[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]

 UNDERSTANDING THE CYBER THREAT AND IMPLICATIONS FOR THE 21ST CENTURY 
                                ECONOMY

=======================================================================

                                HEARING

                               BEFORE THE

              SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

                             MARCH 3, 2015

                               __________

                           Serial No. 114-17



      Printed for the use of the Committee on Energy and Commerce
                        energycommerce.house.gov
                                   ______

                         U.S. GOVERNMENT PUBLISHING OFFICE 

95-373                         WASHINGTON : 2016                        
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Publishing 
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
                          Washington, DC 20402-0001
                        
                    COMMITTEE ON ENERGY AND COMMERCE

                          FRED UPTON, Michigan
                                 Chairman
JOE BARTON, Texas                    FRANK PALLONE, Jr., New Jersey
  Chairman Emeritus                    Ranking Member
ED WHITFIELD, Kentucky               BOBBY L. RUSH, Illinois
JOHN SHIMKUS, Illinois               ANNA G. ESHOO, California
JOSEPH R. PITTS, Pennsylvania        ELIOT L. ENGEL, New York
GREG WALDEN, Oregon                  GENE GREEN, Texas
TIM MURPHY, Pennsylvania             DIANA DeGETTE, Colorado
MICHAEL C. BURGESS, Texas            LOIS CAPPS, California
MARSHA BLACKBURN, Tennessee          MICHAEL F. DOYLE, Pennsylvania
  Vice Chairman                      JANICE D. SCHAKOWSKY, Illinois
STEVE SCALISE, Louisiana             G.K. BUTTERFIELD, North Carolina
ROBERT E. LATTA, Ohio                DORIS O. MATSUI, California
CATHY McMORRIS RODGERS, Washington   KATHY CASTOR, Florida
GREGG HARPER, Mississippi            JOHN P. SARBANES, Maryland
LEONARD LANCE, New Jersey            JERRY McNERNEY, California
BRETT GUTHRIE, Kentucky              PETER WELCH, Vermont
PETE OLSON, Texas                    BEN RAY LUJAN, New Mexico
DAVID B. McKINLEY, West Virginia     PAUL TONKO, New York
MIKE POMPEO, Kansas                  JOHN A. YARMUTH, Kentucky
ADAM KINZINGER, Illinois             YVETTE D. CLARKE, New York
H. MORGAN GRIFFITH, Virginia         DAVID LOEBSACK, Iowa
GUS M. BILIRAKIS, Florida            KURT SCHRADER, Oregon
BILL JOHNSON, Ohio                   JOSEPH P. KENNEDY, III, 
BILLY LONG, Missouri                     Massachusetts
RENEE L. ELLMERS, North Carolina     TONY CARDENAS, California
LARRY BUCSHON, Indiana
BILL FLORES, Texas
SUSAN W. BROOKS, Indiana
MARKWAYNE MULLIN, Oklahoma
RICHARD HUDSON, North Carolina
CHRIS COLLINS, New York
KEVIN CRAMER, North Dakota

              Subcommittee on Oversight and Investigations

                        TIM MURPHY, Pennsylvania
                                 Chairman
DAVID B. McKINLEY, West Virginia     DIANA DeGETTE, Colorado
  Vice Chairman                        Ranking Member
MICHAEL C. BURGESS, Texas            JANICE D. SCHAKOWSKY, Illinois
MARSHA BLACKBURN, Tennessee          KATHY CASTOR, Florida
H. MORGAN GRIFFITH, Virginia         PAUL TONKO, New York
LARRY BUCSHON, Indiana               JOHN A. YARMUTH, Kentucky
BILL FLORES, Texas                   YVETTE D. CLARKE, New York
SUSAN W. BROOKS, Indiana             JOSEPH P. KENNEDY, III, 
MARKWAYNE MULLIN, Oklahoma               Massachusetts
RICHARD HUDSON, North Carolina       GENE GREEN, Texas
CHRIS COLLINS, New York              PETER WELCH, Vermont
KEVIN CRAMER, North Dakota           FRANK PALLONE, Jr., New Jersey (ex 
JOE BARTON, Texas                        officio)
FRED UPTON, Michigan (ex officio)

                             C O N T E N T S

                              ----------                              
                                                                   Page
Hon. Tim Murphy, a Representative in Congress from the 
  Commonwealth of Pennsylvania, opening statement................     1
    Prepared statement...........................................     3
Hon. Diana DeGette, a Representative in Congress from the state 
  of Colorado, opening statement.................................     4
    Prepared statement...........................................
Hon. Marsha Blackburn, a Representative in Congress from the 
  State of Tennessee, opening statement..........................     6
Hon. Frank Pallone, Jr., a Representative in Congress from the 
  State of New Jersey, opening statement.........................     7
Hon. Fred Upton, a Representative in Congress from the state of 
  Michigan, prepared statement...................................    65

                               Witnesses

Herbert Lin, Senior Research Scholar, Center for the 
  International Security and Cooperation, Senior Fellow, Hoover 
  Institution, Harvard University................................     9
    Prepared statement \1\.......................................    12
    Answers to submitted questions...............................    74
Richard Bejtlich, Chief Security Strategist, FireEye, 
  Incorporated...................................................    30
    Prepared statement...........................................    32
    Answers to submitted questions...............................    86
Gregory Shannon, Chief Scientist, CERT Division, Software 
  Engineering Institute, Carnegie Mellon University..............    38
    Prepared statement...........................................    40
    Answers to submitted questions...............................   101

                           Submitted Material

Majority memorandum..............................................    66

----------
\1\ Available at: http://docs.house.gov/meetings/if/if02/
  20150303/103079/hhrg-114-if02-20150303-sd006.pdf.

 
 UNDERSTANDING THE CYBER THREAT AND IMPLICATIONS FOR THE 21ST CENTURY 
                                ECONOMY

                              ----------                              


                         TUESDAY, MARCH 3, 2015

                  House of Representatives,
      Subcommittee on Oversight and Investigations,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 2:30 p.m., in 
room 2322 of the Rayburn House Office Building, Hon. Tim Murphy 
(chairman of the subcommittee) presiding.
    Members present: Representatives Murphy, McKinley, Burgess, 
Blackburn, Bucshon, Brooks, Mullin, Hudson, Collins, Cramer, 
DeGette, Clarke, Kennedy, Green, and Pallone (ex officio).
    Staff present: Charlotte Baker, Deputy Communications 
Director; Leighton Brown, Press Assistant; Melissa Froelich, 
Counsel, Commerce, Manufacturing, and Trade; Brittany Havens, 
Legislative Clerk; Charles Ingebretson, Chief Counsel, 
Oversight and Investigations; Paul Nagle, Chief Counsel, 
Commerce, Manufacturing, and Trade; John Ohly, Professional 
Staff, Oversight and Investigations; Chris Santini, Policy 
Coordinator, Oversight and Investigations; Peter Spencer, 
Professional Staff Member, Oversight; Jessica Wilkerson, 
Legislative Clerk; Christine Brennan, Democratic Press 
Secretary; Jeff Carroll, Democratic Staff Director; Chris 
Knauer, Democratic Oversight Staff Director; Una Lee, 
Democratic Chief Oversight Counsel; and Elizabeth Letter, 
Democratic Professional Staff Member.

