current authorities and increase voluntary
cooperation with the private sector to provide better protection for
computer systems critical to our National and economic security. It
does not grant new regulatory authority or establish additional
incentives for participation in a voluntary program. We continue to
believe that a suite of legislation is necessary to implement the full
range of steps needed to build a strong public-private partnership, and
we will continue to work with Congress to achieve this.
The administration's legislative priorities for the 113th Congress
build upon the President's 2011 Cybersecurity Legislative Proposal and
take into account 2 years of public and Congressional discourse about
how best to improve the Nation's cybersecurity. Congress should enact
legislation to incorporate privacy, confidentiality, and civil
liberties safeguards into all aspects of cybersecurity; strengthen our
critical infrastructure's cybersecurity by further increasing
information sharing and promoting the establishment and adoption of
standards for critical infrastructure; give law enforcement additional
tools to fight crime in the digital age; and create a National Data
Breach Reporting requirement.
conclusion
The American people expect us to secure the country from the
growing danger of cyber threats and ensure the Nation's critical
infrastructure is protected. The threats to our cybersecurity are real,
they are serious, and they are urgent.
I look forward to working with this committee and the Congress to
ensure we continue to take every step necessary to protect cyber space,
in partnership with government at all levels, the private sector, and
the American people, and continue to build greater resiliency into
critical cyber networks and systems.
I appreciate this committee's guidance and support as together we
work to keep our Nation safe. Thank you, again, for the attention you
are giving to this urgent matter.
Chairman McCaul. I thank the Secretary and I now recognize
myself for 5 minutes for questions.
Let me say first, Dr. Lute, how much I enjoyed visiting the
NCCIC and our conversation out there and our visit. I would
encourage all Members to the extent you haven't been out there
to the cyber command center at DHS that you do so.
I think it is a very valuable experience as we move forward
towards marking up a bill and getting it on the House floor. I
think the Member education process is extremely important in
moving forward to protecting the Nation from this very
dangerous threat.
You know, we hear every day about attacks from China, the
Mandiant report, or military systems, Russia, very
sophisticated, Iran--one of the latest ones was particularly
disturbing when you hear about a rogue nation like Iran hacking
into Aramco's computer systems, 30,000 computers--hard drives
erased.
At the same time, a simultaneous attack against our major
financial sector. We will hear from the financial sector in the
second panel. In fact, JPMorgan was a victim just yesterday.
This is a serious concern. An attack like the one on Aramco
and our financial sector could have been extremely chaotic and
cause major disruption and destruction.
I wanted to say, in the limited time I have, I am very
impressed that, in spite of Congress's failure to act, that
you, that the Secretary, that General Alexander with the NSA
and Director Mueller with the FBI have come together to
actually reach out in a workable arrangement and as I think we
look forward to crating legislation, this is a model that I
think it provides a good first step in terms of what kind of
legislation we are going to mark up on this committee.
I know you referred to threat information almost like a
phonebook, you said the Manhattan phonebook, I know you are
from New York. But a piece of it in NSA's domain, a piece of it
within DHS, you know NSA's more foreign classified threat, DHS
threat information, FBI. But what we don't really fail to
realize is that majority of this threat information actually
resides in the private sector with the critical infrastructures
out there.
So I think the goal is how do we create a safe harbor, if
you will, where all of these entities can come together and
share this threat information in real time, so we can protect
not only the interest of the Federal Government but also the
critical infrastructures that are out there.
I know you and I talked about the idea of having
representatives from the ISAC's, the Information Sharing
Analysis Centers, as a full participant on the NCCIC and
forward, I think that will be a--certainly a worthwhile goal to
pursue.
So with that, let me just turn it over to you in the little
bit of time I have and maybe explain this model, how y'all came
up with it and how you see the NCCIC moving forward?
Ms. Lute. Thank you, Mr. Chairman.
I would say the model derived out of Secretary Napolitano's
conviction along with Director Mueller and General Alexander,
that we needed to pool our strengths in order to share the
burden that is being posed to the American public by threats in
cybersecurity.
We call there when they meet, we call it the TROIKA and
they come together and they speak in very plain terms about how
we can operationalize the need to respond to these threats. We
can do it by bringing our authorities and our capabilities
that, as you see in this chart, are distributed among the three
agencies.
You mentioned the analogy of the Manhattan phonebook, and
it is true. If you think about the old-fashioned Manhattan
phonebook, for those of us who remember it, it was a pretty
thick thing.
The government has Q, think of it as that way, and all the
rest of the threat information exists out there in the private
sector and we need to find ways to share this information in
real time. Now that will require better automation, better
technology, smarter networks, smarter machines, but also that
users, enterprises, and organizations get more savvy as well.
There is a famous saying making the rounds, that there are
two kinds of companies in the United States, in the world
perhaps, those that have been hacked and those that know they
have been hacked.
The status quo is simply unacceptable and the Government is
not standing still in the face of that. Our job is to protect
society from threats as they emerge. There are threats in
cyberspace and we need to mobilize to act. But we need to do it
mindful of the role of the private sector. Most of the critical
infrastructure is in private-sector hands and we operate on the
basis of, or the principle of, nothing about you without you.
So sit down with us and let's walk through how we can again,
pool all of our strengths to share these burdens.
So of it, as you said, Mr. Chairman will result in greater
representation on the NCCIC floor, greater information sharing,
greater transparency, but the time to act is now.
Chairman McCaul. I certainly agree and I think, you know,
we have conducted and I may say, Chairman Pat Meehan of the
Cybersecurity Subcommittee has done an outstanding job setting
up listening posts, listening to the private sector. We--our
philosophy is our bill, we will have buy-in from the
stakeholders.
We will have feedback from the private sector about what
works and what doesn't work. We believe that our relationship
should be a shared relationship with the infrastructures, with
the industry rather than a forced one, which I think doesn't
work as well, and less proscriptive because it is an ever-
evolving area where the law can be quickly behind events.
So, it needs to be agile, it needs to be flexible. The one
issue I have heard--now some sectors work very well at DHS like
we will hear from the finance sector, of course the oil and gas
sector. Others say that they want more participation.
How can you improve, I think DHS and the NCCIC
effectiveness, capability, and participation with the private
sector, who I believe is really the true partner here?
Ms. Lute. Thank you, Mr. Chairman.
There are partners that they are true partners, but
equally, so are the other partners in the other agencies in the
Federal Government, the sector lead agencies that work every
day with elements of the critical infrastructure of this
country across the 16 sectors of critical infrastructure.
We have prepared and handed out to all of our counterpart
agencies and to all of the governors a checklist for
understanding the problem posed by cybersecurity. What they
should be asking in their organizations, how they should work
with their partners in the private sector. We are prepared to
bring our expertise together with theirs in these various
sectors.
Some sectors are ahead of others, the defense sector for
example, IT, telecom, finance as you will hear from. Others are
mobilizing and increasingly becoming aware and taking action
and we are prepared to support all of those efforts.
Chairman McCaul. Yes, the tour I got in the NCCIC, I saw
the operations in progress. I know that NSA just did a little
sort of pilot program with you where they did share more
sensitive information through the civilian portal known as DHS
and I think the results were actually quite good and I think
the feedback was very positive about the efforts.
I think the civilian interface is important and it is
important to a lot of privacy groups I know as well. I know
General Alexander actually endorsed that idea that DHS provide
that civilian interface to the private sector.
So with the 9 seconds I have, I look forward to working
with you, I look forward to working with this committee on
drafting important legislation and finally getting this thing
done. It has been long overdue. I have been working on this
issue for quite some time and I finally feel that the time is
right now for the Congress to act for us to get something done
and we are working with our Senate counterparts, which is
something you didn't see last Congress.
I believe that, you know, Michael Daniel in the White House
has been very open and it is something that I think is
something that is too important from a National security
standpoint to play politics with. It is something we need to
get out of this committee, out of the Senate, and signed into
law by the President.
So with that, I will now recognize the Ranking Member.
Mr. Thompson. Thank you very much, Mr. Chairman.
I look forward to working with you on this committee with
respect to our jurisdiction to make sure that we have our
opportunity to put the Homeland Security's stamp on whatever
goes to the floor.
That being said, Dr. Lute, good seeing you again. We have
been missing each other for a while.
President Bush and President Obama both have indicated
through various statements and Executive Orders that
cybersecurity has to be a priority. With the latest Executive
Order from President Obama, can you tell this committee if that
Executive Order is satisfactory enough or would you encourage
this committee to take on legislation relative to
cybersecurity?
Ms. Lute. Thank you, thanks very much. Good to see you
also.
The Executive Order--through the Executive Order, the
President has acted within his authorities to direct us to
undertake a number of aggressive measures to improve the status
quo. We think legislation is still necessary.
We need to enhance information sharing, create incentives
for that, incorporate privacy, civil rights, civil liberties,
assurances, and safeguards into all aspects of cybersecurity
and adopt a framework for cybersecurity standards.
We think Congress has an important role to play, also in
affirmatively establishing the positive authority of DHS to
protect dot-gov and to help create a National data breach
reporting mechanism. So we think there is still a need for
legislation and certainly look forward to working with the
committee within its jurisdiction to successfully reach that
goal.
Mr. Thompson. Thank you very much, I am glad you made that
point.
The Chairman put a slide on the screen here that talked
about a three-part relationship between the DOD, DOJ, and DHS.
To some degree, the process is beginning to work, but from what
I understand, your testimony today is the roles could be
further defined legislatively so that those three agencies can
do their work in a better manner. Is that correct?
Ms. Lute. What I am saying, Mr. Thompson, is that, yes, we
think we can--it would be helpful to have legislation clarify
and strengthen the role of DHS in protecting .gov,
strengthening the tools available to law enforcement, and
clarifying that this is a problem of great urgency that the
Government is seized with.
Mr. Thompson. We received briefings quite a bit on
vulnerabilities that exist within cyber. But most of those
briefings go in the direction of hackers from China, hackers
from Russia, and that is a very significant part of the
challenge. But from your testimony, there is also other areas
that we should be looking at beyond that.
So most of our briefings for the most part come from a
defense posture and I am convinced that that is necessary. But
from DHS's perspective, how do you see DHS's role and in
managing that cyber jurisdiction that you have?
Ms. Lute. Well you are talking to an old soldier.
Mr. Thompson. Absolutely.
Ms. Lute. So I certainly understand the role of the Defense
Department, and in particular, knowing the National Security
Agency as I have since 1978, I understand and value its
contribution to the National defense. It absolutely has a role
to play.
But cyberspace is civilian space. We need to manage it as
civilian space. The status quo is not acceptable. People are
under attacks. The attacks that are emanating from actors in
China or Iran or Russia or elsewhere around the world are
certainly worrisome. We have raised these issues in our
diplomatic and other dialogues with appropriate authorities.
But we also know is one of the greatest dangers that we
face are the existing vulnerabilities that go unpatched in our
systems every single day. They number in the millions. So we
have got to take action collectively. Our role, in Homeland
Security, and we called this out 4 years ago. We said,
essential to helping create a safe, secure, resilient place
where the American way of life can thrive, is ensuring our
National cybersecurity. We intend to fulfill that
responsibility.
Mr. Thompson. Thank you very much. Yield back, Mr.
Chairman.
Chairman McCaul. I thank you Ranking Member. Chairman now
recognizes the gentleman from New York, Mr. Peter King.
Mr. King. Thank you Mr. Chairman. Secretary Lute, great to
see you back here. Thank you very much. Let me commend the
Chairman for going forth with this hearing. This is absolutely
essential that legislation be passed. I believe that DHS and
this committee have a vital role to play in that, in those
regards. Without setting up a competition but showing seamless
cooperation. What unique capacity does DHS bring to the table,
let's say separate from the FBI, separate from DOD? Why is it
essential that DHS be part of the final answer?
Ms. Lute. Thank you, good to see you also. When you think
about the expertise and the resources and the authorities and
jurisdictions that each of the departments bring, DOD is
responsible, General Alexander, responsible for securing dot-
mil. Dot-mil, if I can be allowed a comparison, is the size of
this pen cap. Dot-gov is the size of this box in front of me.
Dot-com is the size of this room. And growing. Organically and
instantaneously every single day.
What we bring is our working relationship with the private
sector. The responsibility to coordinate National protection
efforts on behalf of the Federal Government. The responsibility
to secure dot-gov. Now I have handed out, and I hope you have
all received our strategy for securing dot-gov. That addresses
issues, and we have policies and capabilities and staff, that
assist the Federal agencies in managing their IT systems well.
Knowing and training the users, the administrators of their
systems, knowing, understanding and protecting the systems and
technologies and the boundaries of the network as well.
Our job, and we take it seriously, is to prevent bad things
from happening and respond rapidly when we do. We have
extraordinary men and women who work in the Department on this.
In fact, our ICS-CERT, our Industrial Control Systems
Cybersecurity Emergency Response Team, was just highlighted by
SC magazine as the No. 1 cybersecurity team in the country. We
take great pride in that.
So we bring this perspective and this additional set of
responsibilities and authorities and capabilities to bear.
Mr. King. At the current moment, do you believe that DHS
has sufficient resources to implement and carry out the
Executive Order?
Ms. Lute. We are, we are undertaking to carry out the
Executive Order and devising on an aggressive time table, the
plans, the approaches, the frameworks, and the inputs. Those
resourcing decisions will need to be made in the context when
that work is completed. But we have mobilized ourselves
internally, created a task organization within the Department,
across every aspect of the Department, to get that work done in
response to the President's direction.
Mr. King. On the issue of the hostile power cyber breaches,
to the extent you can discuss it in open forum, if you could
refer to the Mandiant report and the impact of China hacking
into the United States. The significance of that, and could you
just drive home how significant that is?
Ms. Lute. Well we believe it is extraordinarily significant
and what I would say about the Mandiant report only, is that it
is illustrative of the extraordinary capability that exists in
the American private sector in the area of cybersecurity. We
really have some of the best in the world in this country. When
it comes to technology, expertise, insight, analysis, and
perseverance, with what is a growing problem.
Second, what I would say is, I guess I would echo what Tom
Donilon said recently in a speech on the question of China, we
have raised this issue of the attacks that are emanating from
actors in China, with Chinese authorities. We have called on
them to acknowledge it, take it seriously, understand it. To
investigate it and stop it and to work with us in creating
broad norms of responsible cyber behavior.
Mr. King. Would you say that Mandiant is typical or
atypical of cooperation between Government and the private
sector?
Ms. Lute. What I would say is that it is the leading edge
of what will be best practice.
Mr. King. Okay. Do you intend to pursue that type of
relationship?
Ms. Lute. Absolutely.
Mr. King. Yes, okay.
Ms. Lute. What is very clear, Chairman, is that no single
entity can do all that needs doing here. Partnering with the
private sector is an intrinsic part of our approach to
cybersecurity.
Mr. King. Secretary, thank you very much. Yield back. Thank
you.
Chairman McCaul. The gentleman, the Chairman now recognizes
the gentlelady from California, Ms. Sanchez.
Ms. Sanchez. Thank you Mr. Chairman and thank you Secretary
for being before us. This is an issue that many of us have been
working on this for a while. I have the opportunity to sit on
the Armed Services Committee and do cybersecurity from that
end.
There are many people, let me begin by saying, I
congratulate you in working across so many agencies and
departments with respect to this in the Executive arena. I know
that in the House and the Senate, those of us who work on this
on different committees sometimes don't even know we are all
working on it. So I congratulate you on that.
But there are some of my colleagues who feel that the total
answer to this is our Defense Department. I find that,
especially when I am sitting with Intel members or with HASC
members or people who are very comfortable, if you will, with
the military. So sitting also on this committee, I understand
there is just so much more to be done than just to use our
Department of Defense or some of those agencies and initiatives
on the rest of this.
Can you, can you do me a favor and walk through currently
what, how you are involved and what the situation would look
like for example? Let's say a big telecom, maybe AT&T gets
hacked and it is ruinous to many people who use, for whatever
reason, that company on a daily basis. From the moment we know
that something is going wrong, so we have got a private-sector
person, company, entity. Then it is important to all of us,
because we may do banking through that, or talking to each
other, networks. So I would assume you are involved with that.
Then who ultimately, you know, who really shuts things down or
figures out what went on? Or re-routes what is going on?
Can you sort of walk us through that so that we have an
understanding of what the different roles are, private, DHS,
military if it is there, et cetera, et cetera?
Ms. Lute. So thanks very much for that. There is no
question that what is going on in cyberspace and on the
internet right now, it is contested space. As we all have said,
and as we all know, there is a variety of sources of threats
and attacks. There is a variety of pre-existing threats and
attacks.
Among our most capable industries is the telecom industry.
You cited AT&T, certainly they are a leading player in that
industry. But the moment of attack is not the point at which to
begin our dialogue. We haven't. We are in constant dialogue
with AT&T, the other internet providers, other service
providers across the critical infrastructures in cyberspace
already. We have been doing that now for years.
Together with our partners in DOJ and DOD, who also have
their relationships and dialogues with them. So if there is an
attack, what we look to see is how well the entity under attack
can defend itself. Can we augment that with additional
information? Here is where part of what we have been innovating
over the past few years is really coming into play.
The government, as I mentioned, has threat information. Can
we put that in the hands of the private sector so that they can
take appropriate steps to defend themselves? We have proven
that we can. This country can protect itself and we will use
all of our resources to do so. But we also know that there is a
vast amount of information in the private sector.
Can we mobilize that? As kind of a cyber neighborhood
watch, so that everyone has the benefit of where the threats
might be coming from and when. So we have developed what we
call, is a sufficiency framework for defense of the networks,
where we step through, beginning at the entity level, the
agency or the organization's level. Are they doing everything
they can? Can they be augmented by us? By the FBI? By other
parts of the Federal Government or other parts of government
usefully? Can we step through that to ensure that we prevent
bad things from happening and that we respond and mitigate
immediately when they do?
Ms. Sanchez. At what point, because we have read, in
places, that more and more are experts within Intel and Defense
are aiding, if you will, some of these private entities. At
what point would they swoop in to save the situation?
Ms. Lute. So we work side-by-side with our partners in the
Federal Government, including in the intelligence agency,
appropriately under rules. Also mindful of the responsibilities
to, that we all have within our authorities. We will not manage
the cybersecurity of this Nation as an Intel program. No one is
suggesting that.
What we do want to do is mobilize all of the resources that
we have in the Federal Government to address the status quo
which is unacceptable.
Ms. Sanchez. Thank you, Secretary. I have other questions,
but I will submit them for the record. Thank you for your work
in this.
Ms. Lute. Thank you.
Chairman McCaul. Chairman now recognizes the Committee--
Cybersecurity Subcommittee Chairman, Mr. Meehan, out of order,
and ask for unanimous consent that he be recognized. Without
objection.
Mr. Meehan. Thank you, Mr. Chairman.
I am very grateful for the opportunity to join with you on
this. I thank you for your leadership in taking this issue at
the outset for our committee, because of its importance which I
think is being driven home. Not just by our awareness of the
events that are taking place within the Nation currently, but
the recognition as well as the communications we have had with
you and your colleagues across the spectrum, both in the
governmental sector and the private sector of the importance of
this issue.
While I believe that you have been consistent in the
clarion call of recognition on this issue, I think we as a
Nation are lagging in an appreciation for the genuine scope of
the threat that we face. In addition that the changing nature
in that it isn't enough just to be reliant on Government alone,
that there is a partnership that is going to be necessary.
I am struck by the reality, 90 percent of the network that
we are being tasked with protecting is in the private sector.
You clarified that well, so we can, among ourselves in the
Government and the Defense Department, NSA, communicate. So I
am really interested in how we create this collaboration with
the private sector tying back to our Governmental entities.
