[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
THE EXPANDING CYBER THREAT
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON RESEARCH AND TECHNOLOGY
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
FIRST SESSION
__________
JANUARY 27, 2015
__________
Serial No. 114-2
__________
Printed for the use of the Committee on Science, Space, and Technology
Available via the World Wide Web: http://science.house.gov
______
U.S. GOVERNMENT PUBLISHING OFFICE
93-880PDF WASHINGTON : 2015
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HON. LAMAR S. SMITH, Texas, Chair
FRANK D. LUCAS, Oklahoma               EDDIE BERNICE JOHNSON, Texas
F. JAMES SENSENBRENNER, JR.            ZOE LOFGREN, California
DANA ROHRABACHER, California           DANIEL LIPINSKI, Illinois
RANDY NEUGEBAUER, Texas                DONNA F. EDWARDS, Maryland
MICHAEL T. McCAUL                      FREDERICA S. WILSON, Florida
STEVEN M. PALAZZO, Mississippi         SUZANNE BONAMICI, Oregon
MO BROOKS, Alabama                     ERIC SWALWELL, California
RANDY HULTGREN, Illinois               ALAN GRAYSON, Florida
BILL POSEY, Florida                    AMI BERA, California
THOMAS MASSIE, Kentucky                ELIZABETH H. ESTY, Connecticut
JIM BRIDENSTINE, Oklahoma              MARC A. VEASEY, Texas
RANDY K. WEBER, Texas                  KATHERINE M. CLARK, Massachusetts
BILL JOHNSON, Ohio                     DON S. BEYER, JR., Virginia
JOHN R. MOOLENAAR, Michigan            ED PERLMUTTER, Colorado
STEVE KNIGHT, California               PAUL TONKO, New York
BRIAN BABIN, Texas                     MARK TAKANO, California
BRUCE WESTERMAN, Arkansas              BILL FOSTER, Illinois
BARBARA COMSTOCK, Virginia
DAN NEWHOUSE, Washington
GARY PALMER, Alabama
BARRY LOUDERMILK, Georgia
------
Subcommittee on Research and Technology
HON. BARBARA COMSTOCK, Virginia, Chair
FRANK D. LUCAS, Oklahoma               DANIEL LIPINSKI, Illinois
MICHAEL T. MCCAUL, Texas
STEVEN M. PALAZZO, Mississippi
RANDY HULTGREN, Illinois
JOHN R. MOOLENAAR, Michigan
STEVE KNIGHT, California
BRUCE WESTERMAN, Arkansas
GARY PALMER, Alabama
LAMAR S. SMITH, Texas
C O N T E N T S
January 27, 2015
Witness List
Hearing Charter
Opening Statements
Statement by Representative Barbara Comstock, Chairwoman, Subcommittee on Research and Technology, Committee on Science, Space, and Technology, U.S. House of Representatives
    Written Statement
Statement by Representative Daniel Lipinski, Ranking Minority Member, Subcommittee on Research and Technology, Committee on Science, Space, and Technology, U.S. House of Representatives
    Written Statement
Statement by Representative Lamar S. Smith, Chairman, Committee on Science, Space, and Technology, U.S. House of Representatives
    Written Statement
Witnesses:
Ms. Cheri McGuire, Vice President, Global Government Affairs & Cybersecurity Policy, Symantec Corporation
    Oral Statement
    Written Statement
Dr. James Kurose, Assistant Director, Computer and Information Science and Engineering (CISE) Directorate, National Science Foundation
    Oral Statement
    Written Statement
Dr. Charles H. Romine, Director, Information Technology Laboratory, National Institute of Standards and Technology
    Oral Statement
    Written Statement
Dr. Eric A. Fischer, Senior Specialist in Science and Technology, Congressional Research Service
    Oral Statement
    Written Statement
Mr. Dean Garfield, President and CEO, Information Technology Industry Council
    Oral Statement
    Written Statement
Discussion
Appendix I: Answers to Post-Hearing Questions
Ms. Cheri McGuire, Vice President, Global Government Affairs & Cybersecurity Policy, Symantec Corporation
Dr. James Kurose, Assistant Director, Computer and Information Science and Engineering (CISE) Directorate, National Science Foundation
Dr. Charles H. Romine, Director, Information Technology Laboratory, National Institute of Standards and Technology
Dr. Eric A. Fischer, Senior Specialist in Science and Technology, Congressional Research Service
Mr. Dean Garfield, President and CEO, Information Technology Industry Council
THE EXPANDING CYBER THREAT
----------
TUESDAY, JANUARY 27, 2015
House of Representatives,
Subcommittee on Research and Technology
Committee on Science, Space, and Technology,
Washington, D.C.
The Subcommittee met, pursuant to call, at 2:03 p.m., in
Room 2318 of the Rayburn House Office Building, Hon. Barbara
Comstock [Chairwoman of the Subcommittee] presiding.
Chairwoman Comstock. The Subcommittee on Research and
Technology will come to order.
Without objection, the Chair is authorized to declare
recesses of the Subcommittee at any time. We might be having
some votes, I understand. I would just like to welcome everyone
to today's hearing entitled ``The Expanding Cyber Threat.''
Without objection, the Chair authorizes the participation
of Mr. Lipinski, Ms. Lofgren, Ms. Bonamici, Ms. Clark, and Mr.
Beyer for today's hearing. I understand Mr. Lipinski will serve
as the Ranking Minority Member today and give an opening
statement.
In front of you are packets containing the written
testimony, biographies, and truth-in-testimony disclosures for
today's witnesses.
Now, I will recognize myself for five minutes for an
opening statement.
Okay. I want to begin by thanking everyone for attending
the first hearing of the Research and Technology Subcommittee
in the 114th Congress. I look forward to working with the
Members of the Subcommittee on the many issues that fall under
the jurisdiction of this Subcommittee.
The need to secure our information technology systems is a
pervasive concern. Today's hearing marks the first of what will
be several hearings, I imagine, to examine the topic of
cybersecurity. We know we heard the President speak about this
and we have--and the Chairman has been a big advocate of
increased activity and concerns on this front so I look forward
to continuing to work on this issue.
The Subcommittee has jurisdiction over the National Science
Foundation, the National Institute of Standards and Technology
and the Department of Homeland Security's Science and
Technology Directorate. These organizations play a role in
supporting basic research and development, establishing
standards and best practices, and working with industry on
cybersecurity concerns. Advances in technology and the growing
nature of every individual's online presence means
cybersecurity needs to become an essential part of our everyday
life.
Instances of harmful cyber attacks are in the news
regularly and expose the very real threats growing in this
area. Financial information, medical records, personal data
maintained on computer systems by individuals and organizations
all continue to be vulnerable. Cyber attacks on companies like
Sony or Target, as well as the U.S. Central Command, will not
go away and we have to constantly adapt and intercept and stop
these threats and engage in finding the best practices so that
we make sure these attacks don't happen and we understand where
and how they are coming at us and how we can stay ever
vigilant.
Utilizing targeted emails, spam, malware, bots and other
tools, cyber criminals, ``hacktivists'' and nation states are
every day attempting to access information technology systems
all over the world and all over our country and in every area
of our activities. The defense of these systems relies on
professionals who can react to threats and proactively prepare
those systems for attack.
Our discussion about cybersecurity should examine the
research that supports understanding how to defend and support
our systems, as well as how to better prepare our workforce by
producing experts in these fields and learning of best
practices in both the public and private sector. Well-trained
professionals are essential to the implementation of the best
techniques. Institutions of higher education are working to
create and improve cyber education and training programs
focused on ensuring there are enough trained professionals to
meet the needs of this growing industry.
I look forward to hearing from our witnesses today as they
provide an overview of the state of cybersecurity from the
industry perspective and we learn how the federal government is
playing a role in this important area.
[The prepared statement of Ms. Comstock follows:]
Prepared Statement of Subcommittee
Chairwoman Barbara Comstock
I want to begin by thanking everyone for attending the first
hearing of the Research and Technology Subcommittee in the 114th
Congress. I look forward to working with the Members of the
Subcommittee on the many issues that fall under the jurisdiction of
this Subcommittee.
The need to secure our information technology systems is a
pervasive concern. Today's hearing marks the first of what will be
several hearings to examine the topic of cybersecurity.
The Subcommittee has jurisdiction over the National Science
Foundation, the National Institute of Standards and Technology and the
Department of Homeland Security's Science and Technology Directorate.
These organizations play a role in supporting basic research and
development, establishing standards and best practices, and working
with industry on cybersecurity concerns.
Advances in technology and the growing nature of every individual's
online presence means cybersecurity needs to become an essential part
of our vernacular.
Instances of harmful cyber-attacks are reported regularly and
expose the very real threats growing in this area. Financial
information, medical records, and personal data maintained on computer
systems by individuals and organizations continue to be vulnerable.
Cyber-attacks on companies like Sony or Target and the U.S. Central
Command will not go away and we have to constantly adapt and intercept
and stop these threats before they happen and understand where and how
they are happening and stay ever vigilant.
Utilizing targeted emails, spam, malware, bots and other tools,
cyber criminals, ``hacktivists'' and nation states are attempting to
access information technology systems all the time. The defense of
these systems relies on professionals who can react to threats and
proactively prepare those systems for attack.