   OPENING STATEMENT OF HON. TIM MURPHY, A REPRESENTATIVE IN 
         CONGRESS FROM THE COMMONWEALTH OF PENNSYLVANIA

    Mr. Murphy. Well, good afternoon. I now convene this 
hearing of the Oversight and Investigations Subcommittee, 
entitled, ``Understanding the Cyber Threat and Implications for 
the 21st Century Economy.'' This is the first in a series of 
hearings by this committee focused on cyberspace, the Internet, 
and the challenges and opportunities that they present for the 
21st century economy.
    These are big, important issues, so it is imperative that 
we establish a clear understanding of the issues we face. So 
today we are going to do something a little different. We are 
not here to examine a specific cybersecurity incident, policy 
issue, or legislative proposal. Today we are going to take a 
step back and explore some fundamental questions with our 
experts. Such things as what is the breadth and depth of the 
cyber threats? Is it something that can be solved? And what 
does this mean for the future?
    In 1969, computers at four universities connected to the 
ARPANET, thus proving a computer networking concept that 
evolved into what we now know as the Internet. Since its 
inception, the Internet has been an open platform, designed to 
facilitate the transfer of data and information between 
remotely located computing resources. It doesn't discriminate 
against any network or device, nor the transmission of the 
data. It is merely a conduit for information. This open 
architecture, end-to-end system design is what makes the 
Internet such a benefit to society. It provides endless 
possibilities for innovation. It gives any individual with an 
Internet connection an opportunity to share their opinion with 
the world, and to access a nearly infinite amount of 
information. It has revolutionized the way we conduct business, 
interact socially, learn, and consume information, be it true 
or false. As a result, the Internet fostered widespread 
development and adoption of computing and communications 
technologies, collectively known as information technologies. 
Today, we depend on these technologies for everything from 
social interaction to home security, the operation of critical 
services like power plants and the electric grid. This 
integration of the Internet and information technologies into 
nearly every aspect of modern life has created the virtual 
world commonly known as cyberspace.
    The Internet's strength, however, is also its weakness. It 
is by nature an open system with many interconnections, 
creating multiple opportunities for disruption. Likewise, 
information technologies are inherently complex systems, 
increasing the probability of ingrained vulnerabilities. As a 
result, the same technological and cultural factors that 
facilitate real-time global interaction, rapid innovation, and 
freedom of expression empower malicious actors to thrive and 
create risk in cyberspace.
    The challenge arises from the fact that cyberspace creates 
an asymmetric imbalance that strongly favors malicious actors. 
Anyone, from an individual to a nation state, can target a 
victim halfway around the world at minimal cost and with little 
risk of being caught. Because the cost of failure and the 
consequences of crime are minimal, the threat evolves rapidly. 
In contrast, the costs of defense, as well as potential 
consequences, are significant. Because this asymmetric threat 
is rooted in the fundamental structure of the Internet and 
information technology, there is no way to solve cybersecurity 
without undermining the benefits of the cyberspace. There is no 
silver bullet or technological solution. While we certainly can 
do more to improve the security of cyberspace, these decisions 
require a thoughtful cost benefit analysis. How will a 
potential security measure affect the cost or convenience of a 
product? How will it affect the pace of innovation? What will 
it mean for privacy or civil liberties? Cyberspace is no longer 
a place that we visit; it is the place where we live. Ten years 
ago, smartphones were a novelty, in fact, the iPhone didn't 
even exist. Today, mobile devices serve as a credit card, they 
can track our health, unlock our homes, start our vehicles, and 
document our daily travels. A pacifier can monitor your 
infant's temperature and send that information directly to your 
computer or mobile device. Through what is known as the 
Internet of things, we have connected kitchen appliances, you 
can start dinner from the office, check social media accounts 
from your grill, or know when you are low on milk.
    Cyberspace is, and will increasingly be, the economic 
engine of the 21st century economy, and at the same time as the 
Internet and information technology become increasingly 
entwined in our daily routines, cyberspace becomes a limitless 
and adaptive attack surface. The security challenges will be 
more diverse and harder to predict, and the consequences will 
be more severe. We may not be able to secure cyberspace, but it 
is our collective responsibility to understand the threat in 
order to minimize its effect on our privacy, civil liberties, 
national security, and economic prosperity. We should embrace 
this unique opportunity this hearing presents, not to debate 
data breach legislation or other specific policy issues, but to 
listen.
    We are privileged to have an impressive panel of experts 
who can help us understand the challenges of cybersecurity in 
context. In particular, I want to recognize Dr. Shannon from 
Carnegie Mellon University in Pittsburgh, home to the Nation's 
first computer emergency response team. The Pittsburgh region 
boasts some of the Nation's foremost experts in the field of 
cybersecurity, and I am pleased to have one of those experts, 
Dr. Shannon, joining us here today.
    [The prepared statement of Mr. Murphy follows:]

                 Prepared statement of Hon. Tim Murphy

    This is the first in a series of hearings by this Committee 
focused on cyberspace, the Internet and the challenges and 
opportunities that they present for the 21st century economy. 
These are big, important issues, so it is imperative that we 
establish a clear understanding of the issues we face.
    So, today we are going to do something a little different. 
We are not here to examine a specific cybersecurity incident, 
policy issue or legislative proposal. Today, we are going to 
take a step back and explore some fundamental questions. Why 
does the cyber threat exist? Is it something that can be 
solved? And what does this mean for the future?
    In 1969, computers at four universities connected to the 
ARPANET, thus proving a computer networking concept that 
evolved into what we now know as the Internet. Since its 
inception, the Internet has been an open platform, designed to 
facilitate the transfer of data and information between 
remotely located computing resources. It does not discriminate 
against any network or device, nor the data they transmit. It 
is merely a conduit for information.
    This open architecture, end-to-end system design is what 
makes the Internet such a benefit to society. It provides 
endless possibilities for innovation. It gives any individual 
with an Internet connection an opportunity to share their 
opinion with the world. It has revolutionized the way we 
conduct business, interact socially, learn and consume 
information.
    As a result, the Internet fostered widespread development 
and adoption of computing and communications technologies, 
collectively known as information technology. Today, we depend 
on these technologies for everything from social interaction to 
the operation of critical services like the electric grid. This 
integration of the Internet and information technologies into 
nearly every aspect of modern life has created the virtual 
world commonly known as cyberspace.
    The Internet's strength, however, is also its weakness. It 
is by nature an open system with many interconnections, 
creating multiple opportunities for disruption. Likewise, 
information technologies are inherently complex systems, 
increasing the probability of ingrained vulnerabilities. As a 
result, the same technological and cultural factors that 
facilitate real-time global interaction, rapid innovation, and 
freedom of expression empower malicious actors to thrive and 
create risk in cyberspace.
    The challenge arises from the fact that cyberspace creates 
an asymmetric imbalance that strongly favors malicious actors. 
The nature of the Internet and complexity of information 
technology enables anyone--from an individual to a nation 
state--to target a victim halfway around the world at minimal 
cost and with little risk of being caught. Because the cost of 
failure is minimal, the threat evolves rapidly. In contrast, 
the costs of defense, as well as potential consequences, are 
significant.
    Because this asymmetric threat is rooted in the fundamental 
structure of the Internet and information technology, there is 
no way to solve cybersecurity without undermining the benefits 
of the cyberspace. There is no silver bullet or technological 
solution. While we certainly can do more to improve the security 
of cyberspace, these decisions require a thoughtful cost 
benefit analysis. How will a potential security measure affect 
the cost or convenience of a product? How will it affect the 
pace of innovation? What will it mean for privacy or civil 
liberties?
    Cyberspace is no longer a place that we visit. It is a 
place where we live. Ten years ago, smartphones were a 
novelty--in fact, the iPhone didn't even exist. Today, mobile 
devices serve as a credit card, track our health, unlock our 
homes and start our vehicles. A pacifier can monitor your 
infant's temperature and send that information directly to your 
computer or mobile device. Through connected kitchen 
appliances, you can start dinner from the office, check social 
media accounts from your grill or know when you're low on milk. 
Cyberspace is, and will increasingly be, the economic engine of 
the 21st century economy.
    At the same time, as the Internet and information 
technology become increasingly entwined in our daily routines, 
cyberspace becomes a limitless and adaptive attack surface. The 
security challenges will be more diverse and harder to predict. 
And the consequences will be more severe. We may not be able to 
secure cyberspace but it is our collective responsibility to 
understand the threat in order to minimize its effect on our 
privacy, civil liberties, national security and economic 
prosperity.
    I encourage all my colleagues, on both sides of the aisle, 
to embrace the unique opportunity this hearing presents. We are 
not here to debate data breach legislation or other specific 
policy issues. We are privileged to have an impressive panel of 
experts who can help us understand the challenge of 
cybersecurity in context. I look forward to hearing from each 
of our witnesses and the unique perspectives they bring to this 
important discussion. In particular, I want to recognize Dr. 
Shannon from Carnegie Mellon University, which is home to the 
nation's first computer emergency response team. The Pittsburgh 
region boasts some of the nation's foremost experts in the 
field of cybersecurity, and I am pleased to have one of those 
experts, Dr. Shannon, joining us here today.

    Mr. Murphy. I will now recognize the ranking member of the 
O&I Subcommittee, Ms. DeGette of Colorado, for 5 minutes.

 OPENING STATEMENT OF HON. DIANA DEGETTE, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF COLORADO

    Ms. DeGette. Thank you, Mr. Chairman. I am glad we are 
having the time to do a deep dive into this important topic. 
O&I has a long history of exploring issues related to 
cybersecurity. Over the years, we have had hearings on 
cybersecurity risks. We have passed bipartisan legislation to 
promote security and resiliency for critical infrastructure 
systems. We have also examined in detail both cyber attacks and 
vulnerabilities within many of the sectors under this 
committee's jurisdiction. I hope that this series of hearings 
will help us have additional productive conversations about how 
both to understand the cyber risks and how to respond to them.
    Information systems connected to the Internet are integral 
to the operation of our economy. While this interconnectedness 
is essential, the vulnerabilities that it can pose, pose 
serious challenges. Every day, the Internet is under attack by 
those with malicious intent. In the last few years, cyber 
attacks on federal agencies and also on private entities have 
skyrocketed. Every week it seems, there is a new series of 
headlines about cyber attacks and vulnerabilities in our 
system. Last week, for example, Uber revealed a breach of its 
driver database that had gone unreported for months. Anthem 
reported that millions of people who were not its customers 
could be victims of cyber attacks on their systems. Last year, 
we heard of attacks on Home Depot, Target, and JP Morgan Chase 
that involved the personal information of tens of millions of 
Americans.
    So this past year alone has been a stark reminder that all 
industries are vulnerable, and neither the private sector nor 
government is safe from cyber attacks. These attacks are 
becoming more and more frequent, and more and more 
sophisticated. I am personally concerned about how the loss of 
personally identifiable information is affecting American 
consumers. It is starting to appear that there are two types of 
these Americans. Number one, people whose data has been subject 
to a breach, and number two, people whose data will be subject 
to a breach. That seems to be how it is breaking out.
    So I look forward to hearing from our witnesses today about 
the cybersecurity landscape. I have a couple of questions. 
Number one, what are the threats that we now face, and number 
two, what are our biggest vulnerabilities. Also, I want to hear 
what we are doing now, and what we can improve in the future. 
What are the existing standards in both the government and 
private industry for keeping personal information safe, and 
providing notification when there is a breach. How can we make 
sure that both the public and private sectors are using their 
expertise to ensure that cybersecurity measures are 
appropriately tailored to address the specific needs in the 
different sectors. More fundamentally, what is the appropriate 
role of government and of the private sector in securing the 
systems, managing cyber risks, and assessing cyber threats. How 
do we promote the optimal level of cooperation and information 
sharing within this division of labor. Unfortunately, this is a 
problem that doesn't have an immediate or a facile solution.
    So I am hoping that our witnesses throughout the hearings 
can advise us on how we can make the right strategic 
investments in cybersecurity in both the short and long-term. 
They are all smiling because they know what an impossible task 
this is. But this is a problem that exists far beyond our 
Nation's borders. We should be thinking about how we can ensure 
international cooperation to protect against cyber threats 
around the world. I understand we need to make substantial 
changes in the way we think about cybersecurity. This is not a 
problem that we have the tools to deal with immediately. And I 
do want to hear from our witnesses about that today, but even 
while we rethink our approach to cybersecurity and make 
necessary long-term investments, I want to know what we can do 
right now to protect consumers and their personal information. 
If data breaches have become inevitable, we need to think about 
how to make that data unusable once it is stolen, and that 
seems to be a short-term key. I want to hear from the witnesses 
about creative solutions in the post-breach environment. On the 
battlefield, a strategy for preventing the enemy from 
successfully using your technology against you is to render it 
useless if it falls into the wrong hands. I think we need to 
figure out ways to do this now with certain types of consumer 
information if it is stolen.
    As Chairman Murphy said, this is just the first in a series 
to explore cyber threats in a variety of sectors. I want to 
thank the witnesses, and I look forward to our continued work.
    I yield back.
    Mr. Murphy. Gentlelady yields back.
    Now recognize the vice chair of the full committee, Mrs. 
Blackburn of Tennessee, for 5 minutes.