Recognizing of course, as well, that as we get into
communication, not just from the Government, what we know to
the private sector, but requests from the private sector to
share information with the Government that we begin to open the
door to other kinds of issues about who gets it, when, where,
and what do we do?
Can you just give me an oversight of where the critical
parts are in that relationship and how we encourage the private
sector to be really engaged in this?
Ms. Lute. Thank you. In every way, at every level we are
working with the private sector. From the meetings that the
Secretary has, and the dialogues that I have at my level
throughout our organization in Homeland Security, as well
again, if I may say in the Department of Justice and in the
Department of Defense we meet regularly with the private sector
to understand the world in cyberspace from their point of view.
But we are also mindful of our role as Government. So we work
with the other Federal agencies to--and we have been working to
begin to craft a framework, and an approach that will address
the unacceptable status quo with respect to cybersecurity
attacks.
Every 90 seconds from an operational perspective, US-CERT
gets a call about an intrusion. We push out tons of information
every day, every week. Recently with the attacks on the
financial sector, we have been working with the bureau to put
out joint information bulletins, pushing out hundreds of
thousands of signatures and information that the private sector
can use. We hear uniformly that this has been important and
helpful information, and they want more. So this is an evolving
partnership, but one that begins from a very solid foundation
of respect, mutual regard, and an understanding that no single
entity can do all that needs doing.
Mr. Meehan. How about the private sector sharing with you
though, and not just in a voluntary capacity because you have
been great, we have discussed--I had the opportunity with the
Chairman among others to spend time talking to some of these
entities in New York and otherwise, that are on the front lines
of these attacks that are coming across. It is a very sobering
situation to see the scope of it. But the--you know those are
groups that are coming to you to work together. An issue that
we are going to have to struggle with is the whole concept of
disclosure by private entities when they know that they have
been hacked.
I think you said it well, those that have been hacked, and
those that know they have been hacked. That they know they have
been hacked, there is an incentive for them to disclose,
incentive for them to participate with us. How do we make them
partners? Then how do we deal with those who do not wish to
disclose and could be in possession of information which is
material and important to the defense of our Nation?
Ms. Lute. Thank you. I won't speak for the private sector,
I was raised to speak for myself, and I know you certainly will
understand this. But we have heard this, the notion, and we
think we understand it, that it does create a burden on this
question of disclosure. But there is a far superior burden to
the consumers and to the users of this critical infrastructure,
if these entities are hacked.
If people's private information has been unlawfully and
illegitimately exfiltrated and there is potential for
exploitation by cyber criminals or others, in cyber--and we
think that we have to address that concern as well. So we look
forward to working with Congress as it contemplates legislation
in trying to square this circle.
Mr. Meehan. Well my time has expired, but I thank you Mr.
Chairman and I also look forward to--I thank you for your
observation of the need for legislation that helps clarify a
number of things, among which is the framework to allow us to
work with you and your--you know your fellow agencies, in an
effective way to create this public/private partnership. It is
a big task ahead.
Thank you.
Chairman McCaul. Let me commend subcommittee Chairman
Meehan for his great work in this area, listening to the
private sector, and the stakeholders which is vitally
important, along with Ms. Clarke from New York, who is now
recognized.
Oh, I am sorry, Ms. Jackson Lee is now recognized. Please
forgive me.
Ms. Jackson Lee. Let me thank you very much for your work,
Secretary Lute, and I do want to thank my Chairman and Ranking
Member, their timing is impeccable. Over the last 24 hours we
have heard the proclamations, or proclaiming of a cyber war,
cyber threats of major proportion in the next 2 years. So I
would like to just hold up to say this is a very informative
document, and a very helpful document. As I ask you a series of
questions, I do want to make a particular plea.
In the course of answering my question if you might respond
to that plea. The plea is that alongside of those who intend to
do enormous devastating harm, are those that we call, hackers.
Over the last 24 hours, we have heard some of the most
provocative hacking in public officials from the First Lady to
the former Secretary of State, to a number of entertainers, and
I believe that one of our pathways to success is whether or not
we can convince these individuals, whether they are benign,
whether they happen to be in the category of cerebral persons
who want to be stimulated, that they need to work with us, or
that this is a dangerous proposition when it comes to the
security of the Nation.
Because potentially if we have a cyber war, then are we
going to have all of those intervening factors cloud what we
are supposed to do to fight those who are truly engaged in
terrorism? So I want you to be able to answer that premise of
what kind of outreach or understanding do we have of the hacker
community? Obviously some are in the category of criminal
activities. But if we just sit here in this committee and speak
about trying to get our hands around cyber threats, and for
example by being aggressive and saying, this is devastating,
wind up having all of our systems hacked because we have not
communicated how devastating this is, or there is not an
outreach or there is not an understanding.
Where are these people at? We are not reaching--finding
them either through the investigatory process or not. So I ask
that question and I will pause for a moment for you to answer.
Ms. Lute. Thank you. I don't use the term, war zone or--
when I talk about cyberspace. We can't manage the Nation's
cybersecurity as if it were a war zone. I mean we have to
address this mobilizing all of the resources we have, including
the bright and extraordinary young talent that some say make up
the hacker world. We have a member of the Homeland Security
Advisory Committee, Jeff Moss who is the founder of DEFCON, and
Black Hat, one of the leading organizations that draws on that
kind of talent. We have also recently, at the Secretary's
instruction, implemented the findings of a cybersecurity
workforce, a cyber skills workforce initiative.
This task force, which was chaired by industry leaders in
the United States took 90 days and came back to us with ways to
raise the skills of our workforce. Ms. Renee Forney sitting
behind me, chairs this effort now in the Department. We are
going to do five things, and I think these five things are
going to in part, appeal to this audience. We are going to
hire, test, and train to the very best standards of
cybersecurity expertise that exists. We are going to open
pipelines, widen the pipelines bringing people, talented young
people into Federal service.
We would like them to come to the Department of Homeland
Security first, but we will accept their contribution to
Government across the board, wherever they go. We are going to
work with industry and with academia to do it. We are going to
strategically manage our workforce to prize this very valuable
talent. This is the place where we really invest in our people.
So, this is the way we are going to reach out.
Ms. Jackson Lee. Let me get these last three questions in.
Do you think that the lead role of the DHS is effective now?
Bush first established it, now you are in the Obama
administration. Two, do you have the flexibility of hiring--you
just mentioned it, but do you need more flexibility in hiring
the right kind of people? Are you improving the sharing of
information between State and local entities from the Federal
Government?
Ms. Lute. Yes, we are up to the task. We need permanent
flexibility in our hiring. We can--we will always improve, and
can always improve our information sharing, and we are working
on that.
Ms. Jackson Lee. Do you think there will be a cyber war in
the next 2 years?
Ms. Lute. Uh.
Ms. Jackson Lee. Even though you don't use the word, war?
Ms. Lute. I was a soldier for a long time----
Ms. Jackson Lee. I didn't hear you, I am sorry?
Ms. Lute. I was a soldier for a long time. I think we--
cyberspace will remain contentious for some time to come. But
there is a lot we can do about it, and are.
Ms. Jackson Lee. Do you think it can threaten the lifestyle
of Americans over the next 2 to 5 years?
Ms. Lute. Not if I can help it.
Ms. Jackson Lee. We thank you for your commitment, but I
hope that we will have this continuing dialogue. I frankly
believe if we do not reach the hacker community, and separate
them out from us, trying to fight what can be Government
undermining, I think we will have a serious problem. I look
forward to working with you. Thank you.
Chairman McCaul. I thank the gentlelady from Texas.
The gentleman from Utah, Mr. Stewart, is recognized.
Mr. Stewart. Thank you. I think you have been an excellent
witness, you are concise, you illustrate in ways that help us
understand, and I appreciate that. I was an Air Force pilot for
14 years. I flew a fairly sophisticated weapons system, but our
ROE was fairly straightforward. I mean if we were attacked, we
responded. If our forward operating bases were attacked, our
infrastructure was attacked, we would respond, and I just don't
get the same sense here that there--you know the rules of how
we operate are as clear as it was in those examples.
We talk a lot about defend, defend, defend and I would like
to spend a few minutes elaborating on your comments on
deterrents. My questions I guess would be this: Does the Obama
administration view--do they have clear red lines that China or
Iran or any other organization knows that they cannot cross? Do
they--have we been able to communicate effectively to them what
those red lines are? Are we aggressive enough, do you think
that that would help to deter future attacks by making them pay
the price?
It seems like they ping us all the time with impunity in
some cases. That concerns me a little bit, and I would
appreciate your response to that concern?
Ms. Lute. One of the things we know about former--being
former military--is that society has entrusted its Government
with the responsibility to run the military, keep the Nation
safe, defend us from attack. We do that in a physical world. We
are better at that than anybody else in the world as well.
What we also know is that not every problem presents itself
for a military solution. But there are--nevertheless there is
learning, there is information, there is capability, and there
is technology that we can derive from our partners in DOD and
from our understanding around the world to better defend
ourselves against these attacks.
But, as we know, 90 percent of the critical infrastructure
in this country is in private-sector hands. We have to involve
them in that approach. General Alexander takes the back seat to
no one in his willingness, ability, and determination to defend
this country, should we reach that point.
I take a back seat to no one, in my commitment to use our
civilian resources appropriately under the law to do that as
well.
Mr. Stewart. Well, I appreciate your response, but maybe
let me press just a little bit on this. That is, again, I
don't--help me understand what price these organizations fear
or what they feel they are going to pay with some of their--
with their constant attacks.
I mean, do they feel like we respond to those and they have
anything to lose? Or do they feel like they can operate in
this--again, with impunity, without us really pressing them
back on that?
Ms. Lute. There is a--at the moment in cyberspace, offense
wins. We know that. I won't speak for how these organizations
that are lobbing threats, unlawfully stealing trade secrets and
other kinds of crime, quite frankly, in cyberspace, what they
think or what motivates them.
What I will say is that we are increasingly making the
country aware of the threats posed in cybersecurity. This is
present in our dialogues. I have standing conversations with a
number of international partners at the homeland security
level.
We rely on our diplomats to communicate our diplomatic
messages, but at an operator's level we are communicating very
clearly as well, behavior that is unacceptable, and trying to
find ways that we can--that like-minded governments can work
together to stop these actors from acting.
Mr. Stewart. Yes. Well, you know, I appreciate your
comment, I really do. Maybe I am not communicating my concern
adequately. But again, it just seems to me that we have not
instilled a--again, we talk about defend, defend, defend and in
your response you mentioned that again and again. But I am not
sure that we are aggressive enough in deter and making them pay
a price. Am I wrong on that concern, do you think?
Ms. Lute. I think we are getting better at that all the
time. It is an imperative for us. This simply can't go on
unimpugned.
Mr. Stewart. Okay. All right.
Mr. Chairman, I yield back.
Chairman McCaul. Okay.
The Chairman now recognizes the gentleman from Arizona, Mr.
Barber.
Mr. Barber. Thank you, Mr. Chairman.
The first meeting I came to under your leadership of this
committee, I was very pleased to hear that you made
cybersecurity a top priority for our committee and for the
Congress. I 100 percent agree that that has got to be the case.
My concern is generally, and perhaps you can comment on
this, Ms. Lute, is the public, it seems to me, is pretty much
unaware of the threat that this poses to the homeland, to the
country. I think traditionally, you know, we think of
protecting the homeland, protecting our Nation, as military
protection or police protection. This issue is not a very
visible issue at all, unfortunately, for most people.
Could you comment on what we can and should be doing, both
in the administration and in Congress and in the public at
large to make people more aware of the imminent danger of cyber
attacks and how we can get public support for taking the
necessary action?
Ms. Lute. Thank you very much for this question. Part of
the problem is strategic, centralized, and top-driven, the
threats that we perceive in cyberspace to National security. We
are addressing them.
But cyberspace is transactional, decentralized, and bottom-
driven. So is homeland security. We are transaction-based,
decentralized, bottom-driven. In our world, it is not so much
need-to-know, it is duty-to-share, when we are talking about
information.
So we are working aggressively to put the word out. A lot
of people are unaware. We have been promoting, through a cyber
education program, such things as ``Stop. Think. Connect,'' so
that people engage intellectually before they get on-line, so
they understand cyber threats. We have more to do in this
regard, but equally, citizens, companies, State and local
government, every aspect of our society needs to get engaged.
Mr. Barber. Thank you for that. I just want to add to the
gentleman's earlier comment that we see a lot of witnesses in
Congress and I really want to commend you on your clarity and
your brevity in responding to our questions and in your initial
opening statement.
I have a question related to the recent Inspector General's
audit of the Industrial Control Systems Cyber Emergency
Response Team. It found that although the team has made
significant progress in building out its capabilities to
support critical infrastructure owners and operators, the
challenges still remain, particularly in the sharing of timely
and actionable threat information.
Could you please comment on the challenge of balancing the
need to get information to critical infrastructure in time to
stop attacks, while protecting intelligent sources and methods?
Ms. Lute. We are working on that.
Sorry, I beg your pardon.
I would be happy to talk in greater detail in a different
setting. It is not--it is a significant issue. How do we share
information appropriately? But not only between the Government
and the private sector, but between the private-sector entities
themselves. I see US-CERT as the best in the country.
Mr. Barber. Very good. I certainly want to commend the
Secretary for the action that she has taken and the priority
she has given and, through you, carrying out this action within
DHS.
I am firmly of the belief that we have to have legislation.
We have to have legislation that improves and increases our
capabilities to stop these attacks, both on the private as well
as the public web sites and infrastructure. I also believe that
we have to figure out a way to make sure we have--assure people
that we are protecting their privacy.
So to the question about hackers. As we work to improve
cybersecurity, I want to know more about what we can do to
penalize those who perpetrate cyber attacks. That we send--how
do we send a clear message to our cyber adversaries of the high
cost of attacking the United States?
Also, could you talk about what we can do to hold hackers
who are not friendly, in any way, accountable for their
actions?
Ms. Lute. Thank you for that. Two aspects to my answer. No.
1, we need to strengthen the hand of law enforcement to enforce
the law. To a large extent, what we are seeing in cyberspace is
crime. We need to give our law enforcement officers the tools
they need to investigate, pursue, and successfully prosecute
the crimes that occur in cyberspace. We are working very
closely, Secret Service, Immigration Customs Enforcement,
working very closely with the FBI, other law enforcement
agencies, to do just that. We are getting better all the time.
Here is an area where legislation can help.
A word, if I may, on privacy, civil rights and civil
liberties. We can do both. We can ensure your cybersecurity
while protecting your civil rights and civil liberties. It must
remain a dual imperative.
Mr. Barber. Thank you, Mr. Chairman. You can count on my
support for legislation. This has to be a bipartisan issue and
I appreciate your leadership and that of the Ranking Member.
Chairman McCaul. I thank the gentleman. I agree with you on
the capability issue, as well. Also, Dr. Lute, on the balance
of privacy versus security. It is hugely important and I think
DHS is well-suited for that.
The Chairman now recognizes the gentleman from
Pennsylvania, Mr. Rothfus.
Mr. Rothfus. Thank you, Mr. Chairman.
Thank you, Madam Secretary, for being here today. This is
very informative for me.
I understand the collaboration that exists now between DHS,
the Defense Department, and the Department of Justice, FBI. A
question that occurs to me is whether or not we currently have
any Federal official who is the primary point of contact for
the oversight of cybersecurity?
Ms. Lute. So we would say that the Secretary of Homeland
Security is responsible for coordinating across the Government,
but we work collaboratively with our partners in DOJ and DOD.
Mr. Rothfus. So the Secretary would convene meetings of
these other agencies to ensure that collaboration is taking
place as appropriate----
Ms. Lute. Also attend. The responsibility for securing dot-
mil belongs with DOD and in other sectors, and of course, the
lead law enforcement investigative agency is the FBI.
Mr. Rothfus. If I could just----
Ms. Lute. I beg your pardon.
Mr. Rothfus. Thank you. A couple of questions as I review
the organizational structure of the Department of Homeland
Security and whether or not you are as organized as optimal.
We appear to have a number of offices within the Department
that address cybersecurity. Under Science and Technology, we
have the Office of Cybersecurity Division, where we have US-
CERT, as I understand it. Under National Protection and
Programs Directorate, we have the Office of Cybersecurity and
Communications. Then under Intelligence and Analysis we have
another Office of Cyber, Infrastructure, and Science.
None of these offices that appear to deal with
cybersecurity directly report to the Secretary. If you could
just share with us how that works, how that information is
channeled to the Secretary from these disparate offices, and
whether or not there should be consideration for any kind of
reorganization within the Department, given the importance of
cybersecurity?
Ms. Lute. The Secretary maintains constant awareness of
where we are in cybersecurity and is very up to speed on every
aspect of the operations of the offices that you described.
As chief operating officer of the Department, my job is to
see that everything is running. Every Wednesday, I chair a 3-
hour cybersecurity meeting among all of those agencies.
This is like so much else. I am an operator. Operations
conform to functions and needs that agencies or, in our case,
the Federal Government require. Is our organizational structure
optimal? I don't know of any such thing sort of anywhere. It is
a constantly-evolving process.
The issue of direct report may, at a surface level,
communicate salience, importance, or ease of access. The
Secretary places extreme importance on the cyber activities of
the Department, has no problem getting access or answers to any
question or issue that may arise, and we maintain constant
vigilance over all of these parts of the Department.
So can we change and improve? Of course. What will drive
us? We have got a cybersecurity strategy. We have laid out an
approach to securing dot-gov, we are engaging the private
sector and the American people on an educational platform, as
well, as I mentioned.
We will adapt our organization to these imperatives as we
move along. We are paying a lot of attention to this.
Mr. Rothfus. Thank you.
We have some great assets in southwestern Pennsylvania with
University of Pittsburgh, Carnegie Mellon University. I am just
curious how you are leveraging, if at all, the capacities of
our academic institutions in this effort.
Ms. Lute. Well-known to us, great partners in the analytics
side, I mean our S&T, you mentioned Science and Technology,
Doug Maughan who heads our cybersecurity work on that front. It
is a National treasure. He knows these organizations, is well-
known to them. So we leverage them a lot as we can.
I mentioned also in response to an early question, our
desire to broaden the pipeline of talent that comes into
homeland security, working with academia and with industry as
well.
Mr. Rothfus. Thank you.
I yield back.
Chairman McCaul. Thank you to the gentleman.
The Chairman now recognizes the gentleman from New Jersey,
Mr. Payne.
Mr. Payne. Thank you, Mr. Chairman.
It is very good to see you once again.
You know, we have been talking a lot about the different
Government departments are working well together, sharing
information in terms of this whole issue. But it seems like it
is still a challenge and I hear you saying that the private
sector is coming along. But you know, much progress has been
made with NCCIC program. You said that we need to get private
entities on board.
Specifically, what legislation can be passed to create
incentives for that?
Ms. Lute. Thank you, Congressman Payne and Mr. Chairman
with your permission, I would just like to acknowledge
Congressman Payne's father's passing a year ago last week. He
was one of my father's closest friends. He admired him and
appreciated the work he did. I may be a New Yorker, I was born
in Newark, and I have never forgotten it, and I just would like
to acknowledge with respect and appreciation his work,
Congressman and yours as well on behalf of the people from
someplace I call home.
Chairman McCaul. We all share in that our condolences to
you and your father.
Mr. Payne. Yes, and to you ma'am, your father played a
great part in recognizing my father's commitment to public
service very early on when a lot of people doubted it and he
was one of the people that really helped open the door for him
and we see what he was able to accomplish. So to your family, I
thank you as well.
