[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]
OVERSIGHT OF EXECUTIVE ORDER 13636 AND
DEVELOPMENT OF THE CYBERSECURITY
FRAMEWORK
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON CYBERSECURITY,
INFRASTRUCTURE PROTECTION,
AND SECURITY TECHNOLOGIES
OF THE
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED THIRTEENTH CONGRESS
FIRST SESSION
__________
JULY 18, 2013
__________
Serial No. 113-27
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.gpo.gov/fdsys/
__________
U.S. GOVERNMENT PRINTING OFFICE
86-034 PDF WASHINGTON : 2014
_____________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (856) 512-1800; DC area (202) 512-1800 Fax: (202) 512-2250 Mail: Stop SSOP, Washngton, DC 20402-0001
COMMITTEE ON HOMELAND SECURITY
Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas Bennie G. Thompson, Mississippi
Peter T. King, New York Loretta Sanchez, California
Mike Rogers, Alabama Sheila Jackson Lee, Texas
Paul C. Broun, Georgia Yvette D. Clarke, New York
Candice S. Miller, Michigan, Vice Brian Higgins, New York
Chair Cedric L. Richmond, Louisiana
Patrick Meehan, Pennsylvania William R. Keating, Massachusetts
Jeff Duncan, South Carolina Ron Barber, Arizona
Tom Marino, Pennsylvania Dondald M. Payne, Jr., New Jersey
Jason Chaffetz, Utah Beto O'Rourke, Texas
Steven M. Palazzo, Mississippi Tulsi Gabbard, Hawaii
Lou Barletta, Pennsylvania Filemon Vela, Texas
Chris Stewart, Utah Steven A. Horsford, Nevada
Richard Hudson, North Carolina Eric Swalwell, California
Steve Daines, Montana
Susan W. Brooks, Indiana
Scott Perry, Pennsylvania
Mark Sanford, South Carolina
Greg Hill, Chief of Staff
Michael Geffroy, Deputy Chief of Staff/Chief Counsel
Michael S. Twinchek, Chief Clerk
I. Lanier Avant, Minority Staff Director
------
SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY
TECHNOLOGIES
Patrick Meehan, Pennsylvania, Chairman
Mike Rogers, Alabama Yvette D. Clarke, New York
Tom Marino, Pennsylvania William R. Keating, Massachusetts
Jason Chaffetz, Utah Filemon Vela, Texas
Steve Daines, Montana Steven A. Horsford, Nevada
Scott Perry, Pennsylvania Bennie G. Thompson, Mississippi
Michael T. McCaul, Texas (ex (ex officio)
officio)
Alex Manning, Subcommittee Staff Director
Dennis Terry, Subcommittee Clerk
C O N T E N T S
----------
Page
Statements
The Honorable Patrick Meehan, a Representative in Congress From
the State of Pennsylvania, and Chairman, Subcommittee on
Emergency Preparedness, Response, and Communications:
Oral Statement................................................. 1
Slides......................................................... 3
The Honorable Yvette D. Clarke, a Representative in Congress From
the State of New York, and Ranking Member, Subcommittee on
Emergency Preparedness, Response, and Communications:
Oral Statement................................................. 8
Prepared Statement............................................. 10
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Ranking Member, Committee on
Homeland Security.............................................. 11
Witnesses
Mr. Robert Kolasky, Director, Implementation Task Force, National
Protection and Programs Directorate, U.S. Department of
Homeland Security:
Oral Statement................................................. 13
Joint Prepared Statement....................................... 15
Mr. Charles H. Romine, PhD, Director, Information Technology
Laboratory, National Institute of Standards and Technology,
U.S. Department of Commerce:
Oral Statement................................................. 19
Joint Prepared Statement....................................... 21
Mr. Eric A. Fischer, PhD, Senior Specialist, Science and
Technology, Congressional Research Service, Library of
Congress:
Oral Statement................................................. 23
Joint Prepared Statement....................................... 25
OVERSIGHT OF EXECUTIVE ORDER 13636 AND DEVELOPMENT OF THE CYBERSECURITY
FRAMEWORK
----------
Thursday, July 18, 2013
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity, Infrastructure Protection,
and Security Technologies,
Washington, DC.
The subcommittee met, pursuant to call, at 10:05 a.m., in
Room 311, Cannon House Office Building, Hon. Patrick Meehan
[Chairman of the subcommittee] presiding.
Present: Representatives Meehan, Marino, Clarke, Keating,
and Vela.
Mr. Meehan. The Committee on Homeland Security,
Subcommittee on Cybersecurity, Infrastructure Protection, and
Security Technologies will come to order.
Subcommittee is meeting today to examine the implementation
of Executive Order 13636 and the administration's cybersecurity
framework, and I recognize myself now for an opening statement.
I would like to welcome everybody to today's hearing, which
continues our subcommittee's efforts to provide oversight over
the President's Cybersecurity Executive Order 13636. The focus
of the Executive Order is to provide protection for our
Nation's critical infrastructure sectors from cyber threats.
These sectors include our energy and nuclear facilities, our
Nation's transportation systems, our defense industrial base,
and financial services, among others.
Today we will focus on the cybersecurity framework, under
which the National Institute for Standards and Technology or
NIST, as it is often referred to, has the responsibility of
working with stakeholders to develop.
The framework is expected to be completed and released by
October 30. On July 1, NIST released an outline of that
framework, which will be the basis of the committee's
questioning today.
So far NIST has held three workshops to gather input from
industry, academia, other stakeholders, and a fourth is
expected in September, I believe, in Dallas, Texes.
I believe that the outline of NIST's framework provides an
important step to increasing our Nation's awareness and ability
to protect our networks from crippling cyber attacks.
In fact, I believe that the three are many mature actors in
both Government and the private sector working in great
coordination currently--including those at the Department of
Homeland Security--to shield our systems from cyber threats.
It is, however, those outliers--the ones without the
awareness, those with insufficient resources--who can present
immense vulnerabilities to entire networks.
It is this concern that our subcommittee seems to have
allayed. We must find answers to the question of: How do we
incentivize participation without creating counterproductive,
onerous standards and regulations?
Adopting the NIST framework would result in a positive
exercise for owners and operators of critical infrastructure.
However, I have concerns that a self-assessment may not be
sufficient to incentivize action to bolster cyber defenses in
all cases.
Our committee has held over 200 meetings with stakeholders
and one of the common themes emanating from the discussions is
that they are only as strong as their weakest links. I believe
an analysis of the incentives included in this framework is in
order.
I look forward to hearing from the panel today on ways we
can assist both the public and private sector to increase their
hygiene with limited resources.
Providing incentives for organizations to share information
and best practices is further complicated by the absence of
liability protections. In the Executive Order, our goal should
be to encourage that information sharing, and I have questions
about the ability of regulators to reform use--require use of
the framework, turning this into burdensome check-the-box rules
and regulations.
Ultimately, I believe it is the consensus of the committee
that Congress must pass legislation in order to address many of
these outstanding issues.
Existing structures within DHS must be authorized by
Congress to continue functioning. Liability protections,
information-sharing provisions, and industry-led incentives can
only be fully enacted by statute, not exclusively by
Presidential Directive.
I look forward to working with the committee, with our
panel, and DHS to craft legislation that will address these
issues.
I thank the panel for their participation today, and I look
forward to hearing from your testimony.
[The information follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Mr. Meehan. The Chairman now recognizes the Ranking
Minority Member of the subcommittee, the gentlelady from New
York, Ms. Clarke, for any statement that she may have.
Ms. Clarke. Thank you very much, Mr. Chairman.
Welcome to our panelists this morning.
Our country's reliance on cyber systems cover the
waterfront; everything from power plants to pipelines and
hospitals to highways, have increased cyber connections
dramatically and our infrastructure is more physically and
digitally interconnected than ever.
Yet for all of the advantages interconnectivity offers our
Nation's critical infrastructure, it is also increasingly
vulnerable to attack from an array of cyber threats.
It is vital that we as a country take action to strengthen
our National policy on critical infrastructure security and
resilience and includes measures to strengthen cybersecurity.
Because the majority of our critical infrastructure is
owned and operated by private companies, the public and private
sectors have a shared responsibility to reduce the threats to
critical infrastructure through a stronger partnership.
The current Federal legislative framework for cybersecurity
is complex with more than 50 statutes currently addressing
various aspects of it.
However, we can all agree that the current framework is not
sufficient to address the growing concerns about the security
of cyberspace in the United States and no major cybersecurity
legislation has been enacted since 2002, although the Executive
branch has taken several notable actions.
The Federal role in protection of privately-held critical
infrastructure has been one of the most contentious issues in
the debate about cybersecurity legislation.
There appears to be a broad agreement that additional
actions are needed to address the security risks, NCI, but
there is considerable disagreement about how much, if any,
additional Federal regulation is required.
So in February of this year, the President acted through an
extraordinary order of directives an Executive Order on
cybersecurity and a Presidential Policy Directive on critical
infrastructure security and resilience that will likely become
National and global references for cybersecurity policymaking.
Under the EO, the Secretary of Commerce is tasked to direct
the director of NIST to develop a framework of reducing cyber
risks to critical infrastructure.
The framework will consist of standards, methodologies,
procedures, and processes that align policy, business, and
technological approaches to cyber--to address cyber risks.
The Department of Homeland Security in coordination with
sector-specific agencies will then establish a voluntary
program to support the adoption of the cybersecurity framework
by owners and operators of critical infrastructure and any
other interested entities.
It is important that the United States set a positive
example regarding the essential role that global standards play
for both industry and Government. This framework presents an
important opportunity to develop a product that many other
countries can replicate and use in their policy environments.
The United States could encourage global acceptance of this
framework by seeking comments and support from our allies
during its development. This adoption would be beneficial by
creating consistent and cohesive approaches across these
geographies as well as a commitment to the global
standardization process.
A long-standing concern of mine is how we go about
addressing cyber workforce considerations and how they will be
included in the development of the framework we will be talking
about today.
Our National cybersecurity workforce must be trained and be
able to maintain the skills necessary to understand the
changing operating environment. They must also be able to
understand the threats, vulnerabilities to the environment, and
most importantly, they must be skilled at practices to combat
those threats and vulnerabilities.
I am hoping that you, Mr. Chairman, and I can work together
on this important need.
We also have a need of improvement in the fundamental
knowledge of cybersecurity. New solutions and approaches have
been recognized for well over a decade and those discoveries
were a factor in the passage of the Cyber Security Research and
Development Act in 2002.
However, the law focuses on cybersecurity R&D by NSF and
NIST. The Homeland Security Act of 2002 in contrast does not
specifically mention cybersecurity R&D, but DHS and several
other Departmental agencies make significant investments in it.
About 60 percent of reported funding by agencies in
cybersecurity and information assurance is defense-related and
we need to direct some of this R&D in the civilian arena.
I understand that you, Mr. Chairman, have some language
along this line, and I hope we can, together, work on this
issue.
What we all want for a cybersecurity framework is something
that is flexible, repeatable, performance-based, includes a
strong privacy and civil liberties protections, and something
that is cost-effective.
After all, the President is attempting to help the
privately-held owners and operators of the Nation's critical
infrastructure to identify, assess, and manage cybersecurity-
related risks while protecting business confidentiality and
individual privacy and civil liberties.
In short, we need to regain sovereignty over our National
and local assets that keep our small businesses running, our
city and State governments providing services to citizens, our
factories humming, and our essential services protected.
I look forward to testimony today about the progress that
is being made because of the President's leadership on
cybersecurity, and I hope that Congress can learn some lessons
from the process he has set in motion.
I just want to add that I recently received this copy of
the incentives study, Mr. Kolasky, and I understand that this
is in response to the Executive Order.
It was issued May 21, and it would be great if we engaged
in information sharing as well if we are going to demand it
from those who are tasked to give guidance to.
With that, Mr. Chairman, I yield back.
[The statement of Ranking Member Clarke follows:]
Statement of Ranking Member Yvette D. Clarke
July 18, 2013
Our country's reliance on cyber systems covers the waterfront,
everything from power plants to pipelines, and hospitals to highways
have increased cyber connections dramatically, and our infrastructure
is more physically and digitally interconnected than ever. Yet for all
the advantages interconnectivity offers, our Nation's critical
infrastructure is also increasingly vulnerable to attack from an array
of cyber threats.
It is vital that we, as a country, take action to strengthen our
National policy on critical infrastructure security and resilience, and
includes measures to strengthen cybersecurity. Because the majority of
our critical infrastructure is owned and operated by private companies,
the public and private sectors have a shared responsibility to reduce
the risks to critical infrastructure through a stronger partnership.
The current Federal legislative framework for cybersecurity is
complex, with more than 50 statutes currently addressing various
aspects of it. However, we can all agree that the current framework is
not sufficient to address the growing concerns about the security of
cyber space in the United States, and no major cybersecurity
legislation has been enacted since 2002, although the Executive branch
has taken several notable actions.
The Federal role in protection of privately-held Critical
Infrastructure has been one of the most contentious issues in the
debate about cybersecurity legislation. There appears to be broad
agreement that additional actions are needed to address the
cybersecurity risks to CI but there is considerable disagreement about
how much, if any, additional Federal regulation is required.
So, in February of this year, the President acted through an
extraordinary pair of directives, an Executive Order on Cybersecurity
and a Presidential Policy Directive on Critical Infrastructure Security
and Resilience, that will likely become National and global references
for cybersecurity policymaking. Under the EO, the Secretary of Commerce
is tasked to direct the Director of NIST to develop a framework for
reducing cyber risks to critical infrastructure. The Framework will
consist of standards, methodologies, procedures, and processes that
align policy, business, and technological approaches to address cyber
risks.
The Department of Homeland Security, in coordination with sector-
specific agencies, will then establish a voluntary program to support
the adoption of the Cybersecurity Framework by owners and operators of
critical infrastructure and any other interested entities.
It is important that the United States set a positive example
regarding the essential role that global standards play for both
industry and Government. This framework presents an important
opportunity to develop a product that many other countries can
replicate and use in their policy environments. The United States could
encourage global acceptance of this framework by seeking comments and
support from our allies during its development. This adoption would be
beneficial by creating consistent and cohesive approaches across those
geographies as well as a commitment to the global standardization
process.
A long-standing concern of mine is how we go about addressing Cyber
Workforce considerations and how they will be they included in the
development of the Framework we will be talking about today. Our
National cybersecurity workforce must be trained and be able to
maintain the skills necessary to understand the changing operating
environment. They must also be able to understand the threats and
vulnerabilities to that environment, and most importantly, they must be
skilled at practices to combat those threats and vulnerabilities. I am
hoping that the Chairman and I can work together on this important
need.
We also have a need for improvements in the fundamental knowledge
of cybersecurity. New solutions and approaches have been recognized for
well over a decade and these discoveries were a factor in the passage
of the Cybersecurity Research and Development Act in 2002. However,
that law focuses on cybersecurity R&D by NSF and NIST. The Homeland
Security Act of 2002, in contrast, does not specifically mention
cybersecurity R&D, but DHS and several other Departmental agencies make
significant investments in it. About 60% of reported funding by
agencies in cybersecurity and information assurance is defense-related,
and we need to direct some of this R&D in the civilian arena. I
understand the Chairman has some language along this line, and I hope
we can work together on this issue too.
What we all want from a Cybersecurity Framework is something that
is flexible, repeatable, performance-based, includes strong privacy and
civil liberties protections, and something that is cost-effective.
After all, the President is attempting to help the privately-held
owners and operators of the Nation's critical infrastructure to
identify, assess, and manage cybersecurity-related risk while
protecting business confidentiality and individual privacy and civil
liberties.
