[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
BOLSTERING THE GOVERNMENT'S CYBERSECURITY:
LESSONS LEARNED FROM WANNACRY
=======================================================================
JOINT HEARING
BEFORE THE
SUBCOMMITTEE ON OVERSIGHT &
SUBCOMMITTEE ON RESEARCH AND TECHNOLOGY
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
__________
June 15, 2017
__________
Serial No. 115-17
__________
Printed for the use of the Committee on Science, Space, and Technology
Available via the World Wide Web: http://science.house.gov
______
U.S. GOVERNMENT PUBLISHING OFFICE
26-234PDF WASHINGTON : 2017
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HON. LAMAR S. SMITH, Texas, Chair
FRANK D. LUCAS, Oklahoma EDDIE BERNICE JOHNSON, Texas
DANA ROHRABACHER, California ZOE LOFGREN, California
MO BROOKS, Alabama DANIEL LIPINSKI, Illinois
RANDY HULTGREN, Illinois SUZANNE BONAMICI, Oregon
BILL POSEY, Florida ALAN GRAYSON, Florida
THOMAS MASSIE, Kentucky AMI BERA, California
JIM BRIDENSTINE, Oklahoma ELIZABETH H. ESTY, Connecticut
RANDY K. WEBER, Texas MARC A. VEASEY, Texas
STEPHEN KNIGHT, California DONALD S. BEYER, JR., Virginia
BRIAN BABIN, Texas JACKY ROSEN, Nevada
BARBARA COMSTOCK, Virginia JERRY MCNERNEY, California
GARY PALMER, Alabama ED PERLMUTTER, Colorado
BARRY LOUDERMILK, Georgia PAUL TONKO, New York
RALPH LEE ABRAHAM, Louisiana BILL FOSTER, Illinois
DARIN LaHOOD, Illinois MARK TAKANO, California
DANIEL WEBSTER, Florida COLLEEN HANABUSA, Hawaii
JIM BANKS, Indiana CHARLIE CRIST, Florida
ANDY BIGGS, Arizona
ROGER W. MARSHALL, Kansas
NEAL P. DUNN, Florida
CLAY HIGGINS, Louisiana
------
Subcommittee on Oversight
HON. DARIN LaHOOD, Illinois, Chair
BILL POSEY, Florida DONALD S. BEYER, JR., Virginia, Ranking Member
THOMAS MASSIE, Kentucky
GARY PALMER, Alabama JERRY MCNERNEY, California
ROGER W. MARSHALL, Kansas ED PERLMUTTER, Colorado
CLAY HIGGINS, Louisiana EDDIE BERNICE JOHNSON, Texas
LAMAR S. SMITH, Texas
------
Subcommittee on Research and Technology
HON. BARBARA COMSTOCK, Virginia, Chair
FRANK D. LUCAS, Oklahoma DANIEL LIPINSKI, Illinois
RANDY HULTGREN, Illinois ELIZABETH H. ESTY, Connecticut
STEPHEN KNIGHT, California JACKY ROSEN, Nevada
DARIN LaHOOD, Illinois SUZANNE BONAMICI, Oregon
RALPH LEE ABRAHAM, Louisiana AMI BERA, California
DANIEL WEBSTER, Florida DONALD S. BEYER, JR., Virginia
JIM BANKS, Indiana EDDIE BERNICE JOHNSON, Texas
ROGER W. MARSHALL, Kansas
LAMAR S. SMITH, Texas
CONTENTS
June 15, 2017
Witness List
Hearing Charter
Opening Statements
    Statement by Representative Darin LaHood, Chairman, Subcommittee on Oversight, Committee on Science, Space, and Technology, U.S. House of Representatives
        Written Statement
    Statement by Representative Donald S. Beyer, Jr., Ranking Member, Subcommittee on Oversight, Committee on Science, Space, and Technology, U.S. House of Representatives
        Written Statement
    Statement by Representative Ralph Abraham, Vice Chairman, Subcommittee on Research and Technology, Committee on Science, Space, and Technology, U.S. House of Representatives
        Written Statement
    Statement by Representative Daniel Lipinski, Ranking Member, Subcommittee on Research and Technology, Committee on Science, Space, and Technology, U.S. House of Representatives
        Written Statement
    Statement by Representative Lamar S. Smith, Chairman, Committee on Science, Space, and Technology, U.S. House of Representatives
        Written Statement
Witnesses:
    Mr. Salim Neino, Chief Executive Officer, Kryptos Logic
        Oral Statement
        Written Statement
    Dr. Charles H. Romine, Director, Information Technology Laboratory, National Institute of Standards and Technology
        Oral Statement
        Written Statement
    Mr. Gregory J. Touhill, CISSP, CISM; Brigadier General, USAF (ret); Adjunct Professor, Cybersecurity & Risk Management, Carnegie Mellon University, Heinz College
        Oral Statement
        Written Statement
    Dr. Hugh Thompson, Chief Technology Officer, Symantec
        Oral Statement
        Written Statement
Discussion
Appendix I: Answers to Post-Hearing Questions
    Dr. Charles H. Romine, Director, Information Technology Laboratory, National Institute of Standards and Technology
    Mr. Gregory J. Touhill, CISSP, CISM; Brigadier General, USAF (ret); Adjunct Professor, Cybersecurity & Risk Management, Carnegie Mellon University, Heinz College
    Dr. Hugh Thompson, Chief Technology Officer, Symantec
Appendix II: Additional Material for the Record
    Statement submitted by Representative Eddie Bernice Johnson, Ranking Member, Committee on Science, Space, and Technology, U.S. House of Representatives
BOLSTERING THE GOVERNMENT'S CYBERSECURITY:
LESSONS LEARNED FROM WANNACRY
----------
Thursday, June 15, 2017
House of Representatives,
Subcommittee on Oversight and
Subcommittee on Research and Technology
Committee on Science, Space, and Technology,
Washington, D.C.
The Subcommittees met, pursuant to call, at 10:05 a.m., in
Room 2318 of the Rayburn House Office Building, Hon. Darin
LaHood [Chairman of the Subcommittee on Oversight] presiding.
Chairman LaHood. The Subcommittee on Oversight and the
Subcommittee on Research and Technology will come to order.
Without objection, the Chair is authorized to declare a
recess of the Subcommittee at any time.
Good morning, and welcome to today's hearing titled
``Bolstering the Government's Cybersecurity: Lessons Learned
from WannaCry.'' I recognize myself for five minutes for an
opening statement.
I want to welcome the witnesses here today, and I would
also welcome Chairman Smith, Oversight Subcommittee Ranking
Member Beyer, Research and Technology Subcommittee Vice
Chairman Abraham, Research and Technology Ranking Member
Lipinski, Members of the Subcommittees, our expert witnesses,
and members of the audience.
Cybersecurity--a concept we hear mentioned frequently,
especially in this period of rapidly emerging threats--is an
ever-evolving concept. Maintaining an effective cybersecurity
posture requires constant vigilance as new threats emerge and
old ones return. Too often, however, when we hear about the
importance of cybersecurity, we are left without concrete steps
to take to ensure our systems are best positioned to defend
against emerging threats.
One of the goals of today's hearing is to learn about real,
tangible measures the government can take to ensure its IT
security systems are appropriately reinforced to defend against
new and emerging threats, including novel and sophisticated
ransomware threats.
The specific focus of today's hearing will be the recent
WannaCry ransomware attack, a new type of ransomware infection,
which affected over one million unique systems last month in a
worldwide attack that impacted nearly every country in the
world.
Although the concept of ransomware is not new, the type of
ransomware employed by WannaCry was novel. WannaCry worked by
encrypting documents on a computer, instructing victims to pay
$300 in Bitcoin in order to regain access to their user's
documents. Unlike typical forms of ransomware, however,
WannaCry signaled the ushering in of a new type of worming
ransomware, which caused the attack to spread faster and more
rapidly with each new infection.
In light of the novelty built into WannaCry's method of
attack, cybersecurity experts, including those we will hear
from today, have expressed significant concerns that WannaCry
is only a preview of a more sophisticated ransomware infection
that many believe will inevitably be launched by hackers in the
near future.
Beginning May 12, 2017, the WannaCry ransomware infection
moved rapidly across Asia and Europe, eventually hitting the
United States. The attack infected 7,000 computers in the first
hour and 110,000 distinct IP addresses in 2 days and in almost
100 countries, including the U.K., Russia, China, Ukraine, and
India. Experts now believe WannaCry affected approximately 1 to
2 million unique systems worldwide prior to activating the kill
switch.
In Illinois, my home state, Cook County's IT systems were
compromised by WannaCry, reportedly one of a few local
governments subject to the attack. Although Cook County has
worked to appropriately patch their systems, it is important
that we ensure that all vulnerabilities are appropriately
remedied in the event of a more sophisticated attack.
Fortunately, the hackers responsible for WannaCry
mistakenly included a kill switch, which was uncovered by an
employee of Kryptos Logic and used to terminate the attack. The
Kryptos Logic employee exploited a key mistake made by the
hackers when he registered the domain connected to the
ransomware attack. Experts estimate that the kill switch
prevented 10 to 15 million unique worldwide system infections
and reinfections.
Although based on information available thus far the
federal government's systems were fortunately spared from
WannaCry, we want to ensure that the government is sufficiently
prepared in the likely event of a more sophisticated attack.
Additionally, the Committee wants to hear what Congress can
do to appropriately address this Committee--I'm sorry--this
climate of new and improving cybersecurity threats.
Through the lens of the aftermath of WannaCry, today's
witnesses will help shed light on key steps the government
should take to ensure its systems are protected. We will also
hear today about how public-private partnerships are an
instrumental tool to help bolster the government's
cybersecurity posture. Finally, we will learn about how the
President's recent cybersecurity order, which makes NIST's
cybersecurity framework mandatory on the Executive Branch, is a
significant step toward ensuring the federal government's
cybersecurity posture incorporates the most innovative security
measures to defend against evolving threats.
It is my hope that our discussions here today will
highlight areas where improvement is necessary, while offering
recommendations as we move forward to ensure the federal
government is prepared to respond to emerging cybersecurity
threats. I look forward to hearing from our distinguished
witnesses.
[The prepared statement of Chairman LaHood follows:]
Chairman LaHood. I now recognize the Ranking Member of the
Oversight Subcommittee, Mr. Beyer, for an opening statement.