OPENING STATEMENT OF HON. MARSHA BLACKBURN, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF TENNESSEE

    Mrs. Blackburn. Thank you, Mr. Chairman, and thank you for 
the attention to this issue. And witnesses, we appreciate that 
you are here as we begin to think through this process.
    Cyberspace is really a place where a lot of our information 
now resides. It is not just something that we click onto and 
off of, but it is a place of residence for what I term our 
virtual you, which is you and all of your information. And 
interestingly enough, and the chairman noted the end-to-end 
open architecture of the system, the backbone that permits 
this, and you do have that original platform, that openness, 
which makes it what it is, and makes it a successful 
information service. So now, we have all of these incursions, 
and the malware and the spyware and the bots, and this and 
that, and some of these are embedded in hardware, some are 
there via software, and we are looking at an increased number 
of these attacks on our critical infrastructure every day.
    Now, the chairman mentioned a little bit about the Internet 
of things, or as I like to say, the Internet of everything. And 
we know that by the end of this decade, Cisco says we are going 
to have 50 billion, 50 billion devices that are connected to 
the Internet. That is a lot of vulnerabilities. So as we look 
at the steps that need to be taken for privacy and for data 
security, we welcome your expertise and your insights, and we 
thank you for helping us think forward on this.
    And I yield at this time to Dr. Burgess.
    Mr. Burgess. I thank the vice chairwoman for yielding. 
Chairman Murphy, thank you for having the subcommittee have 
this hearing on reviewing the current state of cybersecurity. 
It is an issue that is vital to the future of commerce and our 
economy. Developing a strong grasp of the engineering and 
technical realities underpinning computer networks, and what 
that means for business models is an integral part of 
understanding cybersecurity.
    I do want to acknowledge, Chairman Murphy, your comments 
that this is not a data breach hearing. The Subcommittee on 
Commerce, Manufacturing and Trade is working to finalize 
legislation establishing a data security requirement, and a 
single set of breach notification rules for entities under the 
Federal Trade Committee's jurisdiction. But that is just one 
piece of the broader puzzle, and I look forward to the broader 
discussion of cybersecurity at today's hearing.
    Thank you, Mr. Chairman. I will yield back the balance of 
the time.
    Mr. Murphy. Thank the gentleman.
    And now I turn to Mr. Pallone for 5 minutes.

OPENING STATEMENT OF HON. FRANK PALLONE, JR., A REPRESENTATIVE 
            IN CONGRESS FROM THE STATE OF NEW JERSEY

    Mr. Pallone. Thank you, Mr. Chairman.
    I want to borrow the words of one of our witnesses here 
today. Dr. Shannon, in summarizing the cybersecurity landscape, 
says this in his written testimony, and I quote, ``Currently 
there is no manner in which an entity, public or private, can 
be fully protected without simultaneously destroying its value. 
Today, there are neither the tools, technology, nor resources 
to stop all serious cyber attacks and allow for efficient 
function of electronic commerce. We simply do not yet know how 
to do both of these together, which makes enabling continued 
technology research and innovation essential.'' and that is the 
end of his quote.
    Dr. Shannon, you captured perfectly the problems we face in 
this area, and the challenges in responding. This committee has 
a long history on cybersecurity issues, and I look forward to 
this series of hearings as we continue to examine this area.
    Unfortunately, our ability to protect against cyber attacks 
while improving still appears to lack what is needed to prevent 
these intrusions. We are seeing more frequent and more severe 
attacks in both the public and private sectors. In just the 
past few years, millions of Americans have had their 
information compromised in data breaches. At the same time, our 
dependence on the Internet and interconnected information 
systems has only increased. Disconnecting from the Internet is 
not an option for a vast majority of individuals and companies 
alike.
    The private sector seems to be no better at preventing 
attacks than the Federal Government. In the last year or so, we 
have seen breach after breach where attacks are placing 
Americans' personal data at risk. Attacks on Target, JP Morgan, 
Home Depot, Sony, and now Anthem have all underscored this 
fact. And these attacks illustrate that even the biggest 
companies with considerable resources at their disposal are not 
immune to these intrusions. We must also face the reality that 
it is much cheaper for the attackers to infiltrate than it is 
for us to protect and respond, and unfortunately, there is no 
one solution at this time to guarantee that stored information 
will remain secure. But we can't ignore cybersecurity until we 
have a solution. Instead, we need to find ways to manage the 
problem, and I hope this series of hearings can bring out some 
creative solutions on how to do just that.
    In addition, we need to start thinking about post-breach 
protections, particularly as it relates to consumers. Clearly 
finding ways to strengthen existing systems is necessary, but 
we also need to make it harder for thieves to use stolen data 
after breaches occur. It is not enough for companies to simply 
offer a free year of credit monitoring as an answer. Rather, we 
need to explore ways to make consumer data less useful if it 
falls into the hands of the bad guys.
    So, Mr. Chairman, coming up with effective solutions to 
these problems will be a long process, but I applaud you and 
our ranking member, Ms. DeGette, for starting this series of 
hearings, and I look forward to working with you to better 
protect our institutions, companies, and citizens.
    I yield the remainder of my time to the gentlewoman from 
New York, Ms. Clarke.
    Ms. Clarke. I would first like to thank both our Chairman 
Murphy and Ranking Member DeGette for having this hearing, and 
I would like to thank the gentleman from New Jersey, the 
ranking member of our full committee, Mr. Pallone, for yielding 
me time.
    I thank our witnesses for lending their expertise, time, 
and talent to today's Oversight and Investigations hearing.
    As you know, I was on the Homeland Security Committee for 
the past 8 years, and of those 8 years, I was ranking member of 
the Cybersecurity and Critical Infrastructure Subcommittee for 
4 years, and chairwoman for 2 years. Needless to say, this 
issue is extremely important to me, but more importantly, to 
our Nation. There is no doubt that we face a challenge of 
incredible proportions when it comes to cyber threats. 
Comprehensive and effective cybersecurity policy has always 
been a complicated endeavor, but in the face of the 
technological landscape that is constantly evolving and 
developing new mechanisms that threaten the integrity of our 
Nation's virtual presence, we stand in uncharted territory as 
we try to shape a government and corporate response that is 
effective, adaptable, and a step ahead of any threat we may 
encounter.
    We hear about a new breach in security or impending cyber 
threat almost daily, so it is inarguable that the time to set 
our House in order has come and it is now. The security of our 
Nation's cyber infrastructure and our response to cyber threats 
is not a partisan issue. We have to work together: Democrats 
and Republicans, government and private industry, academics and 
public advocates, to not only protect the privacy of our 
citizens, but also identify and respond to security threats. 
Ultimately, however, it is the expertise of today's witnesses, 
and many others across the cyber community, that will allow us 
to act in the best interests of our Nation.
    I look forward to listening to and learning from what 
today's witnesses have to share with us.
    I yield back to Ranking Member DeGette.
    Ms. DeGette. I yield back.
    Mr. Murphy. All right, thank you. Thank you.
    We are expecting votes from between 2:15 and 2:45, so we 
will move quickly through these questions. 2:45, 3:15? All 
right, 2:45, 3:15, so we should have plenty of time.
    So now let me introduce the witnesses on the panel for 
today's hearing. First, Dr. Herbert Lin, Senior Research 
Scholar for Cyber Policy and Security at the Center for 
International Security and Cooperation and a Senior Fellow at 
the Hoover Institution at Stanford University. His research 
relates broadly to policy-related dimensions of cybersecurity 
and cyberspace, and he is particularly interested in and 
knowledgeable about the use of offensive operations in 
cyberspace, especially as instruments of national policy. 
Welcome here, Dr. Lin.
    Next, Dr. Richard Bejtlich. I say that right?
    Mr. Bejtlich. Yes, sir.
    Mr. Murphy. Good. He is the chief security strategist at 
FireEye, Incorporated, and was Mandiant's chief security 
officer when FireEye was acquired by Mandiant in 2013. In this 
role, he empowers policymakers, international leaders, global 
customers, and concerned citizens to understand and mitigate 
digital risks through strategic security programs.
    Our third panelist is Dr. Greg Shannon, Chief Scientist for 
the CERT Program at the Software Engineering Institute at the 
Carnegie Mellon University. In this role, he is responsible for 
working with the director and SEI leadership to plan, develop, 
and implement research strategies, initiatives, and programs 
that further the mission of CERT and SEI, as well as 
developing, conveying, and executing innovative ideas for the 
Nation's cybersecurity research agendas. In addition, he was 
recently named chair of the Institute of Electrical and 
Electronics Engineers Cybersecurity Initiative.
    I will now swear in the witnesses. As you all are aware, 
the committee is holding an investigative hearing, and when 
doing so, has the practice of taking testimony under oath. Do 
any of you have objections to testifying under oath? Seeing no 
objections, the chair then advises you that under the rules of 
the House and the rules of the committee, you are entitled to 
be advised by counsel. Do any of you desire to be advised by 
counsel during your testimony today? And they have all 
indicated no. In that case, would you please rise and raise 
your right hand, I will swear you in.
    [Witnesses sworn.]
    Mr. Murphy. Thank you. All the witnesses answered in the 
affirmative. So you are now under oath and subject to the 
penalties set forth in Title XVIII, section 1001 of the United 
States Code. We will recognize you each for a 5-minute summary. 
The rules are press the button on the mic, pull it close to 
you. Watch for the red light, that means your time is up.
    Dr. Lin, you may begin.