In short we need to regain sovereignty over our National and local
assets that keep our small businesses running, our city and State
governments providing services to citizens, our factories humming, and
our essential services protected. I look forward to the testimony today
to hear about the progress that is being made because of the
President's leadership on cybersecurity, and I hope that Congress can
learn some lessons from the process he has set into motion.
Mr. Meehan. I thank the gentlelady for her comments and
other Members of the committee are reminded that opening
statements may be submitted for the record.
[The statement of Ranking Member Thompson follows:]
Statement of Ranking Member Bennie G. Thompson
July 18, 2013
Several years ago, this committee passed the legislation that
became the DHS' Chemical Facility Anti-Terrorism Standards (CFATS)
program. CFATS was one of this committee's first attempts to
proactively explore how to make this country safer by engaging the
private sector. We knew that no private facility wanted to become the
target of terrorists. But we also knew that the private sector does not
often view the Government as a partner.
We needed to create a structure that permitted Government and the
private sector to work together without fear of penalty or reprisal. I
believe we created such a system. Today, we are here to discuss another
instance in which the private sector is being asked to cooperate with
the Government to safeguard the American people. While the potential
danger posed by a terrorist attack on a chemical facility is easy to
understand, the threat posed by an attack on the cyber network of a
facility is difficult to envision.
But let's be clear--cyber attacks that cause large-scale system
failures among the businesses and organization that we use every day
would not only cause inconvenience, for some people, such system
failures could be life-threatening.
While something in our history and culture may not allow us to
admit it easily, we need to acknowledge that we rely on the everyday
presence of power plants, hospitals, manufacturing plants, mass transit
and subway systems, airports, and the system of electronic commerce.
And in our current world, none of these systems can exist without a
computer network that is linked to many other computer networks. Our
National and individual interests depend upon the protection of these
networks and the security of the information in them.
Government and the private sector must work together to assure that
the owners and operators of these facilities are able to safeguard
their operations and assets from the risk of cyber attack.
Also, we must be sure that if attacked by a cyber terrorist, these
facilities are able to quickly determine the damage, recover from the
injury and move forward.
The cybersecurity Executive Order attempts to achieve these goals.
Needless to say, I would prefer that this Congress take up legislation
to address the many cybersecurity threats facing the critical
infrastructure of this Nation. However, this Congress seems to have a
difficult time engaging in the legislative process. Thus, I look
forward to the implementation of Executive Order 13636, which directs
Federal agencies to coordinate the development and implentation of
risk-based standards.
Mr. Meehan. We are very pleased to have a distinguished
panel before us today, and we thank each of you for the work
that you are doing on behalf of our Nation and your efforts to
assure that we take every possible step to protect our cyber
infrastructure.
We are going to be joined today first by Mr. Robert Kolasky
who serves as the director of the Department of Homeland
Security's Integrated Task Force that was put together to
implement the Presidential Policy Directive 21 on Critical
Infrastructure Security and Resilience as well as the
President's Executive Order on Critical Infrastructure Cyber
Security.
Mr. Kolasky has served in many roles throughout DHS since
joining the Federal Government in 2002, and I thank you for
your service.
We will be joined by Dr. Charles Romine, the director of
Information Technology Laboratory, one of six research
laboratories within the National Institute of Standards and
Technology.
Dr. Romine oversees research programs designed to promote
U.S. innovation and industrial competitiveness by developing
and disseminating standards, measurements, and testing for
interoperability, security, usability, and reliability of
information systems.
Thank you, Dr. Romine.
We are joined by Dr. Eric Fischer. He is the senior
specialist in science and technology at the Congressional
Research Service. In this role, he provides expert written and
consultation support to Congress on a broad range of issues in
science and technology policy including cybersecurity,
environmental issues, and research and development.
He has authored more than 30 CRS reports--and I thank you
for that great work. They are a big help to us as we try to
negotiate our way through the thicket of issues to increase our
understanding--and more than 100 analytical memoranda for
Congressional offices on the subjects I just mentioned.
The witnesses' full written statements will appear in the
record, and so I ask that you use your time as best you can to
help us to hear what is important in your testimony.
I will now recognize Mr. Kolasky for 5 minutes to testify.
Thank you, Mr. Kolasky.
STATEMENT OF ROBERT KOLASKY, DIRECTOR, IMPLEMENTATION TASK
FORCE, NATIONAL PROTECTION AND PROGRAMS DIRECTORATE, U.S.
DEPARTMENT OF HOMELAND SECURITY
Mr. Kolasky. Good morning, Chairman Meehan, Ranking Member
Clarke, and distinguished Members of the committee. I want to
thank you for your support of the Department, particularly in
our mission to safeguard and secure the Nation's critical
infrastructure.
I am pleased to be here before you to discuss the
administration's role and DHS's role in implementing PPD 21 on
Critical Infrastructure Security Resilience and Executive Order
13636, Critical Infrastructure Cyber Security.
As you know, DHS supports critical infrastructure owners
and operators in preparing for, preventing, protecting against,
mitigating from, responding to, and recovering from all
hazardous events including cyber incidents, natural disasters,
and terrorist attacks.
To achieve this, DHS works with public and private-sector
partners to identify and promote effective solutions for
security and resilience that address the risk facing the
Nation's critical infrastructure.
As you mentioned, recognizing the need for collaborative
solutions to confront these risks and promote a more secure and
resiliant critical infrastructure, President Obama issued
Executive Order and the Presidential Policy on Critical
Infrastructure Security and Resilience in February of this
year.
These two directives aimed to enhance the security and
resilience of the Nation's critical structure to maintain a
cyber environment that encourages efficiency, innovation, and
economic prosperity while promoting safety, security, business
confidentiality, privacy, and civil liberties.
Promoting security resilience is a collaborative effort. It
involves participation from the private sector, owners and
operators, State, local, and Tribal territorial governments as
well.
To accomplish this collaborative effort, DHS stood up the
integrated task force to implement the EO and PPD and the
integrated task force has developed a consultative process for
the whole Federal Government to work with the private sector
and State and local and Tribal territorial governments as well
as nonprofits and academic communities.
At the integrated task force, we have developed nine
separate working groups and have conducted more than 100
working sessions involving 1,100 attendees to date.
Representatives from DHS have also conducted more than 100
briefings on our effort to nearly 10,000 stakeholders since
February 2013.
In addition, DHS has worked with our colleagues at the
Department of Commerce's National Institute of Standards and
Technology to utilize this consultative process in support of
the development of cybersecurity framework, which NIST is
leading the effort on.
We have accomplished much over the past 150 days, and I
would like to talk about that and I am eager to take questions
related to that.
Among the things that we have delivered, as Ranking Member
Clarke referenced, an incentives report which analyzes
potential incentives that can be used to promote to the
adoption of the cybersecurity framework, a description of
critical infrastructure functional relationships, instructions
on producing unclassified cyber threat reports from all sources
of information and making that information available to
critical infrastructure partners, procedures for the expansion
of the enhanced cybersecurity service program within DHS, which
is intended to share cyber threat information with
appropriately cleared private-sector cybersecurity providers
across all critical infrastructure sectors, recommendations on
the feasibility, security benefits, and merits of incorporating
security standards into acquisition planning and contract
administration, a process for expediting security clearances to
those in the private sector with the essential need to know
about cyber threat information, and a report outlining how well
the current public/private partnership model that is documented
in the National Infrastructure Protection Plan is working and
recommendations for enhancements to that model.
In addition, we have conducted an evaluation of and are
identifying critical infrastructure entities where a
cybersecurity incident has the potential to cause National or
regionally catastrophic incidents.
While we have made significant progress to date, there is
much work still to be done this year. DHS will be focusing its
efforts on the following steps throughout the rest of the year.
Updating the National infrastructure protection plan to
reflect new policies, a change in the risk environment, and
lessons learned working in collaboration across the public and
private sector to manage infrastructure risks.
Enhancing near-real-time situational awareness for critical
infrastructure, developing a draft of the National Critical
Infrastructure Security and Resilience Research and Development
Plan and collaborating with our colleagues at NIST on the
cybersecurity framework.
It is important to note that the EO and PPD work within
current authorities. They do not grant new regulatory authority
or establish additional incentives for participation in a
voluntary program.
The administration continues to believe that a
comprehensive suite of legislation is necessary to implement
the full ranges of steps necessary to build a strong public/
private partnership and we hope to continue to work with
Congress to achieve this.
Among our legislative priorities are: Facilitating
cybersecurity for information sharing between the Government
and the private sector while maintaining privacy and civil
liberties protections and reinforcing the appropriate roles of
intelligence and non-intelligence agencies.
Incentivizing the adoption of best practices and standards
for critical infrastructure by complementing the process set
forth in the Executive Order, updating Federal agency network
security laws and codifying DHS' cybersecurity
responsibilities, giving law enforcement the tools to fight
crime in the digital age, and creating a new National data
breach reporting requirement.
I will end my statements by saying that although we are
doing much within the EO and PPD, this is just a start and we
hope to continue to work with the owners and operators in State
and local and Tribal territorial governments to make progress
this year and in the future so that we all have confidence in
the security and the resiliency of our critical infrastructure
and key networks.
Thank you for the opportunity to discuss the Department's
role in improving critical infrastructure security and
resilience, and I look forward to the dialogue.
[The prepared statement of Mr. Kolasky follows:]
Prepared Statement of Robert Kolasky
July 18, 2013
introduction
Good morning Chairman Meehan, Ranking Member Clarke, and
distinguished Members of the committee. Let me begin by thanking you
for your support of the Department of Homeland Security (DHS),
particularly in its mission to safeguard and secure the Nation's
critical infrastructure. I am pleased to appear before you to discuss
the Department's role in implementing Executive Order (EO) 13636,
Improving Critical Infrastructure Cybersecurity, and Presidential
Policy Directive (PPD) 21, Critical Infrastructure Security and
Resilience.
DHS supports critical infrastructure owners and operators in
preparing for, preventing, protecting against, mitigating from,
responding to, and recovering from all-hazards events, including cyber
incidents, terrorist attacks, and natural disasters. These activities
promote the safety and security of the American public and ensure the
provision of essential services and functions, such as energy and
communications. To achieve this end, DHS works with public and private-
sector partners to identify and promote effective solutions for
security and resilience that address the risks facing the Nation's
critical infrastructure.
While this increased connectivity has led to significant
transformations and advances across our country--and around the world--
it also has increased the importance and complexity of our shared risk.
Our daily life, economic vitality, and National security depend on
cyberspace. A vast array of interdependent IT networks, systems,
services, and resources are critical to communication, travel, powering
our homes, running our economy, and obtaining Government services. No
country, industry, community, or individual is immune to cyber risks.
Critical infrastructure is the backbone of our country's National
and economic security. It includes power plants, chemical facilities,
communications networks, bridges, highways, and stadiums, as well as
the Federal buildings where millions of Americans work and visit each
day. DHS coordinates the National protection, prevention, mitigation,
and recovery from cyber incidents and works regularly with business
owners and operators to take steps to strengthen their facilities and
communities. The Department also conducts on-site risk assessments of
critical infrastructure and shares risk and threat information with
State, local, and private-sector partners.
Protecting critical infrastructure against growing and evolving
cyber threats requires a layered approach. DHS actively collaborates
with public and private-sector partners every day to improve the
security and resilience of critical infrastructure while responding to
and mitigating the impacts of attempted disruptions to the Nation's
critical cyber and communications networks and to reduce adverse
impacts on critical network systems.
Beyond evolving cybersecurity risks, the Nation's critical
infrastructure is potentially affected by more frequent and severe
weather events, by sustained under-investment in the integrity of aging
and degrading infrastructure, and by an evolving terrorist threat.
Recognizing the need for collaborative solutions to confront this
changing risk paradigm and promote a more secure and resilient critical
infrastructure, President Obama issued EO 13636 and PPD-21. These two
directives aim to ``enhance the security and resilience of the Nation's
critical infrastructure and to maintain a cyber environment that
encourages efficiency, innovation, and economic prosperity while
promoting safety, security, business confidentiality, privacy, and
civil liberties.''
Taken together, these two policy documents are intended to achieve
the following:
Encourage the adoption of effective measures across all
critical infrastructure sectors to improve security and
resiliency and reduce risk from cyber attacks to essential
functions and services by publishing a Cybersecurity Framework
(the Framework) that will provide owners and operators with a
prioritized, flexible, repeatable, performance-based, and cost-
effective set of validated security controls based upon
industry best practices.
Enhance timely, relevant, and accurate information sharing
on significant risks by implementing a program to develop and
rapidly share unclassified information with critical
infrastructure owners and operators, enabling the adoption of
effective mitigations to prevent or to reduce the consequences
of significant incidents.
Align responsibilities of public and private partners to
efficiently allocate risk reduction responsibilities by
conducting an analysis of the existing critical infrastructure
public-private partnership model and recommending options for
improving the effectiveness of the partnership in managing both
the physical and cyber risks.
Promote innovation in novel risk-reduction solutions by
developing a National Critical Infrastructure Security and
Resilience Research and Development (R&D) Plan to identify
priorities and guide R&D requirements and investments toward
those solutions that will help assure the provision of
essential functions and services over time.
Ensure that privacy, civil rights, and civil liberties are
protected as a foundational part of all risk management efforts
by conducting an assessment of the privacy, civil rights, and
civil liberties implications of all EO 13636 and PPD-21
programs and recommending revisions to proposed initiatives as
required.
Working in partnership with the Federal interagency, DHS
established an Integrated Task Force to:
Lead the Department's implementation of PPD-21 and EO 13636,
including coordination with the Department of Commerce's
National Institute of Standards and Technology, on the
Cybersecurity Framework;
Serve as the focal point for collaboration with industry;
Involve key stakeholders from all levels of government; and
Prioritize tasks, plan implementation, and coordinate
principal offices of responsibility.
The Integrated Task Force is further charged with ensuring the
production of various deliverables as mandated under EO 13636 and PPD-
21. These deliverables, however, are not an end in themselves; rather,
each deliverable is intended to contribute to future efforts that will
promote the security and resilience of the Nation's critical
infrastructure.
consultative process
Promoting security and resilience is a collaborative endeavor
requiring effort and investment from both the Federal Government and
private sector, as well as State, local, Tribal, and territorial
partners. Thus, to implement EO 13636 and PPD-21, the Federal
Government has actively sought the collaboration, input and engagement
of our partners. The Integrated Task Force has developed a
``consultative process'' pursuant to EO 13636, to work within the
Federal Government to collaborate with State, local, Tribal, and
territorial government officials as well as private-sector owners and
operators of critical infrastructure and the non-profit and academic
communities. The consultative process is based on the following
principles:
Seek out opportunities across the whole community;
Be systematic, transparent, and repeatable;
Focus on appropriate and meaningful multi-directional
communications and collaboration;
Establish protocols to ensure that progress reports, current
direction, and current messaging are broadly shared and
understood;
Document activities to track participation across the whole
community;
Identify and engage the full range of stakeholders across
the critical infrastructure and cybersecurity community;
Utilize established partnership organizations and regimes;
Promote innovative approaches to maximize opportunities for
input from stakeholders across the whole community;
Ensure that privacy and civil liberties protections are
incorporated into the tasks by coordinating with appropriate
senior Federal agency officials;
Foster development of an enduring engagement process that
can be used in other cyber and critical infrastructure security
and resilience efforts.