Mr. Beyer. Thank you very much, Mr. Chairman. I'd like to
thank you and Chairman Comstock for holding this hearing.
Cybersecurity should be a chief concern for every
government, business, and private citizen. In 2014, the Office
of Personnel Management's information security systems, and two
of the systems used by OPM contractors, were breached by state-sponsored
hackers, compromising the personal information of
millions of Americans. That same year, hackers released the
personal information of Sony Pictures executives, embarrassing
e-mails between Sony Pictures employees, and even copies of
then-unreleased Sony movies. In 2015, hackers also took control
of the power grid in western Ukraine and shut off power for
over 200,000 residents. These three quick examples show the
varied and widespread effects of cybersecurity breaches.
So we know the cybersecurity breach that was the genesis
for this hearing was the WannaCry outbreak. WannaCry ransomware
infected at least 300,000 computers worldwide, and could have
been much worse, so I want to thank CEO Neino, head of Kryptos
Logic, for being wise enough to find an employee who found that
kill switch, unless you did it yourself. And we're very lucky
that that was found quickly, and we are fortunate that federal
systems were resistant to WannaCry. But we know we may not be
as lucky the next time. We must continue to strengthen our
cybersecurity posture.
By the way, in preparing for this, I've learned from our
wonderful staff that I really need to upload our security
upgrades every time we get a chance on our personal computers
and on our smartphones.
The May 11th Executive Order on strengthening the
cybersecurity of federal networks seeks to build on the Obama
Administration's successes in the cybersecurity arena, and I'm
happy that the Trump Administration--I don't agree with them on
every topic--but they've taken this next good step. The
Executive Order calls for a host of actions and a myriad of
reports on federal cybersecurity from every government agency.
Simultaneously, the Trump Administration has been slow to
fill newly vacant positions in nearly every government agency,
and my concern is that understaffed agencies are going to have
significant difficulty meeting the dictates of the Executive
Order. Frankly, I'm also concerned that proposed budget cuts in
the original Trump-Mulvaney budget across all agencies will
make the task a lot harder to strengthen the security of
federal information systems. We've got to make sure that the
federal government has the resources and staffing to meet the
need in this vital area.
The Executive Order also calls for agencies to begin using
the NIST Framework for cybersecurity efforts, and I'm glad that
we have NIST here with us today. They play a very important
role in setting cybersecurity standards that could help thwart
and impede cyber-attacks.
You know, NIST is world renowned for its expertise in
standards development, and federal agencies will be well served
by using the NIST Framework. On a precautionary note, though, I
believe some efforts to expand NIST's cybersecurity role beyond
their current mission and expertise are well intentioned but
perhaps misplaced. We recently had a debate of H.R. 1224 here,
the ``NIST Cybersecurity Framework, Assessment, and Auditing
Act of 2017,'' which gives NIST auditing authority for all
federal civilian information systems. Currently, this is a
responsibility of the Inspector Generals at each agency. They
have the statutory authority, the experience, the expertise.
They respond directly, responsible to Congress. NIST has no
such experience or expertise, and I at least remain concerned
about this proposal, and I'd be interested in any of the expert
witnesses' thoughts on NIST's role in cybersecurity and
auditing.
So I look forward to hearing from all of you today. I
especially look forward to hearing from our General, the former
federal CISO, about his experience in these positions and
thoughts.
One final note. Bloomberg reported this week that the
Russian meddling in our electoral system was far worse than
what's been previously reported. According to the report,
hackers attempted to delete or alter voter data, accessed
software designed to be used by poll workers, and, in at least
one instance, accessed a campaign finance database. These
efforts didn't need to change individual votes in order to
influence the election, and we really should take these sorts
of cyber threats very seriously. I think Vice President Cheney
called this a war on our democracy.
So Mr. Chairman, this Committee held more than a half dozen
hearings on cybersecurity issues during the last Congress,
including one on protecting the 2016 elections from cyber and
voting machine attacks, so given what we now know about the
hacking and meddling in 2016, I hope that this hearing today
will be a precursor to more hearings on how we can better
protect our voting systems.
Mr. Chairman, thank you so much, and I yield back.
[The prepared statement of Mr. Beyer follows:]
Chairman LaHood. Thank you, Mr. Beyer, for your opening
statement.
I now recognize the Vice Chair of the Research and
Technology Subcommittee, Mr. Abraham, for an opening statement.
Mr. Abraham. Thank you, Mr. Chairman.
Over the last few years, we've seen an alarming increase in
the number and intensity of our cyber-attacks. These attacks by
cyber criminals and by unfriendly governments have compromised
the personal information of millions of Americans, jeopardized
thousands of our businesses and their employees, and threatened
interruption of critical public services.
The recent WannaCry ransomware attack demonstrates that
cyber-attacks are continuing to go from bad to worse. This most
recent large-scale cyber-attack affected more than one to two
million systems in more than 190 countries. Nevertheless, it
appears that the impact could have been much more catastrophic
considering how fast that ransomware spread.
And while organizations and individuals within the United
States were largely unscathed, due in part to a security
researcher identifying a web-based ``kill switch,'' the
potential destructiveness of WannaCry warns us to expect
similar attacks in the future. Before those attacks happen, we
need to make sure that our information systems are very ready.
During a Research and Technology Subcommittee hearing
earlier this year, a witness representing the U.S. Government
Accountability Office--the GAO--testified, and I quote, ``Over
the past several years, GAO has made about 2,500
recommendations to federal agencies to enhance their
information security programs and controls. As of February
2017, about 1,000 recommendations had not been implemented.''
It is clear that the status quo in federal government cyber
security is a virtual invitation for more cyber-attacks. We
must take strong steps in order to properly secure our systems
and databases before another cyber-attack like WannaCry happens
and puts our government up for ransom.
On March 1, 2017, this Committee approved H.R. 1224, the
NIST Cybersecurity Framework, Assessment, and Auditing Act of
2017, a bill that I introduced as part of my ongoing interest
over the state of our nation's cybersecurity. This bill takes
concrete steps to help strengthen federal government
cybersecurity. The most important steps are encouraging federal
agencies to adopt the National Institute of Standards and
Technology's (NIST) Cybersecurity Framework, which is used by
many private businesses, and directing NIST to initiate
individual cybersecurity audits of priority federal agencies to
determine the extent to which each agency is meeting the
information security standards developed by the Institute.
NIST's in-house experts develop government-wide technical
standards and guidelines under the Federal Information Security
Modernization Act of 2014. And NIST experts also developed,
through collaborations between government and private sector,
the Framework for Improving Critical Infrastructure
Cybersecurity that federal agencies are now required to use
pursuant to the President's recent Cybersecurity Executive
Order. I was very pleased to read that language.
Considering the growing attempts to infiltrate information
systems, there is an urgent need to assure Americans that all
federal agencies are doing everything that they can to protect
government networks and sensitive data. The status quo simply
is not working. We can't put up with more bureaucratic excuses
and delays.
NIST's cyber expertise is a singular asset. We should take
full advantage of that asset, starting with the very important
step of annual NIST cyber audits of high priority federal
agencies.
As cyber-attacks and cyber criminals continue to evolve and
become more sophisticated, our government's cyber defenses must
also adapt in order to protect vital public services and shield
hundreds of millions of Americans' confidential information.
We will hear from our witnesses today about lessons learned
from the WannaCry attack and how the government can bolster the
security of its systems. We must keep in mind that the next
cyber-attack is just around the corner, and it could have a far
greater impact than what we have seen thus far. Our federal
government--our government systems need to be better protected,
and that starts with more accountability, responsibility, and
transparency by federal agencies.
Thank you, and I look forward to hearing our panel.
[The prepared statement of Mr. Abraham follows:]
Chairman LaHood. Thank you, Mr. Abraham.
I now recognize the Ranking Member of the Research and
Technology Subcommittee, my colleague from Illinois, Mr.
Lipinski, for an opening statement.
Mr. Lipinski. Thank you, Chairman LaHood, and I want to
thank you and Vice Chair Abraham for holding this hearing on
cybersecurity and lessons learned from the WannaCry ransomware
attack last month.
The good news is that U.S. government information systems
were not negatively impacted by the WannaCry attack. This was a
clear victory for our cyber defenses. However, I believe there
are lessons to be learned from successes as well as failures. A
combination of factors likely contributed to this success,
including getting rid of most of our outdated Windows operating
systems, diligently installing security patches, securing
critical IT assets, and maintaining robust network perimeter
defenses.
As we know, Microsoft sent out a security patch for this
vulnerability in March, two months before the WannaCry attack.
These and other factors played a role in minimizing damage to
U.S. businesses as well. However, WannaCry and its impact on
other countries serves as yet another reminder that we must
never be complacent in our cybersecurity defenses. The threats
are ever evolving, and our policies must be robust yet flexible
enough to allow our defenses to evolve accordingly.
The Federal Information Security Modernization Act, or
FISMA, laid out key responsibilities for the security of
civilian information systems. Under FISMA, DHS and OMB have
central roles in development and implementation of policies as
well as in incident tracking and response. NIST develops and
updates security standards and guidelines both informing and
responsive to the policies established by OMB. Each agency is
responsible for its own FISMA compliance, and each Office of
Inspector General is required to audit its own agency's
compliance with FISMA on an annual basis. We must continue to
support agencies in their efforts to be compliant with FISMA
while conducting careful oversight.
In 2014, NIST released the Cybersecurity Framework for
Critical Infrastructure, which is currently being updated to
Framework Version 1.1. While it is still too early to evaluate
its full impact, it appears the Framework is being widely used
across industry sectors.
Our Committee recently reported out a bipartisan bill, H.R.
2105, that I was pleased to cosponsor, that would ensure that
the Cybersecurity Framework is easily usable by our nation's
small businesses. I hope we can get it to the President's desk
quickly. In the meantime, the President's recent cybersecurity
Executive Order directs federal agencies to use the Framework
to manage their own cybersecurity risk. As we have heard in
prior hearings, many experts have called for this step, and I
applaud the Administration for moving ahead.
I join Mr. Beyer in urging the Administration to fill the
many vacant positions across our agencies that would be
responsible for implementing the Framework as well as
shepherding the myriad reports required by the Executive Order.