 TESTIMONY OF HERBERT LIN, SENIOR RESEARCH SCHOLAR, CENTER FOR 
  THE INTERNATIONAL SECURITY AND COOPERATION, SENIOR FELLOW, 
HOOVER INSTITUTION, HARVARD UNIVERSITY; RICHARD BEJTLICH, CHIEF 
    SECURITY STRATEGIST, FIREEYE, INCORPORATED; AND GREGORY 
 SHANNON, CHIEF SCIENTIST, CERT PROGRAM, SOFTWARE ENGINEERING 
             INSTITUTE, CARNEGIE MELLON UNIVERSITY

                    TESTIMONY OF HERBERT LIN

    Mr. Lin. Mr. Chairman, members of the subcommittee, thanks 
for the opportunity to testify. Testimony today is personal, 
although my professional work informs it.
    Let me start with two definitions. Cyberspace is computers, 
smartphones, the Internet, stuff with computers inside them. It 
is also the information inside these things, and our dependence 
on all of this is growing.
    Here is a definition of cybersecurity that--with words like 
negative impact and bad guy. What is important here is that the 
definitions of these words are policy matters, and also 
cybersecurity isn't just technology. Economics, psychology, 
organizations, they all matter because they help to shape user 
behavior, which affects cybersecurity.
    On security, a computer in a sealed metal box, there is 
supposed to be a computer inside that one on the left. There is 
one on mine. And it is a sealed metal box, so I guess you can't 
see it. That is perfectly secure, but it is useless. OK. The 
one on the right is useful but potentially insecure because--it 
is useful because you get information in and out of it. You 
only want good data to get into it. That requires a judgment 
about what counts as good, and such judgments are fallible.
    Here is a network of nodes that represents the Internet. At 
each node there is another network or a computer. The Internet 
is designed with just one function really; to transport data 
from A to B without regard for what it means. Usefulness of the 
Internet comes from the computers that sit at the nodes, and 
this principle is what has really enabled the Internet to grow 
so quickly in the past. But if you believe in this principle, 
it also means that the network in the middle doesn't handle 
security. Many people want to put security in the middle, but 
that would violate this basic principle that has driven 
Internet growth and innovation, and also the change wouldn't 
entirely solve the cybersecurity problem. There are some 
exceptions to this description, but they don't really change 
the basic story.
    Complexity is the enemy of cybersecurity. What we want from 
our computers requires complex systems. We put components into 
a system. When the system is complex enough, nobody understands 
the system very well, and so the system, in fact, may not be 
secure. And here is an example of complexity at work. You have 
done this before, from a browser you type in the URL, like 
EnergyCommerce.House.gov, and then in less than a second the 
E&C Commerce site appears. OK. This is what is going on behind 
the scene. It is not worth going over each of these elements, I 
don't have time for it either, but at every one of these boxes, 
an adversary could interfere with your Web experience.
    Also, adversaries adapt, and here is an example from 
safecracking. Good guys don't get the last move here. When we 
put money in wooden boxes to protect them, robbers use axes. 
When we used metal safes to stop them, they drilled wedges 
between the door and the safe. When you put in step doors, they 
poured in nitroglycerine, and so on. And we still haven't 
entirely stopped bank robberies.
    The result of this is this chart. Over time, we get better 
at cybersecurity, that is the bottom line, but the top line, 
how much we depend on cyberspace and, therefore, how much the 
threat that we face has grown even faster, and that gap, 
therefore, is growing. The defenses of today would be good 
against the threats of 10 years ago, but the threat has changed 
too.
    This leads to conclusion one, which is that cybersecurity 
is a never-ending battle. You will not find a decisive solution 
forever, and so you have to find ways to manage it at an 
acceptable cost. This really leads to two questions: why bother 
with cybersecurity at all, and how can we manage the problem? 
On the why bother, here are some reasons. You deal with the 
unsophisticated threats, you make yourself less vulnerable so 
the bad guys go after the next guy rather than you. You can 
give the bad guy less time to do his dirty work, and you help 
law enforcement focus on the harder cases. OK. Second, why is 
it so hard to solve this as a policy problem? Well, the reason 
is that we want cybersecurity, but we want other good things as 
well. We want rapid innovation, and it is always faster to do 
something without attention to security. We want convenience on 
cybersecurity. It mostly gets in your way. How often have you 
been at a computer that you couldn't get on because you forgot 
a password? There is also interoperability, which means 
sometimes you can't fix a known security problem because you 
are afraid of damaging existing programs. And we want privacy 
for us but not the bad guys. That means when we try to collect 
data on the bad guys, sometimes we collect data inadvertently 
on the good guys. And the tradeoff is that we don't know how 
much inadvertent collection we should tolerate to gain 
security. Tradeoffs are unavoidable, and that means it makes 
consensus hard to reach. How do you do better? Well, part one 
is you reduce the gap between the average and the best, and 
part two is you reduce the gap between the best and what you 
actually need.
    So here is my summary of this, which is all in your--this 
is a one-page summary. And this reference, from which much of 
this testimony is drawn, I would like to incorporate that into 
the record of the hearing, if I may. And I think it has been 
distributed to members. So that is it. Thank you.
    [The prepared statement of Mr. Lin follows:]
  [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    [The attachment to Mr. Lin's testimony has been retained in 
committee files and can be found at http://docs.house.gov/
meetings/if/if02/20150303/103079/hhrg-114-if02-20150303-
sd006.pdf.]
    Mr. Murphy. Thank you.
    Now our next witness, go ahead, 5 minutes.

                 TESTIMONY OF RICHARD BEJTLICH

    Mr. Bejtlich. Chairman Murphy, Ranking Member DeGette, 
members of the committee, thank you for the opportunity to 
testify. I am Richard Bejtlich, Chief Security Strategist at 
FireEye. Today I will discuss briefly digital threats, how to 
think about risk, and some strategies to address these 
challenges.
    So first, who is the threat? We have discovered and 
countered nation-state actors from China, Russia, Iran, North 
Korea, Syria, and other countries. The Chinese and Russians 
tend to hack for commercial and geopolitical gain. The Iranians 
and North Koreans extend these activities to include disruption 
via denied service and sabotage using destructive malware. 
Activity from Syria relates to the regional civil war, and 
sometimes affects Western news outlets and other victims. 
Eastern Europe continues to be a source of criminal operations, 
and we worry about the conflict between Ukraine and Russia 
extending into the digital realm.
    I began by saying who is the threat, and that brings about 
threat attribution. Threat attribution, or identifying 
responsibility for a breach, depends on the political stakes 
surrounding an incident. For high-profile intrusions such as 
those in the news over the last few months, attribution has 
been a priority. National technical means, law enforcement, and 
counterintelligence can pierce anonymity. Some elements of the 
private sector have the right experience and evidence to assist 
with this process. So attribution is possible, but it is a 
function of what is at stake.
    So who is being breached? In March of 2014, the Washington 
Post reported that in 2013, federal agents, most often the FBI, 
notified more than 3,000 U.S. companies that their computer 
systems had been hacked. This count represents clearly 
identified breach victims. Many were likely compromised more 
than once. How do victims learn of a breach? In 70 percent of 
the cases, someone else, likely the FBI, tells a victim about a 
serious compromise. Only 30 percent of the time, the victims 
learn of the intrusions on their own. The median amount of time 
for when an intruder first compromises a victim to when the 
victim learns of a breach is currently 205 days. This means 
that, unfortunately for nearly 7 months after gaining initial 
entry, intruders are free to roam within victim networks.
    Well, what is the answer? Before talking about solutions to 
digital risk, we need to define it. Always ask risk of what. 
Are we talking about the risk of a teenager committing suicide 
due to cyberbullying, or the risk of a retiree's 401(k) being 
emptied due to electronic theft, or the risk of a week-long 
power outage due to state-sponsored attack? Step one is to 
define the risk, and step two is to measure progress by 
combining means and ways to achieve defined ends.
    To measure success, I recommend that a security team track 
the number of intrusions that occur every year, and you will 
see this in the FISMA report that was just released yesterday, 
although, honestly, it seemed buried in the report. So you want 
to count the number of intrusions per year, but more 
importantly, you want to measure the amount of time from when 
the intruder first gets into the enterprise to when someone 
notices, and when from someone notices to when you kick them 
out. And these are the metrics that I don't see recorded too 
often.
    It is also important to think in terms of how to define 
risk, and security professionals, like the ones at this table, 
tend to think in terms of threat, vulnerability, and cost. And 
we use a pseudo equation where risk is the product of threat, 
vulnerability, and cost. We are not trying to calculate a 
number; just show that, as you influence each one of these 
factors, you either raise risk or lower risk.
    So I think in general, there is a lot of attention paid to 
the vulnerability in a computer and an iPhone, that sort of 
thing, but we need to spend a lot of time as well on the threat 
and the cost. Law enforcement and counterintelligence are the 
primary means by which you can mitigate the threat. In an 
editorial for Brookings that I wrote, I asked what makes more 
sense; expecting two billion Internet users to adequately 
secure their personal information, or reducing the threat posed 
by the roughly 100 top tier malware authors? So that is the 
threat side.
    On the cost side, we need to think of ways to reduce the 
cost of dealing with a security breach, not only for companies 
but also for consumers. So we are seeing this in a couple of 
different areas. One step in place is the tokenization of 
payment card system data where you replace a credit card number 
with a string of numbers in its place. A second step would be 
eliminating the value of the social security number to identity 
thieves. I recommend reading the Electronic Privacy Information 
Center suggestions on effective social security legislation for 
some policy changes.
    In brief, defenders win when they stop intruders from 
achieving their objective. It is ideal to stop the adversary 
from entering the network, but that goal is increasingly 
difficult. I recommend you quickly detect the intrusion, 
respond to contain the adversary, and then kick them out.
    And finally, we must appreciate that the time to find and 
remove intruders is now. There is no point in planning for 
future theoretical breaches. If you were to hire me to be your 
chief security officer, the very first step I would take would 
be to hunt for intruders already in the network.
    I look forward to your questions.
    [The prepared statement of Mr. Bejtlich follows:]
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    Mr. Murphy. Thank you.
    Now, Dr. Shannon, you are recognized for 5 minutes.