Using those principles, the Integrated Task Force developed nine
separate working groups and has conducted more than 100 working
sessions involving 1,100 attendees, to date. Representatives from DHS
have also conducted more than 100 briefings on our efforts to nearly
10,000 stakeholders since February 2013. Outside of the established
Integrated Task Force working groups, the cyber and critical
infrastructure communities are being engaged through working sessions,
conferences, meetings, and virtual collaboration methods such as the
Homeland Security Information Network, IdeaScale, and webinars. The
format and style of engagement varies according to the needs of the
community engaged and the purpose for engagement. The venue and
mechanism for engagement is also determined by the outcomes sought and
the nature of the constituency involved. In addition, DHS has worked
with the Department of Commerce's National Institute of Standards and
Technology (NIST) to utilize the consultative process in support of the
development of the Framework.
status of current efforts
We have accomplished much over the past 150 days using the
Consultative Process to engage whole community stakeholders. The
Secretary has already submitted several EO 13636 and PPD-21
deliverables to the White House, to include:
An Incentives Report, which analyzes potential Government
incentives that could be used to promote the adoption of the
Framework;
A description of critical infrastructure functional
relationships, which illustrates the Federal Government's
current organizational structure to deliver risk management
support to stakeholders and make it easier for them to
collaborate with the Government;
Instructions on producing unclassified cyber threat reports
from all sources of information, including intelligence, to
improve the ability of critical infrastructure partners to
prevent and respond to significant threats;
Procedures for expansion of the Enhanced Cybersecurity
Services (ECS) program to all critical infrastructure sectors.
The ECS program promotes cyber threat information sharing
between Government and the private sector, which helps critical
infrastructure entities protect themselves against cyber
threats to the systems upon which so many Americans rely. DHS
will share with appropriately cleared private sector
cybersecurity providers the same threat indicators that we rely
on to protect the .gov domain. Those providers will then be
free to contract with critical infrastructure entities and
provide cybersecurity services comparable to those provided to
the U.S. Government;
Recommendations on feasibility, security benefits, and
merits of incorporating security standards into acquisition
planning and contract administration, addressing what steps can
be taken to make existing procurement requirements related to
cybersecurity consistent;
A process for expediting security clearances to those in the
private sector with an essential ``need to know'' regarding
Classified cybersecurity risk information. This processing is
intended only for those who need access to Classified
information. While it is important to ensure that our private-
sector partners who have a valid need for access to Classified
information receive appropriate security clearances, we believe
that most information sharing can be conducted at the
Unclassified level; and
A report outlining how well the current critical
infrastructure public-private partnership model as articulated
in the National Infrastructure Protection Plan (NIPP) is
working toward promoting the security and resilience of the
Nation's critical infrastructure, and recommendations to
strengthen those partnerships.
In addition, we have conducted an initial evaluation of and
are identifying critical infrastructure entities which would
reasonably result in catastrophic consequences from a
cybersecurity incident. While we are incorporating lessons from
this analysis in developing a repeatable system of critical
infrastructure assessments, the results from this preliminary
evaluation identified a relatively small list of U.S. critical
infrastructure that if impacted by a cybersecurity incident
could cause catastrophic consequence to our National security,
economic security, public health, and safety.
moving forward
While we have made significant progress to date, there is much work
still to be done this year to fulfill the vision set forth in EO 13636
and PPD-21. To that end, DHS will be focusing its efforts on the
following steps via the Integrated Task Force:
Updating the NIPP to reflect new policies, a change in the
risk environment, and lessons learned working in collaboration
across the public and private sectors to manage infrastructure
risk;
Enhancing near-real-time situational awareness for critical
infrastructure, with a particular focus on multi-directional
information sharing and understanding of interdependencies
between physical and cyber systems and critical infrastructure
sectors;
Developing a draft of the National Critical Infrastructure
Security and Resilience Research and Development Plan; and
Collaborating with NIST on the Cybersecurity Framework.
DHS is developing the Performance Goals described in EO 13636 for
the Framework collaboratively with critical infrastructure owners and
operators using the Consultative Process. By framing the importance of
cyber risk in a business context, the Performance Goals will encourage
adoption of the Framework. The goals complement the Framework which
will outline what businesses should do to manage cyber risk. In turn,
the specific standards and controls suggested under the Framework will
explain how businesses should manage cyber risk.
Through the Performance Goals, critical infrastructure owners and
operators will be able to adopt a common approach to evaluating the
effectiveness of risk management investments based upon business
outcomes. While DHS will not require nor evaluate the adoption of the
Performance Goals among critical infrastructure owners and operators,
the Goals will encourage businesses to frame cybersecurity risk in the
context of economic sustainability, and thereby facilitate strategic
planning and investment to identify changing risks and implement
measurably effective solutions.
The Framework will also serve as a basis for a DHS Voluntary
Program, which will result in on-going collaboration with industry to
promote market-based solutions to higher levels of cybersecurity.
cyber legislative priorities
It is important to note that EO 13636 directs Federal agencies to
work within current authorities and increase voluntary cooperation with
the private sector to provide better protection for computer systems
critical to our National and economic security. We continue to believe
that a comprehensive suite of legislation is necessary to implement the
full range of steps needed to build a strong public-private
partnership, and we will continue to work with Congress to achieve
this.
Consistent with the proposal that the administration transmitted
last Congress, legislation should:
Facilitate cybersecurity information sharing between the
Government and the private sector as well as among private-
sector companies. We believe that such sharing can occur in
ways that uphold privacy and civil liberties protections,
expand upon existing best practices from industry leaders in
this area, reinforce the appropriate roles of intelligence and
non-intelligence agencies, and include targeted liability
protections;
Incentivize the adoption of best practices and standards for
critical infrastructure by complementing the process set forth
under the Executive Order;
Give law enforcement the tools to fight crime in the digital
age;
Update Federal agency network security laws, and codify DHS'
cybersecurity responsibilities; and
Create a National Data Breach Reporting requirement.
In each of these legislative areas, we want to incorporate robust
privacy and civil liberties safeguards. The administration stands ready
to work with Congress to pass important cybersecurity legislation.
conclusion
Critical infrastructure security and resilience to cyber incidents
and other risks is an on-going capability development effort rather
than an end-state to be achieved on a given date, or via a defined
deliverable. All partners in this National effort will need to continue
to contribute to its progress over time. The implementation of EO 13636
and PPD-21 is a key step in achieving these desired outcomes; progress
will require sustained effort by both public and private partners, and
a recognition of the rapidly evolving risk environment. The desired
end-state of the critical infrastructure partnership model is an
environment in which public and private partners work in a networked
manner to effectively and efficiently share information and allocate
risk-reduction responsibilities. If achieved, this result will maximize
the comparative advantage of each and reduce duplication or under-
investment, resulting in collaborative solutions to reduce the
likelihood of the highest-consequence incidents.
Thank you for the opportunity to discuss the Department's role in
improving critical infrastructure security and resilience. I look
forward to any questions you may have.
Mr. Meehan. Thank you, Mr. Kolasky. That is a--you got a
lot on your agenda. That is a big report, and I know we will be
looking forward to talking with you about some of that.
Dr. Romine. The Chairman now recognizes you for your 5
minutes of testimony. Thank you.
STATEMENT OF CHARLES H. ROMINE, PH D, DIRECTOR, INFORMATION
TECHNOLOGY LABORATORY, NATIONAL INSTITUTE OF STANDARDS AND
TECHNOLOGY, U.S. DEPARTMENT OF COMMERCE
Mr. Romine. Thank you, Chairman Meehan, Ranking Member
Clarke, and Members of the subcommittee. Thank you very much
for the opportunity to testify today.
As directed in the Executive Order, NIST is working with
industry to develop the cybersecurity framework to improve the
cybersecurity of critical infrastructures and working with the
Department of Homeland Security to establish performance goals.
Our partnership with industry and with DHS is driving much
of our effort. Earlier this year, we signed a memorandum
agreement with DHS to ensure that our work on the framework and
also with cybersecurity standards best practices and metrics is
fully integrated with information sharing, threat analysis,
response, and operational work of DHS.
We believe this will enable a more holistic approach to
addressing the complex challenges that we face. The framework
is an important element in addressing the challenges of
improving the cybersecurity of our critical infrastructure.
A NIST-coordinated and industry-led framework will draw on
standards and best practices that industry already develops and
uses. NIST is ensuring that the process is open and transparent
to all stakeholders and will ensure a robust technical
underpinning to the framework.
This approach will significantly bolster the relevance of
the resulting framework to industry making it more appealing
for industry to adopt. This multi-stakeholder approach
leverages the respective strengths of the public and private
sectors and helps to develop solutions in which both sides will
be invested.
The approach does not dictate solutions to industry but
rather facilitates industry coming together to develop and
offer solutions that the private sector is best positioned to
embrace.
I would also like to note that this is not a new or novel
approach for NIST. We have used very similar approaches in the
recent past to address other pressing National priorities.
For example, NIST's work in the area of cloud computing
technologies enabled us to develop important definitions and
architectures and is now enabling broad Federal Government
deployment of secure cloud computing technologies. The lessons
learned from this experience and others are informing how we
are planning for and structuring our current effort.
NIST's initial steps toward implementing the Executive
Order included issuing a request for information or RFI this
past February to gather relevant input from industry and other
stakeholders and asking stakeholders to participate in the
cybersecurity framework process.
The responses to the RFI, a total of 244, were posted on
NIST's website. Those responding ranged from individuals to
large corporations and trade associations and they provided
comments as brief as a few sentences on specific topics as well
as so comprehensive that they ran over 100 pages. We published
an analysis of these comments in May.
NIST is also engaging with stakeholders through a series of
workshops and events to ensure that we can cover the breadth of
considerations that will be needed to make this National
priority a success. Our first such session held in April
initiated the process of identifying existing resources and
gaps and prioritized the issues to be addressed as part of the
framework.
At the end of May, a second workshop at Carnegie Mellon
University brought together a broad cross-section of
participants representing critical infrastructure owners and
operators, industry associations, standards developing
organizations, individual companies, and Government agencies.
This 3-day working session using the analysis of the RFI
comments as input was designed to identify and achieve
consensus on the standards, guidelines, and practices that will
be used in the framework.
Last week, NIST held its third workshop to present initial
considerations for the framework. This workshop had a
particular emphasis on issues that have been identified from
the initial work including the specific needs of different
sectors.
During the workshop, NIST gained consensus on several
elements that the framework will include. At 8 months, we will
have a preliminary framework that builds on these elements.
After a year-long effort, once we have developed an initial
framework, there will still be much to do.
For example, we will work with specific sectors and DHS to
build strong voluntary programs for specific critical
infrastructure areas. Their work will then inform the needs of
critical infrastructure and the next versions of the framework.
The goal at the end of this process will be for industry
itself to take ownership and update the cyber secure framework
ensuring that the framework will continue to evolve as needed.
We have made significant progress, but we have a lot of
work still ahead of us, and I look forward to working with this
committee and others to help us address these pressing
challenges.
I will be pleased to answer any questions you may have for
me. Thank you.
[The prepared statement of Mr. Romine follows:]
Prepared Statement of Charles H. Romine
July 18, 2013
introduction
Chairman Meehan, Ranking Member Clarke, Members of the
subcommittee, I am Chuck Romine, director of the Information Technology
Laboratory of the National Institute of Standards and Technology
(NIST), a non-regulatory bureau within the U.S. Department of Commerce.
Thank you for this opportunity to testify today on NIST's role under
Executive Order 13636, ``Improving Critical Infrastructure
Cybersecurity'' and our responsibility to develop a framework for
reducing cyber risks to critical infrastructure.
the role of nist in cybersecurity
NIST's mission is to promote U.S. innovation and industrial
competitiveness by advancing measurement science, standards, and
technology in ways that enhance economic security and improve our
quality of life. Our work in addressing technical challenges related to
National priorities has ranged from projects related to the Smart Grid
and electronic health records to atomic clocks, advanced nanomaterials,
and computer chips.
In the area of cybersecurity, we have worked with Federal agencies,
industry, and academia since 1972 starting with the development of the
Data Encryption Standard. Our role to research, develop, and deploy
information security standards and technology to protect information
systems against threats to the confidentiality, integrity, and
availability of information and services, was strengthened through the
Computer Security Act of 1987 and reaffirmed through the Federal
Information Security Management Act of 2002.
Consistent with this mission, NIST actively engages with industry,
academia, and other parts of the Federal Government including the
intelligence community, and elements of the law enforcement and
National security communities, coordinating and prioritizing
cybersecurity research, standards development, standards conformance
demonstration, and cybersecurity education and outreach.
Our broader work in the areas of information security, trusted
networks, and software quality is applicable to a wide variety of
users, from small and medium enterprises to large private and public
organizations including agencies of the Federal Government and
companies involved with critical infrastructure.
executive order 13636, ``improving critical infrastructure
cybersecurity''
On February 13, 2013, the President signed Executive Order 13636,
``Improving Critical Infrastructure Cybersecurity,'' which gave NIST
the responsibility to develop a framework to reduce cyber risks to
critical infrastructure (the Cybersecurity Framework). As directed in
the Executive Order, NIST, working with industry, will develop the
Cybersecurity Framework and the Department of Homeland Security (DHS)
will establish performance goals. DHS, in coordination with sector-
specific agencies, will then support the adoption of the Cybersecurity
Framework by owners and operators of critical infrastructure and other
interested entities, through a voluntary program.
Our partnership with DHS will drive much of our effort. Earlier
this year, we signed a Memorandum of Agreement with DHS to ensure that
our work on the Cybersecurity Framework, and also with cybersecurity
standards, best practices, and metrics, is fully integrated with the
information sharing, threat analysis, response, and operational work of
DHS. We believe this will enable a more holistic approach to addressing
the complex challenges we face.
A Cybersecurity Framework is an important element in addressing the
challenges of improving the cybersecurity of our critical
infrastructure. A NIST-coordinated and industry-led Framework will draw
on standards and best practices that industry already develops and
uses. NIST is ensuring that the process is open and transparent to all
stakeholders, and will ensure a robust technical underpinning to the
Framework. This approach will significantly bolster the relevance of
the resulting Framework to industry, making it more appealing for
industry to adopt.
This multi-stakeholder approach leverages the respective strengths
of the public and private sectors, and helps develop solutions in which
both sides will be invested. The approach does not dictate solutions to
industry, but rather facilitates industry coming together to offer and
develop solutions that the private sector is best positioned to
embrace.
I would also like to note that this is not a new or novel approach
for NIST. We have utilized very similar approaches in the recent past
to address other pressing National priorities. For example, NIST's work
in the area of cloud computing technologies enabled us to develop
important definitions and architectures, and is now enabling broad
Federal Government deployment of secure cloud computing technologies.
The lessons learned from this experience and others are informing how
we are planning for and structuring our current effort.
developing the cybersecurity framework
The Cybersecurity Framework will consist of standards,
methodologies, procedures, and processes that align policy, business,
and technological approaches to address cyber risks for critical
infrastructure. Once the final Framework is established, the Department
of Homeland Security (DHS), in coordination with sector-specific
agencies, will then support the adoption of the Cybersecurity Framework
by owners and operators of critical infrastructure and other interested
entities through a voluntary program. Regulatory agencies will also
review the Cybersecurity Framework to determine if current
cybersecurity requirements are sufficient, and propose new actions to
ensure consistency.