Finally, I will take this opportunity to express my
disappointment in the Administration's budget proposal for
NIST. The top-line budget cut of 25 percent was so severe that
if it were implemented, NIST would have no choice but to reduce
its cybersecurity efforts. This represents the epitome of
penny-wise, pound-foolish decision making. NIST is among the
best of the best when it comes to cybersecurity research and
standards, and our modest taxpayer investment in their efforts
helps secure the information systems not just of our federal
government, but our entire economy. I trust that my colleagues
will join me in ensuring that NIST receives robust funding in
the fiscal year 2018 budget and doesn't suffer the drastic cut
requested by the President.
Thank you to the expert witnesses for being here this
morning, and I look forward to your testimony. I yield back.
[The prepared statement of Mr. Lipinski follows:]
Chairman LaHood. Thank you, Mr. Lipinski.
At this time I now recognize the Chairman of the full
Committee, Mr. Smith.
Chairman Smith. Thank you, Mr. Chairman. I appreciate your
holding this hearing as well as the Research and Technology
Subcommittee Vice Chairman sitting next to me, Ralph Abraham,
for holding the hearing as well.
In the wake of last month's WannaCry ransomware attack,
today's hearing is a necessary part of an important
conversation the federal government must have as we look for
ways to improve our federal cybersecurity posture. While
WannaCry failed to compromise federal government systems, it is
almost certain that outcome was due in part to a measure of
chance.
Rather than seeing this outcome as a sign of bulletproof
cybersecurity defenses, we must instead increase our vigilance
to better identify constantly evolving cybersecurity threats.
This is particularly true since many cyber experts predict that
we will experience an attack similar to WannaCry that is more
sophisticated in nature, carrying with it an even greater
possibility of widespread disruption and destruction. Congress
should not allow cybersecurity to be ignored across government
agencies.
I am proud of the work the Committee has accomplished to
improve the federal government's cybersecurity posture. During
the last Congress, the Committee conducted investigations into
the Federal Deposit Insurance Corporation, the Internal Revenue
Service, and the Office of Personnel Management, as well as
passed key legislation aimed at providing the government with
the tools it needs to strengthen its cybersecurity posture.
President Trump understands the importance of bolstering
our cybersecurity. He signed a recent Executive Order on
cybersecurity, which is a vital step towards ensuring the
federal government is positioned to detect, deter, and defend
against emerging threats.
Included in the President's Executive Order is a provision
mandating that Executive Branch departments and agencies
implement NIST's Cybersecurity Framework. While continuously
updating its Cybersecurity Framework, NIST takes into account
innovative cybersecurity measures from its private-sector
partners. NIST's collaborative efforts help to ensure that
those entities that follow the Framework are aware of the most
pertinent, effective, and cutting-edge cybersecurity measures.
I strongly believe the President's decision to make NIST's
Framework mandatory for the federal government will serve to
strengthen the government's ability to defend its systems
against advanced cyber threats like with the recent WannaCry
ransomware attack.
Similarly, the Committee's NIST Cybersecurity Framework,
Assessment, and Auditing Act of 2017, sponsored by
Representative Abraham, draws on findings from the Committee's
numerous hearings and investigations related to cybersecurity,
which underscore the immediate need for a rigorous approach to
protecting U.S. cybersecurity infrastructure and capabilities.
Like the President's recent Executive Order, this
legislation promotes federal use of the NIST Cybersecurity
Framework by providing guidance that agencies may use to
incorporate the Framework into risk mitigation efforts.
Additionally, the bill directs NIST to establish a working
group with the responsibility of developing key metrics for
federal agencies to use.
I hope that our discussions here today will highlight
distinct areas where cybersecurity improvement is necessary,
while offering recommendations to ensure cybersecurity
objectives stay at the forefront of our national security
policy discussions.
And with that, I'll yield back, Mr. Chairman.
[The prepared statement of Chairman Smith follows:]
Chairman LaHood. Thank you, Chairman Smith.
At this time let me introduce our witnesses here today.
Our first witness is Mr. Salim Neino, Founder and Chief
Executive Officer of Kryptos Logic. Mr. Neino is credited with
discovering new solutions for companies such as IBM, Dell,
Microsoft, and Avaya. He received his bachelor's degree in
computer science from California State University at Long
Beach. A Kryptos Logic employee, as we've discussed, in the
U.K. is credited with largely stopping the WannaCry attack.
We'll hear more about that during Mr. Neino's testimony today.
Our second witness today is Dr. Charles Romine, Director of
the Information Technology Laboratory at NIST. Dr. Romine
received both his bachelor's degree in mathematics and his
Ph.D. in applied mathematics from the University of Virginia.
Our third witness, Mr. Touhill, is a retired Brigadier
General in the United States Air Force. He is currently an
Adjunct Professor of Cybersecurity and Risk Management at
Carnegie Mellon University. Previously, he was chosen by
President Obama to serve as the Nation's Chief Information
Security Officer. Mr. Touhill received his bachelor's degree
from Penn State University and a master's degree in systems
management and information systems from the University of
South--I'm sorry--Southern California.
And our final witness today is Dr. Hugh Thompson, Chief
Technology Officer for Symantec. Dr. Thompson also serves as an
Advisory Board Member for the Anti-Malware Testing Standards
Organization and on the Editorial Board of IEEE Security and
Privacy magazine. Dr. Thompson received his bachelor's degree
and master's degree and Ph.D. in applied mathematics from the
Florida Institute of Technology.
We're glad you're all here today and look forward to your
valuable testimony. I now recognize Dr. Neino for five minutes
to present his testimony.
TESTIMONY OF MR. SALIM NEINO,
CHIEF EXECUTIVE OFFICER,
KRYPTOS LOGIC
Mr. Neino. Thank you, Chairman. Chairman LaHood, Vice
Chairman Abraham, Chairman Smith, Ranking Member Beyer, and
Ranking Member Lipinski, thank you for the opportunity to
appear before you today at this joint Subcommittee hearing. We
greatly appreciate your interest in cybersecurity and look
forward to sharing our thoughts and perspectives with you and
your members.
On May 12, 2017, Kryptos Logic identified a high-velocity,
high-impact global security threat with the immediate potential
to cause an immeasurable amount of damage. While the intent of
this threat was unclear and its motives and origins ambiguous,
it was immediately evident that its approach was unusually
reckless. This threat has now popularly become known as
``WannaCry.'' It was at this time that Marcus Hutchins, our
Director of Threat Intelligence for Kryptos Logic's Vantage,
our breach monitoring platform, notified me of our team's
active monitoring of the developing situation. On this date at
approximately 10:00 a.m. Eastern time, while investigating the
code of WannaCry, we identified what looked like an anti-
detection mechanism, which tested for the existence of a
certain random-looking domain name. Our team proceeded to
register the domain associated to this mechanism and directed
it to one of the sinkholes controlled by and hosted on the
Kryptos Logic network infrastructure. We then noticed and
confirmed that the propagation of the WannaCry attack had come
to a standstill because of what we refer to as its kill switch
having been activated by our domain registration.
While our efforts effectively stopped the attack, and
prevented WannaCry from continuing to deploy its ransom
component, we knew that by then the attack had already
propagated freely for many hours, at minimum. Based on the
velocity of the attack, estimated by sampling data we collected
from our infrastructure currently blocking the attack, we
believe that anywhere between 1 and 2 million systems may
have been affected in the hours prior to activating the kill
switch, contrary to the widely reported and more conservative
estimate of 200,000 systems.
One month after registering the kill-switch domain, we have
mitigated over 60 million infection attempts. Approximately 7
million of those were in the United States, and we estimate that
these could have impacted at minimum 10 to 15 million unique
systems.
I will note that the largest attack we thwarted and
measured to date from WannaCry was not on May 12th or 13th when
the attack started, but began suddenly on June 8th and 9th on a
well-funded hospital in the east coast of the United States. It
is very likely the health system is still unaware of the event.
We measured approximately 275,000 thwarted infection attempts
within a 2-day period. Another hospital was also hit on May
30th in another part of the country. A high school in the
Midwest was just hit at the beginning of June 9th.
Presumably every system at this location would have had its
data held hostage if not for Kryptos Logic's kill switch.
Moreover, Kryptos Logic has been under constant attack by
unidentified attackers attempting to knock our systems offline,
thus disabling the kill switch and further propagating the
attack. The earliest of these attacks came from the well-known
Mirai botnet which took down large portions of the United
Kingdom, Germany and parts of the East Coast of the United
States earlier this year. Despite these attempts, our systems
remained resilient and we increased counter-intelligence
measures to mitigate the amplitude of the attacks against us.
We believe the success of WannaCry illustrates two key
facts about our nation's systems: Vulnerabilities exist at
virtually every level of our computer infrastructure, ranging
from operating systems to browsers, from media players to
Internet routers. Exploiting and weaponizing such
vulnerabilities has a surprisingly low entry barrier: anyone
can join in, including rogue teenagers, nation states, and
everyone in between.
So, how do we adapt and overcome/mitigate these weaknesses?
While many cybersecurity experts who have come before me offer
the usual gloomy ``there are no silver bullets,'' I've had the
opportunity to play on both fronts; on offense, via penetration
testing and red team competitions, and on defense, providing
protection to Global 100 organizations with very high
enterprise risks. Our attack responses must be more agile and
with higher velocity and intensity.
While the nation has considerable literature on risk,
maturity models and various frameworks, the actual resources
for cyber defense are scarce as there simply is not presently
an adequate level of highly skilled, highly experienced, and
highly available operators in the cybersecurity field. While
there is no shortage of good ideas which claim to be able to
solve an infinite number of problems, every subsequent idea
needs development, support, testing, maintenance, et cetera,
all of which we characterize as developer debt.
Unfortunately, many of these solutions take too long to
procure and end up being outdated and essentially useless
before the ink dries on the paper it is written on. I am
optimistic, however, that there is a successful path and
strategy forward. Application and software-level mitigations
which protect against the exploitation techniques used by
hackers have moved the needle to protect against exploitation
of the very fabric on which we build our defense assumptions.
Mitigations, albeit incomplete, are nonetheless effective and
have increased the cost of identifying vulnerabilities in
systems and developing programs to exploit them. Other
mitigations include various design approaches like
compartmentalization of data, systems and transmissions. Such
mitigations have measurably raised the bar required for mass
exploitation in critical communications software like Internet
browsers, web servers, and other protocols which are
fundamental to business continuity.