                  TESTIMONY OF GREGORY SHANNON

    Mr. Shannon. Thank you. Thank you, Chairman Murphy, Ranking 
Member DeGette, and distinguished subcommittee members. I am 
honored to testify before you today on cyber threats and 
implications for the 21st century. I am Greg Shannon, the Chief 
Scientist for the CERT Division at the Software Engineering 
Institute, which is a DoD FFRDC operated by Carnegie Mellon 
University.
    To sustain and expand our economy, consumers and businesses 
need to trust the cyber infrastructure ecosystem upon which 
commerce and innovation now depend. Those ecosystems must also 
thwart capable adversaries who seek to execute economy-
disrupting cyber attacks. Today, in cyberspace, as noted 
before, there is no manner in which an entity, public or 
private, can fully protect itself without simultaneously 
eroding its own value. There are neither existing technologies 
nor any amount of money that would stop all serious cyber 
attacks, and allow for the efficient function of electronic 
commerce. We simply do not yet know how to do both.
    As technologists, what are we to do? In the short term, we 
need to push for more and better measurement of outcomes, as 
noted earlier: security successes as well as breaches. 
Collectively, if most everyone practices good cyber hygiene, we 
are unlikely to be undone by the weakest link; however, you 
cannot expect everyone to adopt a new idea without proof of 
efficacy, especially when implementation isn't free. The 
opportunity of measuring outcomes directly applies to two 
promising risk management frameworks, the NIST Cybersecurity 
Framework, and the Department of Energy's Cybersecurity 
Capability Maturity Model. Both of these frameworks are being 
measured for efficacy and will soon produce data telling us 
which practices matter. We need that feedback. The best-secured 
organizations continuously monitor how their performance 
correlates with their practices. Without meaningful feedback, 
the state-of-the-art cannot improve.
    In the medium-term, we need to improve access to data, 
specifically for security and privacy innovation. Cyber 
solutions are only as good as the data they are created from. 
And currently, researchers and developers have limited access 
to data, resulting in subpar solutions and slower innovation. 
Sadly, just this morning, I listened to research results based 
on a 15-year-old synthetic dataset with known serious 
limitations. Fortunately, I have also personally seen security 
innovation accelerated when scientists and engineers have 
access to good data; i.e., when modeling insider threats. If we 
can determine which subsets are essential for combatting those 
cyber threats, then less data would need to be shared, thereby 
possibly moderating privacy concerns.
    In the long-term, we need a coordinated national strategy 
to sustainably build trust and thwart our cyber adversaries. 
For example, we need to eliminate the possibility that a single 
weakness can threaten the economy. Considering computational 
and human energy as a barrier, it is possible to create and 
operate a strategically advanced cyber infrastructure that 
would require adversaries to expend exceptional energy in order 
to pose serious cyber threats to our economy. Today it takes 
only modest computing and human energy to find and execute 
economy-threatening attacks, creating an environment that 
favors the adversary by orders of magnitude. Given the energy 
we already expend on security defenses, we can optimize our 
energy investments to create a more robust defense, and 
simultaneously apply recent research results and new 
technologies that make the computational cost of finding and 
executing a compromise exceptionally high. In June, a DIMACS- 
and IEEE-sponsored workshop at Carnegie Mellon will discuss the 
technical foundations of this strategy. If we can create and 
operate a strategically advanced cyber infrastructure that 
requires adversaries to expend astronomical amounts of energy 
to find and execute economy-threatening attacks, then energy 
becomes the currency in which one traffics to protect or attack 
commerce around the world. Ultimately, access to energy could 
become a deterrent to economy-threatening cyber attacks.
    Over the last 45 years, we have created the Internet and a 
modern evolving 21st century economy. Paradoxically, our own 
innovation and collective success have created today's trust 
and resiliency challenges. Nevertheless, I am optimistic that 
over the next 45 years, we will make our 21st century economy 
fully trustworthy and resilient.
    Thank you.
    [The prepared statement of Mr. Shannon follows:]
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    Mr. Murphy. I thank all the panelists for their testimony. 
And now I am going to recognize myself for 5 minutes for 
questions.
    So we have heard a lot about the nature of cyber threats 
and cybersecurity. We heard it is very asymmetric, it favors 
those who wish to misbehave in cyberspace, and defenders have 
to spend a great deal of time and money and very complex 
systems all at once. So this is a question for any of you. Can 
this asymmetric imbalance be corrected to favor defenders 
instead of attackers? Any of you want to weigh in on that? Dr. 
Lin?
    Mr. Lin. Sure. I don't know if it will ever be able to 
favor the defense, but you can certainly make it a lot harder 
for the attackers. I think there is no question about that. I 
think all of my colleagues here basically said that, that we 
can do a much better job than we are doing now. For example, 
there are known technologies and known procedures, and so on, 
that we can deploy that will increase security, but we just 
don't use them, for a variety of reasons.
    Mr. Murphy. Anyone else want to weigh in on that before I 
go on to my next question?
    Mr. Bejtlich. Sir, just briefly, I could give you a 
tactical answer. The iPhone is an example of a more secure 
technology that people love, and the reason is Apple has an 
App Store that it polices closely; it is very difficult to get 
something malicious in there. So when you look at 
vulnerabilities on phones, there is a fraction of what is on 
Android as compared to Apple because Android is much more open, 
Apple is more closed. Now, if you want to be able to run 
whatever you want on your iPhone, you lose that, but it is more 
secure.
    At a more strategic level though, we have to realize that 
it does take effort for intruders to get their objectives done. 
It is not like a silver bullet attack where they press a button 
and the end of the world happens. We have seen intruders take 
days, weeks, even months, to get to the data that they need. So 
sometimes it is a question of your perspective as well.
    Mr. Murphy. So let me jump onto that and, Dr. Shannon, 
maybe you could follow this. So are there opportunities that we 
can increase the cost for the bad guys in doing business, so we 
can do some technical things, which you just described Apple 
does, but are there other things, perhaps legal or 
technological solutions that we can take steps on?
    Mr. Shannon. At the technological level, as I point out in 
my written testimony, there are some long-term research and 
development opportunities. Technology that is coming to 
fruition is becoming practical. Essentially, it makes the 
computations similar to--if you were to break the computation, 
it would be similar to breaking encryption. And so the goal is 
to make it so that database queries and remote computation in 
the Cloud are just as difficult to disrupt and compromise as 
encryption is to break. And these typically are encryption-based 
technologies, and hence, my comments about high energy, that 
the amount of energy it would take an adversary to compromise 
those systems, or to find a way to thwart those systems, would 
be comparable to breaking encryption.
    Mr. Murphy. Let me jump onto a different part here. So let 
us talk about the Internet of things. We are going to have all 
these things controlling parts of our lives, from running our 
dishwasher to opening and closing garage doors, turning the 
heat on and off, tracking where we are, finding where our kids 
are, is it possible to keep pace with these threats, and let 
alone increase the cost of attackers, as we are talking about 
here, to malicious actors? Dr. Lin, can you weigh in on that?
    Mr. Lin. Is it possible to do better than they are likely 
to do? Sure, but the problem is that getting stuff out first to 
market is an effort-intensive thing, and you don't want to put 
in effort to focus on security before you can get to market. 
And they do this for perfectly reasonable economic reasons, but 
it is very hard to get people to focus on cybersecurity in the 
absence of some sort of mandate before they have gotten the 
product out.
    Mr. Murphy. So that becomes something we can work on in 
Congress.
    Mr. Bejtlich. Sir, there is an opportunity here, and that 
is, with traditional security, you have been relying on a 
person to secure their computer. Someone who is not an expert, 
someone who is just a user. With a vendor, you have a 
centralized place where you could apply some pressure of a 
variety of means to get them to have their act together as far 
as, for example, securing my refrigerator. There is nothing I 
can really do to my refrigerator. It is not like my PC. So you 
can apply some pressure on the vendor to make sure that they 
have their act together.
    Mr. Murphy. OK. Let me ask one more question in my brief 
amount of time. Dr. Shannon, you referred to the importance of 
trust and trustworthy things. We want to be able to trust so 
many things that we are involved with: interstate commerce, 
energy, telecommunications, all the things within the 
jurisdiction of this committee. So let me go back here, if we 
were to redesign, if the Internet was starting up today, how 
would we design it differently to take care to have that trust, 
still have something that is accessible, but is secure?
    Mr. Shannon. A big part of it is to look at the ecosystem 
that actually creates the components for the environment, the 
software, the hardware. Part of the challenge is that there is 
a very large shared base, and those systems have been created 
in an insecure manner. And so it provides ample opportunities 
for adversaries to work their way into, and they really create 
the opportunity to steal the private data and to bring down a 
banking site, or whatever. So that is where the real 
opportunity is if you designed it properly from the beginning.
    Mr. Murphy. Thank you.
    Ms. DeGette, you are recognized for 5 minutes. My time is 
up.
    Ms. DeGette. Thanks, Mr. Chairman. As I mentioned in my 
opening statement, the Federal Government and also private 
businesses have been targeted by cybercriminals, and I talked 
about Target, I talked about Home Depot, JP Morgan Chase, the 
health insurer Anthem. From the Federal Government side, also 
we have had substantial attacks. In July of 2013, there were 
hackers who stole social security numbers and other information 
from over 100,000 employees at the Department of Energy, for 
just one example.
    So, Mr. Bejtlich, I heard a number that seems high, but if 
you add all these together, the number I heard is that over 100 
million Americans could potentially be at risk from these cyber 
attacks. Does that number sound plausible to you?
    Mr. Bejtlich. Yes, just given the Anthem hack alone, close 
to 80 million records including social security numbers. So you 
get to 100 million pretty quickly.
    Ms. DeGette. Yes. And so typically what companies do is 
they tell people they can have a year of free credit monitoring 
if they have had their data stolen. Do you think that is 
sufficient, or do we need to explore additional remedies?
    Mr. Bejtlich. I concur that that is not sufficient. I don't 
want to blame the victims in this case, but I was personally 
affected by the Anthem hack, as was my family, so the ability 
to recover from that doesn't exist in our system. It does exist 
for something like a credit card number. We have all had credit 
cards stolen and not suffered that much damage, but it is a 
whole other ballgame when you are dealing with social security 
numbers and other data.
    Ms. DeGette. And do you have some ideas what we could do, 
aside from giving people free credit monitoring?
    Mr. Bejtlich. Well, I think the first thing is to go 
through an exercise that says what data exists, and what 
happens when that data is in an intruder's hands, in a criminal's 
hands, what can be done with that data. And if there is no 
friction from having the data to opening a new line of credit, 
getting a mortgage, whatever it is, we need to introduce some 
friction there, whether it is some type of physical agreement 
that has to be passed through the mail, or something that makes 
it more difficult for the intruder, and allows the victim to 
know something is going on here and not just wait until you 
have gotten an adverse credit report.
    Ms. DeGette. Yes, and is that something that you think 
Congress should be involved in?
    Mr. Bejtlich. It is not my place to say what you should do, 
I believe, but I do think we need more industries thinking in 
terms of what happens to data post-breach, because I agree with 
your statement that we are either post-breach or pre-breach for 