This approach reflects both the need for enhancing the security of
our critical infrastructure and the reality that the bulk of critical
infrastructure is owned and operated by the private sector. Any efforts
to better protect critical infrastructure need to be supported and
implemented by the owners and operators of this infrastructure. It also
reflects the reality that many in the private sector are already doing
the right things to protect their systems and should not be diverted
from those efforts through new requirements.
current status of the cybersecurity framework
Underlying all of this work, NIST sees its role in developing the
Cybersecurity Framework as partnering with industry and other
stakeholders to help them develop the Framework. NIST's unique
technical expertise in various aspects of cybersecurity-related
research and technology development, and our established track record
of working with a broad cross-section of industry and Government
agencies in the development of standards and best practices, positions
us very well to address this significant National challenge in a timely
and effective manner.
NIST's initial steps towards implementing the Executive Order
included issuing a Request for Information (RFI) this past February to
gather relevant input from industry and other stakeholders, and asking
stakeholders to participate in the Cybersecurity Framework process.
Given the diversity of sectors in critical infrastructure, the initial
efforts are designed help identify existing cross-sector security
standards and guidelines that are immediately applicable or likely to
be applicable to critical infrastructure.
The responses to the RFI--a total of 244--were posted on NIST's
website. Those responding ranged from individuals to large corporations
and trade associations and they provided comments as brief as a few
sentences on specific topics, as well as so comprehensive that they ran
over a hundred pages. We published an analysis of these comments in
May.
NIST is also engaging with stakeholders through a series of
workshops and events to ensure that we can cover the breadth of
considerations that will be needed to make this National priority a
success. Our first such session--held in April--initiated the process
of identifying existing resources and gaps, and prioritized the issues
to be addressed as part of the Framework.
At the end of May, a second workshop at Carnegie Mellon University
brought together a broad cross-section of participants representing
critical infrastructure owners and operators, industry associations,
standards-developing organizations, individual companies, and
Government agencies. This 3-day working session, using the analysis of
the RFI comments as input, was designed to identify and achieve
consensus on the standards, guidelines, and practices that will be used
in the Framework.
Based on the responses to the RFI, conclusions from the workshops,
and NIST analyses, the preliminary Framework is designed and intended:
To be an adaptable, flexible, and scalable tool for
voluntary use;
To assist in assessing, measuring, evaluating, and improving
an organization's readiness to deal with cybersecurity risks;
To be actionable across an organization;
To be prioritized, flexible, repeatable, performance-based,
and cost-effective;
To rely on standards, guidelines, and practices that align
with policy, business, and technological approaches to
cybersecurity;
To complement rather than to conflict with current
regulatory authorities;
To promote, rather than to constrain, technological
innovation in this dynamic arena;
To focus on outcomes;
To raise awareness and appreciation for the challenges of
cybersecurity but also the means for understanding and managing
the related risks;
To be built upon international standards and other
standards, best practices and guidelines that are used
globally.
Last week, NIST held its third workshop to present initial
considerations for the Framework. This workshop had a particular
emphasis on issues that have been identified from the initial work--
including the specific needs of different sectors. During the workshop,
NIST gained consensus on the elements of the Framework that include:
A section for senior executives and others on using this
Framework to evaluate an organization's preparation for
potential cybersecurity-related impacts on their assets and on
the organizations ability to deliver products and services. By
using this Framework, senior executives can manage
cybersecurity risks within their enterprise's broader risks and
business plans and operations.
A User's Guide to help organizations understand how to apply
the Framework.
Core Sections to address:
Five major cybersecurity functions and their categories,
subcategories, and informative references;
Three Framework Implementation Levels associated with an
organization's cybersecurity functions and how well that
organization implements the Framework.
A compendium of informative references, existing
standards, guidelines, and practices to assist with
specific implementation.
At 8 months, we will have a preliminary Framework that builds on
these elements. In a year's time, once we have developed an initial
Framework, there will still be much to do. For example, we will work
with specific sectors to build strong voluntary programs for specific
critical infrastructure areas. Their work will then inform the needs of
critical infrastructure and the next versions of the Framework. The
goal at the end of this process will be for industry itself to take
``ownership'' and update the Cybersecurity Framework--ensuring that the
Framework will continue to evolve as needed.
conclusion
The cybersecurity challenge facing critical infrastructure is
greater than it ever has been. The President's Executive Order reflects
this reality, and lays out an ambitious agenda founded on active
collaboration between the public and private sectors. NIST is mindful
of the weighty responsibilities with which we have been charged by
President Obama, and we are committed to listening to, and working
actively with, critical infrastructure owners and operators to develop
a Cybersecurity Framework.
The approach to the Cybersecurity Framework set out in the
Executive Order will allow industry to protect our Nation from the
growing cybersecurity threat while enhancing America's ability to
innovate and compete in a global market. It also helps grow the market
for secure, interoperable, innovative products to be used by consumers
anywhere.
Thank you for the opportunity to present NIST's views regarding
critical infrastructure cybersecurity security challenges. I appreciate
the committee holding this hearing. We have a lot of work ahead of us,
and I look forward to working with this committee and others to help us
address these pressing challenges. I will be pleased to answer any
questions you may have.
Mr. Meehan. Thank you, Dr. Romine.
The Chairman now recognizes Dr. Fischer for 5 minutes of
testimony.
Dr. Fischer.
STATEMENT OF ERIC A. FISCHER, PH D, SENIOR SPECIALIST, SCIENCE
AND TECHNOLOGY, CONGRESSIONAL RESEARCH SERVICE, LIBRARY OF
CONGRESS
Mr. Fischer. Good morning, Chairman Meehan, Ranking Member
Clarke, and distinguished Members of the subcommittee. On
behalf of the Congressional Research Service, thank you for the
opportunity to testify today.
Over the past several years, evidence has grown that U.S.
critical infrastructure is vulnerable to potentially damaging
cyber attacks. Calls for action have come from many corridors.
The 111th and 112th Congresses considered but did not enact
legislation to address those vulnerabilities.
Last year, the Obama administration announced that it was
in developing Executive Order, which as you heard was--as, you
know, was released in February of this year.
Five goals in the order have received the most public
attention. They are No. 1, expanded information sharing
including Classified information between the Government and the
private sector.
No. 2, identification of critical infrastructure for which
successful cyber attacks could have catastrophic impacts.
No. 3, a voluntary framework of cybersecurity standards and
best practices for critical infrastructure developed with the
private sector.
No. 4, incentives for voluntary adoption of that framework.
No. 5, review of regulatory requirements on cybersecurity
and recommendations on how to improve them.
The order called for fulfillment of its information-sharing
requirements and certain others by mid-June of this year and
for the high-risk critical infrastructure to be designated by
mid-July.
The framework is to be finalized by next February along
with the report addressing privacy and civil liberties
protections. The review of regulatory requirements is to be
completed in two stages with gaps to be identified by next
March and the problematic requirements by February 2016.
The administration issued Presidential Policy Directive 21
along with the Executive Order. The Directive makes
cybersecurity an integral component of critical infrastructure
security and resilience.
Generally, reaction to the Executive Order and Directive
from stakeholders has been positive. Criticisms have tended to
fall into five categories: Whether the Order does anything new,
the implementation time table, adoption of the framework, the
critical infrastructure designation process, and the Order's
influence on Congressional action. For all five categories,
arguments have been made on both sides.
One criticism of the Order was also raised against some of
the legislative proposals in the 112th Congress that it would
result in increased industry regulation that would be both
ineffective and burdensome.
Such critics say that even a voluntary framework can become
mandatory in practice. An alternative view is that voluntary
approaches have not been particularly effective in this area
and regulation appears to be working in sectors such as
electric power. Others believe that voluntary approaches can be
effective without causing undue burdens.
Some argue that it will be better for this Congress to wait
until the Order is fully implemented before considering
legislation. Others believe, however, that the Order merely
clarifies what changes are needed to current law.
It may be too early to determine how at least some of those
concerns above will be addressed, let alone whether the
responses will satisfy critics. Overall, however, response from
the private sector appears to be cautiously optimistic.
With respect to current legislation, the Cybersecurity
Enhancement Act, H.R. 756, would require a triennial strategic
plan for cybersecurity R&D. It would be prepared using an
interagency process similar to that established under the High
Performance Computing Act of 1991 and related laws.
PPD 21 also requires a periodic R&D plan, but it would
focus specifically on critical infrastructure and cover
physical as well as a cybersecurity.
It would also be quadrennial rather than triennial, and it
would be led by the Secretary of Homeland Security rather than
the Office of Science and Technology Policy.
CISPA, H.R. 624, would permit sharing of classified
information with private-sector critical infrastructure
entities. Under the bill, procedures would be established by
the Director of National Intelligence. The Executive Order in
contrast puts the Secretary of Homeland Security in the lead.
CISPA also requires that the establishment of new
procedures relating to privacy and civil liberties; whereas the
Order requires agencies to apply protections consistent with
established principles.
Finally, I should mention that CISPA would address one of
the perceived gaps in current law. It would explicitly permit
information sharing between private entities and would provide
liability protections. Significant debate has centered on the
scope of those changes and the potential impacts on privacy and
civil liberties.
That concludes my testimony. Once again, thank you for
asking me to appear before you today.
[The prepared statement of Mr. Fischer follows:]
Prepared Statement of Eric A. Fischer
July 18, 2013
Chairman Meehan, Ranking Member Clarke, and distinguished Members
of the subcommittee:
Thank you for the opportunity to discuss Executive Order 13636,
Improving Critical Infrastructure Cybersecurity, with you today. In my
testimony, I will provide some background on the development of the
Order and describe its major provisions, including the roles it
proposes for the private sector and reaction to it by those
stakeholders, as well as its relationship to Congressional legislation
and the new Obama administration policy directive on critical
infrastructure.
development of the executive order
Both the George W. Bush administration and the Obama administration
have made improvements to the cybersecurity of critical infrastructure
a priority. The Bush administration created the Comprehensive National
Cybersecurity Initiative (the CNCI) in 2008 via a Classified
Presidential Directive.\1\ The Obama administration performed an
interagency review of Federal cybersecurity initiatives in 2009,
culminating in the release of its Cyberspace Policy Review\2\ and the
creation of the White House position of Cybersecurity Coordinator.
---------------------------------------------------------------------------
\1\ National Security Presidential Directive 54/Homeland Security
Presidential Directive 23 (NSPD-54/HSPD-23).
\2\ The White House, Cyberspace Policy Review, May 29, 2009, http:/
/www.whitehouse.gov/assets/documents/
Cyberspace_Policy_Review_final.pdf; The White House, ``Cyberspace
Policy Review [Supporting Documents],'' May 2009, http://
www.whitehouse.gov/cyberreview/documents/.
---------------------------------------------------------------------------
Both those efforts and a number of reports from agencies, think
tanks, and other groups identified gaps in Federal efforts. Both the
111th and 112th Congresses considered legislative proposals to close
those gaps, but none were enacted. In the absence of enacted
legislation, the Obama administration began drafting a cybersecurity
Executive Order in 2012. The development involved a lengthy interagency
process, with both agencies and stakeholders in the private sector
providing input.
The White House released Executive Order 13636 on February 12,
2013, along with a new policy directive on critical infrastructure.
Relevant legislation is also being developed by the 113th Congress.
Four bills with cybersecurity provisions (H.R. 624, H.R. 756, H.R. 967,
and H.R. 1163) that were introduced in the month after the release of
the Executive Order passed the House in April, and additional bills in
the House and the Senate are reportedly being drafted.
requirements in the executive order
The Order uses existing statutory and Constitutional authority to:
Expand information sharing and collaboration between the
Government and the private sector, including sharing Classified
information by broadening a program developed for the defense
industrial base to other critical-infrastructure sectors;
Develop a voluntary framework of cybersecurity standards and
best practices for protecting critical infrastructure, through
a public/private effort;
Establish a consultative process for improving critical-
infrastructure cybersecurity;
Identify critical infrastructure with especially high
priority for protection, using the consultative process;
Establish a program with incentives for voluntary adoption
of the framework by critical-infrastructure owners and
operators;
Review cybersecurity regulatory requirements to determine if
they are sufficient and appropriate; and
Incorporate privacy and civil liberties protections in
activities under the Order.
The information-sharing and framework provisions in particular have
received significant public attention.
Information Sharing
The Order formalizes a previously existing program, now called
Enhanced Cybersecurity Services, in the Department of Homeland Security
(DHS), for providing classified threat information to eligible critical
infrastructure companies and to their eligible internet, network,
communications, and cybersecurity service providers (known jointly as
commercial service providers or CSPs). The program developed out of a
pilot involving the Department of Defense and companies in the defense
industrial base, which is one of the 16 recognized critical-
infrastructure sectors.
The Order also requires the Secretary of Homeland Security, the
Attorney General, and the Director of National Intelligence to expedite
dissemination to targeted entities of unclassified and, where
authorized, classified threat indicators. Additionally, the Secretary
of Homeland Security is to expedite processing of security clearances
to appropriate critical-infrastructure personnel and expand programs to
place relevant private-sector experts in Federal agencies on a
temporary basis.
Cybersecurity Framework
Executive Order 13636 requires the National Institute of Standards
and Technology (NIST) to lead the development of a Cybersecurity
Framework that uses an open, consultative process to identify cross-
sector, voluntary consensus standards and business best practices that
can reduce cybersecurity risks to critical infrastructure. The
framework is to be technology-neutral. It must identify areas for
improvement and be reviewed and updated as necessary.
The Secretary of Homeland Security is required to set performance
goals for the framework, establish a voluntary program to support its
adoption, and coordinate establishment of incentives for adoption. The
sector-specific agencies must coordinate review of the framework and
development of sector-specific guidance, and report annually to the
President on participation by critical-infrastructure sectors. Agencies
with regulatory responsibilities for critical infrastructure are
required to engage in consultative review of the framework, determine
whether existing cybersecurity requirements are adequate, report to the
President whether the agencies have authority to establish requirements
that sufficiently address the risks, propose additional authority where
required, and identify and recommend remedies for ineffective,
conflicting, or excessively burdensome cybersecurity requirements.
The development of the framework is arguably the most innovative
and labor-intensive requirement in the Executive Order. It builds on
the involvement of NIST in the development of cybersecurity technical
standards \3\ and its statutory responsibilities to work with both
Government and private entities on various aspects of standards and
technology.\4\
---------------------------------------------------------------------------
\3\ See, e.g., National Institute of Standards and Technology,
``Computer Security Resource Center,'' February 20, 2013, http://
csrc.nist.gov/.
\4\ 15 U.S.C. �272.
---------------------------------------------------------------------------
None of the major legislative proposals in the 111th and 112th
Congresses had proposed using NIST to coordinate an effort led by the
private sector to develop a framework for cybersecurity, such as is
envisioned by the Executive Order. Hundreds of entities have been
involved in NIST's efforts to date, beginning with a Request for
Information in February and including public workshops in April, May,
and July of 2013.\5\ An additional workshop is planned for September.
---------------------------------------------------------------------------
\5\ National Institute of Standards and Technology, ``Cybersecurity
Framework,'' July 2, 2013, http://www.nist.gov/itl/cyberframework.cfm.
---------------------------------------------------------------------------
Other Requirements
Acquisition and Contracting. The Secretary of Defense and the
Administrator of General Services must make recommendations to the
President on incorporating security standards in acquisition and
contracting processes, including harmonization of cybersecurity
requirements.
Consultative Process. The Secretary of Homeland Security is
required to establish a broad consultative process to coordinate
improvements in the cybersecurity of critical infrastructure.
Cybersecurity Workforce. The Secretary of Homeland Security is
required to coordinate technical assistance to critical-infrastructure
regulatory agencies on development of their cybersecurity workforce and
programs.