Investing in technology doesn't necessarily guarantee any
actual improvement. In fact, one could argue that introducing
more technology stack exacerbates the maintenance debt and
creates immediate monetary loss because there are few metrics
or analytics to actually measure the effectiveness of any
particular technology. This is because we are typically years
behind the attack in terms of the sword and shield battle.
As these resources ebb and flow, knowledge gaps are created
by the loss of domain knowledge specialists, who cannot
immediately be replaced.
We also must be less risk averse in terms of the defensive
operations we undertake, more open to failure, and ready to
adapt and learn from these failures. We need a stronger focus
on threat modeling and fire-drill simulations that will be
focused on the events of a magnitude which would cause
significant damage. A significant response with the WannaCry
incident was that there was no real guidance or course of
action that was well communicated. The media focused on the
points contrary to defense--whodunit?--and this incident could
have resulted in a complete breakdown of processes had this
been an unpatched zero-day vulnerability and there was no
luxury of a kill switch.
The largest success, though incomplete, was the ability for
the FBI and the NCSC of the United Kingdom to aggregate and
disseminate the information Kryptos Logic provided so that
affected organizations could respond. Information sharing can
be valuable but our framework can be vastly improved by
triaging cybersecurity threats and events of magnitude in a
clear and repeatable scale, not too dissimilar to the Richter
scale, which measures the energy released in an earthquake.
Likewise, a scale that takes the technical and social elements
of a threat into account to evaluate its destructive power
enables first responders--us--to better organize and mobilize
focus on the most important areas of risk.
While there do exist various scoring systems for evaluating
the purely technical element of a threat, they fall short in
terms of clear and actionable information outside of
information technology. We focus too much on application-
specific vulnerabilities with abstruse names like MS17-010, and
none of these values are effective in quantifying the overall
impact potential of a wider global environment. We need an
easier-to-grasp method of prioritizing threats that have a
large-scale destructive potential in context, like WannaCry.
To this end, once we have determined a method to evaluate
the risks with respect to the aforementioned technical and
contextual specifics, we can do--we can apply the appropriate
mitigations.
In conclusion, one of the largest issues is the transitory
nature of a crisis. The message of the destructive potential of
these attacks and the importance of awareness of them still has
not resonated. We think this can be explained simply by the
fact organizations are too slow to adapt to such a volatile
landscape, there is a vast human resource shortage, and little
by way of metrics to demonstrate return on investment in
defensive technologies.
Again, I thank the Subcommittee for inviting me to appear
today to discuss Kryptos Logic's involvement in lessons learned
for WannaCry, and I welcome the opportunity to answer any
questions you may have when they're fielded.
[The prepared statement of Mr. Neino follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairman LaHood. Thank you, Mr. Neino.
I now recognize Dr. Romine for five minutes to present his
testimony.
TESTIMONY OF DR. CHARLES H. ROMINE, DIRECTOR,
INFORMATION TECHNOLOGY LABORATORY, NATIONAL
INSTITUTE OF STANDARDS AND TECHNOLOGY
Dr. Romine. Chairmen LaHood and Abraham, Chairman Smith,
Ranking Members Beyer and Lipinski, and members of the
Subcommittees, thank you for the opportunity to appear before
you today to discuss NIST's key roles in cybersecurity and how
they relate to recent incidents.
In the area of cybersecurity, NIST has worked with federal
agencies, industry and academia since 1972, starting with the
development of the Data Encryption Standard when the potential
commercial benefit of this technology became clear.
NIST's role to research, develop, and deploy information
security standards and technology to protect the federal
government's information systems against threats to the
confidentiality, integrity, and availability of information and
services was recently reaffirmed in the Federal Information
Security Modernization Act of 2014.
NIST provides resources to assist organizations in
preventing or, at least, quickly recovering from ransomware
attacks with trust that the recovered data are accurate,
complete, and free of malware, and that the recovered system is
trustworthy and capable. NIST's Guide for Cybersecurity Event
Recovery provides guidance to help organizations plan and
prepare for recovery from a cyber event and integrate the
processes and procedures into their enterprise risk management
plans. The Guide discusses hypothetical cyber-attack scenarios
including one focused on ransomware and steps taken to recover
from the attack.
Three years ago, NIST issued the Framework for Improving
Critical Infrastructure Cybersecurity, or the Framework. The
Framework, created through tight collaboration between industry
and government, consists of voluntary standards, guidelines and
practices to promote the protection of critical infrastructure.
In the case of WannaCry and similar ransomware, the
Framework prompts decisions affecting infection by the
ransomware, propagation of the ransomware, and recovery from
it. While the Framework does not prescribe a baseline of
cybersecurity for organizations, for instance, a baseline that
would have prevented WannaCry, it does prompt a sequence of
interrelated cybersecurity risk management decisions, which
should help prevent virus infection and propagation and support
expeditious response and recovery activities.
On May 11th, President Trump signed Executive Order 13800,
Strengthening the Cybersecurity of Federal Networks and
Critical Infrastructure, which mandated federal agencies to use
the Framework. Under the Executive Order, every federal agency
or department will need to manage their cybersecurity risk by
using the framework and provide a risk management report to the
Director of the Office of Management and Budget and to the
Secretary of Homeland Security.
On May 12th, NIST released a draft interagency report, the
Cybersecurity Framework Implementation Guidance for Federal
Agencies, which provides guidance on how the Framework can be
used in the United States Federal Government in conjunction
with the current and planned suite of NIST security and privacy
risk management standards, guidelines and practices developed
in response to the Federal Information Security Management Act,
as amended, or FISMA.
Another NIST resource that can assist system administrators
in protecting against similar future attacks is the most recent
release of the NIST National Software Reference Library, or
NSRL. The NSRL provides a collection of software from various
sources and unique file profiles, which is most often used by
law enforcement, government, and industry organizations to
review files on a computer by matching the profiles in the
system.
NIST maintains a repository of all known and publicly
reported IT vulnerabilities such as the one exploited by the
WannaCry malware. The repository, called the National
Vulnerability Database, or NVD, is an authoritative source of
standardized information on security vulnerabilities that NIST
updates dozens of times daily. NIST analyzes and provides a
common severity metric to each identified security
vulnerability.
NIST recently initiated a project at our National
Cybersecurity Center of Excellence, or NCCOE, on data integrity
specifically focused on recovering from cyber-attacks.
Organizations will be able to use the results of the NCCOE
research to recover trusted backups, roll back data to a known
good state, alert administrators when there is a change to a
critical system, and restore services quickly after a WannaCry-
like cyber-attack.
NIST is extremely proud of its role in establishing and
improving the comprehensive set of cybersecurity technical
solutions, standards, and guidelines to address cyber threats
in general and ransomware in particular.
Thank you for the opportunity to testify today on NIST's
work in cybersecurity and in preventing ransomware attacks. I'd
be happy to answer any questions that you may have.
[The prepared statement of Dr. Romine follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairman LaHood. Thank you, Dr. Romine.
I now recognize Mr. Touhill for five minutes to present his
testimony.
TESTIMONY OF MR. GREGORY J. TOUHILL, CISSP, CISM;
BRIGADIER GENERAL, USAF (RET);
ADJUNCT PROFESSOR, CYBERSECURITY & RISK MANAGEMENT,
CARNEGIE MELLON UNIVERSITY, HEINZ COLLEGE
General Touhill. Thank you. Good morning, Chairman LaHood,
Chairman Smith, Vice Chairman Abraham, Ranking Member Beyer,
Ranking Member Lipinski, and members of the Committee. Thank
you very much for the opportunity to appear today to discuss
cyber risk management.
I'm retired Air Force Brigadier General Greg Touhill. I
currently serve on the faculty of Carnegie Mellon University's
Heinz College, where I instruct on cybersecurity and risk
management. Prior to my current appointment, I served as the
United States Chief Information Security Officer, and before
that in the United States Department of Homeland Security,
where I served as the Deputy Assistant Secretary for
Cybersecurity and Communications. During that period, I also
served as the Director of the National Cybersecurity and
Communications Integration Center, which is commonly referred
to by its acronym, NCCIC.
During my Air Force career, I served as one of the Air
Force's first cyberspace operations officers, and I currently
maintain both the Certified Information Systems Security
Professional and Certified Information Security Manager
professional certifications.
Cybersecurity is a risk management issue. However, many
people mistakenly view it solely as a technology concern.
Cybersecurity indeed is a multidisciplinary risk management
issue and is an essential part of an enterprise risk management
program.
I recognize we have a very full agenda of topics today, and
I'm sensitive to your time. I have submitted for the record a
written statement, and in that statement, I discuss the recent
WannaCry attack and my assessment of how future attacks may
impact the public and private sectors. In short, I view
WannaCry as a slow-pitched softball whereas the next one may be
a high-and-tight fastball coming in. We need to be ready.
I also discuss and share recommendations on topics the
Committee has identified for today's agenda including the
President's recent Cybersecurity Executive Order, public and
private sector partnerships, the Cybersecurity Framework, and
proposed legislation. In short, on that I urge the Congress to
continue its great efforts to strengthen our enterprise risk
posture. I urge you to authorize and empower the federal Chief
Information Security Officer position, which currently is not
an authorized or specified position. I also suggest that
instead of calling it the NIST Cybersecurity Framework--and I'm
a huge fan of this Framework--I suggest we start calling it the
National Cybersecurity Framework to reinforce the fact that it
applies to everyone, and further, NIST did a brilliant job in
crowdsourcing the development of this framework but it was
really people from around the country that brought to the table
best practices. NIST was a great trail boss for this but it
really is a national cybersecurity framework.
And then finally, in regards to the proposed H.R. 1224
legislation, I congratulate the Committee and the Members of
the Congress for taking the initiative to really reinforce the
need to implement the Framework across the federal government.
I do suggest, based upon my experience in both the military
and the government sectors of the federal government, that we
do two things with that Act. One is we amend that Act to make
it apply to national security systems as well. Having served
extensively in the military and in the federal government, I
believe that the National Cybersecurity Framework applies
equally to national security systems, and I recommend that you
make that amendment. Further, I concur with my colleagues who
suggest that let's leverage the Inspector General and auditing
communities that are currently in the different departments and
agencies and reinforce their need to conduct appropriate audits
using that Cybersecurity Framework.