most organizations.
    Ms. DeGette. Right. Right, and I mean what you are saying 
is, if somebody hasn't had their data stolen, it is likely that 
they will have their data stolen, correct?
    Mr. Bejtlich. Some data, yes, of some type. As we have all 
heard, more of our data is out there.
    Ms. DeGette. So do you think it might make sense to let 
consumers lock their credit down with credit agencies? Do you 
think that might be one solution?
    Mr. Bejtlich. Ma'am, I am not an expert in the credit 
system, although my understanding of the current system is that 
that is not an easy proposition. I think we may need to look at 
something that would allow that to happen, for example, I have 
young children, there is no reason for them to have any credit 
taken out in their name until there is some type of formal 
approval.
    Ms. DeGette. And that was my next question: that would be 
one thing that would be easy to do. Is there some other way we 
can protect children from early identity theft?
    Mr. Bejtlich. I do know that the act of credit monitoring, 
and this has come out through the disclosures that I have 
received as a victim of some of these cases, the act of trying 
to do credit monitoring, or to do a credit check for a child 
makes them more likely, or makes it easier for an intruder to 
use their identity. So that seems like a situation that needs 
to be changed.
    Ms. DeGette. So I have one more question for anybody who 
wants to answer it. My staff here recently--you met with Sysco?
    Voice. Citigroup.
    Ms. DeGette. Citigroup? Citigroup. And they did a test on 
their own systems, and what they found was that these breaches 
were actually interactive. So they could breach one machine and 
then it would actually morph when it went to the next machine. 
It would actually change. And so that is the sophistication 
they are getting now. What can we do to start trying to protect 
against those sorts of breaches? Anybody.
    Mr. Shannon. Well, the cyber threat analysis is a key part 
of that in terms of being able to track an adversary, and track 
their TTPs, their tools, techniques and procedures, so that 
once you realize there is a breach, you realize what the next 
step for that adversary might be. And it is about using the 
cyber intelligence----
    Ms. DeGette. Do we have the ability to do that now?
    Mr. Shannon. There are commercial organizations that 
actually do that. I believe that is part of what you guys do 
for your bread and butter.
    Mr. Lin. The problem that you have described is what is 
known as a perimeter defense, and once you have breached the 
perimeter of an organization, you can do anything you want 
inside. Most organizations believe that they just erect a big 
enough of perimeter on the outside and they are safe, but they 
are not. And so organizations have to learn to practice and 
operate as though they had already been penetrated, and getting 
them to do that is a tough thing to do.
    Ms. DeGette. Thank you.
    Thank you, Mr. Chairman.
    Mr. Murphy. Thank you. They have called a vote, early as it 
is. So what we are going to--no, I guess it is on time. So what 
we are going to do is take a break. Don't go far because as 
soon as Members come back--I know Mr. McKinley ran so he will 
beat me back, so we can just continue on as soon as we get back 
here and have a chair. So don't wander far, we will be right 
back. Thank you.
    [Recess.]
    Mr. McKinley [presiding]. Now that we have some balance 
here, we can continue. And so we will continue the hearing. I 
believe I am the next questioner. So thank you very much for 
your patience on that, and now that we have a balanced panel, 
we can continue.
    I am trying to follow some of the hyperbole that goes on 
in Washington often about cybersecurity, terrorism, debt, 
climate change, I was interested in the last few days the--Lee 
Hamilton with the 9/11 Commission came out and said the biggest 
threat facing America is not ISIS, but cyber attacks. The FBI 
director said it is the greatest threat to national security. 
And the director of national intelligence, Clapper, said that 
the online assaults undermine U.S. national security.
    Do you agree that that is one of our biggest threats if not 
the biggest threat that we face is the issue we are talking 
about here today? Each of you, just kind of a yes or no.
    Mr. Shannon. It is clearly a big threat. I think given that 
many other threats will result in direct loss of life, I think 
in the cyber arena it is pretty hard to make a compelling case 
based on experience to date. Is the potential there? 
Absolutely, but it is not, thank God, it hasn't manifested 
itself on a regular basis like it has in other areas.
    Mr. Bejtlich. Sir, I tend to think in terms of the actor, 
so cyber is a vector and a target, but at the end of the day, 
there is someone behind it, whether we are talking about the 
Russians or someone else, and I think that is why DNI Clapper 
elevated the Russian threat as above the China threat right 
now. The Russian threat is seen as more acute. It is linked to 
geopolitical events. It could be seen as a potential response 
to activity that is going on in Ukraine, whereas the activity 
from China is more stealing secrets and it is more of a chronic 
issue. So I tend to think in terms of who is it that we worry 
about, and less the way that they are going to do it.
    Mr. McKinley. OK. Dr. Lin?
    Mr. Lin. I would agree with my two colleagues here, that it 
is one of the biggest threats. I would have a hard time 
thinking that it is worse than a nuclear weapon going off----
    Mr. McKinley. Sure.
    Mr. Lin [continuing]. Improvised nuclear weapon going off, 
you know. I----
    Mr. McKinley. But if I could just continue with that 
because if it is a threat, and I think of small businesses, the 
Mildred Schmidt who lives next door to you, lives next door to 
me, she has no idea that she has been hacked, and they are 
getting into her information. I think if small companies--like 
my former company, that we did business with the Federal 
Government, and people could hack into my computer, and by 
virtue of that, get into the Federal computers. So we know it 
is out there. But what I did not like was, I guess it was, Mr. 
Bejtlich, something in your testimony, you said it may take 7 
months before we know they are in there. This thing is just so 
broad, are we spending too much attention trying to focus on 
prevention and keeping actors out, or is there a better way to 
address this, because we seem like we may be shortening the 
time frame. Is this the best thing we should be doing?
    Mr. Shannon. Yes, that is certainly a concern. I mean we 
want to be able to build better infrastructure. You know, I am 
part of the Software Engineering Institute, part of our goal is 
to develop better methodologies for creating software 
assurance, and part of the challenges, as we were discussing 
during the break, is that the libraries that are out there that 
developers use, there are 15 million C programmers in the 
world, and they all go to places like GitHub and other open-
source repositories to get a lot of their code, or to look at 
the code to see how it is done. And that code hasn't been 
hardened.
    Mr. McKinley. But Doctor, how do we deal with the small 
businesses that can't afford to build in all the software 
protection? How do we deal with that?
    Mr. Shannon. You want to provide a national asset where 
they can go to and get that as a given. If you provide 
repositories where there are already pre-hardened components, 
the developers would be using that if they are going to 
actually do some development. That----
    Mr. McKinley. Well----
    Mr. Shannon [continuing]. Is part of the benefit of 
ecosystems like iOS. Developers go there and they already know 
that they are using components that have been tested and 
approved.
    Mr. McKinley. Tested, OK.
    Mr. Bejtlich. I think insurance----
    Mr. McKinley. Mr. Bejtlich, it looks like you--OK, you 
wanted to say something?
    Mr. Bejtlich. Sorry, sir. I think insurance is also going 
to play a much greater role here. It is important to think in 
terms of--cyber is unique in some senses but in other cases it 
is not. So there are plenty of other real-world elements we can 
bring to bear on this, and insurance would be one of them. 
There is no reason for your small business to go out of 
business because of a hack if you can buy a policy that would 
help you recover from that.
    Mr. McKinley. Dr. Lin?
    Mr. Lin. And I would say that there is a role for a single 
one-stop shopping for help if you have a computer security 
problem, that it would be helpful if your small business owner 
could know who to call. The problem with something like that is 
that what is going on in this person's computer is a very 
individual thing and there are going to be problems in 
responding, but at least people should be able to get help, and 
right now there isn't any good way to do that.
    Mr. McKinley. OK. So my time has run out on that, but thank 
you very much for that. I hope we can pursue that a little bit 
further.
    Now, who do we have next? Our chairman is back.
    Mrs. Blackburn, 5 minutes.
    Mrs. Blackburn. Thank you, sir. I appreciate that, and I 
appreciate the patience that you all are showing by hanging 
with us as we are back and forth to the floor and different 
things.
    Let me pick up right where Mr. McKinley left off. And as I 
said in my opening, that when you look at cyberspace, it is a 
place now where our information actually resides. Our virtual 
you lives there. And what we hear from constituents is how do I 
protect this, why can't they do something to make this safer? 
As my colleagues have heard me repeatedly say, there is nothing 
that women hate more than a peeping Tom, and they don't like 
them looking at their networks and their pictures and their 
photos and their passwords, and things of this nature, and the 
way they feel that violation is something that we hear about. 
So what I would like to hear from you all, and, Dr. Lin, you 
just alluded to this, when you said people want to know where 
to get help. So what do you see as a group of best practices 
that should be there for companies and their virtual space, 
whether they are a click business or a brick and mortar 
business, and then talk a little bit about B to C, and how 
businesses deal with consumers and inform and educate them as 
to what they are doing to make that virtual marketplace, and 
prohibit incursions in cyber.
    So let us start and just go down the line. We have 3 
minutes, and I would like about 30 seconds from each of you on 
it.
    Mr. Lin. One thing that businesses can do with respect to 
the consumers is to be more transparent about the ways in which 
they protect data and are willing to use it. Many companies are 
less than fully transparent in the ways in which they----
    Mrs. Blackburn. So how they are crunching the data----
    Mr. Lin. That is correct.
    Mrs. Blackburn [continuing]. And what they are pulling from 
it, and go ahead and get permissions on the frontend.
    Mr. Lin. Well, that is right, and to be fully disclosive 
about what they are actually going to----
    Mrs. Blackburn. OK.
    Mr. Lin [continuing]. What they could do with it.
    Mrs. Blackburn. OK.
    Mr. Bejtlich. I would like to hear about the steps they 
take to protect data. Lots of times you hear, well, we can't 
talk about that because it will show too much to the adversary. 
I really don't believe that. I would like to know, for example, 
that my bank has an incident response team, that they exercise 
at regular intervals, they are staffed with these people that 
you may have heard of in the press. That, to me, would give me 
some comfort that they are taking that seriously.
    Mrs. Blackburn. OK.
    Mr. Shannon. I think, actually, the marketplace has an 
opportunity to make this decision. I have seen some startups 
coming out that are promoting security higher to the users. And 
so if the company can indicate we are making things maybe a 
little more inconvenient for you, but it also makes it 
extremely more inconvenient for the hacker.
    Mrs. Blackburn. Dr. Shannon, why do you think companies 
have not done that?
    Mr. Shannon. Well, because they see it as an impediment to 
their profit loss, they want to retain users, they want to make 
their services easy to use, and so they haven't been forced to, 
essentially, admit that----
    Mrs. Blackburn. But then their customers become very 
angry----
    Mr. Shannon. That is correct.
    Mrs. Blackburn [continuing]. When there is an incursion.
    Let me--and it is Mr. Bejtlich, right? Am I saying that 
right?
    Mr. Bejtlich. Bejtlich. Thank you.
    Mrs. Blackburn. Bejtlich. OK. I am close. That works. OK, 
let us see, Mandiant's M-Trends 2015 report, something that 
caught my eye there was that you could have some malicious 
activity and a malicious actor on your system for 205 days. 
That was the average before it was discovered. And I found this 
so interesting because we had a company in my district there 
around Nashville that had a major breach this year, and the 
amount of time that the bad actor was on the system and then 
moved the information to a different system before they 
exported it and left----
    Mr. Bejtlich. Right.
    Mrs. Blackburn [continuing]. The country with it. So do you 