Our discussions about cybersecurity should examine the research
that supports understanding how to defend and support our systems as
well as how to better prepare our workforce by producing experts in
these fields and learning of best practices in both the public and
private sector. Well-trained professionals are essential to the
implementation of security techniques. Institutions of higher education
are working to create and improve cyber education and training programs
focused on ensuring there are enough trained professionals to meet the
needs of industry.
I look forward to hearing from our witnesses today as they provide
an overview of the state of cybersecurity from the industry perspective
and we learn how the federal government is playing a role in this
important area.
Chairwoman Comstock. Now, I would like to recognize Ranking
Member Mr. Lipinski for his opening statement.
Mr. Lipinski. Thank you, Chairwoman Comstock, for holding
this hearing on cybersecurity and I want to welcome you to the
Science, Space, and Technology Committee. I am looking forward
to working with you. I know that you worked for former member
Frank Wolf and Frank Wolf was--I have a tremendous amount of
respect for him and he was a big supporter of funding for
research. He is a big supporter of research and technology,
science, so I think hopefully we will have a lot of things that
we can work together on this Subcommittee, on the Committee.
I also want to thank our witnesses for being here today on
this very important topic.
Cybersecurity remains a timely topic, the topic on which
this Committee has an important role, and finally, is one for
which we have much more agreement than disagreement across the
aisle. So I am pleased that the Research and Technology
Subcommittee is starting off the new Congress with this
hearing.
Cyber crimes are ever increasing. The threats are not only
growing in number but in level of sophistication. Some cases,
such as the recent Sony hack and a 2013 Target breach, are very
high profile and are covered extensively in the media. Many,
many more receive less attention. Two weeks ago the New York
Times reported that hacking has gone mainstream. A website has
been created to connect hackers to potential clients. And as of
early January, at least 500 hacking jobs have been laid out to
bid and at least 50 hackers signed up to do the dirty work.
Cyber crime threatens our privacy, our pocketbooks, our
safety, our economy, and our national security. Arriving at any
precise value of losses to the American people and American
economy is impossible, but the Center for Strategic and
International Studies, in a study completed last June, reported
that on average the United States loses 0.64 percent of its GDP
to cybercrime. I know we will hear much more from our witnesses
about the extent and the nature of the cyber threat.
Two years ago President Obama signed an Executive Order to
begin the process of strengthening our networks and critical
infrastructure against cyber attack by increasing information-
sharing and establishing a framework for the development of
standards and best practices, and this plays a key role in
several of these efforts. You will hear about some of it today.
But the President reminded us just two weeks ago that Congress
must still act to pass comprehensive cybersecurity legislation.
Fortunately, this is one area in which this Committee has
responsibly legislated in the last few years.
At the very end of 2014, the Cybersecurity Enhancement Act
that I joined Mr. McCaul in introducing for several Congresses
in a row was finally signed into law. That law does a number of
things: it strengthens coordination and strategic planning for
federal cybersecurity R&D; it codifies the NIST-led voluntary
framework in the President's Executive Order; it strengthens
and streamlines NIST-led processes by which federal agencies
track security risks to their own systems; it codifies NSF's
long-standing CyberSecurity Scholarship for Service program to
ensure more qualified cyber experts are employed by federal,
state, and local governments; it codifies the cybersecurity
education and awareness efforts led by NIST; and finally, it
authorizes several more important actions and programs led by
NIST.
I list all of these things in part so that all of the new
members of the Science Committee understand just how essential
NIST is to our government's cybersecurity efforts. It is one of
the most important, least-known agencies in our government. I
look forward to hearing about NIST's effort from Dr. Romine and
how the new law will further strengthen NIST's leadership role
in cybersecurity.
I also look forward to hearing from Dr. Kurose about the
critical and potentially transformative cybersecurity research
programs funded by the National Science Foundation.
And I look forward to hearing from the other three
witnesses who can help educate us further about the importance
of public-private partnerships and the areas where this
Committee might look to address cybersecurity vulnerabilities
during this Congress.
Thank you, Madam Chairwoman, and I yield back the balance
of my time.
[The prepared statement of Mr. Lipinski follows:]
Prepared Statement of Subcommittee
Minority Ranking Member Daniel Lipinski
Thank you, Chairwoman Comstock for holding this hearing on
cybersecurity, and welcome to the Science, Space, and Technology
Committee. I look forward to working with you this Congress. I also
want to thank our witnesses for being here today.
Cybersecurity remains a timely topic, it is a topic on which this
Committee has an important role, and finally it is one for which we
have much more agreement than disagreement across the aisle. So I am
pleased that the Research and Technology Subcommittee is starting off
the new Congress with this hearing.
Cybercrimes are ever-increasing. The threats are not only growing
in number, but in the level of sophistication. Some cases, such as the
recent Sony hack and the 2013 Target breach, are very high profile and
are covered extensively in the media. Many, many more receive less
attention. Two weeks ago, the New York Times reported that hacking has
gone mainstream. A website has been created to connect hackers to
potential clients, and as of early January, at least 500 hacking jobs
had been laid out to bid and at least 50 hackers signed up to do the
dirty work.
Cybercrime threatens our privacy, our pocketbooks, our safety, our
economy, and our national security. Arriving at any precise value of
losses to the American people and the American economy is impossible.
But the Center for Strategic and International Studies, in a study
completed last June, reported that, on average, the U.S. loses 0.64
percent of its GDP to cybercrime. I know we will hear more from our
witnesses about the extent and nature of the cyber threat.
Two years ago, President Obama signed an Executive Order to begin
the process of strengthening our networks and critical infrastructure
against cyberattack by increasing information sharing and establishing
a framework for the development of standards and best practices. NIST
plays a key role in several of these efforts, and we will hear about
some of it today. But the President reminded us just two weeks ago that
Congress must still act to pass comprehensive cybersecurity
legislation.
Fortunately, this is one area in which this Committee has
responsibly legislated in the last few years. At the very end of 2014,
the Cybersecurity Enhancement Act that I joined Mr. McCaul in
introducing for several Congresses in a row was finally signed into
law. That law does a number of things.
It strengthens coordination and strategic planning for
federal cybersecurity R&D;
It codifies the NIST-led voluntary Framework in the
President's Executive Order;
It strengthens and streamlines the NIST-led processes by
which federal agencies track security risks to their own systems;
It codifies NSF's longstanding cybersecurity scholarship
for service program to ensure more qualified cyber experts are employed
by federal, state, and local governments;
It codifies the cybersecurity education and awareness
efforts led by NIST;
And finally it authorizes several more important actions
and programs led by NIST.
I list all of these things in part so that all of the new Members
to the Science Committee understand just how central NIST is to our
government's cybersecurity efforts. It is one of the most important
least-known agencies in our government. I look forward to hearing about
NIST's efforts from Dr. Romine, and how the new law will further
strengthen NIST's leadership role in cybersecurity. I also look forward
to hearing from Dr. Kurose about the critical and potentially
transformative cybersecurity research programs funded by the National
Science Foundation. And I look forward to hearing from the other three
witnesses who can help educate us further about the importance of
public-private partnerships and the areas where this Committee might
look to address cybersecurity vulnerabilities during this Congress.
Thank you, Madam Chairwoman and I yield back the balance of my
time.
Chairwoman Comstock. And now I recognize the Chairman of
the full Committee, Mr. Smith.
Chairman Smith. And thank you, Madam Chair.
Madam Chair, let me say I look forward to your Chairing
this Subcommittee and also to the gentleman from Illinois, Mr.
Lipinski, continuing to be the Ranking Member of this
Subcommittee as well. He has been a great Ranking Member and I
know that we both will all be able to work together for more
bipartisan legislation that we enjoyed in the last Congress and
that we can look forward to in this new Congress as well.
I also look forward to today's hearing on cyber threats, a
topic that continues to grow in importance. With technological
advances come new methods that foreign countries, cyber
criminals and ``hacktivists'' use to attack and access our
networks.
America is vulnerable and there is an increasing need for
technically trained cybersecurity experts to identify and
defend against cyber attacks. Protecting America's cyber
systems is critical to our economic and national security.
As our reliance on information technology expands, so do
our vulnerabilities. A number of federal agencies guard
America's cybersecurity interests. Several are under the
jurisdiction of the Science Committee. These include the
National Science Foundation, the National Institute of
Standards and Technology, the Department of Homeland Security's
Science and Technology Directorate, and the Department of
Energy. All of these support critical research and development
to promote cybersecurity in hardware, software and our critical
infrastructure.
At the beginning of the last Congress, the Science
Committee considered two cybersecurity bills, the Cybersecurity
Enhancement Act and a bill to reauthorize the Networking and
Information Technology Research and Development program. Both
bills passed the House last April. At the end of the last
Congress, the House and Senate did come to an agreement on the
Cybersecurity Enhancement Act, which was signed into law in
December. The Science Committee will continue its efforts to
support the research and development essential to fortifying
our nation's cyber defenses.
From the theft of credit card information at retailers like
Target and Home Depot, to successful attacks at Sony and on the
U.S. Central Command, no further wakeup calls are necessary to
understand our call to action. As America continues to become
more advanced, we must better protect our information
technology systems from attack. Any real solution should adapt
to changing technology and tactics while also protecting
private sector companies, public institutions and personal
privacy.
Again, Madam Chair, I look forward to today's hearing and
yield back.