So, in terms of the legislation to create incentive?
Ms. Lute. So, many of the ideas in the cyber EO, draw on
the House Republicans Cyber Taskforce. We think additional
legislation in terms of enhancing information sharing and
creating incentives for industry to participate with us and
adopting standards and best practices.
For example, we know today, we know today, that we can--we
have the technology to identify hardware that is on systems,
white list software that is acceptable to be on systems,
understand network configurations and have machines talk to
each other in real time to identify threat factors and respond
and patch in real time.
We think that by sharing this information and creating a
culture of accountability and action that industry will be
incentivized to act. We need Congress's help in this regard and
we look forward to working with the committee to achieve that.
Mr. Payne. Okay.
But it--I know there has been some difficulty in getting
these private entities to buy in at times and even admit that
they have been hacked and have had problems. It is almost like
having a bully and you are scared to say that you have been
attacked by this bully because it shows some type of weakness.
How do we get them to even admit that they have had issues when
a lot of them hold back that information?
Ms. Lute. We think an important component of legislation
would be establishing a National data breach reporting system
and we have changed the culture, not completely, in the example
that you cite. We need to change the culture here because as
problematic as it--as some may think it might be to report on a
breach, it is far more problematic when the breach goes
unreported and far more problematic when people's privacy and
their private information goes exfiltrated unlawfully. We need
to address that and close that gap.
Mr. Payne. Thank you.
I think I will yield back, Mr. Chairman.
Chairman McCaul. The gentleman--and I--let me just point
out, I think the liability protections that we will be looking
at can greatly incentivize the private sector to share the
information and provide that safe harbor that they can go to
which we envision to be the, you know, the NCCIC itself. So,
let me also on a point of personal privilege, your father and I
worked on the Sudan caucus and I know he founded that caucus
and was just a great soul and we miss him.
Mr. Payne. Thank you.
Chairman McCaul. With that, I now recognize the gentleman
from Mississippi, Mr. Palazzo.
Mr. Palazzo. Thank you, Mr. Chairman and I would like to
thank Ms. Lute for being here today. Thank you for your
testimony and also thank you for the vital service that you
provide and protecting our homeland from threats and your
dedication and your military service is also commendable as one
soldier to another. I was a former Marine, now a soldier to a
soldier, okay. I had to put that in there, I might get in
trouble. I have a gunnery sergeant in my office serving as the
military fellow. But anyway, I digress.
Listen, protecting our private and our public sector from
cyber attacks is extremely important. But in the interest of
time, I would also like to know, you know, what does Department
of Homeland Security do to protect their own information?
Because I am aware the Department uses the National Center for
Critical Information Processing and Storage which is also known
as NCCIPS, to house Nationally-sensitive critical or classified
information, hundreds of millions of dollars have been invested
in massive and redundant infrastructure and IT equipment to
ensure uninterrupted service to multiple Federal agencies who
share this facility.
So given the amount of sensitive information the Department
stores at the center, how secure is the center as well as DHS
assets from potential cyber attacks?
Ms. Lute. Thank you for that.
We are the largest tenant. I think three-quarters of the
data center is leased by us for secure data processing and
storage. We adopt as we do in other aspects of homeland
security, a layered approach, from perimeter fences, roving
patrols, armed access gates, guards, CCTV, facility control
systems, fully redundant power supplies.
What we are trying to model in homeland security is best
practice across the range of activities that we have said is
necessary to secure dot-gov, from being aware on how to well
manage our IT systems, understand who has access, et cetera.
But it is a layered approach involving physical as well as
cyber measures.
Mr. Palazzo. As we focus on how we protect our information
and prevent cyber attacks, should the Department and other
Federal agencies use NCCIPS as a model for securing sensitive
information?
Ms. Lute. We think it represents an approach to best
practice who, again, incorporates not only physical but
cybersecurities as well.
Mr. Palazzo. So it is a good model?
Ms. Lute. It is a good model.
Mr. Palazzo. For other agencies to adopt?
Ms. Lute. Yes.
Mr. Palazzo. It is secure?
Ms. Lute. Yes.
Mr. Palazzo. Safe?
Ms. Lute. Yes.
Mr. Palazzo. All right, now----
Ms. Lute. Mississippi, I spent a year in Mississippi, so--
--
Mr. Palazzo. Not in August, right?
Ms. Lute. In August, it was hot.
Mr. Palazzo. Bless your heart.
It--real quick, to just change a little bit and I don't
think anybody has really touched--I know China has come up a
couple of times. You know, my experience with the Chinese
hasn't, you know, really been pleasant from the sense that, you
know, after Katrina, they flooded our markets with contaminated
drywall, you know, constantly hearing about their products
being dangerous to children, you know, coated in lead-based
paint and so on.
Then you look at--from a military standpoint, they are
building up their military and to hear the report that came out
2 weeks ago that there is blatant attacks by the Chinese
government that is kind of attacking our systems. Can you
elaborate just real quickly on the cyber threat posed by China
and any plans this administration has in deterring China from
continuing to steal U.S. intellectual property and other assets
from the public and private sectors? What would be our red line
that we say they cannot cross before we retaliate?
Ms. Lute. Congressman, what I will say in this forum, and I
am happy to pursue this in an appropriate forum other than
here, is that we are concerned about the attacks that seem--
appear to be emanating from actors within China. We made this
very clear. We have called on Chinese authorizes to recognize
and address this, to investigate it, pursue it, and to work
with us in establishing collaborative norms. We take this very
seriously.
Mr. Palazzo. Thank you.
I yield back.
Chairman McCaul. The Chairman now recognizes the--let's see
here, hold on second, the--yes, the gentleman from Texas, Mr.
O'Rourke.
Mr. O'Rourke. Thank you. Thank you, Mr. Chairman.
Secretary Lute, thank you for your testimony today and the
quality of your answers to the questions asked so far.
A lot of analogies have been made today to physical space
and cyberspace, physical security and cybersecurity and one
that I would like you to respond to is the analogy between
border security and cybersecurity and one of the challenges we
have had as a committee and a Congress is defining what border
security is and we are spending $18 billion on it today, twice
what we were spending in 2006. We have doubled the size of the
Border Patrol. A lot of important future legislation hinges on
our answer to it, and we are unable to define it.
I can see perhaps as cybersecurity reaches a greater
profile and there is more attention paid to and we understand
the nature of the threat. There could be an overcorrection or
an over response and I think to protect against that, we need
to find measurable goals and milestones against those goals.
Could you talk about how Department of Homeland Security
has defined those so far or plans to in the future?
Ms. Lute. So when we speak about and everybody is searching
for the illusive analogy in the physical world to cyberspace.
You know, is it--is it like a global commons, you know, is it
like clean air or clean water? I think cyberspace is more like
light than air and I think it presents challenges in that
respect.
What we want and what we have been promoting is an open,
interoperable, reliable, and secure internet globally.
Certainly that requires more than we can do in the Department
of Homeland Security, more than we can do as a country, it
requires all of us around the world. We have benefited
enormously from this.
Our job in homeland security is to secure dot-gov and to
work with the private sector to secure the Nation's critical
infrastructure. We are evolving standards of what that means,
reducing the number of attacks and threats, repairing
instantaneously vulnerabilities as they are automated or as
they are detected on an automated basis. So this will be an
evolving set of challenges and issues that we will be dealing
with.
Mr. O'Rourke. What are the protections to the taxpayer with
these evolving goals and definitions? I mean we can spend $10
billion, $100 billion, a trillion, $10 trillion, how do we know
that we have spent enough, that our money is being used
effectively, that we are meeting the goals that you and the
oversight committee have agreed upon?
Ms. Lute. Right. How do we know that what we are doing is
working? If we have a removable media policy, is that enough?
If we control access to our networks, is that enough? If we
give everybody dual-key authentication responsibilities when
engaging in networks, will that be enough? This is what we are
crafting. We are doing it together with the private sector.
Because while we have ideas of our own, we know that they
do as well. We look forward to working with this committee,
because we know that you have ideas. So that is very much on
our minds. Because we are determined to address this problem.
Mr. O'Rourke. So you are talking about the process which
you will undertake to define those goals and measure success
and effectiveness. Are those specific goals, perhaps specific
to the threats and challenges that we face in these, the three
domains that you mentioned? Are those goals that you will share
with this committee?
Ms. Lute. Yes, absolutely.
Mr. O'Rourke. We will be able to measure progress against
those goals. Measure the effectiveness of the dollar spent.
Ms. Lute. That is the, again, we operate on a duty-to-share
model, in terms of information and how we work in Homeland
Security. Especially in cybersecurity. So we will.
Mr. O'Rourke. One of the things that you mentioned that
caught my attention is cyber space is civilian space. There
have been a couple of questions to this, but how do you see
your job in terms of managing that balance that you talked
about, between civil rights as you talked about it, personal
freedom, liberties, the things that make the internet such a
driver of economic growth and creativity in our country and in
the world, and balance that against these security concerns?
Ms. Lute. So if I could be permitted an example? I was the
lead negotiator for the United States with the European Union
on a data-sharing agreement called Passenger Name Recognition,
PNR, to ensure the safety of air travel. It took us 18 months
to have this negotiation. At the center of it was our ability
to enforce our laws at our borders and to ensure the
operational safety of the traveling public. Equally at the
center was the role, were issues of privacy and civil rights
and civil liberties.
We have been managing billions of files of data over the
past 10 years in the Department of Homeland Security with
respect to this traveling information. There has not been one
privacy incident. So we think we can get it right. Again, I am
an operator and this comes down to what it is we do.
Mr. O'Rourke. That is impressive. Thank you. Thank you, Mr.
Chairman.
Chairman McCaul. The gentleman, the gentlelady from
Indiana, Mrs. Brooks, is recognized.
Mrs. Brooks. Thank you, Mr. Chairman and thank you deputy
secretary for being here and for your service. In 2012, FEMA
and DHS held a National-level exercise. I have been a deputy
mayor in the city of Indianapolis in the late 1990s working
closely with public safety. As a U.S. attorney have worked with
Federal, State, and local on a number of exercises,
particularly after 9/11. I value the importance of exercises.
It was on the Nation's ability to prevent, respond, and recover
from a significant cyber incident, as I understand it. We hear
that obviously cyber incidents are becoming greater in number
and in severity.
My question is: What role does FEMA play, before, during
and after, a significant or a catastrophic cyber incident? At
what point might we expect that, if that after-action report is
finished, and if it is not finished, when can we expect its
release?
Ms. Lute. I will have to get back to you on the release of
the after-action report. In my background and tradition, those
are extremely important exercises, the lessons learned. What
you want to do successfully in any organization, and we
particularly want to do in Homeland Security, is embed these
lessons learned so that we can replicate our success and avoid
repeating failure.
Lessons learned are an important part of that. You know
when I was a young Signal Officer in the Army, we use to do
exercise all the time. The Signal Officer always had to keep
everything running so that the infantry or armor, they could do
exercises. But we had to have everything working perfectly.
Well, what if it doesn't work perfectly? What are the
consequences to our ability to operate? So how do you bake that
in to our exercises and our understanding?
FEMA of course plays a key role in leading Federal-level
exercises, which State and locals are so much a part. So we are
beginning to bake this into our thinking about exercise
scenarios. But also, FEMA also, you know, in the Department of
Homeland Security, is the Federal Response Agency. So what are
the consequences, how do we understand, working with industry,
the consequences of catastrophic failure and what that will
mean for the public? How do we mitigate it, how do we restore
services quickly? Address our responsibilities in that regard.
So very much on our minds.
Mrs. Brooks. Does DHS, does FEMA actually possess the legal
resources and authority it needs, in the case of a catastrophic
incident?
Ms. Lute. Well FEMA certainly has the authorities that it
needs to respond to an incident. What we know is that, a cyber
incident could have consequences that matter for which FEMA is
appropriately authorized to respond.
Mrs. Brooks. Okay. Do you know how FEMA works with the
private sector in, I am not certain, are you familiar with the
exercise that they did in 2012?
Ms. Lute. Yes, yes.
Mrs. Brooks. How does FEMA work with the private sector in
recovery?
Ms. Lute. Well, well again, you know one of the things
about Homeland Security is our partnership with the American
people. FEMA is an example of where we live that every day in
response to disasters. So it is a very close working
relationship. Our dialogue at the State and local level with
FEMA representatives on the ground, with community leaders,
political officials as well, it is pretty interwoven.
I think the central point for me on cyber and FEMA is that
physical and cyber infrastructure are inextricably linked.
There can be vulnerability to that infrastructure through
cyber, to which we have to be attentive, broaden our minds and
understandings of what could result, and mobilize the
appropriate levels at the Federal level to respond. The
appropriate resources at the Federal level to respond.
I would be happy to get you, to discuss this in greater
detail. We are working with FEMA on the lessons learned, as you
mentioned. We know that there could be consequences that we
have to be attentive to.
Mrs. Brooks. So how does FEMA interact with the other DHS
components during a cyber incident specifically?
Ms. Lute. They are at the table, appropriately, again for
what response they may have to mobilize. The actions that they
may have to take. They are certainly in the room and part of
the response. As we understand the consequences of an event
that may give rise to physical effects that would engage FEMA's
responsibilities.
Mrs. Brooks. Thank you, I yield back.
Chairman McCaul. Thank you. The Chairman now recognizes the
gentleman from Nevada, Mr. Horsford.
Mr. Horsford. Thank you, Mr. Chairman and thank you, Deputy
Secretary. It is been very informative to have you here in the
presentation. I do have a specific question on cybersecurity
but before I do that, while I have such a high-ranking
representative, I wanted to share something with you and see if
you could help me with the response.
I heard from one of our local veterans recently. His name
is James Courtney. He served three tours in Iraq and he is
disabled after 15 years of active duty in the United States
Army. His wife and the mother of three U.S. citizens, all boys,
does not have a green card. As I understand it, in 2003, Sharon
was held by the Border Patrol for several hours and denied even
a phone call to her family in El Paso. Without any explanation
Sharon was told if she just signed a simple document, that she
would be let go. She now stands accused of falsely claiming to
be a U.S. citizen.
What do we say to families like this? Who have been
affected by what is a broken process? From what I have heard,
it sounds like this family has been wronged. Do you agree? What
is the Department doing to address issues like this one?
Ms. Lute. Congressman I am not familiar with the incident
that you are speaking about. I don't want to give you an off-
the-cuff answer. I would be happy to take the facts back as you
represent them, and find out.
Mr. Horsford. If you wouldn't mind doing that. I know that
this did occur in the prior administration and it is, some time
ago but there are details that I think are important for this
committee and for me to be able to respond to.
You know, Mr. Chairman, I think that as we address larger
issues, other issues including immigration, it is these type of
circumstances that I hope will be brought forward and I that we
can also talk about.
Let me switch to the issue of cybersecurity. I wanted to
follow up to the Ranking Member's question dealing with the
sequester. You know, we have all agreed here today that
cybersecurity is very important and that we need to work in a
bipartisan manner to pass legislation to help both the private
sector as well as the public sector.
But we have a sequester that is affecting our ability to do
our job today. So I would like to understand what the impact of
the sequester has been to your Department, specifically as it
relates to cybersecurity.
Ms. Lute. Thank you for that. Cybersecurity is not immune
from the impact of sequester. Both our perimeter deployment
Einstein E3A will be affected. Our ability to automate the
continuous diagnostics and monitoring system will be affected
as well. Our ability to reach out to stakeholders as well.
It is particularly important because in cyber space, in the
world of technology, the problems and the solutions that we are
going to be dealing with 2 years from now, haven't been
invented yet. So this is a place and an environment where speed
takes on a whole new meaning.
Mr. Horsford. As it pertains to the workforce because as we
have heard from members in the private sector, this is a very
specialized workforce, and as we develop information-sharing
capacity, what is our ability to recruit and retain on the
Department side, the skill set of the workforce that we need in
this regard?
Ms. Lute. Of course it is affected, as you know. But one of
the things that we are doing is overhauling our whole approach
to become a world-class home to a world-class cybersecurity
workforce. By hiring, testing, and training to the highest
standards of cybersecurity. These really are cyber ninjas.
Those are the standards that we want to instill, train to,
certify, and maintain. We want to attract folks. We want to
open the pipeline with industry and with academia. We want to
strategically manage this workforce across the Department, and
indeed, across the Federal Government one day.
We want to overhaul our acquisition and procurement,
including our workforce, so that they are as skilled of the
needs in the contracting environment for this. We want to
create a cyber reserve. So we are not standing still on this
question at all.
Mr. Horsford. Just if I could ask if the Department could
provide us the college initiatives, I guess, that you have
done. If you could maybe share that information with those of
us who want to make sure that the Department is doing
everything it can to reach out to the next generation of
graduates that we need.
Thank you, Mr. Chairman.
Chairman McCaul. Thank you. The gentlelady from New York,
the Ranking Member of the Cybersecurity, Infrastructure
Protection, amd Security Techonologies Subcommittee, Ms. Clarke
is recognized.
Ms. Clarke. Thank you, Mr. Chairman. Deputy Secretary Lute,
I don't mind sharing you with Congressman Payne. I am the New
Yorker here.
Let me first of all thank you for your passion, your
talent, your expertise that you brought to bear on the
cybersecurity mission for the Department of Homeland Security.
It is truly refreshing.
I also want to extend a thank you to our Ranking Member,
Mr. Thompson, for his leadership and partnership in penning the
letter to Chairman McCaul and me regarding the legislative
jurisdiction issues that threatens to undermine the DHS mission
and marginalize the effectiveness of governance and oversight
of this committee. I think it is really important that we not
get into a bidding war, but we all play a very critical role in
this new governance in this space.
Mr. Chairman, last year our committee faced strict
resistance to legislating a strong statutory role for the
Department of Homeland Security's cybersecurity mission. Though
you may have differences of opinion with Mr. Lungren's
legislation, the precise act, I am sure you would agree, that
the strong authorities for the Department of Homeland Security
were commendable.
Unfortunately, some colleagues last year were unwilling to
consider giving DHS the statutory certainty that it sorely
needs and prevented the legislation from reaching the floor.
So I am glad that you are holding this hearing today to
hopefully spotlight the good work, and you have been, that the
Department is doing. Just last month, ICS-CERT was awarded the
best security team award at the RSA by ``SC Magazine.'' I would
like to insert that recognition into the record. I think that
we need to--morale is important here.
Chairman McCaul. I agree and without objection, so ordered.
[The information follows:]
BEST SECURITY TEAM GOLD WINNER
The Industrial Control Systems Cyber Emergency Response Team (ICS-
CERT) Security Team responds to incidents, vulnerabilities, and threats
that can impact those industrial control systems (ICS) which operate
critical infrastructure across the United States. These systems are
vital for the processes used throughout many critical sectors that the
Nation depends on every day.
The ICS-CERT Security Team's mission is to reduce cybersecurity
risks by offering four core products and services to the Nation's
critical infrastructure sectors: Providing situational awareness to
Government and the private sector through National alerts and
advisories that warn of cyber threats and vulnerabilities; conducting
technical analysis of malware, system vulnerabilities, and emerging
exploits; performing cybersecurity incident response for asset owners
and operators; and partnering with the control system community to
coordinate risk management efforts and serve as the focal point for
information exchange.
The ICS-CERT Security Team has received National and international
recognition as an essential element for coordinating cybersecurity risk
reduction efforts among the Nation's critical infrastructure asset
owners. Through its incident response, situational awareness, and
recommended practices efforts, the team is recognized as a National
resource for cybersecurity guidance.