Again, I thank you for inviting me to discuss cyber risk
management with you today, and I look forward to addressing any
questions you may have.
[The prepared statement of General Touhill follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairman LaHood. Thank you, Mr. Touhill.
I now recognize Dr. Thompson for five minutes to present
his testimony.
TESTIMONY OF DR. HUGH THOMPSON,
CHIEF TECHNOLOGY OFFICER, SYMANTEC
Mr. Thompson. Good morning. Thanks for having me, and
Chairman LaHood, Vice Chairman Abraham, Chairman Smith, Ranking
Member Lipinski, and Ranking Member Beyer, I really appreciate
the opportunity to be here today to talk about what is a
critical subject.
Understanding the current threat environment is essential
to crafting good policy and effective defenses, and last
month's WannaCry ransomware attack is just one of the latest
manifestations of the kinds of disruptive attacks that we are
now facing.
The timeline of WannaCry I think has been well covered by
the other folks on this panel, but I did want to share with you
a graphical timeline that hopefully you can see in the monitor.
Apologies for the small print. What's interesting I think about
that and where I'd like to add some color is to give you
Symantec's perspective on the events as they unfolded, and to
give you some context, Symantec is the world's largest
cybersecurity company with technology protecting over 90
percent of the Fortune 500 and being used extensively by
government agencies around the world. In addition, we protect
tens of millions of home users through our Norton and LifeLock
branded products.
The threat telemetry we get from these deployments
represents the largest civilian threat intelligence network in
the world. WannaCry was unique and dangerous because of how
quickly it could spread. It was the first ransomware as a worm
that had such a rapid global impact. Once on a system, it
propagated autonomously by exploiting a vulnerability in
Microsoft Windows. After gaining access to a computer, WannaCry
installs the ransomware package. This payload works in the same
fashion as most crypto-ransomware. It finds and encrypts a
range of files and then displays essentially a ransom note to
victims demanding payment, this time in Bitcoin. Symantec
worked closely with the U.S. Government from the first hours of
the outbreak. We connected DHS researchers with our experts,
provided indicators of compromise and analysis to DHS, and
received the same back. During the outbreak, DHS had twice-
daily calls with private sector to coordinate operational
activities. From our perspective, this was one of the most
successful public-private collaborations that we've been
involved in.
Our analysis of WannaCry revealed that some of the tools
and infrastructure it used have strong links to a group
referred to as Lazarus by the security community, which the FBI
has connected with North Korea. Lazarus was linked to the
destructive attacks against Sony Pictures in 2014 and also the
theft of approximately $81 million from the Bangladesh Central
Bank last year. The links we saw between WannaCry and Lazarus
included shared code, the reuse of IP addresses, and similar
code obfuscation techniques. As a result, we believe it is
highly likely that the Lazarus group was behind the spread of
WannaCry.
Beyond WannaCry, the threat landscape continues to evolve
very quickly. We're seeing attacks become more sophisticated,
not just in technology but in social engineering approaches
that these attacks use. We're also seeing more attacks being
leveraged against IOT devices, such as the massive weaponization
of IOT devices that we saw with the Mirai botnet last fall. Mirai
launched one of the largest distributed denial-of-service
attacks on record and led to significant disruption of major
cloud services. The explosive growth of attacks like WannaCry
and Mirai I think underscores the need for preparation and
deploying integrated and layered defenses.
These attacks also show that response and recovery planning
and tools are an essential part of cyber risk management because
while good defenses will stop many attacks, we have to be
prepared that a determined adversary may get through those
initial defenses, and we must lay a foundation for recovery.
There's no question that WannaCry was an important event
but unfortunately, it will not be the last of its kind. In
fact, it's more likely an indicator of what's to come. Good
fortune played a significant role in minimizing its impact,
particularly in the United States, but we will not always have
luck on our side, which is why we must learn the lessons of
WannaCry and make the necessary improvements to our defenses
and response capabilities.
This hearing is an important part of that effort, and we
appreciate the opportunity to be here. I look forward to
answering any questions that you may have. Thank you.
[The prepared statement of Mr. Thompson follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairman LaHood. Thank you, Dr. Thompson, and thank all the
witnesses for your testimony. The Chair recognizes himself for
five minutes, and we'll begin questioning.
As I talked about in the beginning, the title of this
hearing today is ``Lessons Learned from WannaCry,'' and we've
talked a lot this morning about WannaCry and how that played
out across the world, but in terms of what we've learned about
the genesis and origin of where this came from, I know the
Washington Post came out with an article yesterday that the NSA
has linked the WannaCry computer worm to North Korea. I'm
wondering if, Dr. Neino, you can talk a little bit about the
genesis and origin of where this came from, particularly
because it appears it's from a nation-state, and I know there's
references to what occurred with Sony Pictures and also with
the Bangladesh Bank, and what we know about it and what's being
implemented I guess on the government side to prevent this or
hold an entity or the government accountable.
Mr. Neino. Thank you, Chairman. I think if I understand
your question, you're asking about, one, the origin, and our
conjecture to that, and number two, perhaps, if I understood
also correctly, what would be the rules of engagement for
something like that if it was another nation-state. While I may
not be--while we think it's ambiguous to conjecture over the
origins of WannaCry, there are tails of code in there that
suggest one way or another that some nation-state could have
been responsible. Unfortunately, and as I said in my written
testimony, anyone could have created this level of attack, and
often misdirection is found typically in binaries like these
attacks we see. I would compare it perhaps an analogy to
photoshopping a program to look a certain way or it could have
simply just been what it is, which is exactly what we see. It's
hard to tell so we won't--I won't say that I know the origin of
the attack nor should I conjecture on it but what I can say is
that these attacks are very difficult to attribute, and Kryptos
Logic is a cybersecurity company, not an intelligence agency,
so it would be very difficult for us to pursue an answer to
that.
As far as rules of engagement, I also think that the
question segues the same way. It would be difficult to create
attribution or origin to any attack and therefore rules of
engagement would be very difficult for us to give any kind of
assessment on.
Chairman LaHood. Dr. Thompson?
Mr. Thompson. This was truly an interesting attack. We
spend a lot of time in our research labs looking at both the
code that was used in WannaCry but also where WannaCry
communicated out to, and there were very, very close
similarities to other kinds of attacks that we've seen,
specifically attacks that we attribute to a group called
Lazarus, and these attacks, this malware, the reuse of strings
in that malware, the reuse of command-and-control
infrastructure out on the internet by that malware led our
researchers to believe that this is strongly linked to the
Lazarus group.
Now, similar to my colleague on the end, we're not the
intelligence community either, and I agree with those comments
that attribution is often difficult, but what we've seen leads
us to believe that it was a part of this Lazarus Group and
separately the FBI has linked the Lazarus group with North
Korea, and I think, Chairman LaHood, the article that you're
referring to from yesterday is another potential evidence point
on that as well from the NSA.
Chairman LaHood. Thank you.
Dr. Neino, we talked about the kill switch and how that
stopped the attack, but we also reference the fact that last
week a hospital on the East Coast and a high school were
subject to attack. Can you explain how if the kill switch was
implemented correctly, how the hackers responsible for WannaCry
were able to continue to perpetuate the attack despite the
registration of the kill switch.
Mr. Neino. Absolutely. Although I'd like to be a doctor,
it's Mr. Neino.
So you have to understand the material makeup of the actual
malware and how it works. Why WannaCry was so significant is
that it's self-propagating. That's what gives it the title of a
worm, if you will, meaning the actors don't need to even be in
existence, and sometimes we refer to these things as zombies,
zombie botnets, because they continue to proliferate regardless
of the actors or parents or creators of the particular attack.
In the case of the examples I gave in the testimony regarding
the health system, of which there are many, that was just,
let's say, a corner case that was very significant. The worm
continues to propagate because it is scanning and seeking to
expand itself, and that portion of the worm is not subject to
the kill switch, so its expansion and spreading, which in effect
is still exploiting systems worldwide, continues. What it's not
triggering is the payload, if you will, the ransom component, and
that component therefore doesn't trigger. Most of these
organizations worldwide right now don't know they're still
getting actively exploited because they don't see
the ransom portion of it, so that's why we have 60 million
attacks thwarted to date, if not more, and just nobody knows
it's still happening, and that's why I said it was--I don't
think the message has resonated given those figures that this
still needs to be patched, and this again points to the point of
resources.
Chairman LaHood. Thank you, Mr. Neino.
I'm out of time. I will yield to the Ranking Member, Mr.
Beyer.
Mr. Beyer. Thank you, Chairman LaHood, very much, and I'm
so impressed by our panel today. There's so much information
here, and I congratulate Dr. Romine and Dr. Thompson for being
Ph.D. mathematicians. That's wonderful. Jerry McNerney was here
just a little while ago, a Member of Congress, who's I believe
our only mathematician in Congress. And Mr. Neino,
congratulations on winning the hacking tournament. I never had
a chance to say that before, but that's very cool. And General
Touhill, it's very cool that you're now after all the things
you've done in your life, combat and diplomacy and first CISO
to be up there at Carnegie Mellon with their buggy races around
Chandlee Park. Every university has something that makes them
cooler than everyplace else.
And General, I want to start with you. You talked in your
long written testimony about H.R. 1224 cosponsored by--a
bipartisan bill here, but we have expressed a lot of concern
about the audit function that NIST would be asked to take on,
and I was particularly fascinated by your points which we
didn't raise when we had the hearing here that it would make it
much more difficult for NIST to be viewed as an honest broker
that this would change their perceptions about the current and
future roles and have a chilling effect on many of the
relationships that NIST has within government and industry that
a lot of these relationships are, quote, unquote, learning
relationships based on a common quest to identify and
incorporate best practices, and NIST would change those
relationships and not in a good way. It might inhibit or stifle
the free exchange of information from public and private
entities to NIST. Can you expand on that at all? This seems to
be a pretty powerful argument against that audit function.