[The prepared statement of Mr. Smith follows:]
Prepared Statement of Full Committee
Chairman Lamar S. Smith
Thank you Madam Chair, I look forward to today's hearing on cyber
threats, a topic that continues to grow in importance.
In the 60 years since the last major patent reform, America has
experienced tremendous technological advancements. Computers the size
of a closet have evolved into wireless technology that fits in the palm
of our hand.
With technological advances come new methods that foreign
countries, cyber criminals and ``hacktivists'' can use to attack and
access our networks.
America is vulnerable and there is an increasing need for
technically-trained cybersecurity experts to identify and defend
against cyber-attacks. Protecting America's cyber-systems is critical
to our economic and national security. As our reliance on information
technology expands, so do our vulnerabilities.
A number of federal agencies guard America's cybersecurity
interests. Several are under the jurisdiction of the Science Committee.
These include the National Science Foundation (NSF), the National
Institute of Standards and Technology (NIST), the Department of
Homeland Security's Science and Technology Directorate, and the
Department of Energy.
All of these support critical research and development to promote
cybersecurity in hardware, software and our critical infrastructure.
At the beginning of the last Congress, the Science Committee
considered two cybersecurity bills, the Cybersecurity Enhancement Act
and a bill to reauthorize the Networking and Information Technology
Research and Development program. Both bills passed the House in April
2013.
At the end of the last Congress, the House and Senate came to
agreement on the Cybersecurity Enhancement Act, which was signed into
law in December. That law improves America's cybersecurity abilities.
It strengthens strategic planning for cybersecurity research and
development needs across the federal government. It supports NSF
scholarships to improve the quality of the cybersecurity workforce. And
it improves research, development and public outreach organized by NIST
related to cybersecurity.
The Science Committee will continue its efforts to support the
research and development essential to fortifying our nation's cyber
defenses.
From the theft of credit card information at retailers like Target
and Home Depot, to successful attacks at Sony and on the U.S. Central
Command, no further wake-up calls are necessary to understand our call
to action.
As America continues to become more advanced, we must better
protect our information technology systems from attack. Any real
solution should adapt to changing technology and tactics while also
protecting private sector companies, public institutions and personal
privacy.
I look forward to hearing from our witnesses today and yield back.
Chairwoman Comstock. If there are Members who wish to
submit additional opening statements, your statements will be
added to the record at this point.
Chairwoman Comstock. I would also like to welcome our
colleague from Washington, Mr. Newhouse, and authorize his
participation in today's hearing.
Okay. Now, at this time I would like to introduce our
witnesses. Our first witness today is Ms. Cheri McGuire. Ms.
McGuire is the Vice President of Global Government Affairs &
Cybersecurity Policy at Symantec Corporation. Before joining
Symantec, Ms. McGuire served as Director for Critical
Infrastructure and Cybersecurity in Microsoft's Trustworthy
Computing Group and as Acting Director at DHS's National
Cybersecurity Division. Ms. McGuire received her bachelor's
degree from the University of California Riverside and her MBA
from the George Washington University.
Our second witness is Dr. James Kurose. Dr. Kurose is the
National Science Foundation's Assistant Director for the
Computer and Information Science and Engineering Directorate.
He also serves as Co-Chair of the Networking and Information
Technology Research and Development Subcommittee at the
National Science and Technology Council Committee on
Technology.
Now, do you say all that when--in one introduction? That is
good.
Prior to joining NSF, Dr. Kurose was a distinguished
Professor in the School of Computer Science at the University
of Massachusetts Amherst where he served as Chair of the
Department of Computer Science. Dr. Kurose holds a bachelor's
degree in physics from Wesleyan University and a Master of
Science and Ph.D. in computer science from Columbia University.
Our third witness today is Dr. Charles Romine, Director of
the National Institute of Standards and Technology Information
Technology Laboratory, or ITL. Before working at NIST he served
as Senior Policy Analyst at the White House Office of Science
and Technology Policy and as a Program Manager at the
Department of Energy's Advanced Scientific Computing Research
Office. Dr. Romine received his bachelor's degree in
mathematics and his Ph.D. in applied mathematics from the
University of Virginia. Yea.
Our fourth witness is Dr. Eric Fischer, who serves as a
Senior Specialist in the Science and Technology for the
Congressional Research Service. Prior to working for CRS, Dr.
Fischer worked as a faculty member at the University of
Washington in Seattle and as a Congressional Science and
Technology Policy Fellow for the American Association for the
Advancement of Science. Dr. Fischer received his bachelor's
degree in biology from Yale and his Ph.D. in zoology from the
University of California Berkeley.
Our final witness is Mr. Dean Garfield, President and CEO
of the Information Technology Industry Council, or ITI. Before
joining ITI, Mr. Garfield served as Executive Vice President
and Chief Strategic Officer for the Motion Picture Association
of America and as the Vice President of Legal Affairs at the
Recording Industry Association of America. Mr. Garfield
received a joint degree from New York University School of Law
and the Woodrow Wilson School of Public Administration and
International Affairs at Princeton University.
As our witnesses should know, spoken testimony is limited
to five minutes each, after which the Members of the Committee
will have five minutes each to ask questions.
I now recognize Ms. McGuire for five minutes to present her
testimony.
TESTIMONY OF MS. CHERI MCGUIRE, VICE PRESIDENT,
GLOBAL GOVERNMENT AFFAIRS & CYBERSECURITY POLICY,
SYMANTEC CORPORATION
Ms. McGuire. Chairwoman Comstock, Chairman Smith, Ranking
Member Lipinski, and other Members of the Subcommittee, thank
you for the opportunity to testify today on behalf of Symantec
Corporation.
My name is Cheri McGuire and I am the Vice President for
Global Government Affairs and Cybersecurity Policy. At Symantec
we are the largest security software company in the world and
our global intelligence network is made up of millions of
sensors that give us a unique view into the entire internet
threat landscape.
As I am sure you have read, most of the recent headlines
about cyber attacks have focused on data breaches and the theft
of personally identifiable information, including identities
and credit card numbers. According to Symantec's most recent
internet security threat report, over 550 million identities
were exposed in 2013 alone. Yet while the focus on these
breaches is certainly warranted, it is important not to lose
sight of other equally concerning types of cyber activity.
Attackers run the gamut and include highly organized criminal
enterprises, individual cyber criminals, so-called hacktivists,
and state-sponsored groups. Common attack types range from
distributed denial of service, or DDoS, to highly targeted
attacks, to widely distributed financial fraud scams. A DDoS
attack is an attempt to overwhelm a system with data, while
targeted attacks try to trick someone into opening an
infected file or navigating to a bad website.
Of course, scams and blackmail schemes seeking money
continue. Some will fill a victim's screen with aggressive pop-
up windows that claim falsely that the system is infected.
Others lock the victim's computer and display a screen that
purports to be from law enforcement and demands payment of a
fine for having illegal content on the computer. The most
recent scheme has gone from trickery to straight up blackmail.
Criminals now will encrypt or scramble all the data on your
device and tell you to pay a ransom or they will erase all of
it.
Critical infrastructure such as the power grid, water
system, and mass transit are also at risk. In June 2014
Symantec released a report about a new threat that we named
Dragonfly. This was a campaign against a range of targets
mainly in the energy sector, but it was not the first to target
energy. As we saw in 2012, cyber attackers mounted a campaign
against the Saudi Arabian National Oil Company that destroyed
30,000 computers and made them display the image of a burning
American flag. Other sectors have seen attacks, too, and the
German Government recently disclosed that a cyber attack on a
steel plant resulted in massive physical damage.
All of the attacks that I have outlined started with a
common factor, a compromised computer. We frequently hear about
advanced persistent threats, or APTs, but the discussion of
cyber attacks too often ignores the psychology of the exploit.
Most rely on social engineering, in the simplest terms, trying
to trick people into doing something that they would never do
if fully aware of their actions.
Attack methods vary. Those spear phishing or customized
targeted emails containing malware are the most common, and
while good security will stop most of these attacks, which
often seek to exploit older known vulnerabilities, many
organizations and individuals do not have up-to-date security
or properly patched operating systems. Social media is also an
increasingly valuable tool for cyber criminals both to gather
information and to spread malicious links.
To combat cyber threats, Symantec partners with government
and industry here and abroad. Working extensively with the FBI
and international law enforcement, we have helped take down and
dismantle some of the world's largest botnets, which has also
led to charges against the criminal operators.
In addition, together with Palo Alto Networks, McAfee, and
Fortinet, we recently cofounded the Cyber Threat Alliance, a
group of cybersecurity providers who share advanced cyber
threat information. While we are competitors, we have found
that there is great benefit to sharing information that will
protect all of our customers and help fight cyber criminals.
This model has worked well in other sectors such as banking and
energy. And further, and even as important, the alliance has
strict guidelines that protect our customer privacy and their
proprietary information, and this of course must be included in
any information-sharing regime.
So what can we do? Good protection starts with a plan and
strong security should include intrusion protection,
reputation-based security, behavioral-based blocking, data
encryption, backups, and data loss prevention tools. And while
the criminals' tactics are constantly evolving, basic cyber
hygiene is still the simplest and most cost-effective first
step.
Last week, the Online Trust Alliance found that 90 percent
of last year's breaches could have been prevented if businesses
implemented basic cyber best practices. At Symantec we are
committed to improving online security across the globe and we
will continue to work collaboratively with our partners on ways
to do so.
Thank you again for the opportunity to testify today and I
look forward to your questions.