concur with that 205 days, or is there a different--I know you 
all do a lot of remediation work, so----
    Mr. Bejtlich. Right. That is absolutely our number. That is 
based----
    Mrs. Blackburn. OK.
    Mr. Bejtlich [continuing]. On our consulting work from last 
year. It is down from the year before which--we are moving in 
the right direction, but 7 months is still way too high.
    Mrs. Blackburn. I agree with you.
    And with that, I yield back. Thank you, Mr. Chairman.
    Mr. Murphy. Now recognize Mr. Collins for 5 minutes.
    Mr. Collins. Thank you, Mr. Chairman. I want to thank you 
for coming in today to testify. The last Congress, I was the 
subcommittee chairman of Health and Technology on small 
business. I had a hearing on cybersecurity, and I don't think 
we can say this too often to small business, there is a threat 
to them, there is a threat to their very existence. And so 
maybe today we could just, Mr. Bejtlich, continue this 
discussion more as a PR to small business.
    What I found was most small businesses are naive to the 
threat. They operate under, ``it won't happen to me.'' They are 
going to go after Target or Citibank or someone, they are not 
coming after my small business, which, in fact, and maybe you 
could expand on this, I think many of these folks see small 
businesses as the easy way into bigger companies. If they are a 
supplier to General Electric, if they are a supplier to a big 
company, an attacker can get into that small supplier and work 
through their connection to get through the supply chain, so to 
speak. But what we found was the staggering percentage of 
businesses that are out of business within 12 months of a data 
breach. It threatens their very existence because as, and you 
can expand on this really as well, if someone gets into their 
employee information, they have to provide credit insurance for 
that employee for some extended period of time, and that is out 
of their pocket, but also if a big corporation finds that that 
supplier was the access point, guess what, that big company is 
not going to buy from that supplier. If the customers find out, 
as we have seen, their data has been breached, they are not 
going to shop at that store.
    So we are trying to say, and alert to small business--most 
of them don't have security policies, cybersecurity policies, 
they are sloppy with passwords, and they are just begging to be 
the target. So I don't know if you would want to just expand on 
a little bit of what I just said to--the warning to small 
businesses----
    Mr. Bejtlich. Sure.
    Mr. Collins [continuing]. It can happen to you, and if it 
does----
    Mr. Bejtlich. I totally agree. The thing you should do as a 
small business is to say, first, what do we have that somebody 
else wants. That includes data as well as the money itself. I 
mean we have seen cases where ACH transfers of money just 
straight out the door and that is it, but it is also what data 
do we have, and what would be the consequences if that data 
were stolen. And then you have to go through the exercises of, 
well, how would that happen? Does it only take, say, an e-mail 
from the CEO that looks fake, that authorizes the money to be 
transferred out of our account. We have seen that happen as 
well. And once you figure out, OK, what do we have, what could 
happen to it, now you want to introduce friction into that 
system that would not make it easy for an intruder to carry 
that out. It could be something as simple as you have an e-mail 
address, and if that single e-mail is taken over by a bad guy, 
they could reset all your passwords, they could take over your 
bank account, so you want to make sure what are we doing to 
protect that.
    A lot of this is just sort of thinking this through, just 
as you would estate planning or that sort of thing.
    Mr. Collins. You would think it is commonsense, but it is 
not where you are worried about getting an order, getting it 
shipped, paying your bills, and it is just the thought that it 
can't happen to me. We have found so many companies, they don't 
even have a basic policy on passwords where many people use the 
same password at 100 different Internet sites. That way, they 
only have to remember one. But then these folks will get into 
that one, and then in a very short period of time, they can 
bounce that password into any number of other sites, and lo 
and behold it hits. And the next thing you know, they are into 
that small business. They don't know it, as you pointed out. 
They are either taking their money, but worse yet, they are 
stealing customer information, IP, they are accessing the 
vendors and other customers. So to me, it starts with, you have 
to understand it can happen to you, number two, have a basic 
policy. We even published, when I was on the Small Business 
Committee, some dos and don'ts and the like, and just as an 
alert to small businesses who think it is only big companies. 
So you are confirming that small businesses are very much a 
target of the cyber----
    Mr. Bejtlich. Yes, sir. And I would add, talk to your bank 
and find out what can a bank do to tell you if something 
suspicious is happening. What is their policy, could they give 
you an alert of some kind, could you ask for a phone 
verification, an in-person verification. Put this friction in 
place so that it is not easy for a bad guy to steal all your 
money.
    Mr. Collins. Yes, because they are out there.
    Mr. Bejtlich. That is right.
    Mr. Collins. Thank you, Mr. Chairman. I yield back.
    Mr. Murphy. Gentleman yields back.
    Now recognize Mr. Green of Texas for 5 minutes.
    Mr. Green. Thank you, Mr. Chairman. And I want to thank our 
witnesses. I apologize for the goings and comings of the members 
because we had votes today. I guess for this hearing, the good 
news is that Homeland Security will stay in business.
    But as we all know, last month, with the health insurer, 
Anthem, disclosed a significant breach of up to 80 million of 
its customers and employees. It is my understanding that the 
breach does not involve any credit or banking information, nor 
is there evidence at this time that any medical 
information was obtained. While I appreciate the steps Anthem 
has taken to make it right with their customers, I do have some 
general questions on cybersecurity in the healthcare sector.
    Dr. Shannon, is there any reason to believe that the 
healthcare industry is more vulnerable than other sectors to 
these type of data breaches, and do we have any reason to 
believe that the health sector is underinvesting in 
cybersecurity protections?
    Mr. Shannon. No, I think with the HIPAA Act that that has 
pretty much incented them to making investments.
    Mr. Green. Which--that was in 1996, so----
    Mr. Shannon. Well, and that is really what has driven a lot 
of the cybersecurity thinking in that sector for the last 15 
years. So I think similar to other organizations, they are 
investing. Fortunately, they are typically large organizations, 
so they often have resources and can--it is not quite the small 
business challenge that----
    Mr. Green. Yes.
    Mr. Shannon [continuing]. We just heard.
    Mr. Green. OK. Mr. Bejtlich?
    Mr. Bejtlich. Healthcare is definitely a target. They are 
not as well defended as the top tier. The top tier tends to be 
the defense companies and the financial sector. So yes, there 
is definitely an issue there.
    Mr. Green. OK. Mr. Bejtlich, a different question. Is the 
health sector a particularly attractive target to hackers 
seeking to sell that personally identifiable information in the 
black market because, even though they didn't get maybe medical 
records, but they get social security numbers and everything 
else. Is that----
    Mr. Bejtlich. Yes, and one way, sir, we can measure that is 
how much does that sort of information sell for? You can get 
credit cards from $1 to $10, maybe a little bit more for an 
Amex or something like that, but if you are looking at a 
healthcare record with a social security number and such, you 
are looking at $300 perhaps. And so clearly, that information 
is more valuable.
    Mr. Green. Who are the potential buyers for that kind of 
information?
    Mr. Bejtlich. It is not something we spend a lot of time on 
at Mandiant FireEye, although there are Eastern European 
criminal groups that apparently want to trade in that. I don't 
know if they are trading it in bulk or individually. There 
is some thought that they trade for that information because it 
is so durable. You can change your credit card, you can't 
change a social security number.
    Mr. Green. OK. Could stolen medical data be used to falsely 
bill for medical services, such as Medicaid or Medicare?
    Mr. Bejtlich. That is not an area that we work, but I have 
heard of that, yes.
    Mr. Green. OK. I thank you. I would like to move the issue 
of notification of the patients in the event of a breach of 
medical information. Under current law, healthcare entities 
must provide notification of breaches of unsecured protected 
health information. Health information is considered unsecured 
essentially if it is not encrypted. Covered entities must 
notify affected individuals of a breach of unsecured protected 
health information within 60 days following the discovery of 
the breach. I think it is important to note that healthcare 
entities and medical information are already governed by a set 
of federal guidelines. I would like to ask all three panelists 
an open question about applying these standards. First, if you 
have 60 days to notify them, the cat is already out the door, 
it seems like, if you have that much time. Are there some basic 
standards such as encryption of certain data, or breach 
notification standards, that we may want to consider adopting 
as part of a federal cybersecurity guideline or national 
standard?
    Mr. Lin. One----
    Mr. Shannon. One--go ahead.
    Mr. Lin. One can certainly imagine mandates, well, 
encouragement for healthcare companies to protect their data. 
Internally, for example, you can do encryption of data even 
when it is within your system.
    Mr. Green. Yes.
    Mr. Lin. Theft of laptops has historically been an 
important vector where people steal information. If you encrypt 
the data on the laptop, it is a good thing. I caution that 
encryption is a costly--not costly, but I mean it is great--
that results in greater inconvenience for the companies, and so 
they are going to complain about such mandates.
    Mr. Shannon. One of the challenges with regulations is that 
it encourages a compliance mentality, and I think we would all 
agree that compliance mentalities do not usually improve 
security dramatically. That is why I would encourage the 
healthcare industry to look at the NIST Cybersecurity Framework 
as a basis for managing cybersecurity risks, as opposed to 
compliance as the real driver.
    Mr. Bejtlich. And I would briefly like to encourage those 
companies to first look to see if there are intruders already 
in your network, and secondly, to have someone test to see how 
difficult it is for them to get into your network, and then act 
on the results.
    Mr. Green. OK. Thank you, Mr. Chairman. I yield back my 
time.
    Mr. Murphy. Thank you.
    I know Mr. Mullin was on his way, but that may be it for 
the hearing. I really want to thank you. This is valuable 
information, and let me--do you have any final closing comments 
you want to make? First, Ms. DeGette.
    Ms. DeGette. I think this is a good scene-setter for our 
future hearings, and I would just advise the--I know, Mr. 
Chairman, you will let people know that people might give 
written questions after this hearing. I know some of the 
Members on our side wanted to come back but they got stuck 
after the vote. So we appreciate your wisdom and you may have 
some written questions coming after this. Thank you. I yield 
back.
    Mr. Murphy. I thank you. And we will probably be calling 
upon your expertise. We thank you for taking time out, and for 
the caliber of this. We will be dealing with a number of 
serious issues in this committee. Dr. Burgess is on this 
subcommittee, he is also chairman of Commerce, Manufacturing, 
and Trade legislation risk committee, but also Mr. Walden is 
chairman of Communications and Technology, we have the Energy 
and Power Committee, they have the Health Subcommittee, all 
of these things here will be dealing with some multiple levels. 
The way I like to review it is we have the dot-coms, the dot-
mils, the dot-govs, the dot-orgs, the dot-edus. Have I left 
anything out? We have to do what the committee--the dot-Greens, 
the dot-Tex, whatever. But thank you so much for this. To that 
end, I ask unanimous consent that the Members' written opening 
statements be introduced into the record. So without objection, 
the documents will be entered into the record, including the 
one that you have, Dr. Lin.
    And in conclusion, I want to thank all the witnesses and 
Members that participated in today's hearing. I remind Members 
they have 10 business days to submit questions to the record, 
and I ask that all witnesses agree to respond promptly to the 
questions. Thank you so much.
    And with that, this committee is adjourned.
    [Whereupon, at 3:41 p.m., the subcommittee was adjourned.]
    [Material submitted for inclusion in the record follows:]