General Touhill. Yes, sir. You know, frankly, I'm a fan of
the intent of the legislation. Section 20(a) in making sure
that folks are in fact using the Cybersecurity Framework across
federal government I think is brilliant. We need to follow
through on that big time, and frankly, it was something I was
promoting while I was the United States Chief Information
Security Officer. As a matter of fact, in my last federal Chief
Information Security Officer Council meeting in January of this
year, I proposed and we had a unanimous vote amongst the
council to do a risk assessment for the federal government
based on the Framework. That portion of the legislation I'm
wholly supportive of.
Section 20(b), the proposal to do the auditing and
compliance activities, I'm also a fan of. I think it's
important that we do auditing and compliance. However, I do
stand by what I wrote in the written testimony that I think
that NIST is not the best place to put that. It doesn't have
the culture, it doesn't have the mission, it doesn't have the
personnel to do it as effectively as the existing Inspector
General and auditing functions. And from a practical
standpoint, NIST is a great organization that I've been working
with for the last 35-plus years, and the relationships that
NIST has are in fact as a neutral party that is on the quest to
choreograph efforts to find the best ways of doing things. An
auditing function or a compliance function on the other hand is
looking to see if you are in fact following the checklist. I
think that if we want to have an auditing and compliance
function, which I definitely think that we should be doing, we
should be giving direction to those folks whose job it is to do
that auditing and compliance function. Frankly, this is an
operational issue, and Inspector Generals have always been in
my book the folks that do performance inspections, that are the
ones that are going to help those commanders in the field in
the military as well as the executives in the federal
government do their job better and have better visibility into
their risk posture. I believe we need to have the Inspector
Generals and auditing functions that are currently in place be
the ones who execute the intent of the Committee and the
Congress.
Mr. Beyer. Thank you, General, very much.
Mr. Neino, based on your testimony, you should be a doctor.
It's filled with really interesting things, and your three-part
conclusion that the largest issues were A, that organizations
are too slow to adapt; B, that we have a vast human resource
shortage; and C, there is little by way of metrics to
demonstrate return on investment, and you talk about creating a
method to prioritize threats, something like the Richter Scale,
magnitude and a clear and repeatable scale. Who should put this
together? Who should manage it? Who should maintain it? How do
we make this happen?
Mr. Neino. I think it would be interesting to see NIST
participation in something of this where it's basically
crowdsourced through various academics and commercial and
private entities that could look together and see how they're
prioritizing risks and threats, and then see if that could be
in some way put into some sort of simulation system that allows
to be scalable where people as a resource is not scalable,
technology can be, and that would be an effective area.
I also see that the commercial sector alone can produce
that as well and that could be adopted, but I think that any
time you have some sort of regulatory mandate, it's taken much
more seriously, and what I mean by that is, for instance, if we
had an event of magnitude that was measured and if we put an
arbitrary number on WannaCry, let's say it was a 7.5 magnitude
by some arbitrary figure, shouldn't that particular event be
required to be fixed by organizations whereas right now it's
mostly voluntarily. So if a water system or a power grid
doesn't fix it even after WannaCry, shouldn't we see that sort
of mandate where we can know that that is regulated because
that event of magnitude has context versus you can't boil the
ocean when it comes to patching vulnerabilities. We're not
going to win that war; it's infinite. But we should be able to
win the war of at least the attacks we know about.
Mr. Beyer. Thank you very much.
Mr. Chair, I yield back.
Chairman LaHood. Thank you, Mr. Beyer.
I now recognize Vice Chairman Abraham.
Mr. Abraham. Thank you, Mr. Chairman. I also stand in awe
of the brain cell power on our panel. We could probably use a
couple of guys as mathematicians when we work through our
budget process.
And Dr. Thompson, if indeed North Korea has a role in this
virus exploitation, I find it ironic that a country as North
Korea that not only suppresses but quashes religious freedom
would use a biblical name, Lazarus, as its codename, so just an
aside.
Dr. Romine, my question is to you. When news of WannaCry
started spreading, what, if any, steps did NIST take to ensure
federal agencies information systems were protected and was
NIST involved in any government meeting that took place around
that time?
Dr. Romine. Thank you very much for the question. The
response for an event like WannaCry from the NIST perspective,
the primary goal as a scientific institution and as an
institution that provides guidance is to learn as much as we
can about the incident and about the origin--not the origin
from a country point of view but the technical origins, and to
determine whether the guidance that we issue is sufficiently
robust to help organizations prevent this kind of attack.
I'm not aware of specific meetings that we were involved in
that were discussing the operational side of WannaCry. I think
the law enforcement and intelligence communities were certainly
meeting. You heard reference to DHS being quite active in
helping the private sector to deal with this issue. From our
perspective, it's more learning whether we can improve the
guidance that we make available to entities to try to not only
prevent these attacks but also recover from them and to be
prepared for them in the future.
Mr. Abraham. Okay. And I'll stay with you for my second
question. In your testimony, which I did read, you said that
NIST recommendations in the NIST guide for the cybersecurity
event recovery and Cybersecurity Framework would sufficiently
address the WannaCry incidents. Will the requirement in the
cyber Executive Order to agencies to implement the Framework
help them be better prepared in the future to defend against
these types of incidences and will this be enough or should
more be done?
Dr. Romine. Thanks for the question. It's difficult to know
whether it will be enough for the next event, but I can say
this. One of the important things that emerged in our
discussions with the private sector during the development of
the Framework was that we are often thinking about detection
and prevention of attacks. Sometimes, we don't pay enough
attention to response and recovery, and so one of the things
that the Framework does is to spell out the five functions--
identify, protect, detect, respond and recover--and we're
providing a lot of guidance now with the incident response
guidance, for example, to help different organizations be
better prepared to respond and recover. One of the analogies
that I've drawn recently is the Boy and Girl Scouts are right:
their motto is ``be prepared.'' And the fact is, the better
prepared an organization is through its risk management
activities, which we think the risk management framework from
FISMA coupled with for federal agencies and under the umbrella
of the Cybersecurity Framework now, we think those are the
tools that are necessary to implement the kind of preparedness
that organizations should have.
Mr. Abraham. One quick follow-up. What specific steps in
lieu of this WannaCry should NIST take to help federal and
state agencies be better prepared as well as the private
sector?
Dr. Romine. So we're already looking at some of the
consequences associated with it, some of the incident response
work that we have, some of the data integrity work that I
talked about earlier. We launched the Data Integrity Project at
the National Cybersecurity Center of Excellence, which has a
very strong tie-in with ransomware-type attacks. We launched
that actually before the WannaCry came out but in light of this
new event, we're accelerating the work that's going on in the
NCCOE so we hope to be able to provide very practical guidance
or practical examples of how to be prepared so that
organizations can see how it's done.
Mr. Abraham. Thank you.
And General, thank you for your service to the country.
Mr. Chairman, I yield back.
Chairman LaHood. Thank you, Vice Chairman Abraham.
I now recognize Ranking Member Lipinski for his
questioning.
Mr. Lipinski. Thank you, Mr. Chairman. I want to thank the
witnesses for their testimony and for all the work that you do.
We are I think finally beginning to take cybersecurity more
seriously here in Washington although there's much more that I
think we need to do. Part of the problem is understanding what
this really means and the impact that it can have. We also need
to make sure that the American public knows the significance of
cybersecurity and what could happen.
We know when we're dealing with cybersecurity that
technology is just part of the solution. What often matters
more, as we saw with WannaCry, is personal behavior and
organizational behavior. Individuals and information systems
managers must regularly install security patches and phase out
outdated software. Organizations must prioritize cybersecurity
and have plans in place for quick response when there are
attacks. These are social-science issues.
Another social-science angle is understanding criminal and
terror networks as well as foreign state actors, and using that
understanding to help inform our intelligence gathering and our
cyber defenses.
So I'd like to hear from each of our witnesses your
thoughts on whether we're investing enough in the human factors
of cybersecurity and what more can be done, what more would you
like to see us do to--so that we are taking care of these
issues? We'll start with Mr. Neino.
Mr. Neino. Thank you, Mr. Lipinski. I think it's a great
point that you bring up. There are other issues other than
technology at play. Cybersecurity is hard. It really is.
Software is hard; security is hard. When you put them together,
it's very hard. One thing that we know will be quite difficult
is resources. Resources will maintain their need for quite some
time, and technology is rapidly evolving. We have eroding
boundaries. Systems are changing. We have digital
transformation that continuously happens so we have to relearn
our resources and people. This makes it very difficult for
those responsible in those areas to manage risk to actually
keep up with the actual threat, the pragmatic threat, not just
the way we measure our own threats but in reality like
WannaCry. In that case, I think that we could see a huge value
if we were to see investments in things that allow for threat
prioritization, again going back to the events of magnitude
example. You can't boil the ocean but you can look at the areas
that can hurt you the most and the people that will hurt you
the most, and investigating those things and putting them
together allows you to start to formulate a picture that allows
you to prioritize threats. Once you prioritize threats, the
investments you make in those people and those resources will
be maximized and we'll have a better chance of being more
resilient.
Mr. Lipinski. Thank you.
Dr. Romine?
Dr. Romine. I'd like to describe two important NIST
programs that directly address the human part of this problem.
One is that NIST is privileged to home the program office for
the National Initiative for Cybersecurity Education, or NICE,
which is an interagency program that's dedicated to building a
larger cybersecurity workforce, and we've made great strides in
that area. I'm very proud of the work that we've done there.
The second part of the program is, and you're absolutely
right, that one of the key components in achieving true
security is understanding how humans interact with technology.
You can be theoretically secure through technology but if the
people that are trying to get their jobs done are focused on
that and not taking advantage of, or in some cases, even
circumventing security that's in place in order to get their
jobs done, you have to know about that and you have to
understand how to build systems that have the human in the
loop. NIST views a systems-level approach for cybersecurity but
we think people, the users, are part of the system and so we
have an active research program in understanding. We have
psychologists, sociologists, human factors engineers on our
staff whose entire mission is to understand how people interact
with technology so that we can do better in areas like security
and usability.
Mr. Lipinski. General Touhill?
General Touhill. Thank you very much. When I was at--still
in public service as the U.S. Chief Information Security
Officer, I applied about five strategic lines of effort. One
was harden the workforce; two, treat information as an asset;
three, do the right things the right way and at the right time;
four, make sure that you're continuously innovating and
investing wisely; and then five, make sure that you're making
risk management decisions at the right level.