[The prepared statement of Ms. McGuire follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairwoman Comstock. I now recognize Dr. Kurose.
TESTIMONY OF DR. JAMES KUROSE,
ASSISTANT DIRECTOR,
COMPUTER AND INFORMATION SCIENCE AND
ENGINEERING (CISE) DIRECTORATE,
NATIONAL SCIENCE FOUNDATION
Dr. Kurose. Thank you. Good afternoon, Chairwoman Comstock,
Chairman Smith, and Representative Lipinski, and Members of the
Subcommittee. I am Jim Kurose, National Science Foundation
Assistant Director for Computer and Information Science and
Engineering. As you know, NSF advances and supports fundamental
research in all disciplines, advances the progress of science
and engineering, and educates the next generation of innovative
leaders. I welcome this opportunity to provide an overview of
NSF-funded cybersecurity research and its impact on the nation.
Long-term unclassified research is critical to achieving a
secure and trustworthy cyberspace. In 2011 NSF contributed to
the Administration's Strategic Plan for Federal Cybersecurity
Research and Development. It specifies a coordinated research
agenda for agency investments that change the game by
establishing a science of cybersecurity, transitioning research
into practice, and bolstering cybersecurity education and
training.
With the rapid pace of technological advancement, we are
witnessing the tight integration of financial, business,
manufacturing, and telecommunications systems into a networked,
global society. These interdependencies can lead to
vulnerabilities and threats that challenge the security,
reliability, and overall trustworthiness of critical
infrastructure. The result is a dramatic shift in the size,
complexity, and diversity of cyber attacks.
In response to these changing threats, NSF has long
supported fundamental cybersecurity research resulting in many
powerful approaches deployed today. NSF continuously brings the
problem-solving capabilities of the nation's best minds to bear
on these challenges. It also promotes connections between
academia and industry.
In Fiscal Year 2014 NSF invested $158.28 million in
cybersecurity research, including $126 million in the cross-
cutting Secure and Trustworthy Cyberspace program. Projects
range from security at the foundational level, including
detecting whether a silicon chip contains a malicious circuit
or developing new cryptographic solutions, to the systems
level, including strategies for securing the electric power
grid.
Projects are increasingly interdisciplinary spanning
computer science, mathematics, economics, behavioral science,
and education. They seek to understand, predict, and explain
prevention, attack, and defense behaviors and contribute to
developing strategies for remediation while preserving privacy
and promoting usability.
Projects also include center scale activities representing
far-reaching explorations motivated by deep scientific
questions and grand challenge problems in, for example,
privacy, encryption, cloud, and healthcare systems.
In addition, NSF promotes the transition of discoveries
into the field as threats and solutions co-evolve over time.
Partnerships continuously improve the security of our critical
infrastructure ensuring U.S. leadership, economic growth, and a
skilled workforce. For example, with the Semiconductor Research
Corporation, NSF supports research into the design of secure
hardware. With Intel Corporation, NSF invests in the security
and privacy of cyber-physical systems such as transportation
networks and medical devices.
NSF also invests in industry university cooperative
research centers that feature high-quality industrially-
relevant fundamental research enabling direct transfer of
university-developed ideas to U.S. industry, improving its
competitiveness globally. In recent years, we have seen
research outcomes lead to new products and services and to
numerous startups in the IT sector bringing innovative
solutions to the marketplace.
Cybersecurity education is also important. For example, the
Scholarship for Service program provides tuition to
cybersecurity college majors in exchange for government service
following graduation. To date, this program has provided 1,700
scholarships at over 50 institutions and has placed graduates
in over 140 federal, state, local, and tribal government
agencies. NSF participates in the interagency Networking and
Information Technology Research and Development program. I
serve as the Co-Chair of the NITRD Subcommittee and many NSF
division directors and program directors actively participate
in NITRD cybersecurity and information assurance activities
ensuring coordination of investments across 18 government
agencies.
To conclude, my testimony today has emphasized that the
pace and scope of today's cyber threats pose grand challenges
to our nation's critical infrastructure and that NSF continues
to make significant investments in fundamental cybersecurity
research. I have discussed how NSF partners with industry to
advance cybersecurity R&D that will effectively address cyber
threats as they evolve.
I very much appreciate the opportunity for dialogue with
Members of this Subcommittee on these very important topics.
With robust, sustained support for foundational and
multidisciplinary cybersecurity R&D in the executive and
legislative branches, there is a unique opportunity to protect
our national security and enhance our economic prosperity for
decades to come.
This concludes my remarks. I am happy to answer any
questions.
[The prepared statement of Dr. Kurose follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairwoman Comstock. All right. Thank you, Doctor.
And now we recognize Dr. Romine for his testimony.
TESTIMONY OF DR. CHARLES H. ROMINE, DIRECTOR,
INFORMATION TECHNOLOGY LABORATORY,
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Dr. Romine. Chairwoman Comstock, Chairman Smith, Mr.
Lipinski, and Members of the Subcommittee, I am Dr. Charles
Romine, Director of the Information Technology Laboratory at
NIST, and thank you for the opportunity to discuss our role in
cybersecurity.
In the area of cybersecurity, NIST has worked with federal
agencies, industry, and academia since 1972. Our role--to
research, develop, and deploy information security standards
and technology to protect information systems against threats
to the confidentiality, integrity, and availability of
information and services--was strengthened through the Computer
Security Act of 1987, broadened through the Federal Information
Security Management Act of 2002, and recently reaffirmed in the
Federal Information Security Modernization Act of 2014. The
Cybersecurity Enhancement Act of 2014 also authorizes NIST to
facilitate and support the development of voluntary, industry-
led cybersecurity standards and best practices for critical
infrastructure.
NIST accomplishes its mission in cybersecurity through
collaborative partnerships. The resulting NIST special
publications and interagency reports provide operational and
technical security guidelines for federal agencies and cover a
broad range of topics such as electronic authentication,
intrusion detection, access control, and malware.
NIST maintains the National Vulnerability Database, or NVD,
a repository of standards-based vulnerability management
reference data, which enables security automation capabilities
for all organizations. The payment card industry uses the NVD
vulnerability metrics to discern the IT vulnerability in point-
of-sale devices and determine acceptable risk.
NIST researchers develop and standardize cryptographic
mechanisms used worldwide to protect information. The NIST
algorithms and guidelines are developed in a transparent and
inclusive process leveraging cryptographic expertise around the
world. The results are standard, interoperable, cryptographic
mechanisms that can be used by all.
Recently, NIST initiated a research program on usability of
cybersecurity focused on password policies, user perceptions of
cybersecurity risk, and privacy. This will enhance
cybersecurity through increased attention to user interactions
with cybersecurity technologies.
The impacts of NIST's cybersecurity activities extend
beyond providing the means to protect federal IT systems. They
provide the cybersecurity foundations for the public trust that
is essential to realizing the national and global economic,
productivity, and innovation potential of electronic business.
Many organizations voluntarily follow NIST standards and
guidelines reflecting their worldwide acceptance.
NIST also houses the National Program Office of the
National Strategy for Trusted Identities in Cyberspace, or
NSTIC. The NSTIC initiative aims to address one of the most
commonly exploited vectors of attack in cyberspace, the
inadequacy of passwords for authentication. The 2013 data
breach investigations report noted that in 2012, 76 percent of
network intrusions exploited weak or stolen credentials. NSTIC
is addressing this issue by collaborating with the private
sector, including funding 13 pilots, to catalyze a marketplace
of better identity and authentication systems.
Another critical component of NIST cybersecurity work is
the National Cybersecurity Center of Excellence, or NCCoE, a
partnership between NIST, the State of Maryland, Montgomery
County, and the private sector. NCCoE is accelerating the
adoption of applied, standards-based solutions to cybersecurity
challenges. The NCCoE is now supported by the nation's first
federally funded research and development center dedicated to
cybersecurity.
Through NCCoE, NIST works directly with businesses across
various industry sectors on applied solutions to cybersecurity
challenges with current activities addressing the healthcare,
financial services, and energy sectors.
Almost one year ago NIST issued the Framework for Improving
Critical Infrastructure Cybersecurity in response to Executive
Order 13636. The framework, created through collaboration
between industry and government, consists of standards,
guidelines, and practices to promote the protection of critical
infrastructure. The framework is being implemented by industry
and adopted by infrastructure sectors to reduce cyber risks to
our critical infrastructure.
As the cyber threats and technology environments evolve,
the cybersecurity workforce must continue to adapt so as to
continuously improve cybersecurity, including in our nation's
critical infrastructure. In 2010, the National Initiative for
Cybersecurity Education was established to enhance the overall
cybersecurity posture of the United States by accelerating the
availability of educational, training, and workforce
development resources designed to improve the cybersecurity
behavior, skills, and knowledge of every segment of the
population.
As the lead agency for this initiative, NIST works with
more than 20 federal departments and agencies, industry, and
academia to raise national awareness about risks in cyberspace,
broaden the pool of individuals prepared to enter the
cybersecurity profession, and cultivate a globally competitive
cybersecurity workforce.
NIST recognizes our essential role in helping industry,
consumers, and government to counter cyber threats. We are
extremely proud of our role in establishing and improving the
comprehensive set of cybersecurity technical solutions,
standards, guidelines, and best practices, and the robust
collaborations with our federal government partners, private
sector collaborators, and international colleagues.