It is also a key functional element of the DHS National Cyber
Security and Communications Integration Center (NCCIC) and is integral
to the Department's capability to coordinate National-level cyber
events. ICS-CERT Security Team presence in the NCCIC Operations Center
provides synergistic information-sharing value to the various public
and private-sector partners participants.
http://awards.scmagazine.com/best-security-team-0
Ms. Clarke. Thank you, sir.
I firmly believe that DHS's role needs the clarity and
authority of statute to most effectively do its mission. That
is why last year I introduced the Identifying Cybersecurity
Risks to Critical Infrastructure Act to get an important
segment of DHS's authorities written into law.
So Deputy Secretary Lute, can you talk about the importance
of getting your Department's cybersecurity mission and
authorities codified in statute? What aspects of DHS's
cybersecurity mission do you think would be particularly
impactful if we could fully authorize them?
Let me repeat that for you--can you speak to the importance
of getting your Department's cybersecurity mission and
authorities codified? What aspects of DHS's cybersecurity
mission do you think would be particularly impactful?
Ms. Lute. I certainly agree with the importance of that and
the Secretary absolutely agrees. We think it is important in
this rapidly unfolding field to clarify the responsibilities
that this Department will be given, particularly when it comes
to securing dot-gov, in the area of information sharing as
well.
Ms. Clarke. With that, I yield back the balance of my time.
Chairman McCaul. Well, I thank you for your questioning.
Know that I am committed to getting this done, to getting
existing authorities codified, and to making the Department as
strong a player as they are in this very important field,
working together with the other agencies. I think we have one
last Member, the gentleman from California, Mr. Swalwell.
Mr. Swalwell. My district is in Northern California and it
includes northern Silicon Valley and it is really the cradle of
innovation. We also have two National laboratories and, I
believe, more Ph.D.s in our district than anywhere else in the
country. Very smart, innovative folks in our district, and I am
concerned that if we were to get hit hard in our district, we
would fall hard.
I am also concerned that if we sneezed from a cyber attack,
the rest of the country could catch a cold because of the
ripple effect of what it would mean to many of the industries
in our district. We are talking all of Silicon Valley south and
then, of course, the part of Silicon Valley that is in my
district in the north.
So I am concerned that right now the rest of the country
also does not understand enough about what the real threat is
here. I want to know what we can do to better educate. Because
we are starting to hear more about the threat, but--and folks,
I think, will accept that their computer may get hacked.
Someone may send out an e-mail in their name that didn't come
from them.
But I don't know if we are prepared yet or we understand
that we could go to the bank one day and our account balance
could say zero. Or we could show up to work one day and our job
is no longer there because the technology or something critical
to the employer has been stolen by someone abroad.
When I was a prosecutor for 7 years, I worked closely with
telecommunication companies to prosecute a number of our
homicide cases, to work with them on subpoena compliance as
well as ways to make sure that it was a two-way street, that
their cooperation would not mean they would be penalized for
working with us.
Now I know that we do have the National Cybersecurity and
Communications Integration Center and my first question is what
is the participation like, in that center, with private
industry and what can we do, legislation-wise and as far as
coordination efforts, to make sure that private industry is
really working with us?
Because I know from being a prosecutor that it has to be a
two-way street and because 90 percent of the networks are not
dot-gov or dot-mil, if we don't have their cooperation or
participation, we can't truly protect against the threat.
Ms. Lute. Well, thank you for the question and thank you
for your part of the country. I took my Ph.D. from Stanford. I
am a believer. I am a believer.
It is an extraordinary National asset for us, the vibrancy
and the contribution of that community, not only to this
country but to the world. This instantaneous organic growth of
the internet, in many ways can trace its lineage back to this
part of the country. We certainly appreciate it.
We also appreciate the role of collaboration in the private
sector. I speak very often with the leadership of private
industry out in the Valley. They are extraordinarily thoughtful
on all of the questions that we have discussed today.
On the NCCIC thought, to your specific question, we do have
private industry representatives in some of the various sectors
and we can talk to you in detail about that. For those members,
Mr. Chairman, who have yet to come see us, we invite--that
door--let me just reiterate your invitation and urging that
they come and see us.
We agree on the partnership. We agree on the two-way
street. We agree on the need for collaboration. We are putting
our money where our mouth is in terms of having them on the
floor with us at an operational level and including dialogue
with them at a policy level at my and the Secretary's--in our
discussions with them as well.
So across the board I agree with you.
Mr. Swalwell. Great. Right now in this era of sequester,
and we don't know how long this is going to last, but we do
know that the threats are going up and the money to fight the
threats are going down. How much does that concern you that
your budget could continue to be on the chopping block and
reduced as our country becomes more and more vulnerable to a
cyber attack?
Ms. Lute. Nothing is standing still. As I mentioned before,
in cyber space, the problems and the opportunities that even 2
years from now, perhaps even 1 year from now, that we will be
dealing with have not been invented yet. So time is of the
essence.
Mr. Swalwell. Finally, as a prosecutor, it is frustrating
to me that it seems like we spend most of our time defending
against the threat, but it is very hard, and I understand from
the cases I have had, it is very hard to go after somebody on
the law enforcement side and prosecute an individual who is
hacking against us, tracing where the individual is coming
from, which oftentimes is across the world.
Can we truly, really not just prevent the threat or prevent
a cyber attack, can we truly go after an individual and
prosecute them and hold them to account?
Ms. Lute. I am a big fan of the rule of law and I am a big
fan of the power of the law in this country. We are working
very closely with the FBI to strengthen the hand of law
enforcement. We have mentioned this is one of the things that
we think cyber legislation would usefully add, which are tools
to put them in the hands of law enforcement officers to
successfully prosecute cyber criminals.
Mr. Swalwell. Great. Thank you, Mr. Chairman.
Chairman McCaul. Thank you. Let me say, Deputy Secretary
Lute, let me thank you for your testimony. It is been very
impressive and I think very productive towards our discussions
in developing legislation, which as I state, is a high
priority.
Also, Chairman Meehan and I will be scheduling tours for
our members to the NCCIC and we look forward to seeing you out
there again.
With that, I know the Members will have--they have
additional questions. You need to--you should respond in
writing. With that, the clerk will prepare the witness table
for the second panel.
Okay, with that, let me go ahead and introduce the next
panel and thank you for your patience.
First we have Mr. Anish Bhimani; he is the managing
director and chief information risk officer, JPMorgan Chase and
is chairman of the Financial Services Information Sharing and
Analysis Center, also known as the FSISAC, industry-wide
organization charged with facilitating information sharing
among the various members of the financial services sector as
well as Government agencies. He has served as chairman since
2011 and on the board since 2009.
Next we have Mr. Gary Hayes; he is the vice president and
chief information officer at CenterPoint Energy. In this
position he oversees the information technology infrastructure
and systems for the company's electric and gas delivery
services, some actually in my district. Mr. Hayes has decades
of experience in the field of energy infrastructure protection.
Thank you for being here today.
Last we have Ms. Michelle Richardson; she is the
legislative counsel with the American Civil Liberties Union
where she focuses on National security and Government
transparency issues. Before joining the ACLU, Ms. Richardson
served as counsel to the House Judiciary Committee where she
specialized in National security and civil rights.
We look forward to hearing from all of you. Your full
statements will appear in the record, and I would also like to
note that Mr. Dean Garfield, CEO of the IT Industry Counsel was
also scheduled to appear but had a scheduling conflict. I ask
unanimous consent that his statement be entered into the
record.
Without objection, so ordered.
[The information follows:]
Prepared Statement of Dean C. Garfield
March 13, 2013
Chairman McCaul, Ranking Member Thompson, and Members of the
committee, thank you for the opportunity to testify today. I am Dean
Garfield, president and CEO of the Information Technology Industry
Council (ITI), and am pleased to testify before the House Committee on
Homeland Security on the important topic of cybersecurity. ITI
represents global leaders in innovation, from all corners of the
information and communications technology sector, including hardware,
software, and services.
You have asked ITI to speak on the topic of cyber threat
information sharing. Within that context, I would like to focus my
testimony today on three areas: (1) The opportunity facing the United
States to establish a cybersecurity policy framework that is a model
for the rest of the world; (2) the critical role of bidirectional
industry-Government information sharing in a robust cybersecurity
policy framework; and (3) key considerations regarding how U.S.
civilian agencies can effectively contribute to effective information
sharing.
our opportunity: the right cybersecurity policy framework
I want to begin by stating a fact I think all of us agree on: We
all are committed to protecting the Nation from cyber threats. The tech
sector, other industries and stakeholders, Federal and State
governments--we share a common responsibility to work collaboratively
to provide effective, forward-thinking strategies and solutions that
safeguard the American people and the networks and systems upon which
we all rely. For us in the tech sector, this responsibility is part of
our ethos. It is built into every one of our products and services.
During the past few years, both Congress and the administration,
working with numerous private-sector stakeholders, have sought to
create policies to improve America's cybersecurity posture,
particularly critical infrastructure (CI) cybersecurity. We commend the
efforts our policymakers have devoted to the unique challenge of better
protecting America's citizens, critical assets, and infrastructures
from ever-evolving cyber threats.
ITI and our member companies have been deeply involved in the
policymaking process. Our views are based on a comprehensive set of
cybersecurity principles for industry and Government we developed to
better inform the public cybersecurity discussion.\1\ ITI's six
principles aim to provide a useful and important lens through which any
efforts to improve cybersecurity should be viewed. To be effective,
efforts to enhance cybersecurity should:
---------------------------------------------------------------------------
\1\ http://www.itic.org/dotAsset/191e377f-b458-4e3d-aced-
e856a9b3aebe.pdf.
---------------------------------------------------------------------------
(1) Leverage public-private partnerships and build upon existing
initiatives and resource commitments;
(2) Reflect the borderless, interconnected, and global nature of
today's cyber environment;
(3) Be able to adapt rapidly to emerging threats, technologies, and
business models;
(4) Be based on effective risk management;
(5) Focus on raising public awareness; and
(6) More directly focus on bad actors and their threats.
We were pleased the cybersecurity bills passed by the House last
year--on cybersecurity R&D, cybercrime, education and awareness,
information sharing, and others--embodied these principles. We
understand many of the ideas Members of Congress are contemplating this
year will enable these approaches. We are also appreciative that the
President's recent Executive Order adopts these same principles.
Overall, the United States appears to be embracing a cyber environment
that encourages efficiency, innovation, and economic prosperity while
promoting security, business and individual privacy, and civil
liberties.
The United States is, however, not the only country grappling with
how to develop the right cybersecurity framework. Governments around
the world are also wrestling with important questions of how to protect
their citizens and businesses in the face of ever-evolving cyber
threats. Unfortunately, the approaches some other governments are
taking do not always put innovation and collaboration first. Some
governments are enacting inflexible, heavy-handed cybersecurity-related
laws and policies that are rooted in top-down regulation and technology
mandates. Most worryingly, these mandates are country-specific and thus
at odds with global best practices. Such approaches rarely provide
better security and in many cases may weaken security and disrupt
global commerce and innovation.
Thus, the U.S. approach is important for an additional reason. We
can and must set a good example for the rest of the world about the
right way to approach cybersecurity policy. And as we execute on our
approach, it will be important that we in both Government and industry
collaborate with our peers around the world to tackle our shared
challenge. Cyberspace is a global and interconnected domain that spans
geographic borders and National jurisdictions. Top-down approaches
being pursued in other nations undermine the greater global
collaboration that is needed to respond to threats. The U.S. Government
must proactively seek dialogues with our trading partners about how to
achieve the requisite levels of security needed to meet National
security concerns while preserving interoperability, openness, and
economic development.
the role of bi-directional industry-government information sharing
Mr. Chairman, Mr. Ranking Member, effective sharing of actionable
information among and between the public and private sectors on cyber
threats, and incidents is an essential component of improving
cybersecurity. To be as nimble and flexible as many cyber intruders
are, we need an improved information-sharing system that operates in
real time, ensures protection of personal data, and is bi-directional--
from the private sector to Government, and from Government to the
private sector. Of course, effective information sharing itself is not
the goal. What matters is the action relevant stakeholders take with
that shared information to manage and mitigate cyber risk. But we know
from experience that, once effectively informed of the specific threats
they face, organizations take appropriate and reasonable measures to
mitigate them.
Although many public and private-sector entities participate in
information-sharing activities, there is broad agreement that gaps
exist. ITI has worked closely with policymakers over the past few
years, providing ideas and possible solutions for what types of
improvements could and should be made. Overall, our recommendations
fall into four general areas.
First, we should improve upon existing information-sharing
organizations rather than create new structures. We need to better
leverage our current organizations and evolve them into more effective
partnerships for true sharing. Dozens of organizations and structures
play important roles facilitating cybersecurity information sharing
among private entities and between the private and public sectors. Some
key examples include the Information Sharing and Analysis Centers
(ISACs), the U.S. Computer Emergency Readiness Team (US-CERT), and the
National Cybersecurity and Communications Integration Center (NCCIC).
These and other organizations represent nearly all sectors of the
economy as well as Federal, State, and local governments.
Second, we must improve the flow of actionable information from
Government to industry. Government has unique insight into certain
types of threats or hazards. When provided with this insight, the
private sector's ability to assess risks, make prudent security
investments, and develop appropriate resiliency strategies is greatly
enhanced. The Executive Order intends to improve the Government's
sharing of actionable information with the private sector on specific,
targeted cyber threats and technical indicators that flag risks
generally. We hope these changes are executed quickly, but we also
believe that more needs to be done legislatively to build on the
Executive Order.
Third, we must address liability concerns that impede information
flows. Private entities holding information about cybersecurity risks
often decline to voluntarily disclose it, or delay disclosure, for fear
of lawsuits or regulatory actions. There is a need for limited safe
harbors in these cases, and this is a key role for Congress. We look
forward to also working with you to pass legislation in this regard.
Finally, privacy must be protected while information sharing is
increased. We believe effective cybersecurity should strengthen
personal privacy. For that reason, a policy framework must ensure that
information that companies might share with the Government and each
other for cybersecurity purposes should only be used for those
purposes. This will protect civil liberties and at the same time give
companies confidence that what they share will not be used for
unrelated, unintended purposes.
the way forward: the role of u.s. civilian agencies
As we work to improve Government-industry information sharing, ITI
understands policymakers are thinking about how the U.S. Government can
better coordinate and execute its roles and responsibilities vis-a-vis
the private sector in this area. Civilian agency leadership in this
regard is critically important. ITI believes that whatever agency has
principal responsibility for cybersecurity information sharing
coordination should follow three key tenets. First, the lead agency
needs to build on existing Government resources so as not to create new
redundancies and confusion. Second, those tasked with this job must
have the technical proficiencies to be able to provide rapid, real-
time, situational awareness. Finally, the lead agency must ensure
Government-wide respect for the legitimate data security, privacy, and
civil liberties concerns I alluded to earlier.
conclusion
Mr. Chairman, Mr. Ranking Member, ITI and our member companies are
pleased you are continuing to consider how we can improve information
sharing for the purposes of cybersecurity. We stand ready to provide
you any additional input and assistance. In addition to this testimony,
we are submitting for the record two ITI papers that provide more
detailed recommendations on how information sharing can be improved.\2\
Thank you.
---------------------------------------------------------------------------
\2\ ITI Recommendation: Steps to Facilitate More Effective
Information Sharing to Improve Cybersecurity (October 2011), and ITI
Recommendation: Addressing Liability Concerns Impeding More Effective
Cybersecurity Information Sharing (January 2012).
The Chairman now recognizes Mr. Bhimani for 5 minutes for
his opening statement.
STATEMENT OF ANISH B. BHIMANI, CHAIRMAN, FINANCIAL SERVICES
INFORMATION SHARING AND ANALYSIS CENTER
Mr. Bhimani. Thank you, Mr. Chairman.
Chairman McCaul, Ranking Member Thompson, Members of the
committee, my name is Anish Bhimani and I am appearing today as
the chairman of the Financial Services Information Sharing and
Analysis Center, FSISAC.
The FSISAC was established in 1999 in response to
Presidential Decision Directive 63. It is a nonprofit
organization funded entirely by its member firms and sponsors.
Its membership is comprised of over 4,400 financial and banking
institutions, large and small, and it serves as a primary
industry forum for collaboration on the critical cybersecurity
threats facing the financial sector.
Despite the competitive nature of our industry, members of
the FSISAC recognize that the threat from cyber attacks affects
all of us. That defending the Nation's critical infrastructure
is not a competitive issue.
To effectively combat this threat, we must come together as
a sector and leverage the full capabilities of our collective
membership. Above all, the key to the success of the FSISAC is
trust amongst its members. Trust is not something that can be
mandated nor easily earned.
Indeed, over the past 14 years, FSISAC members have worked
tirelessly to engender trust amongst each other and promote the
flow of threat information across the sector. These efforts
have paid off significantly.
In January of this year, members of the FSISAC shared over
92,000 pieces of threat intelligence and approximately 400
events across the sector.
Equally critical is a strong partnership and close
collaboration with Government agencies. One example of this
partnership is the successful effort to obtain over 250 secret-
level clearances and several top-secret SCI clearances for key
financial services personnel. These clearances have enabled
FSISAC members to receive briefings on new security threats and
implement defenses to combat these threats.
We would like to see this process updated and expanded to
provide more clearances to the private sector and make it
easier for this information to be shared more broadly and
quickly with our members.
Another good example of partnership is the work of the
National Cybersecurity and Communications Integration Center,
NCCIC at DHS, of what we heard said earlier.
Since June 2011, FSISAC representatives cleared at the top-
secret SCI level have attended NCCIC daily briefs and other
meetings to share information on threats and potential impacts
to the sector. Our presence on the NCCIC floor has greatly
enhanced the sector's awareness of and ability to respond to
continuously evolving threats against the industry.
In 2011, a pilot program known as the Government
Information Sharing Framework, or GISF, was launched with the
Defense Department. Under the program, an initial 16 financial
services firms were granted access to advanced analysis on
cyber threats. The GISF provided an invaluable service of the
sector, enabling participants to receive actionable and timely
information that allow them to search for similar activity in
their own environments. Unfortunately, the Department of
Defense terminated the pilot program in December 2011 due to
funding limitations.
The FSISAC strongly supports not only restarting the GISF
program or a program like it, but also expanding its reach
across the entire financial services sector.
In addition to our DHS partnerships, we also benefit
tremendously from having a strong sector-specific agency,
specifically, the Treasury's Office of Critical Infrastructure
Protection plays an invaluable role to the sector serving as a
conduit between our members and the various agencies that play
a role in critical infrastructure protection. We believe that
given its knowledge of the industry, as well as its
relationship with various agencies, Treasury is uniquely
qualified to serve in that role.
Finally, I would like to point out that it is impossible to
discuss information sharing without also considering what
specific information we need to share in order to most
effectively protect our infrastructure.
Although much of the current debate around information
sharing has focused on the very important goal of protecting
privacy, we believe that much could be accomplished without
ever sharing any personal information. The most valuable
information we could gain, such as technical details of cyber
attacks, analysis of incident attack patterns, techniques and
trends and contextual information about threat actor groups and
campaigns tends to be extremely technical in nature and doesn't
necessarily need to include any personal information nor reveal
the organization affected.
Whatever information we receive, the most important thing
is that it be actionable and timely. Cyber threats are coming
out as faster than ever before and are growing increasingly
complex. As a result, receiving stale and outdated information
is of very little value. In fact, it is a drain on resources
and a waste of valuable time.
We are strong advocates of a framework where our respective
agencies and companies can deliver relevant information very
quickly at network speed with information flowing in both
directions.