High-Risk Critical Infrastructure. The Order requires the Secretary
of Homeland Security to use consistent and objective criteria, the
consultative process established under the Order, and information from
relevant stakeholders to identify and update annually a list of
critical infrastructure for which a cyber attack could have
catastrophic regional or National impact, but not including commercial
information technology products or consumer information technology
services. The Secretary must confidentially notify owners and operators
of critical infrastructure that is so identified of its designation and
provide a process to request reconsideration.
Privacy and Civil Liberties. The Order requires agencies to ensure
incorporation of privacy and civil liberties protections in agency
activities under the Order, including protection from disclosure of
information submitted by private entities, as permitted by law. The DHS
Chief Privacy Officer and Officer for Civil Rights and Civil Liberties
must assess risks to privacy and civil liberties of DHS activities
under the Order and recommend methods of mitigation to the Secretary in
a public report. Agency privacy and civil liberties officials must
provide assessments of agency activities to DHS.
Implementation Deliverables and Deadlines
The Order contains several requirements with deadlines, and other
requirements with no associated dates. In March 2013, DHS announced
that it had formed a task force with eight working groups focused on
the various deliverables for which it is responsible.\6\ There are 12
deliverables with specific associated dates:
---------------------------------------------------------------------------
\6\ Department of Homeland Security, ``Integrated Task Force,''
March 18, 2013, http://www.dhs.gov/sites/default/files/publications/EO-
PPD%20Fact%20Sheet%2018March13.pdf.
---------------------------------------------------------------------------
June 12, 2013
Instructions for producing unclassified threat reports
(Secretary of Homeland Security, Attorney General, Director of
National Intelligence) (Sec. 4(a)).
Procedures for expansion of the Enhanced Cybersecurity
Services Program (Secretary of Homeland Security) (Sec. 4(c)).
Recommendations to the President on incentives to
participate in the framework (Secretaries of Homeland Security,
Commerce, and the Treasury) (Sec. 8(d)).
Recommendations to the President on acquisitions and
contracts (Secretary of Defense, Administrator of General
Services) (Sec 8(e)).
July 12, 2013
Designation of critical infrastructure at greatest risk
(Secretary of Homeland Security) (Sec. 9(a)).
October 10, 2013
Publication of preliminary Cybersecurity Framework (Director
of the National Institute of Standards and Technology) (Sec.
7(e)).
February 12, 2014
Report on privacy and civil liberties, preceded by
consultations (Chief Privacy Officer and Officer for Civil
Rights and Civil Liberties of DHS) (Sec. 5(b)).
Publication of final Cybersecurity Framework (Director of
the National Institute of Standards and Technology) (Sec.
7(e)).
May 13, 2014
Reports to the President on review of regulatory
requirements (agencies with regulatory responsibilities for
critical infrastructure) (Sec. 10(a)).
Proposed additional risk mitigation actions (agencies with
regulatory responsibilities for critical infrastructure) (Sec.
10(b)).
February 12, 2016
Reports to the Office of Management and Budget on
ineffective, conflicting, or burdensome requirements (agencies
with regulatory responsibilities for critical infrastructure)
(Sec. 10(c)).
The Order also includes more than 20 actions for which no specific
date is provided. While many of the activities under the Order are in
the process of development, some provisions may already have had some
effect. For example, the provision on expedited security clearances was
apparently used in responses to a cyber attack this past spring on
several banks, to facilitate communication by the FBI with the
banks.\7\
---------------------------------------------------------------------------
\7\ Joseph Menn, ``FBI Says More Cooperation with Banks Key to
Probe of Cyber Attacks,'' Reuters, May 13, 2013, http://
www.reuters.com/article/2013/05/13/us-cyber-summit-fbi-banks-
idUSBRE94C0XH20130513.
---------------------------------------------------------------------------
relationship of the executive order to the presidential policy
directive
Presidential Policy Directive 21 (PPD 21),\8\ Critical
Infrastructure Security and Resilience, on protection of critical
infrastructure, was released in tandem with Executive Order 13636. PPD
21 supersedes Homeland Security Presidential Directive 7 (HSPD 7),
Critical Infrastructure Identification, Prioritization, and Protection,
released December 17, 2003. PPD 21 includes cybersecurity broadly as a
need to be addressed along with physical security. It seeks to
strengthen both the cyber- and physical security and resilience of
critical infrastructure by:
---------------------------------------------------------------------------
\8\ The White House, ``Critical Infrastructure Security and
Resilience,'' Presidential Policy Directive 21, February 12, 2013,
http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-
policy-directive-critical-infrastructure-security-and-resil.
---------------------------------------------------------------------------
clarifying functional relationships among Federal agencies,
including the establishment of separate DHS operational centers
for physical and cyber-infrastructure;
identifying baseline requirements for information sharing,
to facilitate timely and efficient information exchange between
Government and critical-infrastructure entities while
respecting privacy and civil liberties;
applying integration and analysis capabilities in DHS to
prioritize and manage risks and impacts, recommend preventive
and responsive actions, and support incident management and
restoration efforts for critical infrastructure; and
organizing research and development (R&D) to enable secure
and resilient critical infrastructure, enhance impact-modeling
capabilities, and support strategic DHS guidance.
Implementation Deliverables and Deadlines
June 12, 2013
Description of functional relationships within DHS and
across other Federal agencies relating to critical
infrastructure security and resilience (Secretary of Homeland
Security).
July 12, 2013
Analysis of public-private partnership models with
recommended improvements (Secretary of Homeland Security).
August 11, 2013
Convening of experts to identify baseline information and
intelligence exchange requirements (Secretary of Homeland
Security).
October 10, 2013
Demonstration of ``near-real-time'' situational-awareness
capability for critical infrastructure (Secretary of Homeland
Security).
Updated National Infrastructure Protection Plan that
addresses implementation of the directive (Secretary of
Homeland Security).
February 12, 2015
First quadrennial National Critical Infrastructure Security
and Resilience R&D Plan (Secretary of Homeland Security).\9\
---------------------------------------------------------------------------
\9\ PPD 7 gave primary responsibility for coordinating R&D to the
Office of Science and Technology Policy.
In addition to DHS, the Directive describes specific
responsibilities for the Departments of Commerce, Interior, Justice,
and State, the intelligence community, the General Services
Administration, the Federal Communications Commission, the sector-
specific agencies, and all Federal departments and agencies.\10\
---------------------------------------------------------------------------
\10\ PPD 7 did not describe specific responsibilities of the
intelligence community, the General Services Administration, or the
Federal Communications Commission.
---------------------------------------------------------------------------
relationship of the executive order to the cyber intelligence sharing
and protection act (cispa, h.r. 624) and other legislation
A number of observers, both in the Federal Government and the
private sector, have stated that Executive Order 13636 is not
sufficient to protect U.S. critical infrastructure from cyber threats,
and that legislation is needed. In 2011, the White House proposed
legislation with provisions on personnel authorities, criminal
penalties, data breach notification, authorities of the Department of
Homeland Security (DHS), a regulatory framework for cybersecurity of
critical infrastructure, and reform of the Federal Information Security
Management Act (FISMA). Related provisions also appeared in bills
introduced in recent Congresses. Both the White House proposal and
several bills have contained incentives for information sharing by the
private sector with the Federal Government and other private entities,
including protection from legal liability and exemption from provisions
in the Freedom of Information Act.
At a hearing before the Senate Committee on Homeland Security and
Governmental Affairs in September 2012, Secretary of Homeland Security
Janet Napolitano stated that in addition to the Executive Order, there
were at least three things for which legislation would be necessary:
Personnel authorities, liability protections, and criminal penalties
(S. Hrg. 112-639, p. 23). A number of private-sector entities have also
stated that liability and disclosure protections are needed to
encourage private-sector information sharing.
Among the cybersecurity bills that have been introduced in the
113th Congress, H.R. 624, the Cyber Intelligence Sharing and Protection
Act (CISPA), which passed the House in April, addresses information
sharing. Some provisions in CISPA, as in the Executive Order, would
provide for expedited security clearances and sharing of classified
information by the Federal Government with the private sector. The bill
would additionally permit entities providing cybersecurity services to
themselves or others (which the bill calls cybersecurity providers) to
obtain and share threat information for purposes of protection,
notwithstanding any other provision of law.
CISPA would also make such entities and those they protect exempt
from liability for good-faith use of cybersecurity systems to obtain or
share threat information and decisions based on such information.
In the Senate, the Committee on Commerce, Science, and
Transportation is reportedly drafting a bill that would provide a
legislative basis for NIST's role in developing and updating the
framework in the Executive Order.\11\ The draft bill would also
reportedly require a Federal cybersecurity research and development
plan, as would H.R. 756, the Cybersecurity Enhancement Act of 2013,
which passed the House in April. PPD-21 requires an R&D plan that
addresses security and resiliency for critical infrastructure,
including cybersecurity.
---------------------------------------------------------------------------
\11\ John Eggerton, ``Rockefeller, Thune Circulate Cybersecurity
Draft,'' Broadcasting & Cable, July 12, 2013, http://
www.broadcastingcable.com/article/494447-Rockefeller_Thune_-
Circulate_Cybersecurity_Draft.php.
---------------------------------------------------------------------------
private-sector reactions to the executive order
Given the absence of enacted comprehensive cybersecurity
legislation, some security observers contend that the Executive Order
is a necessary step in securing vital assets against cyber threats.
Some observers, however, have raised concerns.\12\ Common themes by
such critics include the following claims:
---------------------------------------------------------------------------
\12\ See, for example, Paul Rosenzweig and David Inserra, Obama's
Cybersecurity Executive Order Falls Short, Issue Brief No. 3852,
February 14, 2013, http://www.heritage.org/research/reports/2013/02/
obama-s-cybersecurity-executive-order-falls-short; Dave Frymier, ``The
Cyber Security Executive Order Is Not Enough,'' Innovation Insights:
Wired.com, March 1, 2013, http://www.wired.com/insights/2013/03/the-
cyber-security-executive-order-is-not-enough/.
The Order offers little more than do existing processes.
Such critics point out that, for example, the Enhanced
Cybersecurity Services program was in place before the release
of the Order, and that a variety of efforts have been underway
to develop and adopt voluntary standards and best practices in
cybersecurity for many years. Proponents of the Order argue
that it lays out and clarifies Obama administration goals,
requires specific deliverables and time lines, and that the
framework and other provisions are in fact new with the
Executive Order.
The Order could make enactment of legislation less likely.
These critics express concern that Congress might decide to
wait until the major provisions of the Order have been fully
implemented before considering legislation. Proponents state
that immediate action was necessary in the absence of
legislation, and that changes in current law are necessary no
matter how successful the Executive Order might be, to provide
liability protections for information sharing and to meet other
needs.
The process for developing the framework is either too slow
or too rushed. Some observers believe that some actions to
protect critical infrastructure are well-established and should
be taken immediately, given the nature and extent of the
current threat. They state that the year-long process to
develop the framework may delay implementation of needed
security measures\13\ and creates unnecessary and unacceptable
risks. Others counter that widespread adoption of the framework
requires consensus, which takes time to achieve, and that the
1-year time frame may be insufficient, given that the process
for developing and updating consensus standards often takes
several years. Some also state that the framework process does
not preclude entities from adopting established security
measures immediately.
---------------------------------------------------------------------------
\13\ For example, some suppliers to the Federal Government have
reportedly called for suspension of procurement rulemaking relating to
cybersecurity until the framework has been published (Aliya Sternstein,
``Contractors Ask GSA to Freeze Cyber-Related Regulations,'' Nextgov,
May 17, 2013, http://www.nextgov.com/cybersecurity/2013/05/contractors-
ask-gsa-freeze-cyber-related-regulations/63244/
?oref=nextgov_cybersecurity).
---------------------------------------------------------------------------
The framework risks becoming a form of de facto regulation,
or alternatively, its voluntary nature makes it insufficiently
enforceable. Another concern of some is that it could lead to
Government intrusiveness into private-sector activities, for
example through increased regulation under existing statutory
authority,\14\ while others contend that voluntary measures
have a poor history of success. Some others, however, have
argued that changes in the business environment--such as the
advent of continuous monitoring, more powerful analytical
tools, and a better prepared workforce--improve the likelihood
that a voluntary approach can be successful.\15\
---------------------------------------------------------------------------
\14\ For example, some believe that the framework, while voluntary,
``could develop in such a way that companies will be forced to adopt
prescriptive standards due to the fact that information on program
adoption for `high-risk' industries may be made public. More
concerning, this could be done without a review process and could be
used to leverage [sic] in ways that may not be beneficial to lowering
overall risk'' (Testimony of David E. Kepler, Senate Committee on
Homeland Security and Governmental Affairs and Senate Committee on
Commerce, Science, and Transportation, ``The Cybersecurity Partnership
Between the Private Sector and Our Government: Protecting Our National
and Economic Security,'' hearing, March 7, 2013, http://
www.hsgac.senate.gov/hearings/the-cybersecurity-partnership-between-
the-private-sector-and-our-government-protecting-our-national-and-
economic-security).
\15\ CRS Report R42984, The 2013 Cybersecurity Executive Order:
Overview and Considerations for Congress, by Eric A. Fischer et al.;
Mike McConnell et al., The Cybersecurity Executive Order (Booz Allen
Hamilton, April 26, 2013), http://www.boozallen.com/media/file/BA13-
051CybersecurityEOVP.pdf.
---------------------------------------------------------------------------
The Order could lead to overclassification or
underclassification of high-risk critical infrastructure by
DHS. Some observers have expressed concern that the requirement
in the Order for DHS to designate high-risk critical
infrastructure may be insufficiently clear and could lead to
either harmfully expansive designations or inappropriate
exclusions of entities.\16\ This might be particularly a
problem if the criteria are not sufficiently validated.\17\
---------------------------------------------------------------------------
\16\ Testimony of Roger Mayer, House Committee on Energy and
Commerce, ``Cyber Threats and Security Solutions,'' hearing, May 21,
2013, http://energycommerce.house.gov/hearing/cyber-threats-and-
security-solutions.
\17\ The Government Accountability Office (GAO) expressed similar
concerns about DHS's National Critical Infrastructure Prioritization
Program (NCIPP) list of highest-priority U.S. infrastructure
(Government Accountability Office, Critical Infrastructure Protection:
DHS List of Priority Assets Needs to Be Validated and Reported to
Congress, GAO-13-296, March 2013, http://www.gao.gov/assets/660/
653300.pdf). The relationship between the NCIPP list and that under the
Executive Order has raised some concerns. There appear to be some
differences between the lists that have resulted in some disagreements
with the private sector (see, for example, Testimony of Dave McCurdy,
House Committee on Energy and Commerce, Cyber Threats and Security
Solutions, hearing, May 21, 2013, http://energycommerce.house.gov/
hearing/cyber-threats-and-security-solutions).
It appears to be too early in the development of the components of
the Executive Order to determine how the concerns described above will
be addressed and whether the responses will satisfy critics and
skeptics. Overall, however, response to the Order from the private
sector--including critical-infrastructure entities, trade associations,
---------------------------------------------------------------------------
and cybersecurity practitioners--appears to be cautiously optimistic.
Mr. Meehan. Well, thank you Dr. Fischer.
I thank each of the panelists for your opening statements.
Now I recognize myself for 5 minutes of questions.
Dr. Romine, let me just start with you because the focus of
our hearing today is NIST and the work that has been done, and
I know you gave a little bit of an opening with regard to some
of the progress, but give me a sense as to where you are by
virtue of the three separate meetings that have been done and
what you expect will be the next most critical steps moving
into the meetings in Dallas next month.
Mr. Romine. Thank you for the question. I am actually quite
excited by the progress that we have made and the response that
we have gotten from the private sector.