Thank you for the opportunity to testify today on NIST's
work in cybersecurity. I would be happy to answer any questions
that you may have.
[The prepared statement of Dr. Romine follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairwoman Comstock. Thank you, Doctor.
And now I recognize Dr. Fischer for his testimony.
TESTIMONY OF DR. ERIC A. FISCHER,
SENIOR SPECIALIST IN SCIENCE AND TECHNOLOGY,
CONGRESSIONAL RESEARCH SERVICE
Dr. Fischer. Good afternoon, Chairwoman Comstock, Chairman
Smith, Ranking Member Lipinski, and distinguished Members of
the Subcommittee. On behalf of the Congressional Research
Service, thank you for the opportunity to testify today.
I will try to put what you have heard from previous
witnesses in context with respect to both long-term challenges
and near-term needs in cybersecurity and the federal role in
addressing them.
The technologies that process and communicate information
have become ubiquitous and are increasingly integral to almost
every facet of modern life. These technologies and the
information they manage are collectively known as a cyberspace,
which may well be the most rapidly evolving technology space in
human history. This growth refers not only to how big
cyberspace is but also to what it is. Social media, mobile
devices, cloud computing, big data, and the internet of
things--these are all recent developments and all are
increasingly important facets of cyberspace. It is difficult to
predict how cyberspace will continue to evolve but it is
probably safe to expect the evolution to continue for many
years.
That is not to say that all of cyberspace has changed.
Basic aspects of how the internet works are decades old, and
obsolete hardware, software, and practices may persist for many
years. All of this makes the cyberspace environment a daunting
challenge for cybersecurity. Three other major challenges
relate to design, incentives, and consensus. Building security
into the design of cyberspace has proven to be difficult. The
incentive structure within cyberspace does not particularly
favor cybersecurity, and significant barriers persist for
developing consensus on what cybersecurity involves and how
to implement it effectively.
No matter how important such challenges are, they do not
diminish the need to secure cyberspace in the short-term. That
includes reducing risk by removing threats, hardening
vulnerabilities, and taking steps to lessen the impacts of
cyber attacks. It also includes addressing needs such as
reducing barriers to information-sharing, building a capable
cybersecurity workforce, and fighting cybercrime.
Federal agencies play significant roles in addressing those
near-term needs and meeting the long-term challenges. Under the
Federal Information Security Management Act, known as FISMA,
all federal agencies are responsible for securing their own
systems. Private-sector contractors acting on behalf of federal
agencies must also meet FISMA requirements. In Fiscal Year
2013, federal agencies spent $10.3 billion on those activities,
about 14 percent of agency information-technology budgets.
Federal agencies also have responsibilities for other
cybersecurity functions. Research and development, along with
education, are the two probably most focused on addressing
long-term challenges. Others, such as technical standards and
support, law enforcement, and regulation, focus more on meeting
immediate needs.
You have already heard about NIST and NSF. Among other
agencies, the Department of Energy supports cybersecurity
efforts in the energy sector. Several of its 17 National
Laboratories also engage in cybersecurity R&D and education.
The Department of Defense, in addition to military operations,
also engages in cybersecurity R&D and education. Altogether,
DOD agencies account for more than 60 percent of reported
federal funding for cybersecurity R&D.
The Department of Homeland Security fulfills several
cybersecurity functions. In the Science and Technology
Directorate, the Cybersecurity Division focuses on developing
and delivering new cybersecurity technologies and other tools.
The Department spent $75 million on cybersecurity R&D in 2013,
more than DOE and NIST but also less than NSF and much less
than DOD.
Another department responsibility is coordinating the
operational security of federal systems under FISMA. The
department also plays a significant role in law enforcement but
perhaps is best known for coordinating federal efforts to
improve the security of critical infrastructure, most of which
is controlled by the private sector.
Most private-sector department activities are voluntary,
but the department also has some regulatory authority over the
transportation and chemical sectors. Several other agencies
also have regulatory responsibilities relating to cybersecurity
in the 16 recognized critical infrastructure sectors.
The role of federal regulation in cybersecurity has been a
significant source of controversy, along with how to remove
barriers to information-sharing while protecting proprietary
and personal information, and the proper roles of different
federal agencies in various cybersecurity activities.
That concludes my testimony. Once again, thank you for
asking me to appear before you today.
[The prepared statement of Dr. Fischer follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairwoman Comstock. Thank you. I now recognize Mr. Dean
Garfield.
TESTIMONY OF MR. DEAN GARFIELD,
PRESIDENT AND CEO,
INFORMATION TECHNOLOGY INDUSTRY COUNCIL
Mr. Garfield. Thank you, Chairwoman Comstock, Chairman
Smith, Ranking Member Lipinski.
On behalf of 60 of the most dynamic and innovative
companies in the world that make up the global IT sector, I
would like to thank you for the opportunity to be in front of
you today and to thank you as well for focusing on this issue.
We think it is an issue that has the potential for bipartisan
collaboration and want to seize that opportunity.
With that in mind, I would like to focus on three things:
1) how we are experiencing the cybersecurity threat today; 2)
what we are doing about it; and then 3) how Congress can help.
With regard to the first, as Dr. Fischer pointed out, we are
living in an increasingly globally integrated and
interconnected world. As a result, cyber criminals are seeking
to exploit that. Gone are the days when we had intermittent
viruses and instead we face a world, as my colleague Cheri
McGuire pointed out, where we consistently face a threat that
is increasingly global, increasingly sophisticated, and
increasingly persistent. We are seeing advanced persistent
threats where cyber criminals are penetrating our networks in
phase, avoiding detection, and doing damage over a long period
of time. As well, the threat is increasingly asymmetric and so
the risks to the banking sector are often quite distinct from
the risks to the manufacturing sector or the tech sector.
The reality is there is no silver bullet solution so what
are we doing about it? In a word, a lot. Increasingly, our
approach is based on risk mitigation and resilience. You see
that both in the products that we are bringing into the
marketplace, as well as the processes that we are integrating
into our businesses. With the products in the marketplace, you
are already seeing the results of the billions of dollars that
we spend on R&D, whether that is through advanced data
analytics that is allowing us to get ahead of cyber criminals
or in the integration of biometrics, as you see in many of your
mobile devices today, including your cell phone, which are all
making a difference.
In addition to the work that we undertake with our products
that are making their way into the market, we are making
changes in our business processes that we would advocate for
all businesses generally. One, we are increasingly making
cybersecurity the default norm, so rather than turning on a
cybersecurity feature, we are building products and developing
systems where they come as a built-in part of the practice.
Secondly, we are increasingly relying on managed services.
So rather than relying on the IT person who may or may not know
anything about cybersecurity, we are relying heavily on
cybersecurity professionals in carrying out work on
cybersecurity within our company in network management.
As well, we are making sure that cybersecurity is a part of
every aspect of our business, and with that in mind, it is
worth commending NIST for the work that they have done on the
cybersecurity framework, which has done a great job in making
that the case for both large and small businesses.
So what can Congress do? There are four things that we
would recommend. One is making sure that the laws that are on
the books and our enforcement of those laws are adequate to
meet the challenge and the evolving nature of that challenge
that we face today.
Second, as all of the doctors on the panel have pointed
out, it is important to have adequate funding for early-stage
research, as well as for the work that NIST is doing to advance
a framework to make it increasingly the norm for all
businesses.
Third, it is important that we have legislation that helps
us to disseminate cyber threat information more broadly. That
is an opportunity for a bipartisan consensus in action and we
hope that Congress will act on that this year.
Fourth, cybersecurity and cybersecurity risk management is
not a technology issue; it is a national issue, and so it is
important that all of us, including the Members of Congress,
take advantage of the bully pulpit we have to educate the
public about cybersecurity. So when you have your roundtables
in your district, or I speak, it is important to include
cybersecurity as one of the default points that we share with
the public.
There is--the challenge, as all of the panelists have
pointed out, is quite significant, but if we take advantage of
those four steps and work collaboratively, we think there is an
opportunity to make significant headway in addressing this
issue. So thank you.
[The prepared statement of Mr. Garfield follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairwoman Comstock. I thank the witnesses for their
testimony and now the Committee rules limit our questioning to
five minutes and so as the Chair I will do the opening round of
questions.
So actually I would like to pick up on your four points,
Mr. Garfield, but have you all address. Given it is a national
issue, what would you recommend that we, when we go home, that
we tell people how to--you know, at our town halls, how to
engage, what they can do personally at home and maybe some of
these 90 percent of the breaches that we can prevent, what can
we do with the public education to prevent those most common?
Mr. Garfield. I can start and do something quite simple,
which is you have heard a lot of data around the risk that we
all present because oftentimes cyber breaches are caused by
human error, and so making sure that we are using multilevel
authentication, for example, so not just relying simply on a
password. To the extent that your technology isn't deploying
cyber as a default, turning it on so that you have the benefit
of all the research and development that is taking place.
The other thing that I would say is we often make common
mistakes. You know, we post our passwords on our computer, and
so moving away from doing things like that makes us vulnerable
is an important part of----
Chairwoman Comstock. Sort of like don't leave the keys in
the car.
Mr. Garfield. Exactly.
Chairwoman Comstock. Okay.