In closing, please accept my thanks on behalf of the FSISAC
for the opportunity to address the committee on this critical
issue. The ability to share information across the sector as
well as our partners in Government and law enforcement, while
still protecting privacy and civil liberties is core to our
industry and our Nation's response of the growing threat.
I look forward to any questions the committee may have.
[The prepared statement of Mr. Bhimani follows:]
Prepared Statement of Anish B. Bhimani
March 13, 2013
Chairman McCaul, Ranking Member Thompson, and Members of the
committee, my name is Anish Bhimani, and I am the chief information
risk officer of JPMorgan Chase & Co. I am appearing today as the chair
of the Financial Services Information Sharing and Analysis Center (FS-
ISAC). I thank you for the opportunity to address the committee on the
important topic of roles and responsibilities of the Government and
private sector in the critical area of cybersecurity.
I would like to address a few points today: First, an overview of
the FS-ISAC, its charter, purpose, and membership; lessons learned with
regard to information sharing; perspectives on the FS-ISAC membership's
interaction with Government agencies; and finally, recommendations
around information sharing and cybersecurity governance.
fs-isac background
The FS-ISAC was established in 1999 in response to Presidential
Decision Directive 63. This directive, later updated by Homeland
Security Presidential Directive 7, required public and private-sector
organizations to share information about cyber threats and
vulnerabilities, with the goal of helping protect the Nation's critical
infrastructure. The FS-ISAC is a nonprofit organization funded entirely
by its member firms and sponsors. Its membership is comprised of
thousands of financial and banking institutions, large and small, and
its mission is straightforward--to provide the primary industry forum
for collaboration on the critical cybersecurity threats facing the
financial services sector. From 12 founding members at its inception,
the FS-ISAC has grown to over 4,400 organizations, including commercial
banks and credit unions of all sizes, brokerage firms, insurance
companies, exchanges and clearing houses, payments processors, and over
30 trade associations, representing the majority of the U.S. financial
services sector.
The overall objective of the FS-ISAC is to provide the financial
services sector with the information it needs to defend against cyber
threats and risk. It acts as a trusted third party that allows members
to share threat, vulnerability, and incident information in a timely,
trusted, and, if desired, anonymous manner. FS-ISAC information-sharing
services and activities include:
Delivery of timely, relevant, and actionable alerts from
various sources distributed through the FS-ISAC Security
Operations Center (SOC);
Trusted mechanisms to facilitate member sharing of threat,
vulnerability, and incident information, in either an
attributed or non-attributed manner;
Sector-specific groups and subcommittees that provide forums
for members in a given part of the sector, e.g., the Payment
Processors Information Sharing Council (PPISC), Insurance Risk
Council, Payments Risk Council, Community Institutions Council,
and the Clearing House and Exchange Forum (CHEF);
Bi-weekly threat information sharing calls for members and
invited security/risk experts to discuss the latest threats,
vulnerabilities, and incidents affecting the sector;
Engagement with private-security companies to identify
threat information of relevance to the membership and the
sector;
Development of risk mitigation best practices, threat
viewpoints and toolkits, as well as member-driven research
regarding best practices at member organizations;
Subject Matter Expert committees, including the Threat
Intelligence and Business Resilience Committees, which provide
in-depth analysis of risks to the sector, and provide
technical, business, and operational impact assessments, as
well as strategies to mitigate risk; and
Participation in sector, cross-sector, and National
exercises and drills, such as the Cyber Attacks Against Payment
Processes (CAPP), National Level Exercise 2012, and the Cyber
Storm series.
Despite the competitive nature of our industry, members of the FS-
ISAC recognize that the threat from cyber attacks affects all of us,
and that defending the Nation's critical infrastructure is not a
competitive issue. We all recognize that to effectively combat this
threat, we must come together as a sector and leverage the full
capabilities of our collective membership. We also know that we must
trust one another. Trust, simply put, is the key to the success of the
FS-ISAC, and any information-sharing model.
Trust is not something that can be mandated, nor easily earned.
Indeed, over the past 14 years, FS-ISAC members have worked tirelessly
to engender trust amongst each other and are using all of the
capabilities listed above to promote the flow of threat information
across the sector. As an example, the FS-ISAC has built a model for
sharing information in an authenticated, but anonymous, manner for
those organizations that wish to take advantage of it. In addition, we
have instituted a ``traffic light'' protocol, indicating levels of
information sensitivity and how information may be disseminated to the
membership, partners, and other organizations. These mechanisms have
effectively and efficiently enabled the amount of information shared
among FS-ISAC members to grow from a mere trickle a few years ago, to a
veritable (but manageable) flood today. In January 2013, members shared
over 92,000 pieces of threat intelligence and approximately 400 events
across the sector.
u.s. government interaction
Equally critical as industry collaboration is our partnership with
Government agencies. We could not protect ourselves against cyber
attacks without extremely close collaboration, partnership, and most
importantly, information sharing, with a number of Government
agencies--most notably, the U.S. Department of Treasury and the
Department of Homeland Security, but also the Federal Reserve, Office
of the Comptroller of the Currency, United States Secret Service, U.S.
Cyber Command, Federal Bureau of Investigation, National Security
Agency, Central Intelligence Agency, and State and local governments.
Additionally, the FS-ISAC is a member of, and partner to, the Financial
Services Sector Coordinating Council (FSSCC) for Homeland Security and
Critical Infrastructure Protection, established under HSPD7, and works
extremely closely with the Financial and Banking Information
Infrastructure Committee (FBIIC), under the auspices of the President's
Working Group on Financial Markets. These organizations and
relationships are part of the financial sector's long history of
public-private partnership with various Government agencies in the area
of cybersecurity.
One example of this partnership is the successful effort by the
Department of Treasury, Homeland Security, FBI, U.S. Secret Service,
and other partners to obtain over 250 secret-level clearances and
several TS/SCI clearances for key financial services sector personnel.
These clearances have enabled FS-ISAC members to receive briefings on
new security threats and have provided useful information to the sector
to implement effective controls and defenses to combat these threats.
We know that this process is not always easy, and that sponsoring
private-sector clearances has, historically, been difficult. But in our
view, given how much cyber information is classified, it is absolutely
essential that private-sector representatives have access to this
information. The FS-ISAC would like to see this process updated and
expanded to provide more clearances to the private sector, and make it
easier for this information to be shared more broadly and quickly with
our members.
Another good example of partnership is the work of the National
Cybersecurity & Communications Integration Center (NCCIC) at DHS. In
June 2011, the FS-ISAC became the fourth private-sector organization to
place staff on the floor at the NCCIC. Specifically, FS-ISAC
representatives, cleared at the Top Secret/SCI level, attend NCCIC
daily briefs and other meetings to share information on threats,
vulnerabilities, incidents, and potential impacts to the sector. These
individuals interact on a daily basis with the NCCIC, routinely submit
and respond to requests for information, collaborate on analyses and
work with the NCCIC staff to determine what information from the NCCIC
would be of use to our members, and what can be shared with whom. Over
the past 18 months in particular, our presence on the NCCIC floor has
greatly enhanced situational awareness and information sharing between
the sector and the Government, as well as across other critical
infrastructure sectors that participate on the floor. More recently,
the FS-ISAC has embedded a full-time staff person on the NCCIC floor in
addition to the part-time resources that were deployed last year.
One of the high points in the public-private partnership with the
sector occurred in 2011 when a pilot program, known as the Government
Information Sharing Framework (GISF) was launched with the Defense
Department. Under the program, an initial 16 financial services firms
(with a plan to expand participation later) were granted access to
advanced threat information, as well as to classified analysis on
threat actors and mitigation techniques. The GISF provided an
invaluable service to the sector, enabling the pilot participants to
receive actionable, timely, and contextual information that allowed
them to search for similar threat activity in their own environments.
It also allowed private-sector participants to adjust their assessments
of cyber espionage threats using intelligence that had previously been
unavailable. The program jump-started new efforts across the industry
and helped reshape the sector's approach to assessing cyber espionage
risks.
Unfortunately, the Department of Defense terminated the pilot
program in December 2011 due to funding limitations. The GISF was a
significant leap forward in the public-private partnership, and
represented a critical line of defense in mitigating the growing cyber
threat. The loss of that information feed has already been felt, as
numerous financial institutions have experienced activity from actors
first identified through GISF reporting and intelligence. The FS-ISAC
strongly supports not only restarting the GISF program, but also
expanding its reach across the financial services sector. We urge
Congress and the Department of Defense to resolve any outstanding
funding or authorization issues and reinstate this crucial program.
As you can see, the financial services sector, and the FS-ISAC in
particular, work in collaboration with a wide range of Government
agencies--probably more than anyone would imagine. At the same time, we
benefit from having a strong sector-specific agency--the Treasury
Department--that allows us to navigate the various Government agencies
involved in cybersecurity.
Specifically, the Treasury's Office of Critical Infrastructure
Protection plays an invaluable role to the sector, serving as a conduit
between our members and the various Government agencies that play a
role in critical infrastructure protection. We believe that, given its
knowledge of the financial services industry, as well as its
relationship with various intelligence agencies, Treasury is uniquely
qualified to serve in that role. Regardless of which organization is
involved, however, the key is that we receive timely, actionable data
from the appropriate source, whoever that is, so that we can take the
appropriate action.
creating a useful information sharing framework
There are two critical elements to creating a useful information-
sharing framework: Determining what information should be shared, and
developing robust processes for sharing timely information.
In thinking through this problem, it is impossible to construct an
effective information-sharing framework without also considering what
specific information we need to share to most effectively protect our
infrastructure. Although much of the current debate around information
sharing has focused on the important goal of protecting personal
information, we believe that much could be accomplished without ever
sharing personally identifiable information. With that in mind, here
are a few examples of information we at FS-ISAC believe would be most
helpful to share:
Technical details of cyber attacks as seen on networks, in
IT systems, or by victims, including IP addresses of attackers
and their networks;
Analytic content of incidents, attack patterns, and trends
without revealing the organization affected;
Analysis of technical details to determine the techniques,
tools, and procedures that adversaries are using to target
victim organizations;
Contextual information about threat actor groups and
campaigns;
Information about the motivation, objectives, and
capabilities of these groups or campaigns.
In addition to those most critical data elements we think must be
shared, we also believe that critical infrastructure owners and
operators would benefit from having a much stronger framework around
how we share.
The cybersecurity threats the financial industry faces are coming
at us faster than ever before, and are growing increasingly complex. As
a result, receiving stale and outdated information is of very little
value in protecting our infrastructure--in fact, it is a drain on
resources, and a waste of valuable time. We are strong advocates of a
framework where our respective agencies and companies can deliver
relevant information very quickly, at network speed, with that
information flowing in both directions.
Why is that important? Today, we in the private sector face attacks
that were once directed only against major Government institutions.
Government agencies may have established strategies and tactics to deal
with those attacks that would be valuable to those us facing similar
threats. Likewise, the financial sector has collectively established
strategies and tactics that may be of use to Government agencies.
Sharing these strategies and tools to deal with advanced threats
comprehensively and quickly would do a great deal to help us all fight
advanced attackers.
conclusion
In closing, please accept my thanks on behalf of the FS-ISAC for
the opportunity to address the committee on this critical issue. The
risks associated with cyber attacks and threats are real, and of
paramount importance to the financial industry as a whole. The ability
to share information across the sector, as well as with our partners in
Government and law enforcement, while still protecting privacy and
civil liberties, is core to our industry and our Nation's response to
the growing threat.
I look forward to any questions the committee may have.
Chairman McCaul. Thank you, Mr. Bhimani.
The Chairman now recognizes Mr. Hayes for his testimony.
STATEMENT OF GARY W. HAYES, CHIEF INFORMATION OFFICER,
CENTERPOINT ENERGY
Mr. Hayes. Thank you Chairman McCaul, Ranking Member
Thompson, and Members of the committee. My name is Gary Hayes,
I am the chief information officer for CenterPoint Energy and
thank you for inviting me to testify and share my experiences
and perspectives on cybersecurity and our Nation's critical
infrastructure.
A few quick points about CenterPoint Energy, we are
headquartered in Houston, Texas. We have electric transmission
and distribution, natural gas distribution and interstate
pipeline. We serve over 5 million metered customers, primarily
in Arkansas, Louisiana, Minnesota, Mississippi, Oklahoma, and
Texas.
In other words, we are the owner/operators of multiple
critical infrastructure systems. We take cybersecurity
seriously.
As identified in our enterprise risk management program is
one of the highest corporate risk. We have been in the cyber
business for well over 10 years. The issue is the game has
changed. The volume, voracity, and variety presented by
extremely sophisticated and organized bad actors whose intent
is to steal information or impact operations continues to
exponentially evolve.
The question is: How do we work together to meet these
dynamic and ever-changing and evolving threats?
I strive to keep my team focused by reminding them we need
excellent solutions quickly not perfect solutions eventually.
We have to keep that same thought in mind.
Some key takeaways that I would like for us to talk about.
First, we need shared goals and collaboration. Excellent
solutions for collaboration, information sharing, and
technology sharing. It is very clear we need each other in this
cyber war, situational awareness, information, tools, and
techniques to be proactive and not reactive.
We must have a peer-to-peer partnership built on those
shared goals, objectives, and trust to achieve these results.
The good news is there are some examples of this today. Our
industry's collective cybersecurity work with the DHS, DOE,
TSA, and NIAC provides a foundation but we need more.
Second, we need a pragmatic cyber framework. A framework
must be based on the principles of risk and agility, a
framework that provides value. It must provide learning,
strategies, objectives, techniques, and tools that can be
aligned with that risk.
Another challenge is there is energy providers from
hundreds of customers to millions of customers. So our solution
has to be scalable. A one-size-fits-all will be ineffective and
costly.
Finally, we must have incident readiness. The reality is
advanced persistent threat actors are not going away and the
risk of cyber incidents remain. Increased situational awareness
coupled with joint response and recovery plans have to be
incorporated into everyone's current operating procedures.
As I mentioned before, the effort in the electric sector
with NIAC is an excellent example of an emerging Government and
industry effort to address resiliency and incident response.
In closing, I grew up in Oklahoma right in the heart of
Tornado Alley. Any time a large thunderstorm rolled across the
plains, my mom had us in the cellar. My dad stood at the top of
the stairs looking at the sky trying to see if a funnel cloud
was forming. Sometimes we were there for hours.
Now flash forward a few decades, today we have tremendous
situational awareness, meteorology based on advances in
technology tell us when the funnel is forming. How strong is
the tornado? What is the path and the time that it is going to
reach our location? Couple this with education of the public,
improvements and construction techniques and emergency response
plans and we dramatically changed tornado safety.
Looking back, I realize my parents were being responsive to
the best information they had. The risk of not acting was too
great.
Today, I feel I am standing at the top of the cellar stairs
looking to the skies and watching for that cyber tornado. We
have protection in place but constant vigilance is our mission
in this cyber storm. In summary, we must join in shared goals,
peer-to-peer collaboration to be proactive and to be prepared.
Chairman McCaul, Ranking Member Thompson, and Members of
the committee, we appreciate the opportunity to share our
perspectives and stand ready to assist you in your efforts as
you move forward to protect our critical infrastructure.
[The prepared statement of Mr. Hayes follows:]
Prepared Statement of Gary W. Hayes
March 13, 2013
overview
Chairman McCaul, Ranking Member Thompson, and Members of the
committee, my name is Gary Hayes and I am the chief information officer
for CenterPoint Energy. Thank you for inviting me to testify on my
experiences and perspectives on protecting critical infrastructure from
cyber attacks.
CenterPoint Energy, Inc. (``CenterPoint Energy''), headquartered in
Houston, Texas, is a domestic energy delivery company that includes
electric transmission and distribution, natural gas local distribution,
natural gas gathering and processing, interstate pipelines, and
competitive natural gas sales and services. It has assets totaling more
than $21 billion. Our company has approximately 8,800 employees and
serves more than 5 million metered customers primarily in Arkansas,
Louisiana, Minnesota, Mississippi, Oklahoma, and Texas.
As the CIO of CenterPoint Energy I am accountable for our
cybersecurity programs and have direct responsibility for our corporate
business systems' cybersecurity. Because of the diverse segments of the
energy infrastructure in which CenterPoint Energy's companies
participate, I coordinate, collaborate, and communicate with our
operational technology functions to define policies, procedures,
practices and programs in our efforts to provide cybersecurity. I have
a highly dedicated, educated, and capable team executing
responsibilities in this effort.
I also have the responsibility to represent and coordinate
representation of our company in industry and Government efforts
focused on cybersecurity.
We focus heavily on participation in relevant industry groups. I
participate on the American Gas Association (``AGA'') and Edison
Electric Institute (``EEI'') Cyber Task Groups and I coordinate with
David Jewell, senior vice president, Commercial Operations,
Optimization and Gas System, who represents CenterPoint Energy on the
Cyber Task Group for the Interstate Natural Gas Association of America
(``INGAA''). We also participate in numerous governmental, private, and
industry-related efforts focused on cybersecurity.
Our cybersecurity technologies operate across three areas:
Interstate pipelines, local gas distribution utilities, and an electric
utility. For cybersecurity purposes, our interstate natural gas
transmission pipelines are under the jurisdiction of the Transportation
Security Administration (``TSA''). Our local gas distribution companies
operate under the same jurisdiction but, for cybersecurity purposes,
have no single regulator because some of the Federal authority has been
delegated to the States. And, finally, CenterPoint Energy's electric
utility in the Houston, operates under the jurisdiction of the Federal
Energy Regulatory Commission (``FERC'') for compliance with North
American Electric Corporation reliability standards. We also work
voluntarily with a multitude of other groups including the Federal
Bureau of Investigation, Industrial Controls Systems Cyber Emergency
Response Team (ICS-CERT) and the Department of Energy (DOE) and, of
course, Department of Homeland Security (DHS).
My goal today is to share CenterPoint Energy's perspective with
regards to cybersecurity challenges, activities, and opportunities.
That perspective is this: Cyber threats are evolving and require
collaboration, information sharing with the Government, and continued
collaboration with the industry to effectively protect the Nation's
critical infrastructure. Our goal is to focus our resources on facing
the cyber threat.
This perspective is shaped by our experiences and participation in
industry groups as well as our collaboration with several Governmental
agencies including the DOE, DHS, and the TSA. Furthermore, our
relationship with members of our supply chain, our suppliers and
vendors, is critical. From these experiences, we have determined that
we need the ability to respond in a quick and agile manner, as well as
continuously improve our capabilities to respond. Collaboration is the
key.
As a critical energy transporter and distributor to the Nation, we
know that we have responsibilities to the public, our customers, and
our shareholders. We have prioritized our cybersecurity efforts in
parallel with our corporate philosophy.
(1) Public Safety
(2) Energy Delivery
(3) Customer Service
I hope this document provides a helpful ``participant's view and
perspective'' as we work together to protect our company and our
Nation's critical infrastructure.
cybersecurity efforts and collaboration
CenterPoint Energy has a long history of safe and reliable energy
delivery to our customers. Our team members take pride in getting up
every morning with this mission top of mind. To this point, we take
protection of the public, our control systems, customer and employee
information, critical infrastructure information, and intellectual
property very seriously. Cybersecurity has been incorporated into our
processes, procedures, and operations through various mechanisms over
time. But, we do recognize that the current cyber environment has
escalated beyond historical expectations and our efforts must and will
continue to evolve in order to meet these dynamic and ever-evolving
threats.
We have evolved from a strategy of ``perimeter defense'' (e.g.,
keep the bad actors out) to a strategy of ``depth-in-defense''
(recognition that technology system perimeters were susceptible to
compromise, depth-in-defense provides increased reliance on detection
and response mechanisms to address threats within the protection
perimeter). We have established objectives, techniques, talent, and
tools to assist us in our current efforts. We have also focused on
educating our workforce, as they represent the first line of defense.