One of the concerns that you always have when you begin an
issue like this is ensuring that you get a good participation
and a vigorous discussion with the private sector if you are
going to establish a voluntary program with the framework as
the backbone.
I am really gratified in two ways. We have gotten vigorous
discussions and vigorous debate and we have achieved over the
course of a relatively short time a lot of consensus on the
overall structure of the framework. We are going to take that,
the consensus that we have received in San Diego just last week
on elements of it and establish a pretty solid draft framework
in preparation for the meeting in Dallas.
As you know, the deliverable will be immediately after or
just a short time after the Dallas----
Mr. Meehan. What do you think the essence of that
deliverable is going to be? What was going to come out at the
conclusion of this process?
Mr. Romine. So I think there are a few key elements to the
framework that have to be there. One is an executive summary
that is digestible by the very senior leadership of
corporations, companies, the owners and operators of the
critical infrastructure.
This is something that they are going to have to integrate
into their business decision process, and so we have to convey
enough information in a way that is digestible to them so that
they----
Mr. Meehan. I guess--who and how? That is part of what a
lot of this is--you know, the questions become--we often talk
about the weakest link, but there is also the--when you talk
about business and other kinds of, you know, public and
private-sector entities that it is an endless process of who
may or may not be included.
Who do we think this is targeted to, you know, to be
received by, and what kind of activity are we expecting them to
undertake as a result of the creation of the standards?
Mr. Romine. Well, I think the goal is for all of the
critical infrastructure sectors that have been identified
through the DHS process and are going to be responsive to the
adoption of this voluntary framework and that includes
companies at various levels of both sophistication and various
levels of import in terms of the critical infrastructure.
So there are going to be some very major corporations who
already have a lot of mature business processes in place and
cybersecurity risk assessment in place to adopt the framework
because they may be the most critical of the critical
infrastructures and I am sure Mr. Kolasky----
Mr. Meehan. Mr. Kolasky, let me jump onto that with you in
terms of the identification of this most critical
infrastructure because this is one of the pieces as well, and
while I know you can't talk with specificity about that at this
point in time because my understanding is that it will be
something that will be more or less protected information, but
where do you come off of the work that is being done in here
and how will the identification of specific sectors uniquely
vulnerable relate to what is being done and how about those
that are not identified as the most vulnerable but will still
be out there in commerce?
Mr. Kolasky. Sure. Thank you, Chairman Meehan.
First and foremost, to do the work to identify the critical
infrastructure where cybersecurity incident could cause
catastrophe, we had to work with all of the 16 critical
infrastructure sectors and we set up a process to do so.
In doing so, we identified the critical functions that each
of those infrastructure produce. That and analytic work done in
collaboration with industry is very helpful for understanding
the overall scope of critical infrastructure in a relationship
with cybersecurity which will help the framework adoption.
In terms of the actual critical infrastructure that we have
identified or are in the process of identifying, it is a
relatively small list. It is a list where we think a
cybersecurity incident can cause public safety or significant
economic damage or National security implications, we plan to
work with those industries, those entities, those businesses--
--
Mr. Meehan. Are many or most of those industries already
pretty far along in terms of their commitment to cybersecurity
or are you concerned about some real outliers?
Mr. Kolasky. I think it is fair to say that we are
confident that they are very well along with cybersecurity.
Most of those entities we have on-going relationships with and
we plan to continue those on-going relationships. We will work
with them to identify risk management approaches and provide
Federal resources to support them, but we are confident that
they have taken a cybersecurity problem very seriously and that
they have gone a long way in mitigating their vulnerabilities.
Mr. Meehan. Okay.
Well, thank you.
My time is expired, but I know we are going to have an
opportunity to ask a series of questions, so I look forward to
exploring it further.
The Chairman now recognizes the gentlelady from New York,
Ms. Clarke.
Ms. Clarke. Thank you--thank you very much, Mr. Chairman.
The privacy and the civil liberties protections established
in the Executive Order process are to be consistent with the
fair information practice principles including the principle of
data minimization.
What steps are being taken to ensure that once a final
framework is in place personally identifiable information that
is irrelevant and unnecessary to accomplish a specified
cybersecurity purpose will not be collected?
I want to extend that question to all of the panelists.
Mr. Romine. Well, I can certainly start on the development
on the framework through the workshops. I will give a specific
example in San Diego. We had a separate breakout section
specifically devoted to privacy and civil liberties issues
where we got the chance to engage with a broad cross-section of
stakeholders and received their input on the importance and
some of the techniques that are already being used by these
industries to ensure protection of privacy and civil liberties.
That was led by my laboratory's senior advisor for privacy,
a position that I am committed to. I think that is an important
position for an information technology laboratory to have. So I
am very proud of that.
We also at NIST have the information security and privacy
advisory board or ISPAB, a Federal advisory committee that we
keep apprised of our activities that are relevant in that space
and so we engage with them and we are hoping to engage with the
privacy and civil liberties board that has been recently
reconstituted as well. It is baked into many of the discussions
that we have during the framework development.
Ms. Clarke. Do either of you have----
Mr. Kolasky. Sure. I would just add that across the EO, the
PPD as part of the integrated task force, we have stood up an
assessments working group particularly thinking of privacy and
civil liberties assessments for all of the work that is going
on with the EO PPD.
We did this at the front end of the work and these members
have been sitting on our working groups and working in
collaboration across the interagency because we very much want
to bake privacy and civil liberties into all the work we are
doing rather than review and assess at the end of it.
Ms. Clarke. Very well. Let me move on to my second question
then.
Section 5(a) of the Executive Order requires agencies to
coordinate their activities with their senior privacy and civil
liberties officials. Are senior privacy and civil liberties
officials at each agency, being NIST and DHS--excuse me--are
these civil liberty officials at each agency given the
opportunity to provide substantive policy recommendations
during the development of the phase of the framework? Can you
expand on their role in the process?
Mr. Kolasky. As I was just talking about with the
assessments working group, very much so. This is a
collaboration across the senior civil liberties and privacy
officials.
It has been a great opportunity in some of the departments
and agencies. Traditionally these folks haven't worked on
critical infrastructure issues.
It has created a community practice and they been given an
opportunity in addition, you know, with all our work we are
briefing the advocacy community and other interested parties
regularly on what is going on.
Ms. Clarke. Very well.
Mr. Romine. I would say within the Department of Commerce,
the privacy and civil liberties officer at NIST is our chief
information officer. He is down the hall from me. I get the
opportunity to talk with him on a regular basis about
everything that our laboratory is doing including this effort.
At the Department of Commerce, as you know, it is the
Secretary of Commerce who was directed by the President to
direct the director of NIST under the Executive Order to
undertake this framework development and they are certainly
aware of all of the actions that we are taking.
They are at the Secretary's level--they have the Privacy
and Civil Liberties Office and they are certainly aware as
well.
Ms. Clarke. Very well.
Let me ask Mr. Kolasky, Presidential Policy Directive 21
which accompanied the Executive Order requires an evaluation of
existing public-private partnership model and recommendations
for improving public/private collaboration.
Can you characterize for the committee the current status
of the public/private partnership model and what steps are
being considered to improve the model?
Mr. Kolasky. Sure, yes, ma'am. First of all, we delivered
this report last week and I think the good news is we really do
believe that the model has been established over the last 15
years to work on critical infrastructure security and
resilience is working and has the potential to work to solve
tough critical infrastructure security and resilience issues.
I think the process that we have been undergoing over the
last 6 months is a great demonstration of that. There were
improvements that can be made but the key is to understand that
we have been able to collaborate with the private sector
through these processes and work with State and local and
Tribal territorial governments.
The reason I think we can do that is there is a shared
sense of purpose. We have improved communications. We are
working toward joint priorities and things like that. That all
leads to trust. Nothing is more important to trust that
industry and Government and at different levels of government
can come together to work on these issues.
In terms of recommendations going forward, we--as I said,
although it is working we think there are some enhancements
that can be made. We would like to move from more of a process-
focused and outcome-focused partnership.
We would like to use the partnership to set joint National
priorities, and I think that is an important step. We would
like to explore how to promote regional networks and bring some
of the good work down to the regional level, and finally we
would like to look at new methods to unleash innovation through
public and private programs.
Ms. Clarke. Thank you all very much. I yield back, Mr.
Chairman.
Mr. Meehan. I thank the gentlelady.
The Chairman now recognizes the distinguished gentleman
from Pennsylvania, the former United States attorney, from the
middle District of Pennsylvania, Congressman Marino.
Mr. Marino.
Mr. Marino. Thank you, Chairman.
Good morning, gentlemen, and I apologize for being late and
not hearing all of the opening statements. I am trying to
juggle three and four things as my colleagues know that we do.
I have a concern following up on my colleague across the
aisle as far as security but from a different perspective. We
have certainly seen where this administration has a series of
bungles concerning IRS, Benghazi, Fast and Furious, but the
President happens to come up with, ``I didn't know about it,''
``I don't know anything about it,'' and usually there is a low-
level person that gets blamed for it--who is still on the
payroll as a matter of fact.
So what can you do, what can be done if the President is
going to take the responsibility for this to make sure that we
don't have Snowdens running around gathering critical
information about what we are doing and those involved and then
sharing it with our enemies?
Mr. Kolasky, perhaps you could start with this.
Mr. Kolasky. Sure. Thank you, Congressman, and thank you
for the question.
As you know, this is an important issue that whatever we do
we need to protect the security of the information that we are
providing and that we are collecting.
The security approaches within the Executive Order relate
to information sharing and we are thinking of it in two
different ways; one of which is we are working to separate
Classified information from Unclassified information and focus
on getting Unclassified information on how to mitigate cyber
vulnerabilities based on cyber threats out as efficiently and
quickly as possible in an actual manner to help industry take
action to mitigate those threats.
That is a very important step. This doesn't have to be done
at a Classified level in a lot of places and if we can improve
those processes, that will help very much.
The second side to promote the protection of Classified
information, we have made improvements in our enhanced
cybersecurity service program and made that available to a
limited number of commercial service providers to promote the
airing of information we have about cyber threat indicators and
these are particular cyber threat indicators.
They are things like malware and email language and we want
to make sure that is available but we want to make sure that
security is protected in doing so and finally we want to make
sure that anyone that gets a security clearance in Government
has undergone proper vetting.
Mr. Marino. Thank you.
Doctor, please.
Mr. Romine. Congressman, from the standpoint of the
framework, I think your question really relates principally to
the idea of risk mitigation strategies for the insider threat.
So that has been a source of on-going discussion, but as a
part of a more general discussion among owners and operators of
critical infrastructure to ensure the, sort of, full risk
management approach for cybersecurity and that includes both
the insider threat as well as Congresswoman Clarke's concerns
about protection of privacy and civil liberties.
Mr. Marino. Doctor.
Mr. Fischer. Thank you, Mr. Marino. I would just like to
add that I would say that a lot of experts believe that it
would--it is basically impossible to prevent any, you know,
insider threat from being successful----
Mr. Marino. As a prosecutor, I am aware it is basically--it
is impossible to prevent anything, but it does happen, but it
just seems that it is happening ad nauseam with this
administration.
Mr. Fischer. Right. So the question then becomes, what are
the levels at which that kind of problem can be tolerated, and
how does it relate to the potential benefits of what is being
done.
So for example, with respect to the information sharing,
you know, one of the things that DHS has been doing with the
enhanced cybersecurity services program is to focus--if I
understand correctly--on what they call cybersecurity service
or commercial service providers which have to do with the
internet service providers and that sort of thing rather than
opening up the dissemination of this threat information to all
sorts of critical infrastructure entities, and so the critical
infrastructure entities work through these CSPs.
So to the extent that that sort of thing is successful, the
idea of narrowing the vulnerabilities to specific areas may be
useful.
Mr. Marino. Thank you.
I have another question, but perhaps we will have another
round, and so I yield back.
Mr. Meehan. I thank the gentleman.
The Chairman now recognizes the distinguished gentleman
from Texas, Mr. Vela.
Mr. Vela. Thank you for your testimony today.
Dr. Romine, Executive Order 13636 specifically provides
that the cybersecurity framework and protection against cyber
threats should include physical threats; not just computer
viruses and hacking.
The White House Strategic National Risk Assessment includes
natural electromagnetic pulse from a geomagnetic super-storm as
an example of a physical threats to critical infrastructures.
Does the cybersecurity framework as you envision it include
threats not only from computer viruses and hacking but physical
threats especially from EMP?
Mr. Romine. I would say yes in general although EMP is not
spotlighted as much as just the overall risk assessment that
each of these owners and operators is going to be involved in.
When we talk about a cybersecurity and protection of
critical infrastructure, we are keenly aware of the cyber
physical systems nature of many of these infrastructures that
the information systems are not in fact independent but rather
often interact with physical or other kinds of systems.
So the risk assessment approach that we are taking or the
risk management approach that we are taking in the framework is
intended to encompass the impact or the risks holistically
rather than just with regard to viruses and other kinds of
cyber threats, traditional cyber threats.
Mr. Vela. Dr. Fischer, what additional challenges are
imposed globally in terms of privacy protection and the sharing
of personally identifiable information across borders?
Mr. Fischer. Sir, Mr. Vela, could I clarify? You say what
challenges to with respect to the Executive Order and----
Mr. Vela. Yes, no it is: What additional challenges are
imposed globally in terms of privacy protection and the sharing
of personal identifiable information across borders?
Mr. Fischer. I see, okay.
Yes, well, two quick things I can say to that. First of
all, there obviously--the work is being done within the United
States is done in the context, international context and there
is quite a network of international agreements.
There is no, currently, no global cybersecurity treaty.
Some people have tried to--tried to draft such a thing, but it
hasn't been adopted, and there are a lot of bilateral
agreements which often would be the vehicles in which these
sorts of concerns would, I think, be addressed.
With respect to specific--or specific questions or with
respect to privacy and civil liberties, I would say that is
outside of my expertise, but we do have experts on our
cybersecurity team within CRS who deal specifically with those
issues and we would be happy to talk with you about that or
answer questions for the record.
Mr. Vela. Okay. I guess we will wait for another day on
those.
For the whole panel, what are examples of effective risk-
based approach in the framework?
Mr. Romine. So one of the exciting things that we have had
in the workshops is seeing the representatives of various
industries talking with each other about the approaches that
they take and the effectiveness of those approaches.
One of those approaches involves something that in the
energy sector is called the C2M2 which essentially regardless
of that, the expansion of that, the idea is to have a, sort of,
set of maturity levels associated with specific functions.
If you take a look at the framework outline that we
provided in San Diego and some of the consensus that we
received, that model seems to be very attractive to the vast
majority of the participants and the critical infrastructures.
So that kind of risk assessment--NIST has a very strong
history in risk-based management of cybersecurity through the
Federal Information Security Management Act or FISMA,
activities.
We have had special publications that are quite influential
in this space with regard to the private sector and have been
adopted widely by the public sector and have been adopted
widely by the private sector as well because of their
effectiveness.
Mr. Kolasky. I would just add one of the things I have
observed through the process is an example of what works is if
corporate leadership gets involved in the process and we have
heard that repeatedly that you have to produce a framework that
resonates at the board level and resonates as the CEO level and
in doing so, that will help organizations make risk management
decisions.
Mr. Fischer. I don't believe I would have anything to add
it to those comments at this point. Thank you, sir.
Mr. Vela. I yield back.
Mr. Meehan. I thank the gentleman from Texas.
I recognize myself now for 5 minutes of follow-up
questions.