The first one was harden the workforce. If you gave me an
extra dollar in cybersecurity, I'm always going to spend it on
people, and frankly, your people are your greatest resource but
they're also your weakest link. We see it time and time again,
and 95 percent of the incidents my U.S. ICS, Industry Control
System CERTs responded to you could track back to a human
failure--failure to patch, failure to configure correctly,
failure to read the instruction book. So I think hardening the
workforce should be a strategic priority, and it was one of my
top ones and actually was the top one.
Further, you know, if you ask for where else could we
invest well: exercises. People should not necessarily be
confronting crises without having practiced ahead of time, and
my friend, Admiral Thad Allen, likes to say the time to
exchange business cards is not a time of crisis. We should be
doing exercises more often than we are, and we should be
investing more into them.
And then further, everybody needs to play. Too often we see
senior executives who go dismiss that off to the younger folks
and the kids in the server room to play. It's a risk issue, and
risk decisions are made at the board level.
So I think we need to invest in exercises. We already are
doing a lot. During the time I was at DHS when I first got
there, the year before we had done 44. By the time I left two
years later, we were up to 270 exercises. But I think more
needs to be done, and I encourage the Committee and the
Congress to help reward these type of practices because I think
it'll buy down our risk.
Mr. Lipinski. And if the Chairman will indulge me, Dr.
Thompson?
Mr. Thompson. Thank you. Thanks for that question because I
think what you're hitting on is probably one of the most
important and underinvested areas in cybersecurity in general.
This human element cannot be separated from the technology.
Often in the security community we talk about advanced
persistent threats, and most people when they think about that
think about very sophisticated code, malware, but in fact, what
we're seeing is the root of many of these advanced persistent
threats is the initial way a company got infected or a person
got infected was that an individual made in retrospect a bad
choice--they clicked on a link, they downloaded a file--and
we're seeing attackers becoming more socially sophisticated in
the way they attack. We're seeing them personalize attacks
looking for information on social networking sites, for
example, so that they can create credibility in an email or a
text message that they may send you so that you're convinced
that this is a reasonable thing to go and do. And I think from
an industry perspective, it is a place that we desperately need
focus.
I want to give you one data point that I think may be
useful. So I've had the pleasure to serve as the program
committee chairman for RSA Conference for the past ten years.
That conference had 40,000 people, security professionals that
showed up last year, which is a sign of how important I think
this industry's become, and three years ago we started a track
called the Human Element, and it has become one of the most
popular tracks for cybersecurity professionals because I think
we all realize--and I love the comments that the general made
about this topic. I think we all realize that is one of the
most critical areas that we need to focus on going forward,
human element of the people that are responsible for
cybersecurity but also the human element of users.
And I'll make a final comment here. It is very easy for a
user to understand that there's an increase in utility. I know
it's easier to get in my house if I leave the door unlocked,
very easy. You don't have to carry any keys around. If I make
it more secure, generally people's viewpoint is you make it
more secure, you make it more painful. There are more things
that you have to do. So they can easily measure utility but
they can't easily measure risk, and we need to do a better job
at helping the individual, the citizen recognize risk.
Mr. Lipinski. Thank you very much.
Chairman LaHood. Thank you, Mr. Lipinski.
I now recognize Congressman Higgins for his questions.
Mr. Higgins. Thank you, Mr. Chairman.
Mr. Neino, congratulations on shutting down WannaCry. That
was a big mistake by whoever designed that worm, was it not, to
leave the domain unregistered?
Mr. Neino. It's hard to say what it is. It could have been
intentional, it could have been non-intentional. We think it
was non-intentional but it's hard to say. But it definitely was
a mistake in any regard.
Mr. Higgins. Well, congratulations on discovering it. What
would WannaCry have done to the world had that kill switch not
been----
Mr. Neino. I can only give a thumbnail of what that might
look like but given today, you know, we're seeing millions of
thwarted attacks per day, you also have to realize that the
velocity of the attack of WannaCry had slowed significantly as
a result of the kill switch. So generally mathematicians will
say these are exponential attacks, things like that. This could
have been a very, very massive attack. Most systems were
affected.
Mr. Higgins. I concur. Most cyber experts agree that it
appears that North Korea was behind WannaCry. Do you agree?
Mr. Neino. I think that there are tails in the software
program that you could use to associate it but I do believe
that intelligence is cumulative behind cyber. Cyber is very
difficult to attribute. You need other areas to attribute a----
Mr. Higgins. What's your opinion? Was North Korea behind
WannaCry?
Mr. Neino. I don't really want to comment. I've seen other
people make very good conjectures about it being China. I've
seen other conjectures as of just being random people. But I
don't think it's worth commenting because I'm just not a
subject domain expert in intelligence.
Mr. Higgins. Intelligence is a safe answer, sir.
When security software is designed, how easy is it for the
designer to build a backdoor access that would be virtually
undetectable within that cybersecurity software?
Mr. Neino. We've seen that a multitude of times, and
there's very good studies from a variety of areas. The level of
entry to do that is very low.
Mr. Higgins. Thank you for concluding that.
Brigadier General, my question is to you, sir. Thank you
for your service. Are you familiar with Kaspersky Labs out of
Moscow?
General Touhill. I am familiar with Kaspersky.
Mr. Higgins. Manufacturer of cybersecurity products, a long
list of cybersecurity products, that top intelligence officials
at the FBI, the CIA, the NSA and others advise this body that
they don't trust Kaspersky, that they would not use their
product on their personal devices. However, it's still used
widely across the United States Government in various
departments. Can you explain that to this Committee?
General Touhill. Well, sir, I don't know what kind of
conversation, you know, my colleagues from those agencies had
with this Committee. However, as I go and I take a look at the
different products that are in the market today, I believe that
the American products are the best ones out there, and just on
a value proposition, I buy American.
Mr. Higgins. I concur. That's a brigadier general speaking
right there.
General Touhill. That's an American speaking, sir.
Mr. Higgins. Let me say that although there's no public
evidence of collusion between Kaspersky Labs and the Russian
government, it's not a large leap, and Eugene Kaspersky has
suggested that his products have no ties to the Russian
government. However, as part of the national conversation, Mr.
Chairman, and it's widely known that the Russians have been
involved in efforts to influence governments across the world
with cyber-attack, and Mr. Kaspersky has suggested that he
would testify before this body. I strongly suggest that we take
him up on his offer. I'd sure like to talk to him regarding the
kill switch in North Korea, that having been a rather glaring
error on the part of the designer of that worm cyber-attack.
Mr. Neino, what do you think that happened to that guy in
North Korea? It was a kill switch, wasn't it? So this message,
should it get to any of the cyber-attack cyber experts in North
Korea, if you can get out of the country, you're welcome in the
West. We'd love to have you before this Committee. We'll give
you some real good food.
Mr. Chairman, I yield back.
Chairman LaHood. Thank you, Congressman Higgins.
I now yield to Congresswoman Esty.
Ms. Esty. Thank you very much. This has been very
enlightening and extremely helpful.
There are a couple of points I want to return to and maybe
drill down on. One is on the human element, which I think is
unbelievably important because you can buy all the great
equipment in the world, and as you said, Dr. Thompson, if you
leave the door open, it doesn't do you any good, and I think a
little bit about the analogy in hospitals about getting people
used to washing their hands, and it may be low-tech but it
works, and so one of the things I think we need to emphasize
for all Americans is hygiene. It's just what are proper hygiene
practices, so that's one, and getting people's thoughts and how
we make that absolutely standard operating procedure for all
organizations, government and non-government.
Number two, we have an issue in the federal government in
particular at all levels of government of really old systems.
So we look at the fact that this was exploiting a
vulnerability in Windows. Who's still using those systems?
Overwhelmingly I can tell you it's local and state governments
that don't have any money and they're still using these old
systems, so that makes it an even greater issue.
Mr. Neino, your point about threat assessment and
understanding levels of assessment, we need triage help. You
know, we need triage help to recognize what defcon level is
this because, you know, everybody gets those notes on their
phones and we're looking at our phones like I don't have time
to upgrade my system, and that's the reality of human behavior.
So I'd suggest a couple of things. We ought to be getting
behavioral economists and social-media experts to your point,
Dr. Thompson, and I think that needs to be part of what the
federal government, part of what NIST is doing is to stay ahead
of the game we need to do that.
A number of us were at an Aspen briefing a couple of months
ago with some of the folks from the top levels of the private
sector talking about how so much of our emphasis at the federal
government has been and frankly the incentives have been for us
to be on attack mode. We're developing our attack cyber
capability out of the federal government. We've left it to the
private sector to do defense. Obviously we need to be doing
more defense. So that's--you know, how do we incentivize
defense attention? It's less sexy but frankly a lot more
important. So what can we do as a culture change? Where does
that have to come out of? Is that out of NIST? Is that out of
DOD, NSA to put the incentives there? How do we make sure we're
getting the broader sector of talent pool?
Again, it may not strike people bringing in, you know,
people who do Snapchat for figuring out how do we make sure
people don't click on that link but it strikes me over and over
again if we don't do that, if we look at what happened in the
hacking on the electoral system and last year what happened, it
was John Podesta's email where someone clicked on a link, and
it is going to be the weakest link and the strongest link at
the same time.
So anyone who has thoughts on that whole bunch of stuff I
just dumped, that's what happens when you're at the end of the
hearing, you know, you're batting clean-up and want to raise a
number of issues. But again, thank you very much. I look
forward to following with all of you, and thank you for your
efforts and in joining with us in figuring out how we can do
better for America. Thanks.
Dr. Romine. Thank you, Congresswoman. I'll just make two
very quick points. One is, we have active research going on now
under the program that I just talked about to understand human
behavior, trying to understand susceptibility to phishing
attacks, and what are the things that factor into people not
recognizing that something is a phishing attack. And so there's
research coming out about that.
With regard to culture change, I think maybe it's
underappreciated sometimes the culture change that's going on
in boardrooms and among CEOs who in light of the Framework as a
catalyst for this but I think this might have been on their
radar anyway, but the Framework is a means of catalyzing the
understanding on the part of boardrooms and CEOs that manage
risk to reputation, financial risk, and business operational
risk and all of the other risks that you're already managing as
a CEO, you now have the tools that you can use to incorporate
cybersecurity risk into that entire risk management.