Ms. McGuire. So there are a couple of additional things
that I will add to Dean's list. The first is make sure that you
are using very strong and complex passwords. You have heard a
lot about the research and development going on today both
within the NSF and NIST around new authentication methods and
password technology but this is one of the most basic things
that people can do today. Be careful when you are developing
your passwords not to use things that you have posted on your
social media site. What an easy way to socially engineer your
password. Also make sure that you keep your security products
and your systems up-to-date, keep them patched, and that will
help give you quite a bit of protection, and then be aware--
always be aware. Just as you are walking down the street, being
aware of your surroundings, be aware of your surroundings when
you are online. Be careful about accepting emails or clicking
on attachments for things that you may not be sure of what they
are and be very aware of that because that is the most common
way of getting your computer infected is clicking on something
that maybe you shouldn't have.
Chairwoman Comstock. Any--sure.
Dr. Kurose. Yes. I would like to just raise two quick
points. First, in terms of what we do, certainly a sustained
investment in fundamental research is incredibly important, but
we need to really focus on the root causes of cybersecurity
challenges, not just treating the symptoms. I mean we do need
to do both but I think the need for fundamental research is
critical.
And something that I think you have heard all the panelists
talk about is that it is a socio-technical problem. Technology
alone is not going to solve the problem. It is technology
together with the correct application and the understanding of
the human dimension and the social dimension of security is
very important.
Chairwoman Comstock. And then maybe to all of you again,
how do you, as you gather this expertise and we constantly have
to adapt and change, how do you prevent the person who is
working with your company or working within the government
today, kind of catching the bad guys and catching the cyber
threats and the hacktivists, from not turning into the bad guy
who is now going out with that knowledge and doing that and how
do we prevent that and what kind of safety measures and
processes do we have to have in place in the public sector and
the private sector? I know that is pretty broad but----
Dr. Romine. Well, certainly I can--the insider threat is
one of the most challenging things to address principally
because, by definition, you are talking about someone that you
view as a trusted entity so you have to be very cautious about
demonstrating that you don't trust your own people, so you have
to be very careful about that.
From our perspective I think we are coming to a situation
where increasingly we have more tools at our disposal to do the
data analytics for some of the things that are going on within
an organization, and there are opportunities to detect
anomalous behavior that might reveal that kind of insider
threat.
Ms. McGuire. And I would just add to that that there are
technologies out there today such as data loss prevention
technologies, setting your controls appropriately within
corporations and governments that will allow you to see how
data traverses your network and actually alarm and trigger when
your data is moving to places that it shouldn't be. So those
are technologies that are very much available today and could
in fact prevent a lot of bad things from happening.
Chairwoman Comstock. Okay. Thank you. Thank you. And now I
recognize Mr. Lipinski for five minutes.
Mr. Lipinski. Thank you, Madam Chairwoman. I want to thank
the witnesses for their testimony and I just want to pick up on
one thing that we were discussing in the Chairwoman's questions
is that Dr. Kurose talked about--he said it was a socio-
technical problem in terms of security, and I think that points
out the importance of social science research that is done to
help us better understand and to teach people how to, you know,
avoid stepping into these--a lot of these cyber problems and
being victims of cyber crimes.
But I wanted to--my first question I wanted to ask Dr.
Kurose, Dr. Romine, and Dr. Fischer. For years we have heard
from nongovernmental experts about weaknesses in interagency
coordination of cybersecurity R&D. The civilian agencies with
cybersecurity research programs developed a federal
cybersecurity R&D strategy in December 2011. As I noted in my
opening, the Cybersecurity Enhancement Act that passed last
month strengthened interagency coordination in this area. And I
know the Cybersecurity Enhancement Act is very new so there may
or may not be anything much you can say about that.
But I want to also ask how the--how has the federal R&D
strategy influenced your own agency's cybersecurity R&D
portfolio and how has it strengthened interagency coordination
and collaboration. Dr. Kurose?
Dr. Kurose. Thank you. I would like to just quickly mention
then the Networking and Information Technology Research and
Development program, NITRD, that we talked about a little bit
earlier. This provides an interagency coordination mechanism
and there are specific subcommittees there, one on
cybersecurity and information assurance, and that is a vehicle
by which representatives from multiple agencies can get
together and activities can be coordinated. And one of the co-
chairs from the cybersecurity subcommittee there is from the
National Science Foundation and the activities there very much
find their way back into our discussions at the National
Science Foundation.
Mr. Lipinski. Thank you. Dr. Romine?
Dr. Romine. Yes, I would like to echo what Dr. Kurose said
about the value of having a standing interagency working group
on cybersecurity and information assurance. That is one of the
more robust groups I think under the NITRD program and there is
a lot of conversation that takes place across federal agencies
and a lot of coordination around specific topics.
There have been some strategic planning activities in the
past that the interagency working group has undertaken. The
agencies among the NITRD program established a senior steering
group in this arena to bring together more senior people who
have budget authority within their organizations to coordinate
some of the investments that are being made, and so I think
that has paid dividends, in particular, the emphasis on the
science of cybersecurity emerged from that conversation that
was taking place.
Mr. Lipinski. Dr. Fischer.
Dr. Fischer. I would just like to add that certainly I
think if one looks at the history of coordination across
federal agencies with respect to cybersecurity, clearly there
have been--that has increased. One of the questions one has to
keep in mind is that coordination also has some cost associated
with it. That is to say one doesn't want--potential costs I
should say. One doesn't want the coordination to reduce the
ability of individual agencies to invest in, you know,
consensus mission goals and so that has to be taken into
account. And sometimes for somebody like us looking at, you
know, trying to analyze some of the interagency documents, it
can be a little difficult to figure out exactly what they mean
just because it is relatively complicated.
Mr. Lipinski. Thank you. And I want to ask Mr. Garfield and
Ms. McGuire, anything quickly you could add about your view of
federal cybersecurity R&D, something else that--anything else
that should be done, done differently? Ms. McGuire, Mr.
Garfield, whoever wants to----
Mr. Garfield. I wouldn't necessarily suggest that something
different has to be done. I think there is research that has to
occur in early stages that have impact over the long-term that
the public sector is well-positioned to do, and so making sure
that there is adequate funding for that innovation and R&D to
occur so that we can stay ahead of the cybercriminals is
critically important.
Mr. Lipinski. Thank you. I yield back.
Chairwoman Comstock. Thank you. I now recognize Mr.
Hultgren for five minutes.
Mr. Hultgren. Thank you, Chairwoman.
Thank you all for being here. This is obviously a very
important subject for us and have--I have got a lot of
questions in a lot of different directions.
But first, I would like to just get a little bit of a
response from you. There was some mention--I think Dr. Romine
mentioned about passwords and effectiveness of passwords. It
seems like there was a lot of nodding heads going on with that.
To me it seems like passwords are very effective at keeping me
off my own computer because I keep forgetting them. I am
wondering if there could be a way that the hackers could remind
me of my passwords because I keep forgetting them.
But I wonder if you could talk just a little bit more about
that, of what is the next step, what is the research, where are
we at on that? Specifically, is there R&D that holds promise
for a better option or solutions in passwords?
Chairwoman Comstock. Great question.
Dr. Romine. Absolutely. I can talk from the NIST
perspective. We have started a program on what we call the
usability of security, and usability is a scientific
discipline, a quantitative discipline to determine--our mantra
in this case is we want to make it easy to do the right thing,
hard to do the wrong thing, and easy to recover when the wrong
thing happens anyway. Those are the three principles that I
like to talk about. By the way, I shamelessly stole that from a
colleague.
Mr. Hultgren. It is a good one.
Dr. Romine. From our perspective, we now have research
results suggesting exactly as you say. We have had, for years,
anecdotal evidence suggesting that passwords just don't work.
We have been able to collect validated data now suggesting that
when you make passwords more complex, which you have to do
because if they are easy, if they are simple, then they are
guessable. But if you make them too complex, then people find
ways around the security by writing them down, by storing
them in plain text files and so on. So it is really sort of
counter--it can be counterproductive.
The NSTIC program that NIST manages, which is a nationwide
program where we have the program office, is pledged to
essentially deal with this authentication problem. Password is
only one way of authenticating to the system, and it is, as we
know, now a pretty poor way to do it in general and yet it is
ubiquitous. It is universal. And the NSTIC program is pledged
to, as they say, put a stake in the heart of the password. We
are trying to transition to other means but----
Mr. Hultgren. What is your guess on when that could happen?
I mean what is a timeline, possible time frame?
Dr. Romine. Well, the investments that have been made in
pilots, and we have 13 pilots running now, sort of span from,
you know, authentication through a mechanism, a token, through
biometrics, through two-factor authentication I think, as Dean
alluded to earlier, or as Dr. Fischer alluded to.
So I don't know the exact timeline. I know that we are
making strides in that area, we are making investments, and we
are making it clear that we have now validated evidence that
passwords are flawed as a mechanism for authentication.
Mr. Garfield. Some of those technologies are already in the
marketplace. I think Ms. McGuire made the point as well. I mean
many of the mobile devices that are being sold today do have
biometric authentication instead of passwords, and so
increasingly that is being deployed commercially.
Mr. Hultgren. Okay.
Dr. Kurose. So if I might add that I think you really hit
the nail on the head. Passwords are something that we all have
to wrestle with and I think research has shown that a one-size-
fits-all approach isn't really a good way to proceed forward.