One of the issues that we have been dealing with throughout
the concept of not only the creation of the NIST standards but
as the underlying concept of voluntary adoption of those
standards and it permeates the language in the report, I mean
in the Executive Order that these are voluntary.
But at the same time we are creating a framework, and I
would like to explore the extent to which people begin to see
this framework as a basis for further activity, not the least
of which could become further activity in which that framework
is used as the basis for other regulatory agencies to say that
they are now authorized to begin to create required adherence
to certain of these standards.
I would like the panel to individually address your
perception of what voluntariness means and where you believe
and to the extent certainly, Mr. Kolasky and Dr. Romine, to the
extent that you are dealing with NIST, where you believe this
goes to and what you believe the intention is with regard to
whether these will ultimately be utilized in some way to become
requirements.
Because I am aware of a number of shalls in the Executive
Order and, you know, the shall-proposed, prioritized, risk-
based, coordinated actions, you know, if the current regulatory
requirements are deemed to be insufficient.
So please, Dr. Romine, first.
Mr. Romine. I can start with that. NIST has a long history
of developing in coordination with industry guidelines and best
practices and ultimately industry-led standards that do govern
the industry in a purely voluntary way, and that has been very
effective in the past, and we expect it to be effective in the
future with the Executive Order and the framework.
The only way that works is vigorous participation on the
part of the private sector so that they have buy-in and a stake
in the outcome of the framework itself.
So I think with that understanding and the fact that we
believe that we have that vigorous participation, I am not as
concerned about this being a, sort of, a hidden way of getting
regulatory authority. I really think the voluntary nature of it
is quite explicit and quite transparent and we expect it to
continue to be that way.
Mr. Meehan. Mr. Kolasky, what is your impression of this
from DHS?
Mr. Kolasky. Sure. First principle of ours as we
participated in this is for the framework to be successful and
in the attached assessments--incentives it has to make sense
for businesses to make business decisions.
Businesses make rational decisions and they have to see
that this is in their business interest and because of that, as
Dr. Romine just referred to, it is very important to listen to
businesses and we have taken that obligation----
Mr. Meehan. I mean, you don't question--and I often talk to
businesses. Businesses will say we are way ahead of the
Government in many ways because we appreciate that the exposure
that we have to our business--so we are asking you, what are
you doing to help us, and then I get that part. What I am
concerned about is when we begin to get to a point where some
businesses say hey, we think we are doing something and we
start to get Washington coming in and creating a requirement.
Mr. Kolasky. Right. That is why the voluntary nature of
this is so important. If we can create confidence in the
marketplace that businesses are doing something, if we can
offer information to continue to incentivize them to do
something, then I don't think Government needs to get involved
in that kind of manner that you are talking about.
So it is really important for us to set up a framework that
gives the market confidence so businesses can do business with
each other and with the Government is that they are taking----
Mr. Meehan. So to the extent said that you speak for
Department of Homeland Security and you are allowed to discuss
it as a matter of policies, it is your perception that the
Department is looking at this as a voluntary program?
Mr. Kolasky. I can speak with certainty that the Department
is looking at this----
Mr. Meehan. Dr. Fischer, you have had the ability to see
these kinds of things not just in this particular area with
cyber, but in the broader spectrum with other agencies in which
there have been standards that have been utilized, Department
of Defense, EPA, other kinds of things and in your own
testimony you discussed the different pieces of this issue.
Would you articulate more fully your sense as to whether or not
these kinds of the voluntary standards may or have been
utilized in other situations to become regulations and
requirements?
Mr. Fischer. So there are a few points I think might be
useful to make here.
No. 1 is that we have been asked particularly in the last
Congress by a number of Congressional offices about the
question of what the current regulatory capabilities or powers
are of the Federal Government with respect to cybersecurity.
Our answer had to be that there--except for cases in which
they are explicitly laid out and clear--where there are such
regulations such as a width of the electric power sector--it is
difficult to say because until the agency actually tries to
create a regulations, one doesn't know what is really going to
happen because the regulatory process is a separate process. It
involves industry and other stakeholders in----
Mr. Meehan. But do you believe as it stands right now and I
am sorry to cut you off and please go forward if you can, but I
do want to ask this question. Do you believe that the way the
Executive Order is written right now as it moves in it opens
the door to the ability of agencies to say, in our
interpretation and it may be a particular agency that may look
in just say, in our interpretation, there is an opportunity
here for us to use this as a basis to ask for, you know, more
cyber protection in a particular area?
Mr. Fischer. Certainly the Executive Order explicitly
requires that agencies make recommendations with respect to
where the gaps are. So to the extent that those gaps would be I
guess fillable under current law, then it is clear that
agencies could in fact attempt to create regulations in those
areas.
To the extent that they are not as capable under current
law, then that is the interpretation, then they would have to
come to Congress for additional authority.
Mr. Meehan. Well, this is where they have to come to
Congress for additional authority to do what? To do rulemaking
of regulations because as I see this they are talking about----
Mr. Fischer. Well, to be able to--right--so if for example
the current--if the current regulation--if the current
authority of an agency to create regulations is limited or the
agency determines that it doesn't have the authority
currently----
Mr. Meehan. Well, I have never--we don't have a problem
here in Washington with agencies who believe that they have
limited authority to enter into issues and that is why I am
trying to explore this provision in the Order which says, you
know, if the current regulatory requirements are deemed to be
insufficient--now I don't know who deems them to be
insufficient but it may be the agency itself that says hey, we
believe that this is, you know, the current regulatory
requirements are insufficient, you know, within 90 days we will
publish a final of the--published final framework, we are going
to propose, you know, further coordinated actions and that
appears to me to be regulation or rulemaking.
Mr. Fischer. Right. So to me, the question becomes whether
or not the agency currently has the authority to make those
rules and regulations. If they do have that authority, then
they may do it anyways.
So for example, with respect to the pipeline sector and
certainly we have people who can talk to very specifically
about that, but with respect to pipelines, the TSA has the
capability of or says that it has the capability of creating
cybersecurity regulations, but they have decided that those
regulations are not needed and might in fact be
counterproductive to date. That is my understanding of what
they have said.
So, you know, so there are examples in which they clearly--
agencies apparently have not----
Mr. Meehan. That is left to the discretion of the agency or
are they constrained by law?
Mr. Fischer. Well, TSA appears to have that authority under
current law. Now whether that is true for others is hard to
say.
So for example, I would say that, generally speaking, you
know, we certainly haven't found anything with respect to the
IT sector that would permit such things, which isn't to say
that some agency might not claim that they have it, that
authority, though.
Mr. Meehan. All right.
Well, thank you Dr. Fischer.
I now turn it to the distinguished lady from New York.
Ms. Clarke. Thank you, Mr. Chairman.
Just following up on the line of inquiry that our Chairman
posed to you.
Mr. Romine, what does flexibility mean in the context of
the framework?
Mr. Romine. I would say the primary reason for the need for
flexibility is the different sectors have very different
characteristics in the way that they operate and you have to
have a framework that is capable of recognizing that.
In addition, the owner-operators might range from
multibillion-dollar international corporations to relatively
small regional concerns who still own and operate some portion
of what is deemed to be critical infrastructure. The
capabilities represented by those two things also mandates that
we have a flexible approach.
Ms. Clarke. So in effect, it is addressing the nuances of
the specificity of industry and company size, what have you?
Mr. Romine. That is right, and I think an additional point
I would make is that many of these critical infrastructures
have in place a series of protections that they have invested
in and believe are quite effective.
We want to be sure that the framework is flexible enough to
recognize that those measures that are already being taken if
they are effective should not be replaced by something else as
a result of the framework. So we are trying to be mindful of
that as well.
One final point I would make is that in many cases, these
particular critical infrastructures are regulated already to
one degree or another and in some cases, very heavily
regulated, and I think the intent of this notion of regulation
review is to ensure that we harmonize the framework in a way
that recognizes the regulations that are already in place so
that we are not committing sectors to an onerous change in the
way that they do their business.
Ms. Clarke. Very well.
Mr. Kolasky, Dr. Fischer, how can implementation of the
framework be used to demonstrate compliance with existing
regulatory requirements? That is, sort of, I think, where Dr.
Romine was going. Is that something that you have also
recognized?
Mr. Kolasky. Yes, it is. Let me talk about it in a couple
of terms. One of which you mentioned earlier, the incentives
work that we have done in analysis and over and over again we
heard from our private-sector partners as well as some of our
advisory councils that one potential incentive would be to
allow the cybersecurity framework to meet the information
security requirements for already-regulated industry ergo
reducing compliance costs and we think that that is something
that needs to be pursued and thought about because if you can
demonstrate you have got good cybersecurity in place you
shouldn't have to demonstrate it twice to the Government.
Second, just to echo Dr. Romine, I think it is really
important to think about the idea of regulatory relief and are
there regulations in place that are going to impede the
adoption of the cybersecurity framework and the Executive Order
asks the regulatory agencies to think about that because we
don't want regulations that are in place that will cause people
from not adopting good positive flexible cybersecurity
solutions.
Mr. Fischer. I guess the only question I might have about
that would be--obviously--if to the extent you have let's say
many private-sector entities are--feel more comfortable with--
those that are regulated--feel have developed good relations
within their current regulatory environment and feel
comfortable with the like, for example the electric sector, but
others as well.
So they are somewhat concerned if in fact they feel that
that environment will be changed to the extent that other
agencies would end up being involved say in the regulation.
So to the extent that the current environment could be kept
stable for them, I think they would be more receptive to the
possibility of--to compliance.
I think I will stop there.
Ms. Clarke. Dr. Fischer, that is a very intriguing
statement you have made for me because I understand how
industry could want to remain in a stable environment but the
environment around them is changing and so to the extent, I
guess it is an evolutionary process in terms of adaptation, but
the status quo wouldn't necessarily work.
Mr. Fischer. Well, we are--yes. So with respect to
cyberspace, the situation is somewhat different than it may be
with--in other areas. So, you know, I often say cyberspace is
the most rapidly evolving technology space in human history,
and the technology is evolving, the threat environment is
evolving, things are changing constantly.
I think it is widely recognized within experts in this
area, and the private-sector people have paid attention to
this, that in fact that kind of rapid evolution means that
static, particularly design-based standards, for example, have
a very limited usefulness.
Now performance standards are usually considered to be
better but the problem with performance standards is of course
that you have to come up with what the performance criteria are
and that can be sometimes more difficult and they can sometimes
be more difficult to enforce.
But I think that most people who have looked at this
question seriously have in fact said that well, there is
basically kind of a baseline of standards that are going to be
true no matter what, performance standards, but there has to be
the flexibility to be able to change things on a much more
rapid basis in reaction to what happens with respect to, you
know, with respect to the environment.
Now I just want to say one more thing about that. There is
this--it has been some time ago that, right, there is this
design problem in cybersecurity that is that the cyberspace was
not designed with security in mind is often said.
One of the reactions to that is well, what you have to do
is build security in. Now right now, I mean, everybody kind of
seems I think to agree with that, but there are two things.
No. 1 is there is always going to be a need to add things
on because there is always going to be problems that you
couldn't possibly anticipate when you design something.
The second point I think is that there are always or there
appear to be in the current--with the current incentive
structure with respect to cybersecurity--there appear to be,
sort of, counter incentives to building security in from the
get-go.
Now whether those are essentially fundamental or not is
something that I don't think anybody really understands, but
that is always, you know, an issue. So to the extent that you
are going to have to add this stuff on later is a question.
Ms. Clarke. I yield back, Mr. Chairman.
Thank you, gentlemen.
Mr. Meehan. I thank the gentlelady.
Just using the prerogative of the Chairman for one second,
Dr. Fischer, you are articulating something which is at the
heart of where we, I think, appreciate and need to be sensitive
to, which is the dynamic nature of the cyber threat.
Such that what you build today as a defense will not only
be analyzed but it will be--there are those who will spend
their time purposely trying to get around it; therefore we have
got--it is a constant state of cat and mouse, so to speak, for
lack of a better word.
The framework itself that we are talking about is very
admirable in the sense that it creates a place for people to
begin to have a sense about what they can and should be doing,
but do we create a problem if they see the framework as a
check-the-box kind of thing that says, okay, now I am cyber
safe.
Mr. Fischer. Right. I appreciate the question, Mr.
Chairman. One of the criticisms that has been leveled by some
people, and I can't say to the degree to which they are
accurate about this, but one of the things that has been
leveled is that for example, by analogy with FISMA, one of the
criticisms of the Federal Information Security Management Act
has been that it has become something of a check-box exercise
where, you know, it is very process-oriented and it doesn't
really focus on the question of how you keep systems actually
safe and secure.
Now there are obviously attempts to revise FISMA, to amend
FISMA, and also I would say the administration has been doing--
the current administration and the Bush administration as
well--have been doing things to try to actually make systems
secure and focus more on that aspect of what the law intends,
the goals of the law.
But to the extent that the framework of, would it become a
kind of bureaucratic, you know, check list, that would be a
problem. I certainly wouldn't want to speak to how NIST and DHS
are trying to avoid having that happen, but I am sure that they
are aware of that problem as well.
Mr. Meehan. Thank you.
Thank you for the indulgence.
The Chairman now recognizes the gentleman from
Pennsylvania.
Mr. Marino. Thank you, Chairman.
My colleague, the Chairman and of course my colleague is a
former U.S. attorney as well-spawned a thought based on his
questioning and the question I am asking and that I am going to
follow up with a little statement is who or whom, what person
as far as general, what people, or what entities are we
focusing on because several weeks ago, Mayor Giuliani came in
and testified before the full committee, and I agreed with him
100 percent on his observations.
He said we cannot take our eye off of the ball but we have
several balls in the air that we must be watching
simultaneously.
We cannot take our eye off of al-Qaeda and there are those
that think that al-Qaeda is defeated and we really don't have
to worry about them anymore. I think that couldn't be any more
from the truth than anything at all.
But then there are individuals that think we need to focus
on individual terrorists, who the leaders of the terrorist
organizations persuade some fanatic, young terrorist to do
something whether that is through propaganda or initial
contact--and by the way, you never see the terrorists who are
running the organizations strap bombs to themselves or their
families, it is always that they convince somebody else to do
it.
But Giuliani was very specific saying we have to keep our
eye on the rogue such as the Boston terrorists and
organizations such as al-Qaeda and without tipping the cards,
what say each of you about where we are as far as watching the
whole scheme? Do you understand my question?
Mr. Kolasky.
Mr. Kolasky. Sure. Thank you, Congressman Marino.
It is a hard challenge, and that is what is so important
about the intelligence component of this and we have made a lot
of investments in trying to understand both the adversaries'
tactics and the nature of the adversary and, you know, their
incentives and what they are trying to do and we will continue
to make those investments and as we learn from that, as I
talked about earlier, one of our jobs is to get the information
out to those who are protecting the networks so they know what
to be looking for.
This threat, unfortunately, is coming from a lot of
different places. It is coming from international, it is coming
from domestically, it is coming from the mid-level hackers in
the organized coalitions, and in criminals.
And so because of that, we have to learn and we had to get
that information out to folks at an Unclassified level so that
they can protect their networks.
Mr. Marino. Sure, and as you mentioned, we do have the
individual hackers, we do have the genius kid and we have, I
think, still al-Qaeda and other organizations, and we have the
Chinese. So I am just hoping that we are keeping--I am pretty
sure we are keeping our eye on each one of these entities.
Doctor, would you please respond?
Mr. Romine. I would say from the framework's standpoint and
though work that NIST is doing, the threat space is very broad
and evolving as you have correctly noted and part of
Congresswoman Clarke's question, if I could amend my answer, I
would also include the evolution of the threat space as an
important component of being flexible in our response.