However, we recognize our cybersecurity capabilities must continue to
evolve. This recognition comes from education and collaboration with
industry and Government. Our objectives are to mature and enhance our
strategy and move to an ``agile defense''.\1\ In particular, we will
enhance our focus on the people, processes, and technologies that can
be managed, monitored, tested, measured, and continuously improved.
---------------------------------------------------------------------------
\1\ An enhanced comprehensive security strategy referred to by NIST
as ``agile defense''. Agile defense combines traditional perimeter,
depth-in-defense, and depth-in-breadth, which is a planned, systematic
set of multidisciplinary activities that seek to identify, manage, and
reduce risk of exploitable vulnerabilities at every stage of the life
cycle. Life cycle is the network that includes product design and
development; manufacturing; packaging; assembly; system integration;
distribution; operations; maintenance; and retirement.
---------------------------------------------------------------------------
As an important part of the energy delivery value chain, we are
also enhancing resiliency, which is our ability to respond quickly to
attacks and to maintain critical services. As we have learned through
our participation in many of the cyber discussions, ``bad actors will
get in''. It is not a matter of ``if'' but a matter of ``when.''
Therefore, we continue to evolve our capability to respond and operate
in a compromised state.
Identifying and coordinating with the right stakeholders is vital
to that evolution.
First, we believe that participation with industry coalitions is
critical. Our collaboration with fellow energy sector members allows us
to continually learn and incorporate leading practices, provide mutual
assistance and educate stakeholders and policy makers of real risks and
possible solutions. We encourage and assist in collaboration between
AGA, EEI, INGAA, and key policymakers.
Second, collaboration between the public and private sector is a
vital part of cyber protection. Deployment of the SmartGrid in Houston
presented us with the opportunity to work with DOE, DHS, and other
Federal agencies in order to successfully deliver advanced metering
capabilities. Throughout the process, we collaborated with Government
stakeholders to incorporate customer protection and cybersecurity into
our design and operations. This could not have been achieved without
information sharing, a focus on quality and integrity, strong risk
management, and joint objectives--all of these achieved through
collaboration.
Those partnerships are also critical for our intelligent grid
project and we look forward to continuing those relationships.
Other examples illustrating the success of public-private
partnerships are the joint industry and Governmental initiatives that
developed the electric sector cybersecurity Capability Maturity Model,
guidelines for the natural gas pipeline sectors' Pipeline Security
Guidelines and many more activities that have benefited CenterPoint
Energy and our industry. These collaborative efforts focused on
targeted objectives and provided tangible programs, information, tools,
techniques, and knowledge to help us enhance our efforts in this war
against cyber threats. We encourage Congress to promote continued focus
on private and public partnerships for the protection of our National
security.
And, finally, cybersecurity collaboration must take into account
the entire life cycle and supply chain. Therefore, we must recognize
the essential participation of our vendors and suppliers in this
effort. They have worked with us to provide products and solutions to
meet the demands of this challenge. Our joint goals and efforts focus
on design, testing, and improvement of products to understand quality,
integrity, risks, threats, mitigations, and management of these
solutions in our operating environment.
cybersecurity participant observations
There is a set of common themes that we see emerging from our
cybersecurity efforts and dialogues:
Shared Goals.--Identifying and merging the focus and priorities of
the stakeholders is a key to success.
Risk-Based Approach.--A risk-based approach is fundamental to our
efforts. Goals should be prioritized and articulated clearly. Solutions
should be focused and yet flexible. A ``one-size-fits-all'' approach
won't work for unique problems. There are utility service providers
serving hundreds of customers and others serving millions of customers;
therefore, the risk profile will influence the objectives, techniques,
and tools to effectively manage cybersecurity.
Information Sharing and Situational Awareness.--We desire a defined
collaborative process to share information in a quick, secure, and non-
prejudicial fashion. That process should educate us in ways that we can
be proactive and not reactive. Throughout many conferences, meetings,
calls, and other interactions, we continue to hear that the ICS-CERT
serves as a strong template for developing a working model of
collaboration. ``Boots-on-the-ground'' security team members find this
of great value in their efforts in the cyber war. We believe this is an
example of information sharing that provides actionable information,
support to our industry, and brings value to public-private
partnership.
Leveraging Tools and Techniques.--Although we, and many others,
employ market-leading technologies and information solutions, we
believe our effort would be greatly enhanced by leveraging cyber
technologies and solutions utilized by Governmental organizations and
fellow industry members. We recognize there are many obstacles, but
today's cybersecurity challenges require us to remove these obstacles
and provide a repeatable and supportable path to facilitate results.
Each day of delay is another day of opportunity for advanced persistent
threat actors.
Security Clearance.--Expanded security and expedited clearance for
appropriate personnel within the private sector and expedited
communication of critical information is critical to the ability of
owners and operators to be proactive and responsive to emerging
threats. We were pleased to see such a provision in the President's
Executive Order on cybersecurity.
Cybersecurity Regime.--A cybersecurity framework must prioritize
the principle that agility is the key to responding to cyber threats.
An overly burdensome and prescriptive regulatory regime will be
increasingly challenged to keep pace with evolving cyber threats. A
beneficial framework not only defines capabilities, but provides
learning, methodologies, objectives, and techniques (tools and
measures) to achieve the required results. In conjunction with risk-
based analysis, that type of framework can be leveraged by all
participants to mitigate threats.
Incident Management.--The reality is advanced persistent threat
actors are not going away and the risk of a cyber incident will remain
top of mind for the foreseeable future. Increased situational awareness
coupled with response and recovery plans will be incorporated into
existing emergency operating procedures.
A leading effort on incident management comes under the auspices of
the National Infrastructure Advisory Council (NIAC) report, several
electric utility CEOs are engaged in an on-going partnership with the
White House National Security Staff and senior officials throughout the
Government, including Department of Energy Deputy Secretary Daniel
Poneman and Department of Homeland Security Deputy Secretary Jane Holl
Lute. This collaboration has resulted in several Government-industry
initiatives, one of which is to identify roles and responsibilities
that will expedite response and recovery should a major power
disruption occur.
Collaboration.--All of these themes require partnerships with
industry and Government. Collaboration is essential to our combined
mission of protecting the public, customers, employees, critical
infrastructure, intellectual property, and National security. Notable
examples demonstrating the strength of collaboration between public and
private sectors include the Industrial Control Systems Joint Work Group
(ICS-JWG) and the TSA-sponsored public-private partnership which
supports the National Infrastructure Protection Plan (NIPP).
To illustrate further, I offer the case of our interstate gas
transmission pipelines where the cyber collaboration with the Federal
Government began through our work with INGAA and AGA. After the
September 11 attacks, and before the TSA or the DHS were created, we
voluntarily collaborated through INGAA and AGA with the then-Research
and Special Programs Administration within the Department of
Transportation (DOT) to develop the initial Pipeline Security
Information Circular. This collaborative approach to developing and
implementing security measures continues to this day in our
collaboration with the TSA. Since that time, gas pipeline owners and
operators have worked with TSA to safeguard and protect our
infrastructure's security--both from physical and cyber attacks. As a
result of years of work and collaboration between owners and operators
and the TSA we have a strong, trust-based collaboration--a public-
private partnership. This approach, and the relationship it fostered,
produced robust, thorough cyber guideline development for natural gas
transmission pipelines even before the ``911 Act'' became law.\2\
---------------------------------------------------------------------------
\2\ Implementing Recommendations of the 9/11 Commission Act.
---------------------------------------------------------------------------
TSA is using a voluntary partnership approach because it works. TSA
and the private sector partner in order to leverage the collective
expertise and experience of the Government and private industry in
finding practical solutions to cybersecurity. This approach and the
relationship it has fostered have produced robust cybersecurity
guidelines and best practices for natural gas transmission pipelines.
The TSA approach builds on what has been proven through experience:
Public-private partnerships for cybersecurity generate solutions. A
Congressional Research Service August 2012 report, ``Pipeline Cyber
Security: Federal Policy,'' stated that ``TSA officials assert that
security regulations could be counter-productive because they could
establish a general standard below the level of security already in
place at many pipeline companies based on their company-specific
security assessments.'' Moreover, the report notes that ``[b]ecause TSA
believes the most critical U.S. pipeline systems generally meet or
exceed industry security guidance, the agency believes it achieves
better security with voluntary guidelines, and maintains a more
cooperative and collaborative relationship with its industry partners
as well.''
We believe that the key to effective cybersecurity is the trust
developed in partnerships like the one with TSA. The dynamic solutions
that are born of the public and private sector coming together are not
possible when the Government is only acting as a regulator and
enforcer. The cybersecurity world moves too quickly for such
traditional regulatory models to be beneficial or productive.
conclusion
We take seriously the responsibility of protecting our customers,
employees, assets, and communities in which we operate, and thus
cybersecurity is a top priority for CenterPoint Energy. We also
recognize the importance of critical infrastructure to our National
security. Because cyber threats are constantly changing and evolving,
we support voluntary programs that encourage partnership,
collaboration, sharing of information and technology, and the
preparedness necessary to mitigate and respond to the ever-changing
nature of cyber attacks. We will not succeed in this effort alone. The
strengthening and expansion of industry and Government partnerships
provides our best front in this cyber war.
Chairman McCaul, Ranking Member Thompson, and Members of the
committee, we appreciate the opportunity to share our perspectives and
stand ready to assist you in your efforts to protect our critical
infrastructure.
Chairman McCaul. Thank you, Mr. Hayes. I appreciate your
analogy. It is well taken.
Now the Chairman now recognizes Ms. Richardson for her
testimony.
STATEMENT OF MICHELLE RICHARDSON, LEGISLATIVE COUNSEL, AMERICAN
CIVIL LIBERTIES UNION
Ms. Richardson. Chairman McCaul, Ranking Member Thompson,
thank you for the opportunity to testify today on the
Department of Homeland Security's role in cybersecurity.
This hearing is very timely. DHS is currently running major
cybersecurity programs in order to secure critical
infrastructure and Congress will likely vote on legislation
further defining its role in the coming months.
One of the most important decisions Congress will make is
whether domestic cybersecurity programs will remain in the
hands of civilian agencies, like DHS, or be ceded to the
military. Under long-standing American legal requirements and
policy traditions, the military is restricted from targeting
Americans on American soil.
Yet some are now arguing that cybersecurity should be the
exception and the National Security Agency should be empowered
to collect more information about internet users in order to
respond to on-line threats. Doing so would create a significant
new threat to Americans' privacy and must be avoided.
The NSA has developed extraordinary powers and has been
granted incredible legal leeway, all under the premise that its
spying would be turned outward against foreign enemies. Setting
it free to collect American information for cybersecurity would
be unprecedented.
This warning seems dire but that is because the
consequences are dire. If domestic cybersecurity programs are
ceded to the NSA, this committee, rank-and-file Members of
Congress and the American public will never hear of it again.
Keeping cybersecurity within DHS and within the jurisdiction of
this committee would enhance privacy and accountability in very
concrete ways.
In addition to being a bad deal for privacy, placing new
programs outside of DHS isn't even necessary from a security
perspective. The highest ranks of the intelligence community
agree that DHS should retain authority over civilian cyber
programs.
NSA Director Alexander has stated that his agency should
not be the public face of domestic cybersecurity and that DHS
should be the entity to deal directly with civilians, the
private sector, and the domestic internet.
The Obama administration continues to empower DHS and other
civilian agencies to pursue cybersecurity for critical
infrastructure in the public. The other panelists discussed in
their statements the many different existing programs and
information sharing hubs that are working successfully through
DHS and other agencies.
Its involvement in this area is only going to grow in light
of the recent Executive Order. For example, the much-touted
Defense Industrial Base Pilot Program, now known as the
Enhanced Cybersecurity Program, will be expanded to all
critical infrastructure and run by DHS. That program will
organize and facilitate the flow of information from the
Government to critical infrastructure.
Also under the Executive Order, DHS will conduct the first
inter-agency privacy analysis of cyber information sharing. As
noted by the other panelists, there are dozens of information-
sharing bodies within and outside of the Government, all
sharing different data pursuant to different statutes. No one
has ever reviewed those programs for their effect on privacy.
The President endorsed the Fair Information Privacy
Principles and that heartens us, and we look forward to DHS's
public report, due back next year. This committee could help
bring pressure to bear on the agencies in its jurisdiction to
ensure that they conduct a full and meaningful privacy analysis
as part of that product.
Since civilian control is decidedly better for privacy,
works from a security perspective, and is already being
implemented through current programs, it is disappointing that
a legislative proposal that would fundamentally alter this
balance is being considered.
The Cyber Intelligence Sharing and Protection Act, known as
CISPA, would create a cybersecurity exception to all privacy
laws, so that companies can share Americans' internet data with
each other and with the Government, even in the absence of a
warrant, subpoena, or emergency, and share that information
directly with military agencies like the NSA.
In its veto threat, the administration argued this bill,
``effectively treats domestic cybersecurity as an intelligence
activity and thus significantly departs from long-standing
efforts to treat the internet and cyber space as civilian
spheres.''
We hope the House will refer that bill to this committee or
that you will otherwise consider taking up legislation of your
own.
Thank you for this opportunity to testify. We look forward
to working with this committee going forward on DHS's role in
cybersecurity.
[The prepared statement of Ms. Richardson follows:]
Prepared Statement of Michelle Richardson
March 6, 2013
Good morning Chairman McCaul, Ranking Member Thompson, and Members
of the committee. Thank you for the opportunity to testify on behalf of
the American Civil Liberties Union (ACLU), its more than half-a-million
members, countless additional activists and supporters, and 53
affiliates Nation-wide, about the role of the Department of Homeland
Security (DHS) in protecting the cybersecurity of critical
infrastructure.
The topic of today's hearing is very timely. DHS is currently the
lead agency running major cyber programs on behalf of the Government
and critical infrastructure, but Congress is considering establishing a
new information-sharing regime that could collect cyber information
notwithstanding any of the privacy laws currently protecting Americans'
sensitive and personal data, and some proposals are unfortunately
questioning the role of DHS. Most Americans would agree that the
enhancement of on-line security is a worthy and appropriate goal for
those vested with the responsibility for safeguarding the interests of
all Americans. Protecting the right to internet privacy--a right with
roots in our Constitutional principles opposing unreasonable search and
seizure and assuring limited Government--is as critical a goal as
enhancing on-line security, and DHS is the agency best positioned to
handle such new authority in an effective and accountable manner. We
look forward to working with this committee to ensure that these new
cyber programs remain under civilian, rather than military control, and
that Congress conducts extensive oversight of all DHS programs to
ensure protection of privacy rights.
Cybersecurity programs can and must be run in accordance with the
Constitution and American values.\1\ The internet is an incredibly
useful and empowering tool that enhances public knowledge, broadens the
reach of our free speech rights, and eases and facilitates daily
business and personal activities. As a result, internet data is rich in
intimate details of our private and professional lives, such as where
we go, with whom we associate, what we read, our religious faith,
political leanings, financial status, mental and physical health, and
more. Protecting privacy is necessary for the public to feel confident
in continuing to engage with new and developing technology; any
cybersecurity initiatives should make protecting that privacy a
paramount goal.
---------------------------------------------------------------------------
\1\ The American Civil Liberties Union's letters to Congress,
comments to Federal agencies, blogs, and other cybersecurity materials
may be found at http://www.aclu.org/cybersecurity.
---------------------------------------------------------------------------
Many existing and proposed cyber efforts do not threaten the
privacy or civil liberties of every day internet users, and we urge
this Congress and the administration to pursue those programs and to
avoid alternative proposals that risk creating major new and
unnecessary surveillance programs. Appropriate programs for
Congressional or administrative action include those to secure
Government and military networks, educate the public on hygiene issues,
prosecute internet-based financial crimes, invest in research and
development, secure the supply chain of hardware, and share targeted
threat information with critical infrastructure.
i. the importance of keeping domestic cybersecurity programs within
civilian agencies
Under long-standing American legal requirements and policy
traditions, the military is restricted from targeting Americans on
American soil. Instead, domestic intelligence and law enforcement
activities are run by civilian authorities. Some are now arguing that
cybersecurity should be the exception, and that military agencies like
the National Security Agency (NSA) should be empowered to collect more
information about every-day American internet users in order to respond
to on-line threats. Doing so would create a significant new threat to
Americans' privacy, and must be avoided.
To date, the military vs. civilian debate has been skewed by the
intense focus on cybersecurity threats posed by hostile foreign
governments, or international terrorists, and the comparative
inattention to threats unrelated to National security. While advanced
persistent threats from foreign actors are real and require a
multifaceted response from the Government, it does not follow that all
cybersecurity incidents impacting domestic internet users should merit
a military response. Even by intelligence community estimates, those
dangers represent a small portion of the threats that affect American
internet users. Malware, financial crimes, and other threats that do
not rise to the level of international incidents make up the
overwhelming majority of malicious conduct on the internet. The
conflation of foreign spying and potential sabotage, with corporate
espionage, everyday internet crime, political statements, and
essentially prank behavior has inflated every internet malfeasance into
a potential National disaster. This hyperbole is simply not factually
accurate, and only serves to encourage policy decisions with serious
privacy and civil liberties implications.\2\
---------------------------------------------------------------------------
\2\ See, for example, Howard Schmidt, Price of Inaction Will Be
Onerous, NYT, Oct. 18, 2012, available at http://www.nytimes.com/
roomfordebate/2012/10/17/should-industry-face-more-cybersecurity-
mandates/price-of-inaction-on-cybersecurity-will-be-the-greatest.
---------------------------------------------------------------------------
Placing cyber programs under the jurisdiction of domestic civilian
agencies like DHS has real and far more positive consequences for
transparency and accountability. DHS's lead competition for cyber
programs--the NSA--is a black hole of information. Programs housed
there, like in the rest of the intelligence community, are not subject
to any meaningful public oversight. The NSA's activities appear to be
presumptively classified, and whatever oversight that takes place is
cabined in the Intelligence Committees, which conduct most of their
business behind closed doors.
One only need look to intelligence wiretapping for an example of
the dangers posed if Congress hands control over domestic cybersecurity
to the NSA. In 1978, Congress established the Foreign Intelligence
Surveillance Act (FISA) to govern foreign intelligence electronic
surveillance. Federal judges meeting in a secret court issued opinions
interpreting Americans' Constitutional rights and developed a secret
body of law that the American public has not been allowed to read. The
extreme secrecy around such intelligence programs helped conceal a
program of illegal and warrantless wiretapping for over 6 years.
Congress eventually amended the FISA to permit this warrantless
surveillance to continue, but included a sunset provision that was
scheduled to expire at the end of last year. Congress reauthorized it
without having a single open hearing with administration witnesses to
explain how this expansive authority affects Americans' privacy. While
some claim this evolution of expanded wiretapping as a success of the
intelligence oversight process, it reflects the limits and consequences
of housing these programs behind the intelligence wall.\3\
---------------------------------------------------------------------------
\3\ The Supreme Court recently ruled in Amnesty v. Clapper that
ACLU clients lacked standing to challenge the FISA Amendments Act of
2008, because they could not prove that surveillance of their
communications under the act was ``certainly impending,'' all but
foreclosing meaningful judicial review of that statute's
constitutionality.
