[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]
ASSESSING PERSISTENT AND EMERGING CYBER
THREATS TO THE U.S. IN THE HOMELAND
=======================================================================
JOINT HEARING
before the
SUBCOMMITTEE ON COUNTERTERRORISM
AND INTELLIGENCE
and the
SUBCOMMITTEE ON CYBERSECURITY,
INFRASTRUCTURE PROTECTION,
AND SECURITY TECHNOLOGIES
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED THIRTEENTH CONGRESS
SECOND SESSION
__________
MAY 21, 2014
__________
Serial No. 113-69
__________
Printed for the use of the Committee on Homeland Security
Available via the World Wide Web: http://www.gpo.gov/fdsys/
__________
U.S. GOVERNMENT PRINTING OFFICE
89-764 WASHINGTON : 2014
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC
area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC
20402-0001
COMMITTEE ON HOMELAND SECURITY
Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas
Peter T. King, New York
Mike Rogers, Alabama
Paul C. Broun, Georgia
Candice S. Miller, Michigan, Vice Chair
Patrick Meehan, Pennsylvania
Jeff Duncan, South Carolina
Tom Marino, Pennsylvania
Jason Chaffetz, Utah
Steven M. Palazzo, Mississippi
Lou Barletta, Pennsylvania
Richard Hudson, North Carolina
Steve Daines, Montana
Susan W. Brooks, Indiana
Scott Perry, Pennsylvania
Mark Sanford, South Carolina
Vacancy

Bennie G. Thompson, Mississippi
Loretta Sanchez, California
Sheila Jackson Lee, Texas
Yvette D. Clarke, New York
Brian Higgins, New York
Cedric L. Richmond, Louisiana
William R. Keating, Massachusetts
Ron Barber, Arizona
Donald M. Payne, Jr., New Jersey
Beto O'Rourke, Texas
Filemon Vela, Texas
Eric Swalwell, California
Vacancy
Vacancy
Brendan P. Shields, Staff Director
Michael Geffroy, Deputy Staff Director/Chief Counsel
Michael S. Twinchek, Chief Clerk
I. Lanier Avant, Minority Subcommittee Staff Director
------
SUBCOMMITTEE ON COUNTERTERRORISM AND INTELLIGENCE
Peter T. King, New York, Chairman
Paul C. Broun, Georgia
Patrick Meehan, Pennsylvania, Vice Chair
Jason Chaffetz, Utah
Vacancy
Michael T. McCaul, Texas (ex officio)

Brian Higgins, New York
Loretta Sanchez, California
William R. Keating, Massachusetts
Bennie G. Thompson, Mississippi (ex officio)
Mandy Bowers, Subcommittee Staff Director
Dennis Terry, Subcommittee Clerk
Hope Goins, Minority Subcommittee Staff Director
------
SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY
TECHNOLOGIES
Patrick Meehan, Pennsylvania, Chairman
Mike Rogers, Alabama
Tom Marino, Pennsylvania
Jason Chaffetz, Utah
Steve Daines, Montana
Scott Perry, Pennsylvania, Vice Chair
Michael T. McCaul, Texas (ex officio)

Yvette D. Clarke, New York
William R. Keating, Massachusetts
Filemon Vela, Texas
Vacancy
Bennie G. Thompson, Mississippi (ex officio)
Alex Manning, Subcommittee Staff Director
Dennis Terry, Subcommittee Clerk
CONTENTS
----------
Statements
The Honorable Peter T. King, a Representative in Congress From
the State of New York, and Chairman, Subcommittee on
Counterterrorism and Intelligence
The Honorable Brian Higgins, a Representative in Congress From
the State of New York, and Ranking Member, Subcommittee on
Counterterrorism and Intelligence:
Oral Statement
Prepared Statement
The Honorable Patrick Meehan, a Representative in Congress From
the State of Pennsylvania, and Chairman, Subcommittee on
Cybersecurity, Infrastructure Protection, and Security
Technologies
The Honorable Yvette D. Clarke, a Representative in Congress From
the State of New York, and Ranking Member, Subcommittee on
Cybersecurity, Infrastructure Protection, and Security
Technologies:
Oral Statement
Prepared Statement
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Ranking Member, Committee on
Homeland Security:
Prepared Statement
Witnesses
Mr. Glenn Lemons, Senior Intelligence Officer, Cyber Intelligence
Analysis Division, Office of Intelligence and Analysis, U.S.
Department of Homeland Security
Mr. Joseph Demarest, Assistant Director, Cyber Division, Federal
Bureau of Investigation:
Oral Statement
Prepared Statement
Mr. Larry Zelvin, Director, National Cybersecurity and
Communications Integration Center, National Protection and
Programs Directorate, U.S. Department of Homeland Security:
Oral Statement
Prepared Statement
ASSESSING PERSISTENT AND EMERGING CYBER THREATS TO THE U.S. IN THE
HOMELAND
----------
Wednesday, May 21, 2014
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Counterterrorism and
Intelligence, and
Subcommittee on Cybersecurity, Infrastructure
Protection, and Security Technologies,
Washington, DC.
The subcommittees met, pursuant to call, at 10:04 a.m., in
Room 311, Cannon House Office Building, Hon. Peter T. King
[Chairman of the Subcommittee on Counterterrorism and
Intelligence] presiding.
Present: Representatives King, Broun, Meehan, Perry,
Clarke, Higgins, and Vela.
Mr. King. Good morning. The Committee on Homeland Security,
Subcommittee on Counterterrorism and Intelligence, and the
Subcommittee--chaired by Mr. Meehan--on Cybersecurity,
Infrastructure Protection, and Security Technologies will come
to order.
The subcommittees are meeting today to hear testimony
examining persistent and emerging cyber threats to the United
States. It is particularly fortuitous or appropriate that we
hold this hearing in view of the fact that just the other day
the Justice Department announced indictments of several Chinese
Army officials for their role in violating cybersecurity.
Again, this hearing had been scheduled for several weeks.
Ranking Member Higgins and I have been working on this for
quite a while now. But again I think the fact that we are
holding it this week is particularly appropriate.
Due to the sensitivity of today's hearing, the
subcommittees will enter a closed portion with the witnesses to
discuss Classified and sensitive matters, and I ask unanimous
consent that at the appropriate time the subcommittees recess
and reconvene in closed session in the committee's secure
space. Without objection, so ordered.
I will now recognize myself for an opening statement.
The expanding number of cyber actors, ranging from nation-
states to terrorists to criminals, as well as increasing attack
capability and the increasing intensity of cyber attacks around
the globe, have made cyber warfare and cyber crime one of the
most significant threats facing the United States. This week
the Department of Justice unsealed an indictment against five
Chinese individuals working for the Chinese military for
hacking into multiple private-sector U.S. businesses to steal
their sensitive proprietary information. Additionally, this
week the FBI and international law enforcement arrested over
100 people for using malicious software called Blackshades,
which is used remotely to take over a computer, turn on the web
cam, and access passwords and other information without the
owner's knowledge.
I am encouraged by the DOJ indictment and the recent law
enforcement operation. I hope it is a signal of more aggressive
U.S. actions to address the cyber threat as we move forward,
because this threat is not going away. Cyber attacks have
economic consequences, harm our National security, and could be
used to carry out attacks on the U.S. homeland.
Over the last decade the threats facing the United States
have become more diverse, as have the tools for conducting
attacks and waging war. While the United States has made great
strides to secure the homeland since 9/11, our enemies have
evolved, and we must now consider that a foreign adversary,
terrorist network, or a criminal organization will use
cyberspace to penetrate America's defenses.
Director of National Intelligence James Clapper featured
the cyber threat prominently in his annual threat update to
Congress this year. Along with other U.S. officials, he painted
a sobering picture of the potential fallout from a cyber
attack.
Nation-states comprise the most capable cyber actors around
the globe. Countries such as Russia, China, and Iran have
demonstrated a willingness to use cyber space to steal our
military secrets, target our critical infrastructure, and even
attack our free press and financial sector. Each has invested a
great deal in cyber defenses and offensive capabilities, and
some have even used cyber attacks as a proxy in a physical
military confrontation. Many experts have suggested that
Russian actors engaged in offensive attacks in Estonia to
support military forces during their 2008 invasion of Georgia
and again during the recent annexation of Crimea.
In addition to the threat from foreign powers, American
citizens and companies lose billions from organized cyber crime
every year. Traditional criminal networks have wasted no time
in developing their on-line tradecraft to scam, steal, and
destroy valuable data. The recent data breach at Target is a
great example of exactly how far-reaching and sophisticated
these operations are. Department of Homeland Security plays a
major role in helping private companies keep their networks
secure, and this will only become more important in years to
come.
Finally, we are accustomed to think of the physical damage
caused by terrorist networks to life and property. We must now
be prepared to defend against groups like al-Qaeda using
increasingly sophisticated cyber attacks and cyber crimes to
their advantage. For many years we have also seen these groups
and violent Islamist extremists use the internet to
communicate, radicalize, and spread their hate.
Today we will hear about these issues from witnesses
provided by the FBI and DHS. I am pleased that we will begin
this hearing in an open session and subsequently move into a
closed, executive session.
I am particularly pleased that Chairman Pat Meehan is here
today and that his subcommittee is engaged in this hearing,
because he, along with Chairman McCaul, have led this
committee's efforts to enact serious cybersecurity legislation.
With the support of the private sector and privacy advocates,
their bill was passed unanimously out of this committee. It is
a testament to their hard work; also to the importance of the
issues. I am really privileged to have Pat working with us here
today.
I welcome those on the front line of the issue and I look
forward to their testimony.
I now recognize the Ranking Minority Member of the
Subcommittee on Counterterrorism and Intelligence, the
gentleman from New York, Mr. Higgins, for any statement he may
have.
Mr. Higgins. I would like to thank the Chairman for holding
this hearing, and in deference to the Chairman and our guests
today, I will submit my opening statement for the record so we
can get right to it.
[The statement of Mr. Higgins follows:]
Statement of Ranking Member Brian Higgins
May 21, 2014
I would like to thank the Chairman for holding today's hearing. I
look forward to hearing the testimony of our witnesses as the committee
continues to expand our interests and understanding of the current and
evolving cyber threats. I have gone on record before to state that
cyber threats know no limits and have no boundaries. As a Member
representing the Buffalo and Niagara region, I dedicate a significant
amount of my time and interests to issues related to border security
and the facilitation of commerce.
However, I understand the threats to our country and our way of
life are not limited to the reach of planes, trains, and automobiles,
and also that these threats cannot be contained by Congressional
districts. As technology continues to mature and our on-line world
continues to grow, the threats and the means to carry out those threats
grow as well. For the second consecutive year, the Director of National
Intelligence, James Clapper, has designated cybersecurity as the top
global threat. Also, the No. 2 global threat for the United States on
this same list is related to concerns of espionage.
As a reflection of the growing espionage cyber threats, on Monday,
for the first time in U.S. history, the Department of Justice issued
indictments related to cybersecurity against foreign state actors.
Pursuant to that indictment, five members of the Chinese military were
charged with a total of 155 counts of crimes related to computer
hacking, economic espionage, and other offenses related to
cybersecurity. I believe this indictment sends a strong message for
state-actors that the United States will not be intimidated by cyber
hackers and we will remain vigilant against attempts against cyber
espionage. While I understand that the unprecedented nature of this
indictment has and will continue to interest Members of this committee
and Congress as a whole, I will refrain from interfering with the on-
going judicial process.
However, I would request that as information can be shared with us,
our witnesses will return to brief Members of this committee in the
appropriate setting. America's economic prosperity depends on
cybersecurity, and that is why we need effective oversight and robust
cyber legislation that includes strategic initiatives, including
public-private partnerships that protect our Nation from hackers,
nefarious state actors, and foreign intelligence services from
countries such as China.
While I understand that it would be inappropriate for our witnesses
to go into detail about specific cyber threats in this open setting;
when possible, I believe an open discussion of the threats that we do
know about, the technologies being used, and massive vulnerabilities
can be helpful to the American public. It is clear to everyone that our
dependence on technology is growing exponentially by the day.
Therefore our Nation depends on us, both Congress and Federal
agencies and departments, to have a robust, comprehensive set of
cybersecurity policies and procedures in place. Therefore, we must not
only examine the threat, but also protect critical infrastructure and
safeguard our personal and financial information, while promoting
research and development to ensure that we have the proper protocols in
place.
Mr. King. The Ranking Member yields back.
Chairman Meehan.
Mr. Meehan. I thank the Ranking Member for yielding, and I
thank the Chairman for sharing the opportunity to collaborate
on, as Chairman King said, this very, very important issue. I
want to thank everybody for attending this important hearing.
This is the latest in a series of hearings the Subcommittee
on Cybersecurity, Infrastructure Protection, and Security
Technologies has held examining the threat to our computer
networks and what the U.S. Government is doing to mitigate and
respond to that threat. The threat of cyber attack is real, and
it is a growing menace in American security and prosperity.
Over the past year alone we have seen Iranian hackers disrupt
the computer systems of Saudi energy company Aramco in an
attempt to take down the American financial sector. We have
also seen criminals attack some of the icons of our retail
sector, compromising the personal information of over 100
million customers. Just this week the Department of Justice
announced indictments against five Chinese military operatives
for hacking into U.S. companies to steal proprietary
information.
Last month I had the opportunity to travel to China with a
number of my colleagues, including House Majority Leader Eric
Cantor, and we met with a number of China's most senior
leaders, up to and including the Premier, and we specifically
raised concerns about state-sponsored industrial espionage and
the importance of protecting and respecting intellectual
property and the trade secrets of American businesses. China
has a responsibility to adhere to international law, a
responsibility it has repeatedly failed to acknowledge.
The response we received from Chinese officials where we
raised these concerns was disciplined. The Chinese refused to
admit that they condoned or supported their state-sponsored
corporate espionage, and they refused to concede that American
businesses were routinely targeted by Chinese hackers for
intrusion.
In addition to state-sponsored and criminal organizations,
ideologically motivated actors, including terrorist groups and
activists, use the internet to attack us and to finance their
illicit activities. As the 2014 report by the cybersecurity
firm Mandiant states, threat actors are not just interested in
seizing the corporate crown jewels, but are also looking for
ways to publicize their views, to cause physical destruction,
and to influence global decision makers.
Defending against and responding to these attacks has a
real cost, and the cost is primarily borne by the American
private sector. Companies spend hundreds of millions of dollars
per year defending their networks. At a hearing we held last
month in Philadelphia, just an area community bank testified
that they had to spend a million dollars a year--this is a
small community bank--on its cybersecurity efforts, and they
suggested they could spend much more.
Attacks that cause business disruptions cost companies an
average of nearly $300,000 each to mitigate the damage, and
certainly it can be significantly higher where there is real
damage, and companies that have lost untold amounts of
intellectual property have found themselves at a competitive
disadvantage with their global competitors. Identity theft
alone costs U.S. banks, retailers, and consumers roughly $780
million a year, and as the Chairman himself said, literally
billions of dollars in value associated with stolen
intellectual property.
All of these losses directly contribute to job losses,
missed business opportunities, and American companies at a
competitive disadvantage on the world stage. The question then
becomes: How do we respond to this?
First, we must ensure that our Federal agencies have
defined roles and are coordinating with each other and the
private sector to share threat information. We must also crack
down on the perpetrators of these attacks by arresting
malicious hackers and pressuring other countries to do the
same. It is especially true in China and Eastern Europe, where
these companies' spies and criminals hide.
The indictments of the Chinese military hackers and the
arrest of over 100 hackers linked to the malicious software
called Blackshades are a good start, but there is more work to
do. Importantly, we in Congress need to continue to study this
threat and to understand who the adversaries are, what they
want, where they live, and what they are capable of doing.
I want to thank each of the members of this panel who are
before us today for their work in this area, and we look
forward to your testimony both in here and in the closed
hearings to better understand and to better continue to educate
not only our colleagues, but the American people on this very,
very important and challenging issue. I thank Chairman King for
the opportunity to share it with him.
I yield back.
Mr. King. Thank you, Chairman Meehan.
Other Members of the committee are reminded that opening
statements may be submitted for the record.
[The statement of Mr. Thompson follows:]
Statement of Ranking Member Bennie G. Thompson
May 21, 2014
This hearing is timed only days after the Department of Justice
announced indictments against five Chinese military officials for
conducting cyber espionage against U.S. industries related to nuclear
power and solar and metal products. I understand the investigative role
of the FBI in this investigation and that our judicial process limits
the information which can be shared at such a critical point in this
process. Therefore, I look forward to working with all of our witnesses
to discuss and review this case at the appropriate time.
During this Congress and in previous Congresses, I have maintained
and expanded this committee's cybersecurity jurisdiction by conducting
effective oversight and offering both responsive and responsible
legislation. I continue to be encouraged as DHS assumes its role as the
primary agency charged with securing Federal Government systems from
cyber attacks, while working with other agencies to collect
information, analyze threats, and respond accordingly.
It is important for DHS to continue to make progress in addressing
one of the greatest homeland security challenges of our day--how to
help Government agencies and private-sector infrastructure owners and
operators protect critical infrastructure from cyber threats.
Too often when we discuss cyber threats or cybersecurity, we group
all bad actors into the same category. Today, our witnesses should
explain not only the on-going threats, but also distinguish the threat
actors. Specifically, I am interested in hearing about the organized
crime groups and their efforts to target financial service sectors,
terrorist groups' use of on-line networks to recruit and organize
attack efforts, and foreign governments with an interest in obtaining
data and information from Government agencies and major manufacturers,
including those with defense contracts.
I would also like to hear how the witnesses and their agencies
manage and analyze the volumes of open-source information and postings
that can be found on various social networking websites.
I have gone on record several times to emphasize social media as an
integral tool in recognizing and preventing emerging threats, but
warning that a balance must be created to manage this information. We
must still heed that warning and make our Federal security regime as
effective as possible.
Mr. King. Now I am pleased to introduce the distinguished
panel that we have here today.
Mr. Glenn Lemons is the senior intelligence officer for the
Cyber Intelligence Analysis Division in Homeland Security's
Office of Intelligence and Analysis. His responsibilities
include providing all-source cyber intelligence support for DHS
senior personnel and owners and operators of critical
infrastructure. Additionally, he manages and leads a diverse
cyber workforce that, in coordination with the National
Protection and Programs Directorate, provides operational
intelligence support to our Nation's 16 critical infrastructure
partners and all applicable State, local, territorial, Tribal,
and private-sector entities.
Mr. Joseph Demarest is the assistant director of the Cyber
Division at the Federal Bureau of Investigation. The FBI helps
lead the National effort to investigate high-tech crimes,
including cyber-based terrorism, espionage, computer
intrusions, and cyber fraud. Joe Demarest has been with the FBI
for more than a quarter of a century, and I had the personal
privilege of seeing him operate first-hand when he headed the
Joint Terrorism Task Force in New York and later as the
assistant director in charge, where he did a truly outstanding
job in coordinating efforts against terrorism in the New York
City, Long Island, New York area.
So, Joe Demarest, it is great to see you here today. Thank
you.
Larry Zelvin is the director of National Cybersecurity and
Communications Integration Center at the Department of Homeland
Security--easier to say NCCIC. It is comprised of several
components, including the U.S. Computer Emergency Readiness
Team, the National Coordination Center for Telecommunications,
the Industrial Control Systems Cyber Emergency Response Team,
and a 24/7 operations center. Mr. Zelvin is a retired U.S. Navy
captain and naval aviator with 26 years of active service.
I want to thank all of you for appearing here today, and
let you know that your written testimony is being submitted for
the record. I will now recognize Mr. Lemons for 5 minutes for
his testimony.
Mr. Lemons.
STATEMENT OF GLENN LEMONS, SENIOR INTELLIGENCE OFFICER, CYBER
INTELLIGENCE ANALYSIS DIVISION, OFFICE OF INTELLIGENCE AND
ANALYSIS, U.S. DEPARTMENT OF HOMELAND SECURITY
Mr. Lemons. Thank you, sir.
Chairman King, Chairman Meehan, Ranking Member Higgins, and
distinguished Members of the committee, I am pleased to be here
today to discuss the continued threat to the homeland from
malicious cyber actors and the Office of Intelligence and
Analysis role in assessing these threats.
Cyber intrusions into critical infrastructure and
Government networks are increasing in sophistication and
seriousness. Although the persistent cyber threat to the
homeland remains theft of data and espionage, the complexity of
emerging threat capabilities, the inextricable link between
physical and cyber domains, and a diversity of cyber actors
present challenges to DHS and all of our customers.
With the private sector owning and operating over 85
percent of our Nation's critical infrastructure, information
sharing becomes especially important between public and private
sector. Malicious cyber actors who target the homeland include
nation-states, cyber criminals, criminal hackers, asymmetric
actors, to include terrorists, with the insidious and/or
unwitting insider presenting unique cybersecurity concerns that
can magnify any threat.
Nation-states aggressively target and gain persistent
access to public and private-sector networks to exploit and
steal massive quantities of data. Given the increasing world
view of cyber space as a domain of warfare, we cannot discount
that adversaries currently support planning for contingencies
by mapping and evaluating U.S. networks and infrastructure.
Cyber criminals are largely motivated by profit and are
extremely capable, representing a long-term global and common
threat. We see sophisticated financial criminals in many
countries throughout the world.
Criminal hackers are politically or ideologically motivated
and target for publicity, which can result in high-profile
operations in both, but often with limited effectiveness. The
May 2000 Middle East and North Africa-based hacker campaign
known as OpUSA showed the group's desire for media attention,
despite its lack of capability to disrupt websites of U.S.
Government, financial, and commercial entities.
Asymmetrical actors, to include terrorists, primarily use
the internet for on-line recruitment, communication,
propaganda, and research. While limited by persistent
counterterrorism pressures and difficulty in recruiting
experts, we believe they will continue to seek cyber targets of
opportunity. Therefore, despite the low probability of a
destructive terrorist cyber attack occurring, such an event may
have a high-profile impact, even if unsuccessful. Success in
this case may be determined by press coverage by its
destructive network activity.
The outlook of these threats is that malicious cyber
activity targeting Government and private-sector networks can
result in intentional and in some cases unintentional
consequences which can threaten National and economic security,
critical infrastructure, as well as public health and welfare.
It is reasonable to assess both disruptive and possibly
destructive cyber activity are the goals of malicious cyber
actors who target our Nation's critical infrastructure in an
effort to cause harm.
I&A has an important role in supporting the Department in
carrying out its cyber responsibilities by assessing these
emerging threats and ensuring both public and private sector
are made aware of them through robust information sharing. The
I&A support for public and private-sector owners and operators
is multidimensional. Since the implementation of Executive
Order 13636, which charges the Department to increase the
value, the quantity, and quality of Unclassified cyber threat
reporting, DHS I&A has increased Unclassified cyber outreach by
382 percent from fiscal year 2012 to 2013, and for 2014 we are
on a trajectory to bypass last year's numbers. These activities
are in addition to our regularly scheduled Unclassified and
Classified production, and weekly, monthly, and quarterly
security engagements.
Additionally, we are partnering with State and local fusion
centers to deconflict production, solicit requirements, and
participate in joint production opportunities. These are just
some of our efforts to increase threat awareness, decrease
duplicative reporting, and align priorities.
Thank you for providing me the opportunity to speak with
you today about these important issues. I look forward to your
questions both here and in the follow-on Classified session.
Mr. King. Thank you for your testimony, Mr. Lemons.
Now I am pleased to recognize Mr. Demarest.
STATEMENT OF JOSEPH DEMAREST, ASSISTANT DIRECTOR, CYBER
DIVISION, FEDERAL BUREAU OF INVESTIGATION
Mr. Demarest. Good morning, Chairmen King, Meehan, and
Ranking Member Higgins, and distinguished Members. I am pleased
to appear before you today to discuss the cyber threats facing
our Nation and how the FBI and our partners, most importantly
DHS and a broadband of others domestically and abroad, what we
are doing together to protect the United States.
Today's FBI is a threat-focused, intelligence-driven
organization. Just as our adversaries continue to evolve, so,
too, must the FBI. We live in a time of acute and persistent
terrorist, state-sponsored, and criminal threats to our
National security, our economy, and our communities. These
diverse threats facing our Nation and our neighborhoods
underscore the complexity and breadth of the FBI's mission
today.
The United States faces cyber threats from state-sponsored
hackers, hackers for hire, global cyber criminal syndicates,
and terrorists. They seek our trade and state secrets, our
technology, our personal and financial information, and our
ideas, all of which are of incredible value to us here in the
United States. Given the scope of the cyber threat, agencies
across the Federal Government are making cybersecurity
obviously a top priority. Within the FBI we are prioritizing
high-level intrusions. The biggest and most dangerous botnets,
criminal forums, state-sponsored hackers, and global cyber
criminal syndicates are our priorities. We want to predict and
prevent attacks and get to the position where we can, rather
than simply react to after the fact.
FBI agents, analysts, and computer scientists are using
technological capabilities and traditional investigative
techniques to fight cyber crime today. We are working side-by-
side with our Federal, State, and local partners on cyber task
forces in each of our 56 field offices and through the National
Cyber Investigative Joint Task Force in Chantilly, Virginia.
Through our 24/7 cyber command center, CyWatch, we combine the
resources of the FBI and the NCIJTF, allowing us to provide
connectivity to the other Federal cyber centers, NCCIC being
chief among them, Government agencies, FBI field offices, legal
attaches, and the private sector in the event of a cyber event.
As the committee is well aware, the frequency and impact of
cyber attacks on our Nation's private sector and Government
networks have increased dramatically in the past decade and are
expected to grow exponentially. The FBI and our partners have
had multiple recent investigative successes against the threat
and we are continuing to push ourselves to respond more rapidly
to prevent attacks before they occur.
On Monday the Western District of Pennsylvania unsealed an
indictment naming five members of the People's Liberation Army
of the People's Republic of China on 31 counts, including
conspiring to commit computer fraud, accessing a computer
without authorization for the purpose of commercial advantage
and private financial gain, damaging computers through the
transmission of code and commands, aggravated identity theft,
economic espionage, and theft of trade secrets. Each of the
defendants provided his individual expertise to a conspiracy to
penetrate the computer networks of six U.S. companies while
those companies were engaged in negotiations or joint ventures
with or were pursuing legal action against state-owned
enterprises in China. This marks the first time criminal
charges have been filed against known state actors for hacking.
Also on Monday the FBI announced a world-wide operation
against those individuals who created and purchased malware
known as Blackshades. This operation involved 18 countries.
More than 90 arrests have been made so far, and more than 300
searches have been conducted around the world in support of the
operation. Blackshades products were offered on their website.
Their products include Blackshades Remote Access Tool and
Blackshades Password Recovery, to name just a few.
The most popular product was the Blackshades Remote Access
Tool. The tool contained a key logger feature that allowed
users to record each key the victim typed on their computer
keyboards. To help users steal a victim's password and other
log-on credentials, the tool also had a form-grabber feature
which automatically captured log-on information that victims
entered into the forms on their infected computers. The tool
also provided its users with complete access to all the files
contained on a victim's computer. A tool user could use this
access to view or download photographs, documents, or other
files on the victim's computer. Further, the tool enabled users
to encrypt or lock a victim's files and demand ransom payment
to unlock them, much like ransomware. The tool even came with a
prepared script to demand such a ransom. As you can imagine,
this tool alone poses a significant threat to individual
victims across the United States and certainly around the
world.
These successes are just the beginning. The FBI has
redoubled its efforts to strengthen our cyber capabilities
internally. The FBI's Next Generation Cyber Initiative, which
we launched in 2012, included a wide range of developments,
like establishing the cyber task forces throughout each of our
field offices; also focusing on cyber intrusion or intrusion
investigations. We have also hired additional computer
scientists to assist in the technical investigations in the
field and at headquarters; and then certainly expanded our
partnerships to enhance collaboration through the NCIJTF and
within the U.S. Government.
The NCIJTF, which serves as a coordination, integration,
and information-sharing center among 19 U.S. agencies and our
Five Eyes partners for cyber threat investigations has provided
unprecedented coordination. This coordination involves senior
personnel at key agencies. NCIJTF, which is led by the FBI, has
deputy directors from the NSA, DHS, CIA, U.S. Secret Service,
and U.S. Cyber Command.
In addition to strengthening our partnerships in Government
and law enforcement, we recognize that to effectively combat
the cyber threat we must significantly enhance our cooperation
with the private sector, which we are doing through our
InfraGard program; our DSAC program as well. We recognize that
understanding the cyber threat is critical to effectively
combatting that, and the private sector is a key ingredient. As
part of our enhanced private-sector outreach, we have begun to
provide industry partners with Classified threat briefings and
indicators in advance of attacks that we are knowledgeable of.
In conclusion, sir, to counter the threats we face today,
we are engaging in an unprecedented level of collaboration
within the U.S. Government, with the private sector, and with
our international partners. We are grateful for the committee's
continued support and look forward to working with you and
expanding our partnerships as we determine a successful course
forward for this Nation to defeat the cyber adversaries we face
today. Thank you again, sir.
[The prepared statement of Mr. Demarest follows:]
Prepared Statement of Joseph Demarest
May 21, 2014
Good morning Chairmen Meehan and King and Ranking Members Clarke
and Higgins. I'm pleased to appear before you today to discuss the
cyber threats facing our Nation and how the FBI and our partners are
working together to protect the United States Government and private-
sector networks.
Today's FBI is a threat-focused, intelligence-driven organization.
Each employee of the FBI understands the key threats facing our Nation
and we must constantly strive to be more efficient and more effective.
Just as our adversaries continue to evolve, so, too, must the FBI. We
live in a time of acute and persistent terrorist, state-sponsored, and
criminal threats to our National security, our economy, and our
communities. These diverse threats facing our Nation and our
neighborhoods underscore the complexity and breadth of the FBI's
mission.
We remain focused on defending the United States against terrorism,
foreign intelligence, and cyber threats; upholding and enforcing the
criminal laws of the United States; protecting civil rights and civil
liberties; and providing leadership and criminal justice services to
Federal, State, local, and international agencies and partners.
The Cyber Threat & FBI Response
The United States faces cyber threats from state-sponsored hackers,
hackers for hire, global cyber syndicates, and terrorists. They seek
our state secrets, our trade secrets, our technology, our personal and
financial information, and our ideas, all of which are of incredible
value to all of us. They may seek to strike our critical infrastructure
and our economy.
Given the scope of the cyber threat, agencies across the Federal
Government are making cybersecurity a top priority. Within the FBI, we
are prioritizing high-level intrusions--the biggest and most dangerous
botnets, state-sponsored hackers, and global cyber syndicates. We want
to predict and prevent attacks, rather than simply react after the
fact.
FBI agents, analysts, and computer scientists are using technical
capabilities and traditional investigative techniques, such as sources
and communication intercepts, as well as forensics, to fight cyber
crime. We are working side-by-side with our Federal, State, and local
partners on Cyber Task Forces in each of our 56 field offices and
through the National Cyber Investigative Joint Task Force (NCIJTF).
Through our 24/7 cyber command center, CyWatch, we combine the
resources of the FBI and NCIJTF, allowing us to provide connectivity to
Federal cyber centers, Government agencies, FBI field offices and legal
attaches, and the private sector in the event of a cyber intrusion.
We also work with the private sector through partnerships such as
the Domestic Security Alliance Council, InfraGard, and the National
Cyber Forensics and Training Alliance. The FBI is training our State
and local counterparts to triage local cyber matters, so that we can
focus on the most pressing issues with National impact.
In addition, our Legal Attache offices overseas work to coordinate
cyber investigations and address jurisdictional hurdles and differences
in the law from country to country. We are supporting partners at
Interpol and The Hague as they work to establish international cyber
crime centers. We continue to assess other locations to ensure that our
cyber personnel are in the most appropriate locations across the globe.
We know that to be successful in the fight against cyber crime, we
must continue to recruit, develop, and retain a highly-skilled
workforce. To that end, we have developed a number of creative staffing
programs and collaborative partnerships with private industry to ensure
that over the long term we remain focused on our most vital resource,
our people.
As the committee is well aware, the frequency and impact of cyber
attacks on our Nation's private sector and Government networks have
increased dramatically in the past decade and are expected to continue
to grow.
Recent Successes
While the FBI and our partners have had multiple recent
investigative successes against the threat, we are continuing to push
ourselves to respond more rapidly and prevent attacks before they
occur.
One area in which we recently have had great success with our
overseas partners is in targeting infrastructure we believe has been
used in Distributed Denial of Service (DDOS) attacks, and preventing
that infrastructure from being used for future attacks. A DDOS attack
is an attack on a computer system or network that causes a loss of
service to users, typically the loss of network connectivity and
services by consuming the bandwidth of the victim network. Since
October 2012, the FBI and the Department of Homeland Security (DHS)
have released nearly 168,000 Internet Protocol addresses of computers
that were believed to be infected with DDOS malware. We have released
this information through Joint Indicator Bulletins (JIBs) to more than
130 countries via DHS's National Cybersecurity and Communications
Integration Center (NCCIC), where our liaison officers provide expert
and technical advice for increased coordination and collaboration, as
well as our Legal Attaches overseas.
These actions have enabled our foreign partners to take action and
reduced the effectiveness of the botnets and the DDOS attacks. We are
continuing to target botnets through this strategy and others.
In April 2013, the FBI Cyber Division initiated an aggressive
approach to disrupt and dismantle the most significant botnets
threatening the economy and National security of the United States.
This initiative, named Operation Clean Slate, was implemented to
appropriately address the threat neutralization actions through
collaboration with the private sector, Department of Homeland Security
and other United States Government partners, and our foreign partners.
This includes law enforcement action against those responsible for the
creation and use of the illegal botnets, mitigation of the botnet
itself, assistance to victims, public-service announcements, and long-
term efforts to improve awareness of the botnet threat through
community outreach. Although each botnet is unique, Operation Clean
Slate's strategic approach to this significant threat ensures a
comprehensive neutralization strategy, incorporating a unified public/
private response and a whole-of-Government approach to protect U.S.
interests.
The impact of botnets has been significant. Botnets have caused
over $113 billion in losses globally, with approximately 378 million
computers infected each year, equaling more than 1 million victims per
day, translating to 12 victims per second.
To date, Operation Clean Slate has resulted in several successes.
Working with our partners, we disrupted the Citadel Botnet. This botnet
was designed to facilitate unauthorized access to computers of
individuals and financial institutions to steal on-line banking
credentials, credit card information, and other personally identifiable
information. Citadel was responsible for the loss of over a half
billion dollars. As a result of our actions, over 1,000 Citadel domains
were seized, accounting for more than 11 million victim computers
world-wide. In addition, working with foreign law enforcement, we
arrested a major user of the malware.
Building on the success of the disruption of Citadel, in December
2013, the FBI and Europol, together with Microsoft and other industry
partners, disrupted the ZeroAccess Botnet. ZeroAccess was responsible
for infecting more than 2 million computers, specifically targeting
search results on Google, Bing, and Yahoo search engines, and is
estimated to have cost on-line advertisers $2.7 million each month.
In January 2014, Aleksandr Andreevich Panin, a Russian national,
pled guilty to conspiracy to commit wire and bank fraud for his role as
the primary developer and distributor of the malicious software known
as "Spyeye" which infected over 1.4 million computers in the United
States and abroad. Based on information received from the financial
services industry, over 10,000 bank accounts were compromised by Spyeye
infections in 2013 alone. Panin's co-conspirator, Hamza Bendelladj, an
Algerian national who helped Panin develop and distribute the malware,
was also arrested in January 2013 in Bangkok, Thailand.
Next Generation Cyber Initiative
The need to prevent attacks is a key reason the FBI has redoubled
our efforts to strengthen our cyber capabilities while protecting
privacy, confidentiality, and civil liberties. The FBI's Next
Generation Cyber Initiative, which we launched in 2012, entails a wide
range of measures, including focusing the FBI Cyber Division on
intrusions into computers and networks, as opposed to crimes committed
with a computer as a modality. The Cyber Division established Cyber
Task Forces in each of our 56 field offices to conduct cyber intrusion
investigations and respond to significant cyber incidents. The Cyber
Division has also hired additional computer scientists to assist with
technical investigations in the field and expanded partnerships to
enhance collaboration with the NCIJTF.
The NCIJTF, which serves as a coordination, integration, and
information-sharing center among 19 U.S. agencies and our Five Eyes
partners for cyber threat investigations has resulted in unprecedented
coordination. This coordination involves senior personnel at key
agencies. NCIJTF, which is led by the FBI, now has deputy directors
from the NSA, DHS, the Central Intelligence Agency, U.S. Secret
Service, and U.S. Cyber Command. In the past year, we have had our Five
Eyes partners join us at the NCIJTF. Australia embedded a liaison
officer in May 2013, the United Kingdom in July 2013, and Canada in
January 2014. By developing partnerships with these and other nations,
NCIJTF is working to become the international leader in synchronizing
and maximizing investigations of cyber adversaries.
While we are primarily focused with our Federal partners on cyber
intrusions, we are also working with our State and local law
enforcement partners to identify and address gaps in the investigation
and prosecution of internet fraud crimes.
Currently, the FBI's Internet Crime Complaint Center (IC3) collects
reports from private industry and citizens about on-line fraud schemes,
identifies emerging trends, and produces reports about them. The FBI
investigates fraud schemes that are appropriate for Federal prosecution
(based on such factors as the amount of loss). Others are packaged
together and referred to State and local law enforcement.
The FBI is also working to develop the Wellspring program in
collaboration with the International Association of Chiefs of Police,
the Major Cities Chiefs Association, and the National Sheriffs'
Association to enhance the internet fraud targeting packages IC3
provides to State and local law enforcement for investigation and
potential prosecution. During the first phase of this program's
development, IC3 worked with the Utah Department of Public Safety to
develop better investigative leads for direct dissemination to State
and local agencies.
Through IC3, Operation Wellspring provided Utah police 22 referral
packages involving over 800 victims, from which the FBI opened 14
investigations. Additionally, another 9 investigations were opened and
developed from the information provided.
The following are reported loss totals:
IC3-referred investigations: $2,135,264
Cyber Task Force initiated investigations: $385,630
Operation Wellspring/Utah total: $2,520,894
The FBI is also partnering closely with DOJ's Bureau of Justice
Assistance to support efforts of the International Association of
Chiefs of Police to develop a National Cyber Center designed
specifically to identify and share resources from across Government to
assist local, State, and Tribal law enforcement agencies in better
addressing their cyber crime needs.
The FBI's newly-established Guardian for Cyber application, being
developed for Cyber use by the Guardian Victim Analysis Unit (GVAU),
provides a comprehensive platform that tracks U.S. Government
coordination and efforts to notify victims or targets of malicious
cyber activity.
The FBI is working toward the full utilization of Guardian for
Cyber across FBI, other Government agencies, State, local, Tribal, and
territorial (SLTT) governments, as well as industry partners, in order
to provide forward understanding of cyber-related threats, increase
awareness of victim actions to mitigate those threats, and facilitate a
coordinated overall cyber incident response by the U.S. Government.
Private Sector Outreach
In addition to strengthening our partnerships in Government and law
enforcement, we recognize that to effectively combat the cyber threat,
we must significantly enhance our collaboration with the private
sector. Our Nation's companies are the primary victims of cyber
intrusions and their networks contain the evidence of countless
attacks. In the past, industry has provided us information about
attacks that have occurred, and we have investigated the attacks, but
we have not always provided information back.
The FBI's newly-established Key Partnership Engagement Unit (KPEU)
manages a targeted outreach program focused on building relationships
with senior executives of key private-sector corporations. Through a
tiered approach the FBI is able to prioritize our efforts to better
correlate potential National security threat levels with specific
critical infrastructure sectors.
The KPEU team promotes the FBI's Government and industry
collaborative approach to cybersecurity and investigations by
developing a robust information exchange platform with its corporate
partners.
Through the FBI's InfraGard program, the FBI develops partnerships
and working relationships with private sector, academic, and other
public/private entity subject-matter experts. Primarily geared toward
the protection of critical, National infrastructure, InfraGard promotes
on-going dialogue and timely communication among a current active
membership base of 25,863 (as of April 2014).
InfraGard members are encouraged to share information with
Government that better allows Government to prevent and address
criminal and National security issues. One of the resources available
to members is the Guardian for Cyber program, which facilitates real-
time incident reports to the FBI. InfraGard members also benefit from
access to robust on- and off-line learning resources, connectivity with
other members and special interest groups, and relevant Government
intelligence and information updates that enable them to broaden threat
awareness and protect their assets.
The FBI's Cyber Initiative & Resource Fusion Unit (CIRFU) maximizes
and develops intelligence and analytical resources received from law
enforcement, academia, international, and critical corporate private-
sector subject-matter experts to identify and combat significant actors
involved in current and emerging cyber-related criminal and National
security threats. CIRFU's core capabilities include a partnership with
the National Cyber Forensics and Training Alliance (NCFTA) in
Pittsburgh, Pennsylvania, where the unit is collocated. NCFTA acts as a
neutral platform through which the unit develops and maintains liaison
with hundreds of formal and informal working partners who share real-
time threat information and best practices, and who collaborate on
initiatives to target and mitigate cyber threats domestically and
abroad. In addition, the FBI, Small Business Administration, and the
National Institute of Standards and Technology (NIST) partner together
to provide cybersecurity training and awareness to small business as
well as citizens leveraging the FBI InfraGard program.
The FBI recognizes that understanding the cyber threat is critical
to effectively combating it. As part of our enhanced private-sector
outreach, we have begun to provide industry partners with Classified
threat briefings and other information and tools to better help them
repel intruders. Earlier this year, in coordination with the Treasury
Department, we provided a Classified briefing on threats to the
financial services industry to executives of more than 40 banks who
participated via secure video teleconference in FBI field offices. We
provided another Classified briefing on threats to the financial
services industry in April 2014, with 100 banks participating. Another
illustration of the FBI's commitment to private-sector outreach is our
increase in production of our external use products such as the FBI
Liaison Alert System (FLASH) reports and Private Industry Notifications
(PINs).
Conclusion
In conclusion, to counter the threats we face, we are engaging in
an unprecedented level of collaboration within the U.S. Government,
with the private sector, and with international law enforcement.
We are grateful for the committee's continued support and look
forward to working with you and expanding our partnerships as we
determine a successful course forward for the Nation to defeat our
cyber adversaries.
Mr. King. Thank you, Mr. Demarest.
Now Mr. Zelvin.
STATEMENT OF LARRY ZELVIN, DIRECTOR, NATIONAL CYBERSECURITY AND
COMMUNICATIONS INTEGRATION CENTER, NATIONAL PROTECTION AND
PROGRAMS DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY
Mr. Zelvin. Chairman King, Chairman Meehan, Ranking Members
Higgins, Ranking Member Clarke, distinguished Members of the
committee, thank you for the opportunity to appear before you
today.
As you well know, the Nation's economic vitality and
National security depend on a secure cyber space where
reasonable risk decisions can be made and the flow of digital
goods, transactions, and on-line interactions can occur safely
and reliably. In order to meet this objective, the technical
characteristics of malicious cyber activity must be shared in a
timely fashion so cyber defenders can discover, address, and
mitigate a variety of threats and vulnerabilities.
In carrying out our particular responsibilities, the NCCIC
promotes and implements a unified approach to cybersecurity
which enables the rapid sharing of cybersecurity information in
a manner that ensures the protection of individuals' privacy,
civil liberties, and rights.
The NCCIC is a civilian organization that provides an
around-the-clock center where Government, private sector, and
international partners can work together in both physical and
virtual environments. As mentioned, the NCCIC is comprised of
four branches, US-CERT, ICS-CERT, NCC, and an ops and
integration component.
From October 1, 2013, to May 20, 2014, the NCCIC has
received over 350,000 cyber incident reports from Government
partners, critical infrastructure organizations, and
international partners, a significant increase from the nearly
230,000 reports received in all of fiscal year 2013. These
reports included incidents such as distributed denial of
service attacks, phishing campaigns, and intrusions into a
variety of technology information systems.
In response to these incidents, the NCCIC regularly
publishes technical and nontechnical information products,
often co-authoring with the FBI, analyzing the characteristics
of malicious cyber activity and improving organizations' ability
to reduce risk. Additionally, when
appropriate, all NCCIC components have on-site incident
response teams that can assist asset owners and operators and
their facilities, in close cooperation with our Government
partners.
US-CERT's global partnerships with more than 200 other
CERTs world-wide are particularly useful as our team works to
develop analysis across international borders to develop a
comprehensive picture of malicious cyber activity. Data from
the NCCIC and US-CERT can also be shared in machine-readable
formats called a Structured Threat Information eXpression
language, also known as STIX, which is currently being
implemented and utilized.
When looking at cyber threats, one of our greatest
challenges in cybersecurity is that our information technology
systems are not nearly as secure as they could or should be.
While there are a number of cases I could use to highlight my
statement, I would like to use my remaining time to talk about
how we in DHS aided Federal departments and agencies in
responding to and mitigating the Heartbleed vulnerability across
the dot-gov domain.
On April 17, 2014, the NCCIC learned of a vulnerability in
the widely-used Secure Sockets Layer encryption software dubbed
Heartbleed. On April 8, US-CERT issued a public alert on the
Heartbleed vulnerability and deployed signatures into our
EINSTEIN 2 intrusion detection system to enable the detection
of possible exploitation of the Heartbleed in the dot-gov
domain. On April 10, mitigation guidance was distributed to our
national world-wide partners, and then the NCCIC's National
Cybersecurity Assessment & Technical Services team collaborated
with well over 100 Federal agencies, receiving their
authorization to scan for the Heartbleed vulnerability,
identify their public IP space, schedule times to conduct the
scanning, and then deliver individualized reports and results
to each agency for their mitigation.
To date, the NCATS team has scanned Federal IP space of
approximately 15.5 million IPs on 11 different occasions and
assisted in reducing the number of Federal Heartbleed
vulnerability occurrences from 270 to about 2 in less than 3
weeks. More than half of these vulnerabilities were identified
and mitigated in the first 6 days of scanning.
The Industrial Control System CERT, in partnership with
private-sector research groups, conducted two webinars
regarding Heartbleed, one with the Industrial Control System
vendor community on April 16 and one with 16 critical
infrastructure sectors directly impacted by the vulnerability
on April 25. Approximately 140 vendors attended the first
session and nearly 500 critical infrastructure asset and owner-
operators, as well as representatives from sector-specific
agencies and information-sharing and analysis centers, attended
the second.
Fortunately, due to the hard work throughout the Federal
Government, the impact of the Heartbleed on the dot-gov domain
has been minimal. I am very proud of how the team responded and
continues to counter this significant vulnerability as it
serves as yet another example of how we collaborate with and
serve a large community of stakeholders. We still can do
better, and we are asking for the help of the committee to
clarify DHS' authorities so it can better mitigate threats to
the dot-gov and our dot-com domains closer to the time in which
they occur.
In conclusion, I would like to again thank the committee
for the ability to appear today and highlight that we in DHS
and across the NCCIC strive every day to enhance the security
and resilience across cyber space and the information
technology enterprise. We accomplish our mission using
voluntary means and ever-mindful of the need to respect
privacy, civil liberties, and the law. I truly appreciate the
opportunity to speak with you today and look forward to your
questions.
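Mr. Zelvin's statement mentions signatures deployed into the EINSTEIN 2 intrusion detection system to detect Heartbleed exploitation on the dot-gov domain. The following is an added example, not part of the hearing record or any DHS tool, of the kind of check such a signature encodes: it parses TLS records and flags a Heartbeat message whose declared payload_length exceeds the bytes actually present, which is the malformed shape the Heartbleed bug responds to. The record layouts follow RFC 5246 and RFC 6520; the sample records are constructed for the example, and the field threshold (16 bytes minimum padding) is taken from RFC 6520.

```python
import struct

# RFC 6520 (Heartbeat extension) and RFC 5246 (TLS record) constants.
TLS_HEARTBEAT = 24
TLS_APPLICATION_DATA = 23
HB_REQUEST = 1
HB_RESPONSE = 2
HB_MIN_PADDING = 16        # RFC 6520: at least 16 bytes of random padding
HB_HEADER_LEN = 3          # type(1) + payload_length(2)


def parse_tls_records(data: bytes):
    """Yield (content_type, version, body) for each TLS record in a captured
    byte stream. The record header is type(1) | version(2) | length(2)."""
    offset = 0
    while offset + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[offset:offset + 5])
        body = data[offset + 5:offset + 5 + length]
        yield ctype, version, body
        offset += 5 + length


def inspect_heartbeat(body: bytes) -> dict:
    """Classify one heartbeat record body.

    Heartbleed abuses a HeartbeatRequest whose payload_length claims more
    bytes than the record actually carries; an unpatched OpenSSL echoed that
    many bytes from process memory. A consistent record satisfies
        HB_HEADER_LEN + payload_length + HB_MIN_PADDING <= len(body)
    so a declared length above the bytes available is the detection trigger."""
    if len(body) < HB_HEADER_LEN:
        return {"verdict": "malformed", "reason": "truncated heartbeat header"}
    hb_type = body[0]
    declared = struct.unpack("!H", body[1:3])[0]
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return {"verdict": "malformed",
                "reason": f"unknown heartbeat type {hb_type}"}
    available = max(len(body) - HB_HEADER_LEN - HB_MIN_PADDING, 0)
    if declared > available:
        return {"verdict": "alert", "declared": declared, "available": available,
                "reason": "payload_length exceeds bytes present (Heartbleed shape)"}
    return {"verdict": "ok", "declared": declared, "available": available,
            "reason": "consistent heartbeat"}


def scan_stream(data: bytes) -> list:
    """Run the heartbeat check over every record in a stream and return
    (record_index, finding) for each heartbeat record that is not clean."""
    findings = []
    for index, (ctype, _version, body) in enumerate(parse_tls_records(data)):
        if ctype != TLS_HEARTBEAT:
            continue                     # only heartbeat records are inspected
        finding = inspect_heartbeat(body)
        if finding["verdict"] != "ok":
            findings.append((index, finding))
    return findings


# --- constructed sample records (not captured traffic) ---------------------
TLS_1_2 = 0x0303
# Record 0: well-formed HeartbeatRequest, 4-byte payload plus 16 bytes padding.
BENIGN_HEARTBEAT = (bytes([TLS_HEARTBEAT]) + struct.pack("!HH", TLS_1_2, 23)
                    + bytes([HB_REQUEST]) + struct.pack("!H", 4)
                    + b"ping" + b"\x00" * 16)
# Record 1: ordinary application data, which the heartbeat check ignores.
APP_DATA = (bytes([TLS_APPLICATION_DATA]) + struct.pack("!HH", TLS_1_2, 16)
            + b"GET / HTTP/1.1\r\n")
# Record 2: HeartbeatRequest declaring 16384 payload bytes while carrying
# none, the inconsistency an IDS signature keys on.
HOSTILE_HEARTBEAT = (bytes([TLS_HEARTBEAT]) + struct.pack("!HH", TLS_1_2, 19)
                     + bytes([HB_REQUEST]) + struct.pack("!H", 0x4000)
                     + b"\x00" * 16)
SAMPLE_STREAM = BENIGN_HEARTBEAT + APP_DATA + HOSTILE_HEARTBEAT

if __name__ == "__main__":
    for index, finding in scan_stream(SAMPLE_STREAM):
        print(f"record {index}: {finding['verdict']} - {finding['reason']}")
```

A production rule would additionally watch for HeartbeatResponse records that are unusually large relative to the request, since a successful over-read shows up as the server echoing far more than the client sent.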
[The prepared statement of Mr. Zelvin follows:]
Prepared Statement of Larry Zelvin
May 21, 2014
Introduction
Chairman King, Chairman Meehan, Ranking Member Higgins, Ranking
Member Clarke, and distinguished Members of the committee, I am pleased
to appear today to discuss the Department of Homeland Security (DHS)
National Protection and Programs Directorate (NPPD) and the National
Cybersecurity and Communications Integration Center (NCCIC) efforts to
assess persistent and emerging cyber threats to the U.S. homeland.
On February 12, 2013, the President signed Executive Order (E.O.)
13636, Improving Critical Infrastructure Cybersecurity and Presidential
Policy Directive (PPD) 21, Critical Infrastructure Security and
Resilience, which set out steps to strengthen the security and
resilience of the Nation's critical infrastructure, and reflect the
increasing importance of integrating cybersecurity efforts with
traditional critical infrastructure protection. The President also
highlighted that it is important for Government to encourage
efficiency, innovation, and economic prosperity while promoting safety,
security, business confidentiality, privacy, and civil liberties. DHS
partners closely with critical infrastructure owners and operators to
improve cybersecurity information sharing and encourage risk-based
implementation of standards and guidelines in order to strengthen
critical infrastructure security and resilience.
In my testimony today, I would like to highlight how DHS helps
secure cyber infrastructure and then discuss a few specific examples
where we have prevented incidents and responded to a variety of
cybersecurity challenges.
Enhancing the Security of Cyber Infrastructure
Based on our statutory authorities, and in response to policy
requirements, DHS coordinates the National protection, prevention,
mitigation of, and recovery from significant cyber and communications
incidents; disseminates domestic cyber threat and vulnerability
analysis across various sectors; and investigates cyber crimes under
DHS's jurisdiction. DHS has a unique responsibility in securing Federal
civilian systems against all threats and hazards. DHS components
actively involved in cybersecurity include NPPD, the United States
Secret Service, the U.S. Coast Guard, U.S. Customs and Border
Protection, Immigration and Customs Enforcement, the DHS Office of the
Chief Information Officer, and the DHS Office of Intelligence and
Analysis (I&A), among others. In all of its activities, DHS coordinates
all of its cybersecurity efforts with public, private-sector, and
international partners.
The DHS National Cybersecurity & Communications Integration Center
(NCCIC) is a 24x7 cyber situational awareness and incident response and
management center that serves as a centralized location where
operational elements involved in cybersecurity and communications
reliance coordinate and integrate cybersecurity efforts. NCCIC partners
include all Federal departments and agencies; State, local, Tribal, and
territorial governments (SLTT); the private sector; and international
entities. NCCIC's activities include providing greater understanding of
cybersecurity and communications vulnerabilities, intrusions,
incidents, mitigation, and recovery actions. The NCCIC is composed of
the United States Computer Emergency Readiness Team (US-CERT), the
Industrial Control System Cyber Emergency Response Team (ICS-CERT), the
National Coordination Center for Communications (NCC), and an
Operations and Integration Team. NCCIC operations are currently
conducted from three States--Virginia, Idaho, and Florida. During the
first 7 months of fiscal year 2014, the NCCIC has received 31,593
reports of incidents, detected over 28,000 vulnerabilities, issued over
4,006 actionable cyber alerts, and had over 252,523 partners subscribe
to our cyber threat warning sharing initiative.
The NCCIC actively collaborates with public and private-sector
partners every day, including responding to and mitigating the impacts
of attempted disruptions to the Nation's critical cyber and
communications networks. In fiscal year 2014 so far, the Industrial
Control Systems Cyber Emergency Response Team (ICS-CERT) has provided
over 161 alerts, bulletins, and other products to the ICS community
warning of various threats and vulnerabilities impacting control
systems, tracked 85 unique vulnerabilities affecting ICS products,
conducted 41 assessments across critical infrastructure sectors, and
deployed the Cyber Security Evaluation Tool to 2,412 critical
infrastructure owners and operators to assist in performing their own
cybersecurity self-assessments against known control systems standards.
DHS also directly supports Federal civilian departments and
agencies in developing capabilities that will improve their own
cybersecurity posture. Through the Continuous Diagnostics and
Mitigation (CDM) program, led by the NPPD Federal Network Resilience
Branch, DHS enables Federal agencies to more readily identify network
security issues, including unauthorized and unmanaged hardware and
software, known vulnerabilities, weak configuration settings, and
potential insider attacks. Agencies can then prioritize mitigation
actions for these issues based on potential consequences or likelihood
of exploitation by adversaries. The CDM program provides diagnostic
sensors, tools, and dashboards that provide situational awareness to
individual agencies, as well as general situational awareness at the
Federal level. Memoranda of Agreement with the CDM program encompass
over 97 percent of all Federal civilian personnel.
Complementing these efforts, the National Cybersecurity Protection
System (NCPS), a key component of which is referred to as EINSTEIN, is
an integrated intrusion detection, analysis, information sharing, and
intrusion-prevention system, utilizing hardware, software, and other
components to support DHS's mandate to protect Federal civilian agency
networks. In fiscal year 2014 and beyond, the program will expand
intrusion prevention, information sharing, and cyber analytic
capabilities at Federal agencies. EINSTEIN 3 Accelerated (E3A)
currently provides Domain Name System and/or email protection services
to a total of seven departments and agencies, and we are working with
our service providers to bring coverage to the rest of the Executive
branch. However, this process has been significantly delayed by the
lack of clear authorities for DHS. E3A gives DHS an active role in
defending .gov network traffic and significantly reduces the threat
vectors available to malicious actors seeking to harm Federal networks.
securing the homeland against persistent and emerging cyber threats
Cyber intrusions into critical infrastructure and Government
networks are serious and sophisticated threats. The complexity of
emerging threat capabilities, the inextricable link between the
physical and cyber domains, and the diversity of cyber actors present
challenges to DHS and all of our customers. Because the private sector
owns and operates a significant percentage of the Nation's critical
infrastructure, information sharing becomes especially critical between
the public and private sectors.
Heartbleed
The Department recently learned of a serious vulnerability, known
as ``Heartbleed,'' a weakness in the widely-used OpenSSL encryption
software that protects the electronic traffic across two-thirds of the
internet and in scores of electronic devices. Although new computer
``bugs'' and malware crop up almost daily, this vulnerability is
unusual in how widespread it is, the potentially damaging information
it allows malicious actors to obtain, and the length of time before it
was discovered.
NCCIC learned of the Heartbleed vulnerability on April 7,
2014. Less than 24 hours later, NCCIC released alert and mitigation
information on the US-CERT website. In close coordination with the
Departments of Defense and Justice, as well as private-sector partners,
the NCCIC then created a number of compromise detection signatures for
the EINSTEIN system that were also shared with additional critical
infrastructure partners. DHS worked with civilian agencies to scan
their .gov websites and networks for Heartbleed vulnerabilities, and
provided technical assistance for issues of concern identified through
this process. The NCCIC and its components also began a highly active
outreach to cyber researchers, critical infrastructure owners,
operators, and vendors, Federal, and SLTT entities, and international
partners to discuss measures to mitigate the vulnerability and
determine if there had been active exploits.
Once in place, DHS began notifying agencies that EINSTEIN
signatures had detected possible activity, and immediately provided
mitigation guidance and technical assistance.
The administration's May 2011 Cybersecurity Legislative Proposal
called for Congress to provide DHS with clear statutory authority to
carry out this operational mission, while reinforcing the fundamental
responsibilities of individual agencies to secure their networks, and
preserving the policy and budgetary coordination oversight of the
Office of Management and Budget and the Executive Office of the
President. While there was rapid and coordinated Federal Government
response to Heartbleed, the lack of clear and updated laws reflecting
the roles and responsibilities of civilian network security caused
unnecessary delays in the incident response.
Point-of-Sale Compromises
On December 19, 2013, a major retailer publicly announced it had
experienced unauthorized access to payment card data from the
retailer's U.S. stores. The information involved in this incident
included customer names, credit and debit card numbers, and the cards'
expiration dates and card verification value security codes (i.e., the
three- or four-digit numbers that are usually on the back of the card).
Separately, another retailer reported a malware incident involving its
Point-of-Sale (POS) system on January 11, 2014, that resulted in the
apparent compromise of credit card and payment information.
In response to this activity, NCCIC/US-CERT analyzed the malware
identified by the Secret Service as well as other relevant technical
data and used those findings, in part, to create two information-
sharing products. The first product, which is publicly available and
can be found on US-CERT's website, provides a non-technical overview of
risks to POS systems, along with recommendations for how businesses and
individuals can better protect themselves and mitigate their losses in
the event an incident has already occurred. The second product provides
more detailed technical analysis and mitigation recommendations, and
has been shared through non-public, secure channels with industry
partners to enable their protection efforts. When possible, NCCIC's
goal is always to share information broadly, including by producing
products tailored to specific audiences.
These efforts ensured that actionable details associated with a
major cyber incident were shared quickly and accurately with the
private-sector partners who needed the information in order to protect
themselves and their customers, while also providing individuals with
practical recommendations for mitigating the risk associated with the
compromise of their personal information. NCCIC especially benefited
from close coordination with the private-sector Financial Services
Information Sharing and Analysis Center (FS-ISAC) during this response.
Energy Sector
In March 2012, DHS identified a campaign of cyber intrusions
targeting natural gas pipeline sector companies with spear-phishing e-
mails that dated back to December 2011. The attacks were highly-
targeted, tightly-focused, and well-crafted.
ICS-CERT kicked off an ``Action Campaign'' in partnership with the
Federal Bureau of Investigation, Department of Energy (DOE),
Electricity Sector-Information Sharing and Analysis Centers,
Transportation Security Administration, and others to provide
Classified briefings to private-sector critical infrastructure
organizations across the country. In May and June 2012, DHS deployed
on-site assistance to two of the organizations targeted in this
campaign: An energy company that operates a gas pipeline in the United
States and a manufacturing company that specializes in producing
materials for pipeline construction. ICS-CERT and the Federal Bureau of
Investigation (FBI) provided 14 briefings in major cities throughout
the United States to over 750 personnel involved in the protection of
energy assets and critical infrastructure.
ICS-CERT, in coordination with DOE and the Federal Energy
Regulatory Commission (FERC), has also started an initiative dubbed
``SAFEGUARD'' to assess the cybersecurity of major energy sector asset
owners (e.g., electric and gas utilities, petroleum companies) to
proactively understand the state of security. Customized services
include cybersecurity assessments, network architecture reviews,
network scanning to look for static indicators and indicators of
adversary persistence and anomalies, and control systems network
traffic visualization.
Our I&A colleagues have increased outreach to the Energy Sector,
providing expertise on malicious capabilities and intentions of
emerging cyber threat actors targeting the sector, including in
Unclassified forums. I&A leveraged partnerships with DHS and other
Federal experts, including colleagues at DOE, to provide threat
briefings to CEOs, CIOs, CISOs, and other private and public-sector
leaders. These included engagements with the leadership and members of
the American Petroleum Institute, alongside NPPD partners and National
Security Staff colleagues, and a joint briefing with the FBI to the
Federal Energy Regulatory Commission.
Financial Sector Distributed Denial of Service (DDoS) Attacks
The continued stability of the U.S. financial sector is often
discussed as an area of concern, as U.S. banks are consistent targets
of cyber attacks. DDoS incidents impacting leading U.S. banking
institutions in 2012 and 2013 and periodically in 2014 have gotten more
powerful as the DDoS campaign has persisted. US-CERT has a distinct
role in responding to a DDoS: To disseminate victim notifications to
United States Federal Agencies, Critical Infrastructure Partners,
International CERTs, and U.S.-based Internet Service Providers.
US-CERT has provided technical data and assistance, including
identifying 600,000 DDoS-related IP addresses and supporting contextual
information in order to help financial institutions and their
information technology security service providers improve their
defensive capabilities. In addition to sharing with the relevant
private-sector entities, US-CERT has provided this information to over
120 international partners, many of whom have contributed to our
mitigation efforts. US-CERT, along with the FBI and other interagency
partners, has also deployed on-site technical assistance to provide in-
person support. US-CERT works with Federal civilian agencies to ensure
that no U.S. Government systems are infected with botnet software that
launches DDoS attacks and to increase the U.S. Government's domestic
and international sharing and coordination efforts with public and
private-sector partners.
During these attacks, our I&A partners bolstered long-term and
consistent threat engagements with the Department of Treasury and
private-sector partners throughout the Financial Services Sector. I&A
analysts presented numerous sector-specific Unclassified briefings on
the relevant threat intelligence, including at the annual FS-ISAC
conference, alongside the Office of the National Counterintelligence
Executive and the U.S. Secret Service. Additionally, at the request of
the Treasury and the Financial and Banking Information Infrastructure
Committee (FBIIC), I&A analysts provided Classified briefings on the
malicious cyber threat actors to cleared individuals and groups from
several financial regulators, including the Federal Deposit Insurance
Corporation (FDIC), Securities and Exchange Commission (SEC), and the
Federal Reserve Board (FRB).
conclusion
DHS is committed to creating a safe, secure, and resilient cyber
environment while promoting cybersecurity knowledge and innovation and
protecting confidentiality, privacy, and civil liberties in
collaboration with our public, private, and international partners. We
work around the clock to ensure that the peace and security of the
American way of life will not be interrupted by opportunist enemies or
terrorist actors. Each incarnation of threat has some unique traits.
Mitigation requires agility and adaptation. Cybersecurity is not an
end-state, but a continuous process of risk management.
We continue to believe that carefully-crafted information-sharing
provisions, as part of a comprehensive suite of cybersecurity
legislation, are essential to improving the Nation's cybersecurity, and
we will continue to work with Congress and the White House to achieve
this objective. We continue to seek legislation that clarifies and
strengthens DHS responsibilities and allows us to respond quickly to
vulnerabilities like Heartbleed. We continue to seek legislation that
incorporates privacy, civil liberties, and confidentiality safeguards
into all aspects of cybersecurity; strengthens our critical
infrastructure's cybersecurity by further increasing information
sharing and promoting the adoption of cybersecurity standards and
guidelines; gives law enforcement additional tools to fight crime in
the digital age; and creates a National Data Breach Reporting
requirement.
DHS plays an integral role in promoting National cybersecurity: We
are building a foundation of voluntary partnerships with private owners
of critical infrastructure and Government partners working together to
safeguard stability. We form a crucial underpinning for ensuring the
on-going continuation of services. We work through information sharing,
threat and indicator technical tools, sector-specific outreach, on-site
technical assistance, education and awareness campaigns, and other
mechanisms--in other words, we use a multi-dimensional approach that
provides layered security. We look forward to continuing the
conversation and continuing to serve the American goals of peace and
stability, and we hope for your continued support.
Mr. King. Thank you, Mr. Zelvin.
Now I would recognize Ms. Clarke for opening remarks.
Ms. Clarke. I thank you, Mr. Chairman, and I thank Chairman
Meehan and Ranking Member Higgins, for holding this hearing
this morning.
As we have just heard and are keenly aware, threats to
systems supporting U.S. critical infrastructure and Federal and
corporate information systems are evolving and growing.
Advanced persistent threats where adversaries possess
sophisticated levels of expertise and significance pose
increasing threats.
Soon after his election in 2008, President Obama declared
the cyber threat to be one of the most serious economic and
National security challenges we face as a Nation and stated
America's economic prosperity in the 21st Century will depend
on cybersecurity. The Director of National Intelligence has
also warned us of the increasing globalization of cyber
attacks, including those carried out by foreign militaries or
organized international crime.
As has been mentioned already this morning, on Monday we
saw the Department of Justice indict members of a foreign
military involved in economic espionage cyber crime, most
likely espionage in support of its state-owned companies. It
appears that the Department of Justice has been working on this
indictment for more than a year. Prosecutors in the DOJ's
National Security Division had to show there was strong
specific evidence, and there had to be companies that were
willing to go public against China.
The evolving array of cyber-based threats facing the Nation
pose threats to National security, commerce, and intellectual
property, as well as individuals. International threats include
both targeted and untargeted attacks from a variety of sources.
These sources include business competitors, criminal groups,
hackers, and foreign nations engaged in espionage and
information warfare.
These sources of cybersecurity threats make use of various
techniques to compromise information or adversely affect
computers, software, a network or organization's operation and
industry, or the internet itself. Such threat sources vary in
terms of the types and capabilities of the actors, their
willingness to act, and their motives. Adversarial
cybersecurity threats can range from, as I like to say, from
botnets to business competitors.
Addressing international cybersecurity threats involves
many Government and private entities, including internet
service providers, security vendors, software developers, and
computer forensic specialists. Their focus is on developing and
implementing technology systems to protect against computer
intrusions, internet fraud and spam, and if a crime does occur,
detecting it and helping to gather evidence for an
investigation. Also, because cyber crime threats cross National
and State borders, law enforcement organizations have to deal
with multiple jurisdictions with their own laws and legal
procedures, a situation that complicates and hobbles
investigations.
Law enforcement's challenge in investigating and
prosecuting malicious 21st Century cyber criminals is this:
Modern criminals can readily leverage technology to victimize
targets across borders, and the criminals themselves need not
cross a single border to do so. This creates a unique test in
identifying and locating the criminals and in apprehending and
prosecuting them.
The United States has extradition treaties and mutual legal
assistance agreements with some, but not all countries, and
even with these agreements in place, the process may be slow.
We must continue to search for ways that Congress can help
enhance international law enforcement capabilities and to get
criminals off the streets or, shall we say, out of cyberspace,
and thus protect U.S. critical infrastructure, Government
systems, and consumers.
I appreciate hearing the informed testimony of our
witnesses this morning. It is reassuring to know that our
Nation benefits from your diligence, knowledge, and expertise.
With that, Mr. Chairman, I yield back.
[The statement of Ms. Clarke follows:]
Statement of Ranking Member Yvette D. Clarke
May 21, 2014
We all know that threats to systems supporting U.S. critical
infrastructure, and Federal and corporate information systems are
evolving and growing. Advanced persistent threats--where adversaries
possess sophisticated levels of expertise and significant--pose
increasing risks.
Soon after his election in 2008, President Obama declared the cyber
threat to be ``one of the most serious economic and National security
challenges we face as a Nation'' and stated ``America's economic
prosperity in the 21st Century will depend on cybersecurity.'' The
Director of National Intelligence has also warned of the increasing
globalization of cyber attacks, including those carried out by foreign
militaries or organized international crime.
On Monday, we saw the Department of Justice indict members of a
foreign military involved in economic espionage cyber crime, most
likely espionage in support of its state-owned companies. It appears
that the Department of Justice has been working on this indictment for
more than a year. Prosecutors in the DOJ's National Security Division
had to show there was strong, specific evidence, and there had to be
companies that were willing to go public against China.
The evolving array of cyber-based threats facing the Nation poses
threats to National security, commerce and intellectual property, and
individuals. Intentional threats include both targeted and untargeted
attacks from a variety of sources. These sources include business
competitors, criminal groups, hackers, and foreign nations engaged in
espionage and information warfare.
These sources of cybersecurity threats make use of various
techniques to compromise information or adversely affect computers,
software, a network, an organization's operation, an industry, or the
internet itself. Such threat sources vary in terms of the types and
capabilities of the actors, their willingness to act, and their
motives. Adversarial cybersecurity threats can range from, as I like to
say, ``From Botnets to Business Competitors''.
Addressing international cyber crime threats involves many
Government and private entities--including internet service providers,
security vendors, software developers, and computer forensics
specialists. Their focus is on developing and implementing technology
systems to protect against computer intrusions, internet fraud, and
spam and, if a crime does occur, detecting it and helping to gather
evidence for an investigation.
Also, because cyber crime threats cross National and State borders,
law enforcement organizations have to deal with multiple jurisdictions
with their own laws and legal procedures, a situation that complicates
and hobbles investigations. Law enforcement's challenge in
investigating and prosecuting malicious, 21st Century cybercriminals is
this--modern criminals can readily leverage technology to victimize
targets across borders, and the criminals themselves need not cross a
single border to do so.
This creates a unique test in identifying and locating the
criminals, and in apprehending and prosecuting them. The United States
has extradition treaties and mutual legal assistance agreements with
some, but not all countries. Even with these agreements in place, the
process may be slow.
We must continue to search for ways that Congress can help enhance
international law enforcement capabilities and to get criminals off the
streets, or shall we say, out of cyberspace, and thus protect U.S.
critical infrastructure, Government systems, companies, and consumers.
Mr. King. I thank Ranking Member Clarke.
Now we will open up the hearing for a few questions. I just
want to remind Members, however, that we are going to be moving
to a closed session where these questions can be better
addressed. But, again, if we can keep it to a few questions, I
think it will be to everyone's benefit because there is much to
be learned in closed session.
I just basically have one question, and I would ask it to
the panel. Are terrorist organizations actively targeting the
United States and have you seen cases of terror groups
coordinating with criminal organizations to carry out attacks
or to gain capability? Again we are in an open session, so you
can tailor your answer accordingly.
Mr. Demarest. Yes, Chairman. So for this session, sir, yes,
we are seeing that, but it is focused against the websites that
are hosted in the United States, and they tend to be low-level
attacks, website defacements and the like, maybe some DDoS
activity. There are three principal groups that have the
capabilities or are developing the capabilities today or are
looking for the capabilities today to do something more I will
say in the physical realm.
As far as your second part of the question about joining
with criminal organizations, we have not seen that yet, though
we do actively watch for terrorist organizations crossing over
to the criminal forums that are on-line today to acquire a
skill or talent or tools to perpetrate some greater crime.
Mr. King. Do you believe that we have the defense
capability? I know you said you want to head them off, but also
do we have the defense capability against these type attacks?
Mr. Demarest. I think it is sector by sector, Chairman. I
think in the dot-gov space we are fairly well-prepared, along
with the dot-mil, but once you get into the dot-com space it is
varying degrees of preparedness I would say, and I would
probably defer to Larry on that, or Mr. Zelvin, as far as the
sectors and how well they are prepared. But we see finance in
particular doing a stellar job. They have invested heavily.
Transportation and some of the others, energy. Then as you get
down lower on the priority scale, less so.
Mr. King. Mr. Lemons, Mr. Zelvin, any comment?
Mr. Lemons. I would say I concur with Mr. Demarest at this
point.
Mr. Zelvin. Mr. Chairman, the only thing I think I would
add is just that obviously law enforcement intelligence is
doing their collection. Where we see this is reporting from
victims, and then we turn it over to the FBI and other law
enforcement both at the State and local level.
You know, most of the terrorist groups, especially
domestic, are going after faith-based groups, so that has been
mostly trying to influence and having an impact with those
groups. We are working with them. Many of these groups don't
have very sophisticated cyber defenses. So we are working with
them not only to understand what may be targeting them, but
also what companies out there can assist, and then obviously we
offer assistance as well. I can cover more in the closed
session if you like.
Mr. King. Thank you.
Ranking Member Higgins.
Mr. Higgins. Thank you, Mr. Chairman.
It seems as though capability and desire are hard things to
monitor and to detect, and it seems as though the cyber threat
is coming from both state and non-state actors. So I would be
interested in your assessment as to the terrorist threat from
non-state actors like Hezbollah, Syria, and al-Qaeda.
Terrorists second generation, post-9/11, are younger, more
aggressive, and more technologically savvy. So I am just
interested in your assessment of that relative to capability
and desire to strike U.S. targets.
Mr. Demarest. Ranking Member, I would say the desire is
strong. I will say the capability is developing. What we have
seen among the three groups you mentioned, Lebanese Hezbollah
is certainly an organization that is looking to develop a
significant capability in this arena. They focus primarily on
regional enemies, I will say their enemies, but not so much
against the United States.
Mr. Zelvin. Sir, I would concur with Mr. Demarest.
Mr. Lemons. Me also, sir.
Mr. Higgins. What about the threat posed by state actors
like Iran, China, and Russia? Is the level of activity
increasing, and what are we doing to combat that?
Mr. Demarest. I will say certainly more for the closed
session, sir, but significantly increasing on all three. I
would say Russia, China, and Iran are certainly developing
significant capabilities.
Mr. Lemons. I would also concur with Mr. Demarest. As we
see these nations also increase in complexity, their
information needs also increase. Part of those information
needs are also developing a cyber program to meet those needs
as they go forward. We will get into more detail in the closed
session, sir.
Mr. Higgins. I would just say in closing, the terrorist
mentality is to target high-impact targets obviously, and 9/11,
in addition to the death and destruction that was exacted on
the United States, there was also a symbolic attack as well,
which the cyber threat seems to confirm, and that is to disrupt
our way of life. They attacked the Twin Towers because it was a
sign of America's economic superiority. They attacked the
Pentagon because it was a symbol of America's military
superiority. Presumably a plane was headed for either the
Capitol or the White House because of our democratic freedoms
that we enjoy.
So it would seem to me that the potential of cyber attacks
and the motivation and desire of those who seek to hurt us and
our way of lives is pretty imminent and pretty significant. So
I will yield back.
Mr. King. Chairman Meehan.
Mr. Meehan. I thank you, Chairman King.
I thank, again, the panel for your work in this area.
We have looked at a variety of issues, and a lot of the
focus continues to be, appropriately so, on the nation-state
activity and the very sophisticated criminal gangs and the
potential for them to do massive disruption, not only to our
infrastructure, but also theft of intellectual property and
things of that nature.
But Special Agent Demarest, you used a term, and it struck
me, because you talked about this kind of a threat affecting
not just our nations, but also our neighborhoods. I often think
about the average American thinking about us discussing these
issues and believing that somehow it is very remote from them--
something might happen to some bank in New York, but it doesn't
affect me. I praise law enforcement across the board, including
the great work done by the Justice Department taking on
sophisticated Chinese operations that have been sponsored,
nation-sponsored activity, hacking into our most sophisticated
systems.
But in your testimony you also talked about this process
Blackshades, and in effect this is a market that exists out
there in the world, you touched 19 countries with this very
important indictment. Effectively, Blackshades, for anywhere
between $5 and $40, individuals can go into the black market
and purchase malware that if they are sophisticated enough,
effectively they could go into the home of any American and
take over their computer. As I understand your testimony, it is
not only the ability to use that malware if it is invited in,
in some capacity to take over the operation of a computer,
including tracking the key strokes and things of that nature,
but in reading the publicly-available information. So I am not
talking about anything that hasn't been spoken about publicly.
Is it not accurate that in addition there was the capacity
to be able to manipulate remotely the same kind of control
functions that the individual would, including the use of
cameras? So the reality is an individual could be sitting in
their own home, they could be sitting in their own bedroom, and
a remotely-controlled access would be able to not only have
access to what is contained within their computer, but maybe
actually in real time be actually viewing what is going on in
that home. So we are inviting into our own homes, an average
American, for as little as $5 some criminal in Eastern Europe
or across the street would be able to have that access.
So I don't think we talk enough about this. Could you
explain to me just what is Remote Access Tool? How is it
available? What can it do? What are we doing to be able to take
steps to prevent its use?
Mr. Demarest. Chairman Meehan, you are exactly right. You
can imagine as a citizen sitting anywhere in the United States
today, you could have an actor sitting in some remote region of
the world actually viewing you through your own laptop or a
computer at home through your camera.
Basically Remote Access Tool provides access by an actor to
your box or to your computer to take it over. They own your PC
or laptop or device that you are using. It gives them access,
as you mentioned, to the web cam or the camera, and they can
turn it on and off at will. As I mentioned, ransomware, they
can lock files, take photos, whether they be sensitive photos
to the individual, the owner of the computer or not, they
collect all this information, financial information, passwords
and the like. So it is completely owned. Then the information
is taken and either used by that particular actor or sold in
different environments on-line in these criminal forums.
So you are being exposed and exploited once, and then
potentially multiple times by other actors who purchase the
information on-line. Separately more, I guess, salt to the
wound, they have the ability to send out chat messages to your
contacts within your computer, so it looks like Chairman Meehan
is sending Joe Demarest an email or chat and I respond to that.
In that is a link that has the malware that is attached, so it
then spreads the Blackshades now to my computer.
Mr. Meehan. So a friend could pick up what I think is a
message to me that would just be in the normal course, I
respond and send back a picture of our vacation that we took
down to the Jersey shore, but because of that communication
they now have access into my computer and now they can begin to
do the same process, not only the taking over of the files and
the key strokes, but potentially even manipulating the camera
in my bedroom?
Mr. Demarest. Friends and family. What it would require
from me when you send or after sending that chat to me, for me
to click on a link that you send me via the chat message.
Mr. Meehan. How do we identify something like that in our
system and what are we doing to be able to educate Americans to
take steps to protect their most intimate and most private and
most secure information, that which they do in the comfort of
their own home?
Mr. Demarest. Excellent question. So throughout the
investigation and in the culmination of the enforcement there
is a significant technical aspect to it where we are seizing
the infrastructure used by the actors. Specifically,
administrative servers, which have most of the victim
information on them. So then we work with the victim, I will
say the internet service providers for the various countries,
to identify the victims and to get information to them, the
fact that they have been impacted, and tools made available
for them to actually mitigate or remediate what is on their
computer. That again is the relationship we have forged with
DHS, offering through the DHS portal either tools or
instructions on how to actually eliminate a given malware.
Mr. Meehan. Well, I will look forward to more communication
with this as we go into private session and otherwise. But I
thank all of you for your work. I think it is very important
for the American people to recognize these issues and don't
think of them always as just remotely affecting just big
businesses or corporations, that everyday Americans, as you
said, affecting not just our Nation, but our neighborhoods. I
think this is part of our responsibility, is to open up an
awareness and appreciation for the very scope and nature of
this threat.
Thank you for your testimony. Look forward to hearing more
at a later time. Yield back.
Mr. King. Thank you, Chairman Meehan.
Ranking Member Clarke.
Ms. Clarke. Thank you, Mr. Chairman.
Monday's indictment of the five Chinese military hackers
for computer hacking and economic espionage was the sort of
legal action taken by the AG as a standard tactic in espionage.
It sends a clear signal to the other side that their actions
have become intolerable. But it is just the beginning of a long
process. The indictment alleged that the defendants conspired
to hack into American computer systems, maintain authorized
access, stealing information to advantage economic competitors
in China.
As I understand, the Department of Homeland Security's role
in these types of situations is usually led by US-CERT because
it leads mitigation and forensic efforts in coordination with
the FBI, Secret Service, and other Federal agencies. Would you
describe the kind of interagency coordination that is in place
for agencies as a collaborative model where DHS' involvement is
stood up through US-CERT, and does the role go beyond that
jurisdiction?
Mr. Zelvin. Ranking Member, thank you for the question. So
let me talk about it in broad terms, and we can get into more
narrow as you like.
When there is an incident now we have a ranking system as
to the importance of it. There are certain things that are low
threshold and certain things are high threshold. It is a high
threshold if somebody is into a database system. If there is a
compromise of personal identifiable information, if there is a
disruption or a destruction event, those are obviously very
high-scale events. Fortunately they don't happen often, but
they do happen.
On a given day we see between 150 and 200 incidents through
our EINSTEIN system, which is monitoring the dot-gov through
intrusion detection and intrusion prevention. At the high level
we will make an outreach directly to the victim, and we will
notify them of the event and make sure that they are
tracking. Then we will offer assistance, if needed, to actually
go and investigate on their servers and other information
technology capabilities to determine how deep is the
compromise.
We will do this in full partnership with the FBI, which
will be leading law enforcement and domestic intelligence
collection, we will do this with our own intelligence community
members so they can develop the tactics, techniques, and
procedures to see where else. Then US-CERT will go across the
Federal community and create that awareness.
At the same time, we are creating signatures into the
intrusion detection system to make sure that these events
cannot be repeated, and then we are sharing it with the private
and international partners through the Enhanced Cybersecurity
Services or ECS, and also through our CISP program. So it is
interagency, it is private sector, it is international, and
even on the lower events we are still doing the notification.
So I described the high end as more of an example. Then I would
ask, see if Mr. Demarest wants to offer some thoughts as well.
Mr. Demarest. Madam Clarke, so what is great about today is
that what Mr. Zelvin and the NCCIC in DHS learns informs the
investigation, and what we learn through the investigation or
intelligence collection efforts inform the protectors or the
defenders, DHS. This is a cycle that has developed mightily, I
will say, over the past 2 years, where it is this effective
transfer of knowledge and information that better safeguards
the country, but then informs and helps us spearhead and focus,
finely focus, investigations.
Ms. Clarke. Very well. That is a very robust and holistic
approach, and I think that that will serve our Nation well.
My next question is the debate around protecting U.S.
networks is often focused on U.S. critical infrastructure.
Currently the Department of Homeland Security from Presidential
Policy Directive 21 lists 16 critical infrastructure sectors.
Which of these sectors are targeted with probes and intrusions
most frequently and what sectors are most at risk?
Mr. Zelvin. Ranking Member, it really depends on the
awareness. I will tell you, our energy sector, our finance
sector, information technology, communications, transportation,
we are seeing a lot of instances. There are other sectors that
I haven't mentioned where we are not seeing it, but I wonder if
that is because they are not being reported, and that is a huge
challenge. When it comes to the critical infrastructure in the
private sector, there is no requirement, it is all voluntary,
so we know what we know, we don't know what we don't know, and
I really worry about what we don't know.
So I have talked to groups and other sectors, and they
said, we really don't have a cybersecurity problem. I said, oh,
my gosh, yes, you do, you just don't know about it.
I will tell you my experience, and I think Mr. Lemons and
Mr. Demarest will tell you the same thing. Adversaries are
going after any vulnerability they can find. So it doesn't
matter what State you are in, what city you are in, what
critical infrastructure you are in, if there is an opening,
there is an adversary that is going to see where they can go
and what information they can steal.
Mr. Demarest. I would agree with Mr. Zelvin. Depending on
the actor, the focus or the most threatened sector sometimes
changes. We talked about our Middle East actor in recent DDoS
activity against New York over the past year or so. But again I
think it depends on them, but I think Larry has mentioned the
priority sectors for us today are finance, transportation,
energy, IT, or communications.
Mr. Lemons. Ranking Member, I think to the point from Mr.
Zelvin and Mr. Demarest also, as we increase our outreach
efforts within the private sector and our State and local
partners, we see an increased willingness of people to come
forward and work with us. So I believe that number continues to
go higher and higher as we work with public and private
partners.
Mr. King. Thank the Ranking Member.
The gentleman from Georgia, Mr. Broun.
Mr. Broun. Thank you, Mr. Chairman.
When CISPA was passed--several times now--a lot of people
that are concerned about privacy and civil liberties all across
the Nation were very fearful of that act because of the
potential sharing of their own personal private information
with the Federal Government. Can you tell me how that kind of
information is being protected or is there any protection on
people's privacy or civil liberties under CISPA?
Mr. Zelvin. Congressman, at the forefront of everything we
do is the protection of people's identifiable information,
privacy, and civil liberties. It is an hourly, daily focus for
us. I will tell you, my folks are trained on a routine basis,
we are audited not only internally but also externally as far
as our processes and procedures on how are we protecting that
data.
We don't require that as cyber defenders, and that is what
we do at DHS, at least in the NCCIC: we do not require
information that is privacy or civil liberties in nature. The
defense mechanisms are really those 1's and 0's from an
attacking IT or malicious software.
I will tell you there have been instances, although rare,
and also small, where we will get something from something that
we thought was completely secure, and then we stop everything
we do, and we go through a process with attorneys, with privacy
experts, with civil liberties experts, and make sure that if
there is an incursion that we are treating it properly, that
there is an ability to mitigate and to make sure that the spill
doesn't go beyond what we have already detected, and then, as I
said, go through the process and procedures and see where we
may have failed that may have led to that. But as I said, that
is a very rare occasion.
Mr. Broun. So there is no guarantee, though, that privacy
information is not shared either direction, from the company to
the Federal Government or the Federal Government to other
entities?
Mr. Zelvin. Congressman, despite our best efforts and every
process and procedure we have, there will be occasions where I
regret there may be times where there may be spills, where that
goes over. I think what is important is that we have the right
processes, procedures, and oversight to make sure that when
those occasions occur that we do the right things in accordance
with the law, policy, and directives.
Mr. Broun. Mr. Chairman, I will wait until the closed
session for further questions.
Mr. King. Okay. In accordance with the unanimous consent
request at the beginning of the hearing, we will now recess the
hearing and reconvene in 10 minutes for closed session in
HVC-302. I would ask the audience if they would just wait and
allow the witnesses to leave so we can take them to the location.
We stand in recess.
[Whereupon, at 11:00 a.m., the subcommittees proceeded in
closed session and were subsequently adjourned at 12:18 p.m.]