I think the goal of the framework is to assist the private-
sector owners and operators to raise the bar as much as we can
in the cybersecurity space so that all of these threat vectors
are--it is much, much more difficult to cause harm to the
United States regardless of whether you are in a basement or in
a foreign country.
Mr. Marino. Thank you, Doctor.
Mr. Fischer. Yes. Well, I tend to--we tend to think about
different classes of potential actors with respect to threats.
So clearly as you mentioned, I mean, you have on the one hand
there is the criminal element and often they are interested in,
you know, financial gain through illegal means; basically
ordinary crime through cyber means is what it amounts to. But
increasingly, there appears to be an organized crime element
of--with respect to cyber attacks as well.
Then there is what you might call the cyber hacktivists--
the--or--you know, sometimes there is just, sort of, you know,
the script kiddie types, you know, people who are trying to
just, you know, created an exploit of some sort. But also,
those are making some political statement.
Then the third is would be the terrorists, the al-Qaeda
types, and the like that are more organized and have a specific
political goal and then finally the, kind of, state actors, you
know, which sometimes called the advanced, persistent threats
if you don't want to give a name to a particular country.
But all those are going to have--those actors are going to
have different goals. They are going to have different levels
of sophistication. I think that to the extent that the--you
know, that the framework and the other aspects of the EO and
PPD can in fact take those into account, obviously they will be
more effective.
Mr. Marino. Gentlemen, your task is monumental and I
appreciate what you are doing for this country.
I yield back.
Mr. Meehan. Thank the gentleman from Pennsylvania.
The Chairman now recognizes the distinguished former
prosecutor from Massachusetts.
Mr. Keating. Thank you, Mr. Chairman.
Thank you, Ranking Member Clarke, for having this important
meeting.
Just quickly, I just want to hone in on one thing is that
as you go about the task, both with, you know, establishing the
framework around the Executive Order of the President and as
you are dealing with the National Institute responsibility of
developing a framework to secure the information, in this whole
process, is it going to be role carved out more specifically,
or at least the flexibility for universities to get more
involved and other involved Northeastern, in my own home State,
has worked very closely with some of you folks.
But I want to just see what your view is and is there
because I think it is critically important. I think it is an
area where you have maybe information gathering and research
done that may not be biased by existing economic impacts to an
individual business although there are some.
Also it is another important area for us not just with
Homeland Security but in terms of other Government agencies and
private agencies as well to really develop trained people which
I see as one of the major problems that we will continue to
have as people move in and out of the private-sector jobs.
That we really need the intellectual and educational
brainpower to keep up as well. So I see the benefits of
universities being great. Could you just comment on what you
are going to do; how they have a place in this?
Mr. Romine. Certainly, and thank you very much for the
question.
You are absolutely right. It is no accident that the three
working sessions or workshops that we--two that we have already
held and one that we are going to be holding are at university
venues--we had our second overall workshop was at Carnegie
Mellon University. The third one which we had last week was at
the University of California at San Diego and the next is going
to be at the University of Texas, Dallas.
That is an attempt, an explicit attempt on our part to
engage a cross-section of the academic community as well. We
have strong relationships with many academic institutions and I
couldn't agree more.
One of the risks that has been identified consistently in
many of our cybersecurity efforts but certainly during the
framework development with industry is industry telling us as
well that workforce--a cyber-educated workforce is a key risk
that they see--the lack of the ability to attract cybersecurity
talent.
So, I agree with you. I think the other thing, the other
role that the universities can play is at the point where we
have identified a substantial gap whether it is in the
standards space or whether it is in the technology space,
universities are well-poised to help us in that area as well.
Mr. Keating. Great. Well, thank you, and I would
particularly appreciate anything that you might offer to me and
the committee as a whole to tell us what we can do to try and
encourage that because I see those gaps and I see them as
becoming more and more of a problem going forward.
So with that, I will yield back my time and I think my
colleague also for letting me go. Thank you.
Mr. Meehan. The Chairman now recognizes the gentleman from
Texas, Mr. Vela.
Mr. Vela. Yes, I have a couple more questions for the
panel.
Section 9(b) of the Executive Order allows other Federal
agencies to share information with the Department of Homeland
Security to identify at-risk infrastructure.
Since the Executive Order was issued in February, what has
been the nature of this inter-agency information sharing?
Mr. Kolasky. Sure, thank you, Congressman.
So that specific task has been met by us working with the
sectors of the critical infrastructure sectors to identify
critical infrastructure. So this has necessitated close
collaboration with the sector-specific agencies particularly
agencies like the Department of Energy, the EPA, the Department
of Transportation, and others, Health and Human Services and
others.
So the nature of that engagement is really to understand
how these sectors come to work and to bring in private-sector
partners to have a conversation. We have focused largely in
doing that work in understanding the most critical
infrastructure in the infrastructure that can cause high
consequences so it is critical that we have the folks who
understand how those industries work, bringing them to the
table, and then we work with our industry partners to
understand if there is any nexus to cyber technologies.
Mr. Vela. Have the Department of Defense, law enforcement,
or intelligence communities shared information with DHS under
this provision?
Mr. Kolasky. Sure. The Department of Defense is also a
sector-specific agency. It is the sector-specific agency for
the defense industrial base and so we work closely with them in
that regard.
The law enforcement community and intelligence community
were involved in the discussions on the methodology and the
approach we took, but given that the approach largely focused
on understanding how systems work and consequences related to
systems failing, those are questions that are largely outside
of the sphere of the intelligence community and the law
enforcement community.
So although they participated in the discussions, they have
not really been the focus of the information sharing.
Mr. Vela. Mr. Kolasky, Section 9(a) requires that the
Secretary of Homeland Security in consultation with private-
sector partners and other relevant agencies identify critical
infrastructure at the greatest risk. What criteria is being
used for this purpose?
Mr. Kolasky. Sure, sure. The Executive Order talks about
the criteria in terms of public safety and health consequences,
economic consequences, and the impact to National security.
So as we defined that, when we are talking--and it uses the
phrase catastrophic--and we take that phrase to be a fairly
high threshold--so catastrophe is something that is very
significant to this country either at a National or regional
level.
So as we have developed a criteria, we have looked to pass
critical infrastructure efforts and we thought about economic
security and economic loss in terms of tens of billions of
dollars, significant loss of life, and negative ability for us
to project power, our military to protect power through
National security needs.
Mr. Vela. Last week, the administration held its first
strategic economic dialogue with Chinese officials.
Administration officials cited progress in the talks while
stating that continued intellectual property theft originating
from China was unacceptable. How does the Executive Order help
stem the loss of intellectual property? I don't know who is
best to answer that question.
Mr. Kolasky. I think very much intellectual property theft
is one of the cybersecurity incidents that we are very
cognizant of, so our information-sharing efforts certainly take
that into account; so do our protective efforts in the work
that is being done via the framework.
Mr. Romine. I would just add that intellectual property
loss is one of the risks that the owners and operators do face
in the critical infrastructure domain and so to that extent, it
fits into the overall risk management and risk mitigation
strategy that the framework promotes.
Mr. Fischer. You know, I would just like to add that the
economics of cybersecurity both even with respect to the
question of what real losses are and what it means is an area
that is currently undergoing a lot of examination. A lot of
things about it aren't clear.
It depends on the scale at which one is looking at it,
whether you are looking at it on the scale of an individual
company or the scale of a country or global scale, and from
some of the efforts I have seen, I think there is a pretty good
chance that there will be a lot of clear understanding of that
over the next year or so.
Mr. Vela. Thank you. I yield back my time.
Mr. Meehan. I thank the gentleman.
I just have some closing questions. If I may, and they
really go into two areas. Let me start with one. You know, we
have mentioned the issue of liability a number of times as we
move into this and it is sort of the back-end of incentives in
some ways because we are trying to incent our partners to step
up to the plate.
But I also, in my experience, and of course we have work to
jointly here on this committee with ourselves and with staff
from both sides of the aisle reaching out to a cross-section of
participants in the various sectors, and the input has been
good because it really gives you a sense as to the way they see
the world why they are trying to evaluate the threat.
But one of the concerns is a lot of folks are already
struggling with where they make commitments of resources when
it is hard to define what the impact of, you know, protective
stances is so that you could do an endless amount of investment
and not be certain how much you are increasing your security.
Therefore, there is a concern about, you know, steps that
are being taken. What happens if we create this framework that
then is utilized as a basis for somebody to say rightly or
wrongly in litigation you should have taken some steps? Where
does it start to become a standard that becomes something that
is used?
Dr. Fischer, do you have a thought on that?
Mr. Fischer. Well, I just--sort of following up on a
previous question with respect to this--one of the things that
can happen with voluntary standards is that if they become a
business norm, then of course businesses that don't follow
those standards can be subject to certainly criticism and
potentially lawsuits.
So that would certainly be something that would have to be
paid attention to. I think that is what you are referring to
and what some critics of the framework have said with respect
to a voluntary framework becoming effectively de facto
mandatory.
Now I should mention that, you know, with respect to the
particular legal issues, that is outside of my area of
expertise, but we do have experts on our team who can talk with
you about it.
Mr. Meehan. All right. Thank you.
Let me just step into one last thing so long as we are
here. The gentlelady from New York in her opening statement
identified a document that I am also in possession of and it is
called as the ``DHS Incentive Study Preliminary Analysis and
Findings'', Mr. Kolasky, and of course it is as I am sure with
anything, when it is called preliminary, this represents some
of the current thinking.
But I would like to explore if I can some of this which is
before us because it looks at the very concept of incentives
and maybe you can explain to me what the document is first and
then there are a few specific questions----
Mr. Kolasky. That is a work product that we shared on May
21 in advance of us delivering a document to the White House on
June 12. That work product was shared broadly with our working
group in the integrated task force, which includes
representatives from industry.
What we were trying to do there is present a look at the
research that is out there and get feedback from the owner-
operator community to help us shape our final recommendations.
So I think it is fine that you have the document because we
made it regularly--we made it widely available so we could
collect feedback so we could hone in on our recommendations and
then I am happy to talk about----
Mr. Meehan. Well, if you can, can we walk down a couple of
things here because I know that you know, we are discussing
first the idea of a legislative proposal. Can you indicate to
me what is meant by a legislative proposal and what is the
intention of DHS or the administration or others to introduce
new or additional legislation in the area of cybersecurity?
Mr. Kolasky. Sure. Again, we are still, at the
administration level, we are still having conversations. DHS
issued a report. So did the Department of Treasury. So did to
the Department of Commerce as well as GSA and DOD on Federal
procurement incentives and so my understanding and in talking
with administration, is those four reports that are up there
and we are now talking at the administration level, the policy
process and steps forward as you refer to in the document.
Some of the incentives that have been recommended by
various folks along the way and incentives reports would take
legislative action and so there is a possibility that the
administration would come and talk to you all about
particularly----
Mr. Meehan. So as you are looking into the future, but, you
know, we have been working on a bipartisan basis to try to
consider whether there are legislative steps that ought to be
taken in addition to and some argue that legislation is
necessary--legislation, we believe necessary to help you in
your job in terms of codifying the ability of DHS and then
further to give DHS the ability to be a point of importance as
we move forward.
So in light of the fact that legislation generally begins
in the Congress, it would be very good if conversations about
legislation include us.
Mr. Kolasky. I think we are happy to do that and happy to
have conversations particularly on the incentives and I will
echo my opening statements that as we pointed out, we
appreciate the fact that one of the things that we hope is in
the new legislation is to codify some of DHS's roles in general
and cybersecurity and also that some of these incentives if we
think they make sense, we have to work together to put them in
place because they are outside of the authority of the
Executive branch.
Mr. Meehan. Okay. Can I ask, there is a couple of things in
here--you talk about insurance, removed as an independent
category of incentives and we are going to put it into the
cybersecurity act. What steps are being considered with
respected to insurance?
Mr. Kolasky. So what we said in our incentives report is we
are very much in favor of the evolution of the cyber insurance
market. We think that a lot of progress has been made
independent of Government action to create a cyber insurance
market and we hope that that will continue. The best incentives
are market-based incentives.
In terms of if you are thinking about--and what that refers
to--if you are thinking about any liability protections of that
need to be put in place, we have to think carefully as you have
talked about, Congressman Meehan, we have to think carefully
about not creating liability protections that incent bad
behavior and that any liability protections may have to be tied
with insurance requirements.
Mr. Meehan. Well, since insurance is generally a market-
based thing, what is the legislative aspect that relates to
insurance?
Mr. Kolasky. We do not recommend any legislative aspects
related to insurance. We think that the Government has
convenient power to promote the insurance market, but----
Mr. Meehan. I am only saying final incentive category--I am
reading the document--remove as independent category, include
in cybersecurity act, which I am presuming is the legislation.
Mr. Kolasky. That was an acronym that was created. We do
not recommend that specifically in our----
Mr. Meehan. Would that be the same thing for liability
considerations and legal benefits? I mean, those are two and so
is there I guess I would ask liability considerations--is there
some discussion of legislation that would deal with liability?
Mr. Kolasky. Not that I am aware of at DHS.
Mr. Meehan. And legal benefits. I am just, again, coming
from the document. Do you understand what that might refer to
in any specific sense?
Mr. Kolasky. Sure. Other legal benefits could be things
like antitrust protections, which obviously is something that--
--
Mr. Meehan. Right. FOIA?
Mr. Kolasky. It could be another legal benefit, and again,
the document that you are looking at is a review of incentives
that are available, not a review of our recommended incentives.
Mr. Meehan. Well, do you have recommended incentives? Are
you going to make recommendations in these particular areas?
Mr. Kolasky. We have made general recommendation pending
the creation of the cybersecurity framework. As I said, our
recommendations were done in coordination with Treasury and
Commerce but are independent of each other and the
administration is considering all of those and all of us will
work together to chart a path forward.
Mr. Meehan. Okay. Let me just ask one then. I am sorry for
overrunning my time, but I want to work with this document. If
I could ask just one last question. Just the--tell me where you
are on the expedited security clearance process because this
seems to suggest that you are going to remove that incentive,
that there is a sense that this is moving along at an
appropriate enough pace.
Mr. Kolasky. Yes. We do not believe that that is an
incentive. We believe that should be done on a need-to-know
basis and that we should work with owners and operators.
We should not attach that to the cybersecurity framework
but instead, work with owners and operators to identify
critical infrastructure and individuals within critical
infrastructure owner and operators companies who have the need
to get Classified cyber threat information; at the 150-day mark
we deliver to the administration, update on DHS's program to
get private-sector individuals clearances, and improvements and
enhancements----
Mr. Meehan. You know, because that is the thing that I hear
again and again and again and you are a little bit better than
another agency we hear frequently about but it--you know, we
get asked for all kinds of information to be dumped into the
Government and then we never hear anything again.
Mr. Kolasky. We have made a lot of progress since February,
but in doing so, we wanted it to be measured progress related
to Congressman Marino's question to make sure we aren't giving
clearances to people who don't need clearances.
Mr. Meehan. Okay. I thank you for your testimony.
Does the gentlelady have any follow-up questions?
Ms. Clarke. No, I am fine.
Mr. Meehan. Okay.
Well, I want to express my deep appreciation for your
testimony today. The witnesses' testimony has been very
valuable to us. There may be possible questions from some of
the other Members of the committee and if in fact there are and
they are forwarded to you, I ask that you would do your best to
respond in writing.
So without objection, the subcommittee stands adjourned.
[Whereupon, at 11:41 a.m., the subcommittee was adjourned.]