---------------------------------------------------------------------------
If cybersecurity--with a set of programs dominated by non-military
and non-National security concerns--is ceded to the NSA, this
committee, rank-and-file Members of Congress, and the American public
will never hear of it again. Keeping cybersecurity within DHS and other
civilian agencies, and within the jurisdiction of this committee would
enhance, not harm, both security and privacy.
ii. the current role of the department of homeland security in
cybersecurity
Developments over the last several years have rightly steered
domestic programs into the DHS or other civilian agencies. In 2010, the
Secretary of DHS and the director of the National Security Agency (NSA)
signed an agreement that put DHS in charge of cybersecurity in the
United States, with the NSA providing support and expertise.\4\ The
President's recent Executive Order 13636 continues this approach,
putting DHS and the National Institute of Standards and Technology atop
the domestic cyber hierarchy, with consultation from the Attorney
General, the Privacy and Civil Liberties Oversight Board, and the
Office of Management and Budget.\5\ These major structural and policy
commitments add to long-standing DHS programs that share information
with companies and infrastructure operators, educate the public, and
secure Government systems.
---------------------------------------------------------------------------
\4\ MEMORANDUM OF AGREEMENT BETWEEN THE DEPARTMENT OF HOMELAND
SECURITY AND THE DEPARTMENT OF DEFENSE REGARDING CYBERSECURITY,
September 27, 2010, available at http://www.dhs.gov/xlibrary/assets/
20101013-dod-dhs-cyber-moa.pdf.
\5\ Executive Order 13636, Improving Critical Infrastructure
Cybersecurity, 78 Fed. Reg. 11739, February 12, 2013 [hereinafter
Executive Order].
---------------------------------------------------------------------------
DHS's role in the collection, use, and dissemination of
cybersecurity information has substantially grown over the last several
years. With the recent Executive Order, its participation will expand
again, especially in two areas. First, DHS will run the Enhanced
Cybersecurity Services program and facilitate the sharing of threat
indicators with critical infrastructure owners and operators.\6\
Information sharing in this direction--from Government to private
sector--has far fewer privacy implications than the reverse. It does
however cement DHS' role in information sharing and publicly available
Privacy Impact Assessments suggest that the agency is imposing
meaningful privacy protections for the personally identifiable
information (PII) coming into its possession. For example, PII is not
maintained in a system of records, and therefore is not searchable by
name or other identifiers, and information is not retained unless it is
``directly relevant and necessary'' to address a cyber threat.\7\
---------------------------------------------------------------------------
\6\ Id. at 4(c).
\7\ PRIVACY IMPACT ASSESSMENT FOR ENHANCED CYBERSECURITY SERVICES,
January 16, 2013, available at http://www.dhs.gov/sites/default/files/
publications/privacy/privacy_pia_nppd_ecs_jan2013.pdf, at 7.
---------------------------------------------------------------------------
Second, DHS will coordinate a review of current information sharing
programs to determine whether they meet the ideas in the Fair
Information Practice Principles (FIPPs).\8\ Currently, there is little
publicly available information about what agencies are currently doing
with cybersecurity information and this annual report will be the first
overarching review of these programs.
---------------------------------------------------------------------------
\8\ Executive Order at (5).
---------------------------------------------------------------------------
iii. emerging domestic information-sharing programs must be run by
civilian agencies such as dhs
Congress is considering a significant expansion of the Government's
authority to collect cybersecurity information, and if the expansion
moves forward, it is critical for civil liberties that they be run by
civilian agencies such as DHS. H.R. 624, the Cyber Intelligence and
Sharing Protection Act (CISPA), would exempt cybersecurity information
sharing from all privacy laws and reverse decades of statutory
protections for sensitive information like our communication,
financial, and internet information. It would permit corporations to
determine what information pertains to cybersecurity and allow them to
share it with the Government--including military agencies like the
NSA--and other corporations without making a reasonable effort to
shield or scrub out personally identifiable information that is
unnecessary to address the threat at hand. Companies would then be free
to use Americans' sensitive private information as they see fit, and
the Government could use it for certain reasons other than
cybersecurity. When one of those reasons--National security--is wholly
undefined, we are especially concerned that the military and
intelligence agencies accessing that information would consider
themselves to have free reign over such private records, under ever
expanding arguments of what National security includes. These and other
fundamental problems are why the ACLU continues to oppose CISPA.
One of the biggest problems with CISPA is that it does not require
companies that participate in this new information sharing regime to
work with civilian agencies, and instead allows them to share sensitive
and personal information directly with the NSA and other military
agencies. The bill's sponsors claim that American corporations insist
on dealing with the NSA and may withhold this information from the
Government altogether if directed to go elsewhere. This assertion does
not stand up, especially considering that the companies in question are
not part of the defense sector, and primarily offer services to the
public and the private sector. Companies that actually have defense
information are already permitted to participate in a NSA-run
information regime, and other potentially targeted sectors can continue
to work with the agencies that have long regulated them.
CISPA insists on giving the companies the authority to share
domestic, civilian internet information directly with the NSA even
though it neither wants nor needs it. NSA Director General Keith
Alexander has stated that his agency should not be the public face of
cybersecurity and does not need to directly receive domestic cyber
information.\9\ In fact, the House Intelligence bill is an outlier. The
administration's Statement of Administration Policy on CISPA in the
112th Congress, said that the bill:
---------------------------------------------------------------------------
\9\ Jennifer Martinez, General: Nation Needs DHS Involved in
Cybersecurity, THE HILL, Oct. 21, 2012, available at http://
thehill.com/blogs/hillicon-valley/technology/259547-general-nation-
needs-dhs-involved-in-cybersecurity-, (``I see DHS as the entry point
for working with industry,'' [General Keith ] Alexander said at an
event hosted by the Wilson Center and National Public Radio . . .
Alexander stressed that protecting the Nation's critical infrastructure
requires a team effort from the Government, including the involvement
of DHS. ``Where I sit, it's our job to help them be successful. I think
they're taking the right steps and it's the right thing to do,''
Alexander said. ``Our nation needs them to be in the middle of
this.''); Kim Zetter, DHS, Not NSA Should Lead Cybersecurity, Pentagon
Official Says, WIRED, Mar. 1, 2012, available at http://www.wired.com/
threatlevel/2012/03/rsa-security-panel/ (`` `Obviously, there are
amazing resources at NSA, a lot of magic that goes on there,' said Eric
Rosenbach, deputy assistant secretary of Defense for Cyber Policy in
the Department of Defense. `But it's almost certainly not the right
approach for the United States of America to have a foreign
intelligence focus on domestic networks, doing something that
throughout history has been a domestic function.' Rosenbach, who was
speaking at the RSA Security conference in San Francisco, was adamant
that the DHS, a civilian agency, should take the lead for domestic
cybersecurity, with the FBI taking a strong role as the country's
domestic law enforcement agency.'').
`` . . . effectively treats domestic cybersecurity as an intelligence
activity and thus, significantly departs from long-standing efforts to
treat the internet and cyberspace as civilian spheres. The
administration believes that a civilian agency--the Department of
Homeland Security--must have a central role in domestic cybersecurity,
including for conducting and overseeing the exchange of cybersecurity
information with the private sector and with sector-specific Federal
agencies.''\10\
---------------------------------------------------------------------------
\10\ OFFICE OF MANAGEMENT AND BUDGET, EXECUTIVE OFFICE OF THE
PRESIDENT, STATEMENT OF ADMINISTRATION POLICY, H.R. 3523, CYBER
INTELLIGENCE SHARING AND PROTECTION ACT, April 25, 2012, available at
http://www.whitehouse.gov/sites/default/files/omb/legislative/sap/112/
saphr3523r_20120425.pdf.
The Senate's most recent information-sharing legislation, Title VII
of the Cybersecurity Act of 2012, also made clear that cybersecurity
information should only go to a civilian agency.\11\ While a handful of
amendments to CISPA passed on the House floor last year, none of them
addressed this point. Members of the Intelligence and Homeland Security
Committees filed amendments that would have required new domestic
information sharing to be routed through civilian agencies, but they
were not made in order and did not receive a vote.\12\ The
administration, the Senate, and the privacy community are in agreement
that civilian control of these programs is not only good for civil
liberties, but workable from a cyber and National security standpoint.
CISPA stands alone in failing to follow this common wisdom.
---------------------------------------------------------------------------
\11\ S. 3414, The Cybersecurity Act of 2012, 112th Cong. (2012).
\12\ CISPA amendments filed with the with the House Rules Committee
are available at http://rules.house.gov/Legislation/
legislationDetails.aspx?NewsID=812. Amendment 19 by House Permanent
Select Committee on Intelligence Member Representative Jan Schakowsky
(D-IL) and amendment 21 by House Homeland Security Committee Ranking
Member Bennie Thompson (D-MS) would have ensured that new sharing under
CISPA would have gone to civilian agencies and DHS respectively.
---------------------------------------------------------------------------
iv. further areas for committee oversight of dhs cybersecurity
Because of the House's imminent efforts to expand information
sharing and the importance of keeping those programs in civilian hands,
this statement has focused on that proposal and how it fails from a
civil liberties and privacy perspective. But we also urge this
committee to undertake oversight activities of existing cybersecurity
programs. In particular, we urge the committee to review the
implementation of the EINSTEIN program, which works with providers to
scan Government systems for known cyber threats. The last Privacy
Impact Assessment on EINSTEIN was written in 2010 and there is little
public information about the broader application of the program and the
effectiveness of privacy requirements. The committee should also make
sure that agencies are participating meaningfully in the FIPPs review
discussed above so that DHS can do an overarching analysis of whether
privacy is protected in current programs.
v. conclusion
Thank you for the opportunity to share our views on cybersecurity
and the role of DHS. The administration is giving DHS increasing
responsibilities in this area and we hope that if information
collection programs expand, they too are housed in DHS. We look forward
to working with you on this and other civil liberties issues in the
future.
Chairman McCaul. Thank you, Ms. Richardson. This committee
is, again, committed to taking up legislation. I think you
raised some valid points and concerns in terms of a civilian
versus military space.
Let me start with Mr. Bhimani. Your sector has been perhaps
one of the most successful stories in terms of working with DHS
and protecting your critical infrastructure. Yet, has been
under attack, as you know, by countries like Iran and others
quite extensively.
Could you share with this committee your experiences with
your sector's participation with the NCCIC and how that has
worked for your industry?
Mr. Bhimani. Yes. Thanks very much for that recognition. I
think our Members obviously think that we should very seriously
devote thousands of people towards this problem. But
individually, you can only go so far.
So with all the challenges that maybe have been facing this
sector, I shudder to think what it would have been like if we
hadn't been sharing with each other and hadn't had that
partnership with both Treasury and DHS.
I think our presence on the NCCIC floor has really sped
that partnership significantly, being able to get information
both from the NCCIC as well as from our members to the NCCIC.
Chairman McCaul. Would you recommend--would it be your
recommendation--well, first of all, it has been successful for
you, your relationship with DHS and the NCCIC, is that correct?
Mr. Bhimani. Yes, it has. I think there is always ways to
improve any sort of partnership, but it is--if I compare it
with the relationship we had with various agencies years ago,
it is light-years ahead.
Chairman McCaul. Would you recommend in getting full
participation from the 16 ISECs out there to participate on the
NCCIC floor? Would that be helpful?
Mr. Bhimani. Yes. The same way I said that I think that we
as a sector recognize that us individually really have
responsibility for the whole sector, if you look at all those
sectors, there is a tremendous amount of dependency from one
sector onto another. We have as much dependency on the
electricity sector, the telecom sector, as we do on each other,
right.
So I do think that there is a certain--and with as much
progress as we made within the sectors, not just financial, but
otherwise, sharing with each other, I do think doing that would
significantly enhance cross-sector sharing, yes.
Chairman McCaul. I think that is going to be one of the
goals of this committee, is to get full participation from the
private sector.
Mr. Hayes, you obviously represent the energy side of the
house. Obviously, the Mandiant report out there talks about
China targeting our energy sector. Can you tell us about your
experience with DHS and the NCCIC and why that would be
valuable to codify that relationship into law?
Mr. Hayes. Sir we have had a good relationship with DHS,
primarily around the ICS-CERT. When I go to meetings within the
industry group and talk to the boots-on-the-ground security
people, it is probably one of the security organizations that
they reference the most in terms of the benefit it brings to
them.
In terms of the NCCIC, we are learning about that. We want
to understand that capability around situational awareness. As
I mentioned, it is better to see the storm coming, to deal with
it than have to react to it after the fact.
So those are the things that our industry is working with.
We are working also with NIAC through both DOE, NSA, DHS, and
several others, to look at a response plan for our industry as
we move forward.
Chairman McCaul. Well, that is good because we always talk
about the electric grid and how shutting that down would
potentially cause more damage than Sandy or other hurricanes,
if done effectively.
Ms. Richardson, I wanted you to expand, as you correctly
noted, that General Alexander, the director of NSA, sees DHS
having an important role with cybersecurity, particularly, as
he put it, being a civilian interface to the private sector.
Can you explain to this committee why that civilian interface
is so important?
Ms. Richardson. Sure. A lot of the press around
cybersecurity has really focused on foreign actors and attacks
at a very high level on our defense information, corporate
espionage.
But overwhelmingly, the cybersecurity programs that affect
everyday Americans are about everyday cyber crime, insecure
networks, things like that. Those do not merit a military
response. They should be handled by civilian agencies and the
capability has certainly been built up there.
We can certainly look over the last decade that, as the
Government has expanded its intelligence authorities, once you
go behind that intelligence curtain, there isn't oversight and
there isn't accountability and it operates in almost complete
secrecy, with even Members of the intelligence committees
saying that they don't have basic information on how these
programs are run.
We don't see that happening nearly as much in programs that
are run under DHS and are presumptively public.
Chairman McCaul. So do you believe that civilian
authorities over, say, the dot-com and the critical
infrastructures, as has been put forth by both President Bush
and Obama, is the better route to go?
Ms. Richardson. Absolutely. That doesn't necessarily
detract from the NSA and Defense working in its own sphere.
They have their own authorities and they will continue to build
them out.
However, as we turn to the public internet that everyday
Americans are using, it absolutely has to be controlled by
civilian agencies like DHS.
Chairman McCaul. We are trying--I was looking at that
bubble chart earlier, just trying to figure out the roles
between the--I believe they all have roles and there is plenty
work for everybody. I think it is clearly defining these roles
between the three agencies that is highly important. We need to
get this right before we pass legislation.
On the issue of privacy, Chairman Meehan and I are looking
for ways to ensure that privacy is protected under the
Constitution. We have looked at the Executive Order language as
a possible starting point.
I know that your group, the ACLU, for the most part has
been supportive of the language, in terms of the adoption of
the Fair Information Practice Principles for internal
information sharing. Is that a fair statement?
Ms. Richardson. Yes. We were very happy to see the
Executive Order embrace the FIPs. They represent principles
like transparency, accountability, minimization, control over
your own information. Those should be the bedrock going forward
for information-sharing programs.
Chairman McCaul. Okay. Well, thank you very much. That is
all I have for now. I now yield to the Ranking Member.
Mr. Thompson. Thank you very much, Mr. Chairman. I am most
appreciative of having other people talk about cyber, other
than just in a classified setting or some other kind of setting
where we can't talk about it.
Well, that kind of puts a muzzle on Members of Congress
from going forward and trying to do the right thing, because it
is presented to us in a manner where we can't talk about it.
So for this hearing, it has allowed us to hear from not
just DHS, but also people who either do it everyday or people
who review policy everyday. What I would like to do for each
one of our witnesses is to say we are not trying to reinvent
the wheel. Most private sector businesses' best practice says
we have to have a secure network as best we can.
We are not trying to create a bureaucracy on top of that,
so no ``you have to do it this way because the Government says
to do it this way.''
Now that being said, do I hear from the private sector that
it is important for a civilian coordinating role to be part of
this cybersecurity policy?
Mr. Hayes, we can start with you and we will go from there.
Mr. Hayes. Yes, I believe it is very important to have that
clear role. I think there was the discussion earlier with Ms.
Lute about the FEMA. We utilize the FEMA ICS formats in our
structure, so clear command in incident situations are
important.
It is also equally important as we work with our
partnership and organizations across our industries and our
agencies, that it is clear in how we are dealing with that.
What information can be shared, what information can be shared
openly, fairly, quickly, responsibly? Those are things that are
very, extremely important to us, because those are the things
we react to.
As my other speaker talked about, actionable items, how do
we get to actionable items? That is what we do on a daily
basis. So without the clarity of roles and responsibilities
across those organizations, then we are providing multiple
perspectives. Just to give you an idea, as we track the number
of entities, and that could be Governmental or industry or
whatever, we are well over 70 different groups that are
focusing on cybersecurity. So as a single company, you can't
support 70 types of activities. You have got to focus on the
ones that are providing the value, creating the value,
providing the information that you can respond to and actually
benefit both your company and the customers that you serve.
Mr. Thompson. Mr. Bhimani.
Mr. Bhimani. I do believe it is important to have a
civilian agency involved. What I would say, just echoing Mr.
Hayes's comments, is it is often difficult for those of us in
the private sector to navigate the various agencies and
departments involved in cybersecurity.
We have benefited tremendously in the financial industry
from having the Treasury Department and their critical
infrastructure protection office do that for us. So I strongly
believe that there be a single organization to be that conduit.
I think, the call-out of sector-specific agencies in the
Presidential directive, I think is a step towards that.
I think, as I mentioned before, our partnerships with DHS
have been very strong, both with the NCCIC as well as with the
Intelligence and Analysis Directorate.
What I would say is what we care most about is that we are
able to receive actionable, timely information from whoever has
it, and not necessarily be limited to those agencies we can
speak with as dictated by what we need.
Mr. Thompson. Ms. Richardson, I would say on top of that,
how would the need for transparency and oversight impact
perhaps what we have heard from these other two witnesses?
Ms. Richardson. Well, I think often transparency,
oversight, privacy are conceptualized as opposite to timely
sharing and agility that is needed in this area. That is not
necessarily the case.
There are ways to conduct information sharing that
absolutely builds in all of the privacy principles that are so
important to protect this very sensitive data. So it is very
possible to do a very targeted information-sharing program that
clearly defines what can be shared, who can receive it, and
what can be done with it.
The answers to those questions are just technical data,
stripped of the personal information, with civilian agencies
who can then use it just for cybersecurity purposes. The devil
will be in the details, but there is nothing inconsistent with
providing these guys with what they need and doing it in a way
that protects privacy.
Mr. Thompson. Thank you. I yield back, Mr. Chairman.
Chairman McCaul. Thank you.
The Chairman now recognizes the Chairman of the
Cybersecurity, Infrastructure Protection, and Security
Technologies Subcommittee, Mr. Meehan.
Mr. Meehan. Thank you, Mr. Chairman.
Thank you for this very distinguished panel taking the time
not only to be before us today but for the work that you are
doing out there in the private sector, in all matters of it.
Because as we have identified in numerous aspects of
today's hearing, this is a true public-private partnership and
in more ways than perhaps in any other in Government, because
we are tied together so significantly. I look forward to
working with you, each of you, as we move forward.
Mr. Bhimani, let me ask you a question because I think you
touched on something that is important in my understanding. It
is as much to educate those who are out there, taking very
seriously the important points that have been made by Ms.
Richardson and the recognition that you and I think the banking
industry have for the security of private information and other
kinds of things, a long history of being able to do that.
You spoke a little bit in your testimony about what may be
necessary for you, and I think there are two points that I want
you to speak to. It is necessary so it is real and actionable.
But you also don't want to be getting a lot of information that
as you, in your words, if it is stale it is a waste of time.
We also appreciate that a lot of times we are talking about
fractions of seconds within which the speed of this game is
moving before somebody can be violated.
So can you speak to a little bit more about what the nature
of that information that you are looking for, how it can be
actionable but yet at the same time not necessarily be
identifiable in a way that would create concerns for people who
might be the subjects of some of that?