There has been work that looks at trying to adapt the kinds of
authentication that a system is going to use to determine who
the individual is; there is a research project at Berkeley
going on, and also some very interesting research that went on
at Carnegie Mellon about passwords in particular. Is it length,
is it complexity--what are the best ways to have users work
with passwords when you have password-protected systems, and
then how do you feed information back to the user to help the
user along?
Mr. Hultgren. Let me switch gears real quick. As a parent,
I am amazed at how quickly young people pick up on new
technology. I have seen in my own office when I struggle with a
new technology, I call my staff and leave them a voicemail
message, wait for them to get back to me. If they can't figure
it out, they text my kids and get an answer right away. But
with the access kids have, there is also concern that comes
with that and I just wonder if you could talk briefly about
current parental control technology. Is it adequately
protecting minors? I still have a 10-year-old and 13-year-old
at home, as well as older kids, but concerned certainly of
protection but then also something that predators are coming
after them, not waiting for them to find problem areas. So I
wanted to just get your thoughts of how adequate this is and
what is happening there.
Ms. McGuire. So I will jump in on this one.
Mr. Hultgren. Thanks.
Ms. McGuire. So online child safety is a critical concern
that all of us have, and particularly, as you mentioned, as
kids are surfing and going everywhere, it is really hard to
monitor that as a parent so there are tools available.
Certainly we have them in our Norton Security products. Other
products out there give the parent the ability to go
in and type in keywords, block certain websites, and so forth.
So those are there today.
Mr. Hultgren. Do you feel like they are pretty effective
in----
Ms. McGuire. Our customers tell us that they are effective
and so we believe that they help significantly that--there.
The other part of this, though, and it goes to this socio-
technological issue, is we have to start with our kids when
they are first picking up a device and start training them to
be careful, to be aware online, to be safe online. It has got
to start immediately and also we need to include that in our
school curriculum. You know, we teach kids in general safety
but we don't often teach them about cybersecurity, so that is a
big area that can help.
Mr. Hultgren. I see my time is up. Thank you, Chairwoman. I
appreciate your generosity.
Chairwoman Comstock. Thank you. And I now recognize Mr.
Moolenaar, our Vice Chairman.
Mr. Moolenaar. Thank you, Madam Chair. And I appreciate the
testimony today.
I also wanted to follow up on some of the areas of
cybersecurity with respect to our critical infrastructure, and
you had mentioned earlier, you know, the area of energy, our
electric grid, I would think water, our water supply. And I
guess my basic question is what is the role of research in this
area? How important is that? And also, if there is research
done and that is applied, how much time is it good for? Is this
something that, you know, it lasts for a year? Is it
something--you know, what is the length of duration that
information is valid?
Dr. Romine. So I would like to talk to the first half of
that question on the protection of critical infrastructure.
This is something that NIST was called upon to do in the
development of the framework under the Executive Order 13636.
And the way that we approached that was to hold a series of
workshops around the country with the vigorous participation of
industry across all of the sectors, as well as the information
technology industry itself, and I know Ms. McGuire's company
and Mr. Garfield's, the companies that he represents were also
vigorous participants in that process. That led to a consensus
document that was spearheaded principally by the private sector
but with our sort of guidance with regard to what is effective
as a document. So we were able to put together a framework that
I think really helps to improve--or has the potential to help
improve critical infrastructure cybersecurity and I think it is
beginning to have that effect.
Mr. Garfield. And if I may add, I think the approach that
was taken by NIST in putting that together is really a model
for undertaking this work.
Related to the second question you asked about the time
period, it is important to keep in mind that cybersecurity
criminals are always adapting and evolving and so it's
important that we continue this work and continue to evolve it
as well.
Dr. Kurose. So I would like to add also the notion of
``security by design'' rather than reacting to particular
threats--designing security is really a first-class
consideration and the systems that we are building and the
components in the system that we are building are critical. I
would point out--I had mentioned the collaboration NSF has with
the Semiconductor Research Corporation. There the notion is
that the chips that we are building we want to be able to make
sure that there haven't been back doors or other malware
actually inserted into the chips during the fabrication process
and during the design process, so that when those chips come
out we are sure that they are going to act and behave the way
they are supposed to be behaving. That is an instance of
security by design.
The other point I would make is critical infrastructure, it
is not just social networks that affect society, but personal
devices like medical devices as well, so a lot of activity is
going on there also.
Dr. Fischer. If I could just add that with respect to the
question of what kind of R&D is needed, there are many
different aspects to protecting critical infrastructure--for
example, control systems which we really haven't talked about
today, many of which have been very much a legacy and not
really designed with security in mind. And so R&D to determine
what the best way is to design control systems so that they
work in a highly connected environment is important. The
question of to what degree you can actually separate out
critical infrastructure systems from the rest of the internet
is important.
And also worth noting, as some of the other witnesses have
mentioned, is the importance of social and behavioral research
in determining what are the best ways for operators to help
protect critical infrastructure.
Mr. Moolenaar. I guess just one final question also is when
you are working on something like this in the area of critical
infrastructure, let's just say in the electric grid, how--and
this gets to the question of oversight, collaboration with
different agencies. You have got, you know, Homeland Security
involved, you have the energy--FERC. I mean is that something
that is--are you collaborating industry by industry?
Dr. Romine. The workshops that we undertook were in general
inclusive of many different sectors. However, we have had
conversations with sector-specific groups as well, and in fact,
the output, the actual document or the framework itself is
reliant upon much of the input that we got from these regulated
sectors, including the regulators themselves who showed up at
the workshops and gave us input on what could be valuable for
them.
Mr. Moolenaar. Okay. Thank you, Madam Chair.
Chairwoman Comstock. Thank you. I now recognize Mr.
Newhouse for five minutes.
Mr. Newhouse. First of all, thank you, Madam Chair, for
allowing me to sit in on your Committee. You know, as a
freshman, we had the opportunity for several sessions on
cybersecurity at our orientation retreats. We learned just
enough to be concerned and not enough to know what to do about
it and so I appreciate the opportunity to sit here. In fact, in
one of those sessions, just an hour before we sat down, my wife
called me and told me someone was using our Visa card in Texas.
We hadn't been to Texas in several years so we were concerned
about that.
So I have a couple questions and just real quickly and I
know that we are probably going to be leaving for the Floor
shortly, but, first of all, last week--and since you read it in
the paper it must be true--the Associated Press reported at
least 50 data-mining companies are allowed to perch on the
HealthCare.gov website and access personal information entered
by millions of Americans who come to the website for health
insurance. As you know, these data-mining companies scour the
internet constantly for all kinds of information about us.
Without permission or consent from those who are being spied
on, they sell that information to any number of people. So
perhaps Dr. Romine and Ms. McGuire, first Dr. Romine, does the
NIST Cybersecurity Framework contemplate that, that a federal
agency would be certified and then allow scores of data-mining
companies to set up shop at a website like that and collect
sensitive information?
Dr. Romine. It certainly does not address that very
specific issue. What it does address, however, is privacy
considerations in a more general context. And I think one of
the things that the Framework spells out is the need for
companies who are setting up cybersecurity risk management
structures within their company, whether it is a 10-person
company or whether it is a multibillion-dollar, multinational
corporation, that they have to ensure that privacy
considerations are taken into account and there are guidelines
for how to do that.
So I don't have any remarks to make on the specific issues
in this case, but in general, the Framework does have a pretty
strong statement about privacy, and NIST has embarked on a
privacy engineering research activity partly as a result of
what we learned from the Framework process, that there needs to
be more guidance and more tools available for people to promote
privacy considerations.
Mr. Newhouse. And, Ms. McGuire, if you could comment on the
presence of so many of those data-mining companies and whether
or not that makes the website more vulnerable to attacks.
Ms. McGuire. So I can't obviously speak to the specifics of
the technology of what is being used as I am not intimately
familiar with the HealthCare.gov website. I do find it
surprising, though, that there are that many additive websites
or technologies that are able to access the data. Certainly
opening up the network, that would indicate that it would
provide some additional vulnerability but I don't know all the
specifics so----
Mr. Newhouse. Fair enough. Yeah. Then if I may, one last
question, Madam Chair. And perhaps again, Ms. McGuire and
perhaps Mr. Garfield, business sectors that may be most
vulnerable to cyber attack and, you know, we are in Congress
looking at what role government could or should play in helping
protect businesses from cyber threats, could you help us a
little bit, enlighten us there?
Ms. McGuire. Sure. So I talked briefly about what some of
our telemetry tells us about specific sectors and what--the
ones that are most targeted for attacks. Interestingly enough,
public sector entities, government institutions because they
are such a wealth of knowledge and information. From Social
Security identity numbers, all the way to healthcare to
retirement benefits, these public sector websites and data
repositories clearly are targeted at a very high rate.
Also, we see the banking and finance sector, pretty much
anywhere that you are going to have a rich set of data, that is
where the cyber criminals will target. And happy to provide and
follow up but we have a pretty good list of sort of a ranking
of the most targeted sectors that we see from our global
telemetry.
Mr. Newhouse. Maybe what can we do about that?
Mr. Garfield. Yeah, the one thing I would add is related to
that. The reality is that criminals are looking for
vulnerabilities wherever they can find them, and so to the
extent that we can figure out ways of sharing the threat matrix
more broadly, then I think it would be a great assistance to
us. And there is already movement in Congress around advancing
legislation that would deal with the sharing of cyber threat
information. Passing that legislation is one very concrete
thing that I think you could do in the short term.