                 Prepared statement of Hon. Fred Upton

    Last December, in the wake of the Sony breach, I announced 
that the committee would hold a series of hearings to examine 
the growing cyber threats to electronic commerce and the 
American economy. That effort is now underway.
    So much of our daily existence depends on the Internet and 
information technologies that collectively comprise cyberspace. 
These technologies have brought tremendous convenience, 
opportunity, and prosperity to the United States and nations 
across the globe. They inspire innovation, freedom of 
expression, and international and cultural engagement. They 
continue to revolutionize the way we communicate, learn, 
innovate, govern, and interact with the world around us.
    At the same time, cyberspace has introduced us to new 
challenges. For the same reason a business in Michigan can 
reach customers across the globe, an unknown bad actor can 
target that business' intellectual property, customer 
information, or operations. The consequences and costs of such 
a breach can be significant, yet the costs of launching the 
attack, and consequences for failure, are minimal. As a result, 
the incentives strongly favor the bad guys--and they will keep 
coming, keep evolving--while the good guys struggle to keep 
pace.
    As more of our lives are entrusted to cyberspace, the 
threats will continue to grow. Already, barely a day goes by 
where we do not learn of a new breach or potential 
vulnerability. With everything from health records to toasters 
increasingly integrated into cyberspace, the challenge can 
appear daunting.
    We will hear today that there is no easy solution to the 
cyber threat. It exists for the same fundamental reasons that 
the Internet, information technology, and cyberspace provide 
benefit to society--that is, that the Internet remains an open 
system accessible to anyone who wants access. This may sound 
frightening or overwhelming, but I suggest it presents an 
opportunity. Today we have an opportunity to reframe our 
understanding of this challenge, to develop a level of context 
and perspective that so often gets lost in debates over 
specific incidents, policy issues, or legislation.
    I encourage my colleagues to embrace this opportunity. 
Let's learn from this discussion so we can approach 
cybersecurity with fresh perspective and a common understanding 
of the challenges it presents.
    Cyberspace has been, and will continue to be, an engine of 
economic, social, and cultural opportunity. We need to 
understand the nature and scope of the threat to the security 
of information in cyberspace, and develop an understanding of 
how to address these threats without jeopardizing the 
fundamental benefits that cyberspace provides.
    This hearing is just the beginning as our work continues.
    
                              ----------                              

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]