Mr. Bhimani. Sure, I would be happy to.
Let's go back to when we think about any sort of an attack,
what do we care most about? We care most about the method of
the attack, the nature of the attack and, frankly, the
motivation of the attacker, right?
There is a term that we use a lot in cybersecurity, it is
called an indicator of compromise, or an IOC. So sharing those
indicators of compromise from one firm to another. Hey, we saw
some activity from this address. Those sorts of things are very
useful from that perspective.
One other example might be we----
Mr. Meehan. So it may not be--it is not necessarily
content-specific?
Mr. Bhimani. No.
Mr. Meehan. It is really--could you just talk for a
second--like----
Mr. Bhimani. Sure. Sure. So----
Mr. Meehan. So what is that information? Is it--or what?
Mr. Bhimani. Yes, so it might be--yes, it might be an IP
address. It might be a specific vulnerability in a system that
was exploited. It might be----
Mr. Meehan. Back door, so to speak, or something like that?
Mr. Bhimani. I am sorry?
Mr. Meehan. A back door, so to speak.
Mr. Bhimani. A back door, so to speak, yes.
Mr. Meehan. We understand the soft way. This is the way it
is being exploited.
Mr. Bhimani. Exactly. So basically, what is the attack
technique used around that, right? I think that, if I go back
to something I mentioned before, the GISF, right? One of the
things that was most valuable out of that was, look, we can't
tell you why or where this is, but if you see something coming
from this IP address, be worried. That is something you should
block. That is the kind of stuff that we need, right? So what
we don't need to do is--you know, back to this--a majority of
what we need tends to be machine-level data, right, IP
addresses, vulnerabilities in software, specific attack
patterns or things like that, that have nothing to do with an
individual's information or an individual's data.
In fact, in most cases, those things sit in two different
systems within our organizations, right? So even by sharing
one, you are almost physically barred in some cases from
sharing the other one, because it comes from a completely
different place.
Mr. Meehan. Well, thank you. This is an issue that I want
to explore. I appreciate the points that have been made by Ms.
Richardson, as well, and I think we are going to be looking to
explore ways in which privacy can be protected, but we can be
actionable in an appropriate fashion.
Just, Mr. Hayes, you represent not just the energy
industry, but in my mind, the broad spectrum of kind-of, sort-
of utilities and otherwise, so it could be water, it could be a
whole variety of things. There is also sophistication that has
been identified. Your industry, Mr. Bhimani's industry, are
really at the cutting edge of this, but there is a lot of
things, municipal water supplies. I mean, they are paid for by
taxpayer, rate-payer dollars. They have got systems that are 20
and 30 years old. They are not built for the current level of
cybersecurity.
How are we going to be able to include all of the important
partners in this at the same time, you know, without creating
or--you know, standards that become check the box or become
problems in which we talked about clutter? It almost becomes
counterproductive. I am interested in your observations on how
we can encourage people to participate and at what point in
time the relationship starts to become counterproductive,
because it becomes overly bureaucratic.
Mr. Hayes. So I think it was hit on earlier about how we
are integrated together, that all the systems are such that we
touch each other and have dependencies. I mentioned earlier
that, you know, there are companies--small municipal water
facilities, small electric companies, rural electric
cooperatives who may have one person in their IT department.
How does that one person stay up with all of what is happening
from that perspective?
It is going to have to look at a risk-based profile. Are
their actions as necessary as perhaps the actions of a large
utility serving millions of customers? They may be of equal
consequence in some ways, but the overall major consequences
that could occur may be different. So I think developing the
skill sets and knowledge to do risk-based analysis helps us
understand how to prioritize and focus those areas where we
need to make the best investments.
Now, stepping away from that, we participate with
organizations and industry groups in a variety of all sizes.
Many of those will come to the seminars or the learning
sessions, and if we learn, we share those best practices, and
those people are willing to go back and incorporate those
things within to their environments, within their risk profile,
so I think it goes back to not only info sharing, information
sharing, like we have talked about, but even within our
industry groups, continuing to broaden the bigger footprint of
thhe needs and necessities for information sharing in those
areas.
Mr. Meehan. Well, thank you. Thank you for the work that
you do, and look forward to working with you collectively in
the time ahead to do what we can in this public-private
partnership to get it right. Thanks.
Thank you, Mr. Chairman. I yield back.
Chairman McCaul. I thank you. Let me just, in closing,
since we don't have any other Members asking questions, if I
could just give each of you just a couple minutes to highlight
the most important points as you see it and particularly as we
move forward with legislation, what you believe to be the most
important pieces to that legislation?
We will start with Mr. Bhimani.
Mr. Bhimani. I would just echo--reiterate the importance of
being able to get actionable, timely information out to the
private sector from whatever the source, right? I do recognize
a lot of the challenges between the civilian and the
intelligence agencies, right? But at the end of the day, you
know, we need to know what is going on and what is affecting us
in a way that makes sense, so that is the first thing I would
say.
The second thing I would say in conjunction with that is,
just reiterating my earlier point that it can often be very
difficult for private-sector entities to navigate the number of
agencies and the number of departments within agencies that do
this, so having a conduit, like in our case Treasury, to serve
as that point of contact for the industry I think is
invaluable.
Mr. Meehan. [Off mike.]
Mr. Hayes. I think what is necessary is for the clarity of
roles. I know that was talked about a lot today, and I think
that is very beneficial. Anything that considers that helps us
understand how do we interact helps in that process.
It has got to be practical and immediate. This is a timely
issue. The people and what we are dealing with are things that,
as mentioned, need to be actionable. We need to come back and
be able to do things and apply technologies and techniques and
intelligence against solving this problem.
Risk-based, one-size-fits-all is not appropriate. We have
got to think about how we can address that small municipal all
the way up to the larger utility infrastructures. Timely--and
it is going to be timely in the fact that, how do we move from
being reactive to being proactive to being predictive? How do
we get the game where we are understanding that we might see
these things coming earlier, often referred to as situational
awareness? The other one is scalable. So what we need to do is
it goes to my point. We have got to be able to apply this
across the spectrum of our industry so it is effective to all.
When we talk about legislation, just simply, it has got to
be to where I don't have to go to my legal department or my
regulatory department to address an issue. So if it creates
those constructs--and I don't go and work in those constructs--
but if it creates those constructs, it makes information
sharing difficult, slows the process down. So keep that in mind
as we move forward.
Last, it has got to be peer-to-peer and collaborative. We
have talked about that throughout, and I heard that
tremendously through the session, that is built on the trust
that we both are going to react responsively in this effort to
solve the problem around cybersecurity.
Chairman McCaul. Thank you.
Ms. Richardson.
Ms. Richardson. Thank you. When we are evaluating
cybersecurity legislation, we are very happy to report that
largely it doesn't affect civil liberties, and there are a lot
of things that the Government and Congress can be doing that
are civil liberties-neutral, like building up capacity at DHS
or education programs, research and development, securing the
supply chain, and we really hope the Government will focus on
those programs and not the ones that implicate civil liberties.
To the extent, though, that the Government does want to
increase information sharing and write laws that are going to
contravene long-standing privacy statutes, there are a couple
of things that have to happen. No. 1, those programs have to be
civilian-run and by an agency like DHS. No. 2, those programs
have to minimize the collection of personally identifiable
information. No. 3, those programs have to absolutely tamp down
the use of that information once it is collected, so that it is
not purposed for things outside of cybersecurity.
I think the last thing is just to urge you to take the time
to get this right. I think we have seen that once the
Government is formally given authority, it is almost impossible
to get it back. So if Government now overreaches and allows too
much information to be shared, I don't know how fixable it will
be, so we hope that Congress makes sure that there is a very
targeted, tailored approach going forward.
Chairman McCaul. This has been very insightful. I want to
thank the witnesses for your testimony.
Pursuant to Committee Rule 7-E, the record will be held
open for 10 days. Members may have additional questions in
writing.
Without objection now, the committee stands adjourned.
[Whereupon, at 12:42 p.m., the committee was adjourned.]
A P P E N D I X
----------
Questions From Honorable Susan W. Brooks for Jane Holl Lute
Question 1. Has the Department released the National Level Exercise
2012 After-Action Report? If not, when will the Department release the
report?
Answer. The final National Level Exercise 2012 After-Action Report
is currently in clearance and FEMA will provide a copy to Congress once
it is approved. However, the NLE 12 Quick Look Report (attached) has
been released and is publicly available.*
---------------------------------------------------------------------------
* The document has been retained in committee files and is
available at https://www.llis.dhs.gov/sites/default/files/
National%20Level%20Exercise%202012%20Quick%- 20Look%20Report.pdf.
---------------------------------------------------------------------------
Question 2. Last year FEMA released the National Preparedness
Report (NPR), which showed that significant gaps still remain in our
Nation's Cybersecurity capability. The NPR reported that the Nation was
not even half-way to the desired capability level for cybersecurity.
What should we do to educate and train our Federal, State, local, and
private-sector partners to help build and mature the Nation's
cybersecurity capability?
Answer. Emerging cyber threats require the engagement of the entire
Nation--from Government and law enforcement to the private sector and
most importantly, the public. Raising the cyber education and awareness
of the general public creates a more secure environment in which the
private or financial information of individuals is better protected.
DHS advocates for a safe and secure cyber environment by conducting
outreach and awareness efforts to educate and inform the general public
about cybersecurity opportunities to enhance their confidence to
protect themselves on-line.
In 2011, DHS released the Blueprint for a Secure Cyber Future,
which calls for a coordinated effort across the homeland security
community to protect America's critical information infrastructure and
build a safer and more secure cyber ecosystem. Such tools and resources
that promote cybersecurity education include the DHS/NSA Centers for
Academic Excellence, the CyberCorps Scholarship for Service Program,
the Integrated Cybersecurity Education Communities Program, and the
Federal Virtual Training Environment, which provides on-line access to
cybersecurity training for State, local, territorial, and Tribal
governments.
DHS recognizes that partnership and collaboration are crucial to
ensuring that all Americans take responsibility for their actions on-
line. To that end, we are continuing to grow the Department's public-
private partnerships through the Stop.Think.Connect.TM
Campaign, which is a year-round National public awareness effort
designed to engage Americans and encourage them to join the effort to
practice and promote safe on-line practices. In addition, National
Cyber Security Awareness Month (NCSAM) is an opportunity to engage
public and private-sector stakeholders--as well as the general public--
to create a safe, secure, and resilient cyber environment.
The Department promotes cybersecurity in grades K-12 and higher
education. Key programs provide established undergraduate and graduate
specializations at designated universities and scholarships in exchange
for Federal service after graduation. DHS, in coordination with the
National Initiative for Cybersecurity Education, is currently
institutionalizing and delivering tools and resources through the
National Initiative for Cybersecurity Careers and Studies (NICCS)
portal. The NICCS public website is a comprehensive on-line resource
for cyber education and training for Federal employees and the general
public.
DHS is building strong cybersecurity career paths within the
Department and in partnership with other Government agencies. To
accomplish this critical task, we have created a number of competitive
scholarship, fellowship, and internship programs to attract top talent,
including computer engineers, computer scientists, analysts, and IT
specialists. For example, the Homeland Security Advisory Council Task
Force on Cyber Skills provided recommendations in October 2012 that
will help DHS develop the next generation cyber workforce. The
Department has worked to fulfill recommendations that expand the
National pipeline of men and women with advanced cybersecurity skills,
enable DHS to become a preferred employer for the talent produced by
that pipeline, and position the Department to help make the United
States safer, more secure, and more resilient.
Finally, the Multi-State Information Sharing and Analysis Center
(MS-ISAC) provides managed security services to States and local
governments, education and training services, and resources to non-
member SLTT governments on a fee-for-service provision and to the
public. The MS-ISAC has since grown to include all 50 States, three
U.S. territories, the District of Columbia, and more than 200 local
governments.
In addition, the National Computer Forensic Institute has trained
more than 1,000 State and local law enforcement officers since 2009 to
conduct network intrusion and electronic crimes investigations and
forensic functions. Several hundred prosecutors and judges as well as
representatives from the private sector have also received training on
the impact of network intrusion incident response, electronic crimes
investigations, and computer forensics examinations.
Question 3. In February, the Emergency Alert System of two
television stations in Montana was compromised and a fake emergency
alert message warning of a zombie apocalypse occurring in several
counties. While this incident did not cause any harm, my concern is
that the American people rely on public information during crisis and
disasters to help guide their actions and hacking into the system could
cause great harm or confusion. What are some measures that can be taken
to prevent this from occurring again and assure the American people the
information we provide through the emergency alert system is accurate?
Answer. A Federal Communications Commission's (FCC) investigation
of the false emergency alert messages identified several standard best
practices that could have prevented this event. The FCC's review
revealed that the broadcasters were using off-the-shelf technology, but
had not acted on the manufacturer's recommendation to change the
default password and user ID codes. The default user ID and passwords
are contained in the manufacturer's on-line manual and are easily
discoverable. In addition, critical portions of the broadcaster's
network were accessible through the public internet and were not
isolated by a firewall. The following security best practices,
published by the National Association of Broadcasters, would greatly
reduce the possibility of future similar events:
(1) Follow the manufacturer's installation instructions;
(2) Change manufacturer passwords immediately upon installation of
the purchased equipment;
(3) Employ a strong password model (using combinations of letters,
numbers, and symbols) that must be changed periodically; and
(4) Install firewall software to protect critical internal networks
from easy public access.
Implementation of these basic security practices would help to
prevent future abuses. Further, the National Protection and Programs
Directorate/Office of Cybersecurity and Communications is engaging with
the Federal Communications Commission and the Federal Emergency
Management Agency to examine system configuration and recommending
additional measures for consideration and implementation by
manufacturers and broadcast system owners and operators to increase
security and system integrity.
Questions From Honorable Scott Perry for Jane Holl Lute
Question 1a. When a company from the private sector chooses to
report that they fell victim to a cybersecurity crime, what is the
process by which they go about doing that? Specifically, what is the
department or agency they report to?
Answer. Successful response to dynamic cybersecurity crime requires
leveraging homeland security, law enforcement, and military authorities
and capabilities, which respectively promote domestic preparedness,
criminal deterrence and investigation, and National defense. DHS, the
Department of Justice (DOJ), and the Department of Defense (DOD) each
play a key role in responding to cybersecurity crimes, with each
department having areas with overlapping jurisdiction regarding law
enforcement, protection, and response. Regardless of which agency
receives an initial incident report, these Federal entities regularly
share incident information in a manner that protects privacy and civil
liberties, and coordinate on response activities such that ``a call to
one is a call to all.''
Question 1b. If the Government substantiates the claim, what
information can be provided to the company? Specifically, is the
company given tools to prevent future attacks; do they receive the
origin of the attack?
Answer. If a company requests that DHS evaluate a suspected
intrusion, the company may voluntarily provide network or system log
data to the NCCIC for technical review to ascertain the characteristics
of an incident. The NCCIC will analyze the log data and provide the
company with a detailed analysis, classified and/or unclassified as
appropriate, and recommend mitigation strategies. Other agencies, like
the FBI, may also coordinate with DHS to share information with the
company.
The Department's enhanced cybersecurity and communications
collaboration, situational awareness, and everyday response
capabilities through the NCCIC allow for information sharing across all
levels of government and the private sector for cyber incident
situational awareness and coordinated response and recovery efforts.
DHS routinely shares threat knowledge in anonymized, non-attributable
formats, with the private sector to enable effective computer network
defense during steady states as well as in response to a more
particularized threat. In response to an incident, DHS frequently
provides analysis to assist in mitigating the activity or preventing
future attacks. In addition, the NCCIC shares timely and actionable
incident data with the affected company as well as interagency partners
and across multiple sectors to enable alert and warning activity,
helping other partners protect themselves before they are impacted. For
instance, the Cybersecurity Information Sharing and Collaboration
Program allows for sharing and receiving anonymized actionable threat
data: With participating private-sector entities that provides
protection for information submitted and enables collaboration with
other entities in response to cybersecurity threats and incidents.
DHS also offers a number of voluntary programs to increase an
entity's cybersecurity posture upon request. These include the Cyber
Security Evaluation Tool, which is a self-assessment tool downloadable
from www.us-cert.gov and a library of recommended practices that a
company can follow to increase their cybersecurity posture.
Additionally, critical infrastructure owners and operators can request
an on-site Cyber Resilience Review of their organization's overall
cyber posture or an assessment of their control systems' security from
the Industrial Control Systems Cyber Computer Emergency Response Team.
Question 2. Currently, it is in the best fiscal interest for many
companies not to report cyber attacks on their networks. In drafting
legislation, can any confidentiality safeguards be implemented that
would encourage more companies to come forward when they have fallen
victim to cyber attacks?
Answer. The Department of Homeland Security (DHS) has a long
history of responding to cyber and physical security incidents
involving critical infrastructure and protecting the confidentiality of
sensitive information through the Protected Critical Infrastructure
Information program (PCII). PCII is an information-protection program
that enhances voluntary information sharing between infrastructure
owners and operators and the Government. If the information submitted
satisfies the requirements of the Critical Infrastructure Information
Act of 2002, it is protected from disclosure under the Freedom of
Information Act; State, Tribal, and local disclosure laws; use in
regulatory actions; and use in civil litigation. PCII can only be
accessed in accordance with strict safeguarding and handling
requirements. Only trained and certified Federal, State, and local
government employees or contractors may access PCII.
Designating information as PCII also provides a level of protection
that facilitates DHS's ability to work directly with the infrastructure
owners and operators to identify vulnerabilities, mitigation
strategies, and protective measures. Homeland security partners can be
confident that sharing their information with the Government will not
expose sensitive or proprietary data, while the Government can still
benefit from increased information sharing by analyzing and securing
critical infrastructure and protected systems, identifying
vulnerabilities and developing risk assessments, and enhancing recovery
preparedness measures. Furthermore, timely reporting of serious cyber
incidents allows for companies, or the Department, to provide
mitigation assistance as soon as possible, often limiting the damage
that can be caused and potentially saving on remediation costs.
The Executive Order on Improving Critical Infrastructure
Cybersecurity also initiates key information sharing improvements by
increasing the security clearances provided to critical infrastructure
personnel and expanding a program that enables advanced sharing of
cyber threat information to assist participating critical
infrastructure companies in their cyber protection efforts. While there
is bipartisan consensus on the need for additional information-sharing
legislation, the administration is focused on ensuring that the text of
any such law fully addresses several key objectives. Specifically,
information-sharing legislation must:
Carefully safeguard privacy and civil liberties, including
properly defining the type of information that can be shared,
the purposes for which such sharing can occur, establishing
adequate oversight, and procedures to remove identifying
information unrelated to cybersecurity threats;
Provide targeted liability protections that explicitly
authorize legitimate action without creating unintended
consequences;
Leverage all of the Government's cybersecurity capabilities,
while preserving the long-standing, respective roles and
missions of civilian and intelligence agencies; and
Clarify the type of assistance that DHS can provide to
quickly help a private-sector company, State, or local
government when that organization asks for its help.
Question From Honorable Susan W. Brooks for Gary W. Hayes
Question. In February, the Emergency Alert System of two television
stations in Montana was compromised and a fake emergency alert message
warning of a zombie apocalypse occurring in several counties. While
this incident did not cause any harm, my concern is that the American
people rely on public information during crisis and disasters to help
guide their actions and hacking into the system could cause great harm
or confusion. What are some measures that can be taken to prevent this
from occurring again and assure the American people the information we
provide through the emergency alert system is accurate?
Answer. Response was not received at the time of publication.