Mr. Newhouse. Thank you.
Mr. Garfield. You are welcome.
Mr. Newhouse. Thank you, Madam Chair.
Chairwoman Comstock. Thank you.
I just had one. I think we have votes so we may not get to
a second round but I did have one question I wanted to follow
up on.
Do you see attacks sort of--the Christmas holidays and the
opportunity for financial attacks, is that a time to sort of
flood the zone and have attacks--like I usually would get
called--like the gentleman said, they call, hey, are you in
Hawaii buying such and such? Like no, that is not me, don't
okay it.
But I had a situation where after Christmas I show up in a
store, my card has a problem in a department store and they
said we have--we see something that you had $7,000 worth of
cosmetics that you sent to California right before Christmas.
No, we didn't do that. But they had not called me, which got me
thinking do they target that sort of Christmas time, that rush
time because they know sort of in their rush to get things
through, that may be the time they weren't calling people? In
this case it was the 23rd, the 24th, and the 26th but all those
things were purchased and shipped. Fortunately, they took them
off the card before they showed up at my home and horrified
everybody but----
Ms. McGuire. Yeah, so your observation is spot on in that
cyber criminals will take advantage of any social activity, any
major events. We saw, for example, around the Summer Olympics
we saw lots of new types of scams associated with that, the
World Cup, lots of new scams with that. Even the royal wedding
in the U.K., there were a plethora of new online scams that
were built around that knowing that people would be searching
and going to websites to look up these types of current events.
So, yes, in short those international events, major national
holidays, et cetera, do create additional levels of risk.
Chairwoman Comstock. So in terms of best practices, those
kind of things should be--set off bells or time frames so that
we are doing extra work in those time frames?
Ms. McGuire. Yeah. You should be careful all of the time
but those especially can be more intense if you will.
Dr. Fischer. I should mention that this relates certainly
to cybercrime aimed at consumers, but there is also the
question about timing of cyber attacks aimed at, say, critical
infrastructure, and one of the sort of hallmarks of cyber
criminals who are interested or spies who are interested in,
say, getting proprietary information, intellectual property
information, national security secrets, or whatever is that
they will try to target a system in such a way that they can
get in, exfiltrate the information, and then get out without
anybody knowing. So it is common--one of the sort of common
assessments is that businesses can often take months before
they actually realize that they have been the victim of a
successful cyber attack and it can just take hours to
exfiltrate the information. So to a certain extent, with
respect to--as I say, it really depends on the importance of
the timing really depends on what the sector is that is being
targeted.
Mr. Garfield. If I could add, too, just some things that
Congress can do very concretely around this question, one is
making sure that there are adequate resources to address the
criminals, right, because if it is viewed as a crime without a
penalty, then people will be incentivized to continue to do it.
The second is you make the point that you would normally--in
the normal course be warned about it, but during that period of
time, it wasn't, making sure that there are adequate resources
around R&D so that the technologies that are being deployed
that detect abnormal behavior are widely distributed. And so
those are two things that Congress can do that can be helpful
in this area.
Chairwoman Comstock. And then how do we--because, you know,
the concerns of privacy, you know, people--you always
appreciate when you get that phone call but then the next
question is, well, how do you know where I am and what I am
buying? It gives people a bit--but obviously in this case I was
lucky they took it all off my credit card. You know, how do
they balance that?
Ms. McGuire. So today there are mostly algorithms that are
all predominantly----
Chairwoman Comstock. Right.
Ms. McGuire. --done by the machines themselves to catch
those exact kinds of flags if you will of unusual behavior or
unusual activity. And then of course you end up getting a phone
call from a real person hopefully to----
Chairwoman Comstock. So part of the public education that
we do with the public is we need to separate the algorithms and
the patterns that you are looking at there are separate from,
say, when Google is getting all of our HealthCare.gov
information. So there--these are two--they often get lumped
together whereas it is two very separate things. This is the
machine kind of going through data, not looking at what I am
buying at the department store, just flagging things as opposed
to somebody getting my data and knowing when I am on a
particular site and that getting pushed out somewhere. So those
are two very different types of situations, right?
Mr. Garfield. You could have a whole hearing around data
analytics. I am not suggesting--necessarily suggesting it but
you make a very good point that often people will hear big data
or data analytics and think that it is personal to them. In
almost all instances what is happening, there are computers
that are looking at patterns and then not looking at
individuals or individual data, and based on normal patterns,
then passing that on to someone else. And so in this instance
and in most instances it is actually an advancement that we
want to see because in the end it helps us in society.
Chairwoman Comstock. Right. Thank you.
And, Mr. Lipinski, did you have additional questions?
Mr. Lipinski. Yeah, thank you, Madam Chair. I think this
will be probably quick.
I just wanted to get back to HealthCare.gov, and my
understanding is that companies are not actually perched on the
HealthCare.gov but they are receiving--they are being given
data from there. Now, that is very different. It is still, I
understand, a privacy issue, which is something certainly
Congress can look at that, but as Mr. Garfield was talking
about data analytics, that is a whole different issue,
certainly something that, you know, we should be always
concerned about privacy.
But I want to ask Dr. Romine, HealthCare.gov is FISMA-
compliant. Could you just tell us what that means, what the
FISMA standards are and how federal agency computer systems
are--become FISMA-compliant?
Dr. Romine. Sure. The Federal Information Security
Management Act, or FISMA, provides NIST the opportunity to
develop a collection of standards and guidelines that are used
by federal agencies to secure their information systems. We do
that in a collaborative way with private sector involvement to
try to understand exactly what the right approach is for
securing those systems. What we don't really have very often is
insight into that because we don't have an operational role; we
have a guidance role. We don't have insight into how federal
agencies are doing--are complying with FISMA requirements or
FISMA guidelines.
And so in the case of HealthCare.gov, for example, I have
no direct information about the actual implementation of the
FISMA guidelines but it is predicated on taking cybersecurity
in a risk management approach, in an analogous way to what we
did with the framework for critical infrastructure
cybersecurity improvement. And so the idea is to identify the
risks associated with the system and a catalog of risks and a
catalog of mitigations to adopt steps that are necessary to
mitigate those risks and then assess the level of risk that the
individual organization that is appropriate for that
organization or for that particular system. So that is the
approach that is taken, but as I say, with regard to any
specific agency, it is really the CIO responsibility along with
the Inspector General who follows up on ensuring that the
guidelines are met.
Mr. Lipinski. Thank you very much. I don't want in any way
my statements or questions to suggest that everything is
wonderful with HealthCare.gov or especially the D.C. website,
which was completely atrocious once again for the second year
in a row as we had to deal with that being in the system this
year. But I think the important thing is looking here at
security and, you know, we--as I said, privacy is another issue
but the security is something that I think we have talked about
here and had hearings here and have not found any issues with
that. So thank you very much.
Chairwoman Comstock. Okay. I believe, Mr. Newhouse, you
wanted an additional question?
Mr. Newhouse. Well, I certainly could. We could talk about
some of these things for a long time but I guess following up a
little bit, Dr. Romine--and I hope you don't feel picked on
today, but----
Dr. Romine. Quite all right.
Mr. Newhouse. --that is the risk you take.
Dr. Romine. That is right.
Mr. Newhouse. You do play an important role, though, with
regard to FISMA and it is--you talked a little bit about that
role in your work up to date. I just wanted to know if there
are any recommendations that you might have that would be
valuable to us in any changes to the law?
Dr. Romine. Well, certainly I don't have any changes to the
statutes to recommend. I would--it will at least give me the
opportunity to thank this Subcommittee and the Committee for
the work that we have done collaboratively. We have had a
really good working relationship between NIST and the
Subcommittee and Committee over time and we appreciate that.
I think we are in a good spot with regard to a few things.
One is the FISMA risk management framework is really an
important--it provides an important understanding of the
appropriate balance between ensuring the ability of the private
sector to innovate in this space and provide new services while
at the same time maintaining an overall approach that balances
that against the associated risks. And because the information
technology space is so dynamic, the risk management framework
is also very adaptive and dynamic as well. And so I think it is
the appropriate mechanism. I appreciate the support.
Mr. Newhouse. And the Congress must be just as dynamic
then?
Dr. Fischer. If I may just mention with respect to FISMA
implementation, the last Congress enacted, as was mentioned,
the Federal Information Security Modernization Act of 2014, and
that act gave statutory authority to DHS for some operational
aspects of helping to ensure that agencies have adequate
cybersecurity. The Obama Administration had administratively
delegated it, but previous to that the responsibilities lay
entirely with OMB, which doesn't have operational capabilities.
So it remains to be seen to what extent the changes in the law
will lead to improvements in agencies' cybersecurity. Certainly
DHS has a number of programs and activities that are aimed at
that.
Chairwoman Comstock. Okay. Well, I want to thank the
witnesses for their very valuable testimony and we so
appreciate all of your expertise, both the public sector and
the private sector, and all that you are doing to bring that
information to us and to the public, and we look forward to
continuing to work with you. And I thank all the Members for
their questions.
And I do want to note that the record will remain open for
two weeks for additional comments or any information you would
like to provide and any written questions from the Members. So
the witnesses are now excused and this hearing is adjourned.
Thank you very much.
[Whereupon, at 3:28 p.m., the Subcommittee was adjourned.]
Appendix I
----------
Answers to Post-Hearing Questions
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]