General Touhill. I'd like to pile onto that. First of all,
on the cyber hygiene, we all need to do better, and we work
very closely with NIST to help promote the national cyber
education programs that we have, and I think we really need to
do better on that. As a matter of fact, I propose that we
probably need a Woodsy Owl, Smokey the Bear type of thing. You
know, I call it Byte. Let's get kids out there fully educated
and bring that pipeline up. And we've been working with NIST
and across the interagency to do that.
And we also need to incentivize. We shouldn't necessarily
be seen as the government that's here to help but not really
help but to overregulate. We need to encourage and incentivize
folks to do the right thing, to buy down their enterprise risk.
But we also have to recognize that risk is an intrinsic part of
any management of any business, and we have to be very careful
that we don't have hamshackle the different boards and C suites
from actually managing their risk, and we need to give them the
tools and the support to be good wingmen to help them make
those risk decisions.
And then finally, you know, we've had a lot of discussions
publicly in this town over the last two, three, four years
about roles and missions as to who does what in helping folks.
As for me, having served in uniform for over 30 years and then
having done some public service on top of that, I think it
really takes teamwork, and I view the DOD and NSA and
intelligence community's mission to help us with deterrence and
interdiction. Let's stop them and take the fight to the bad
guys out to foreign shores. But when it comes to protecting
hometown America, I believe that that's more appropriate for
DHS and the work that's being currently done in the NCCIC to
choreograph different activities across the federal government
in better serving the citizens.
Mr. Thompson. Just a quick comment. First, I support the
General's suggestion that we resurrect Smokey the Bear. I think it
would be great to see him again and maybe kind of repurpose him
for this effort. But I will say first, Congresswoman, thank you
so much for your comments. I very much agree with what you said
about this human element. I can tell you that the practice of
security I think is changing very much because of that, and I
think about the folks that we hire at Symantec as an example.
The kinds of folks that are hunting down the malicious networks
today aren't just the computer scientists and mathematicians
but there are computational linguists, there are behavioral
psychologists, there are anthropologists. There are people that
are looking at the human behavior of an attack group, so that's
one side.
On the consumer side, which we sell to with Norton, we
spend an amazing amount of time thinking about how do we make
security similar to the iPad, and I call it the iPad because
it's the only piece of technology I think I've ever given to my
mom and I didn't have to give her any instruction about how to
use it. She just understood it. And we spend a massive amount
of time now today on design. How do we make it intuitive? How
do we make it easier to be more secure than less secure? And I
think that is where a lot of effort must go in in the security
community today. How do we make it easier to be more secure
than less secure?
Chairman LaHood. Thank you, Congresswoman Esty.
I was just thinking as you referenced Smokey the Bear,
maybe a new company, Smokey the Bear Malware would be
something----
Mr. Thompson. We'll register the domain, Mr. Chairman.
Chairman LaHood. Thank you.
I now recognize Mr. Palmer for his questions.
Mr. Palmer. Mr. Neino, first, accept our thanks for the
quick thinking that allowed the kill switch to prevent so many
infections, but with regard to your measurements, however, you
suggest that the number of 200,000 infections is too low, and
that before the implementation of the kill switch, there may
have been 1 to 2 million infections. In that regard, how do you
then explain that practically no one tried to pay the ransom if
there were that many more?
Mr. Neino. I think there were some who tried to pay the
ransom be it the measure of success of that is hard to
determine. I think we also----
Mr. Palmer. Well, what you've got is that from many studies
that a large portion of the companies do pay the ransoms when
their computers are encrypted, but monitoring the Bitcoin
wallets advertised in the WannaCry malware, it seems that less
than 500 people did, so that's two one-hundredths of 1 percent.
Mr. Neino. Sure. Well, I think----
Mr. Palmer. That's very inconsistent with your----
Mr. Neino. Yeah, I think----
Mr. Palmer. --with what you're saying.
Mr. Neino. I think that when you look at--it's hard to
associate the payments to the actual spread, and I'll tell you
for a variety of reasons. One, when you look at the actual
attack and the magnitude of the attack and you try to trace it
to the payment, if you look at the mechanisms to make the
payment, it was, one, not clear whether you would get your
systems back anyways, and at this point the attacks have been
abandoned, so we know that if you pay the ransom, you didn't go
anywhere. Most of the media and many of the experts were
suggesting not to pay the attack. We were asked the same
question and we said you would have to base your own risk
organization and determine if you should pay the attack.
However, what I can say is the data that we are receiving is
absolute. When we get this data--we've been doing this. It's
not just WannaCry. We've been doing this for close to a decade.
We see and visibly analyze data that comes in. It is accurate.
Mr. Palmer. I'd like to address this question to General
Touhill, and again, as many of our members have said, thank you
for your service, sir.
Your testimony refers to people who were infected by
running Windows 95 but published industry reports are saying
that almost everyone that was infected was running Windows 7.
So isn't it true that the main reason people were infected was
because an intelligence community vulnerability was leaked to
the public? Turn on your mic, please.
General Touhill. Thanks. Sir, thanks for the question. You
know, just for clarity's sake, the--in my written testimony I
highlighted Windows 95 as being used as an exemplar. However,
there was plenty of other different operating systems that were
very susceptible to this type of attack including Windows ME,
7, you know, a lot of unpatched systems.
Mr. Palmer. But I'm asking about an intelligence community
vulnerability that was leaked to the public.
General Touhill. I think that if we take a look at it from
that standpoint, yeah, I'm very concerned about that, and I
think that this highlights a couple of things. First of all,
patch your systems. We've been telling you all along to do
that. Second of all, I think that as we take a look at, you
know, the leakage of information or the attribution of leakage
of information, that's very serious and unacceptable.
Mr. Palmer. Well, in regard to the patch, the reality is
that a team of actors calling themselves the Shadow Brokers
published an NSA exploit called EternalBlue on the Internet,
and that happened in January 2017, and Microsoft released a
patch that addressed that vulnerability 3 months later in
March, a patch called MS17-010, so it was not a problem of
machines being out of date. The problem was that if you hadn't
put all of the Microsoft recommended patches on all the
machines within 60 days, you would become a victim, and it was
a zero-day attack because when EternalBlue code was released in
January, there was no way to protect a computer from it.
General Touhill. I don't believe I would characterize this
one necessarily as a full zero-day attack. From my perch, you
know, frankly, because the fact that we had some patches that
had been put out, and Microsoft went through extraordinary
measures, by the way, to go out and create those patches for
operating systems that had previously been declared
unsupportable many years before, and I use Windows 95 in my
written testimony as an exemplar because Windows 95 had been
online for about 19 years before it was retired, and for the
last three years, Microsoft had not been supporting it, and
then for them to come back and put out that patch in March was
extraordinary, and through the federal government and other
organizations around the world, we went out and we clearly
communicated, and Carnegie Mellon's C-CERT was one of them,
clearly communicated to all of the communities of interest,
patch your systems, this is an important patch, and it was
labeled as a critical patch, sir.
Mr. Palmer. If I may, I have one more question for Mr.
Thompson. Could you address the DoublePulsar feature that you
mentioned? Since no one was actually paying the ransoms, is it
possible that the real goal of the attack was to allow remote
access to the machines that DoublePulsar was installed on
by becoming infected?
Mr. Thompson. Thanks for your question. It's difficult to
anticipate what the true intention was of this attack, whether
it was ransomware, whether it was a test, whether it was the
ability to propagate some kind of back door, but what is, I
think, interesting as a characteristic of the attack, which I
think goes back to your first question of why didn't we see,
quote, normal or expected rates of ransomware payment. The
backend infrastructure that was set up was very weak compared
to the typical piece of ransomware that we see out there in the
wild, and it is pretty incredible. Many of these ransomware
attacks have a very robust infrastructure behind them. They
have almost the equivalent of customer support for people that
have been infected with the ransomware. We didn't see that
level of sophistication here in the back end.
Mr. Palmer. I thank the witnesses for their answers. I
yield back.
Chairman LaHood. Thank you, Mr. Palmer.
I now yield to Congressman Webster for his questions.
Mr. Webster. Thank you, Mr. Chairman. Thank you for having
this meeting, a joint meeting, and thank each of you for
coming, but I'll tell you, my mind has been on something else,
and the statements that were given here were similar to that in
that they fit. There was an attack yesterday, and I thought
about how the fact it was an advanced, persistent threat, and
not only that, was it a personalized attack, and there's some
people, in fact, my seatmate here, who acted heroically to turn
it around, and so I just--that's what was on my mind, these
Capitol Police whose service protected life yesterday along
with the heroic acts of many of the Members of this Congress.
Maybe it's a different kind of threat but it was real, and in
this particular case, there was no human error, and so I just--
I wanted to take this time that I have, just a few minutes, and
say thank you for our people who work there and for the members
who serve here who prove there still are heroes in our country
and they just haven't been exposed yet, and there was some
yesterday that were exposed, so thank you, Mr. Chairman. I
yield back.
Chairman LaHood. Thank you. I think we have a couple more
questions. We're going to go just for a short second round
here. I'll yield myself five minutes.
Dr. Romine, you note in your written testimony that the
National Vulnerability Database, NVD, that NIST maintains and
``updates dozens of times daily'' of all known and publicly
reported IT vulnerabilities documented that vulnerability that
the WannaCry malware exploited. A recent report notes that 75
percent of the vulnerabilities documented last year were
disclosed elsewhere first and that it takes on average 7 days
between the discovery of a vulnerability and its reporting on
the NVD. What is the reason for the delay there if you could
talk about that, and is NIST working to get rid of that lag
time?
Dr. Romine. Thank you for the question. We're always
interested in trying to shorten time to deliver really
important information to our stakeholders. In the case of NVD,
our goal is not first to disclose or first to disseminate the--
although we want to do as early as we can. Our real goal is
accurate curation, including an assessment of the impact that a
vulnerability might have, and that assessment requires a
certain amount of analysis that has to be done before we can
include something in the National Vulnerability Database.
The other reason for that is that the disclosures are often
from sources that are not necessarily reliable from our
perspective, and including information about vulnerabilities
from sources that we don't view as authoritative would not be
in our best interest for the NVD.
Chairman LaHood. And was there a delay in reporting the
vulnerability that the WannaCry malware exploited?
Dr. Romine. I don't know the exact duration between the
time that we received the report and the time that we put it in
the NVD. I'm sure it was a matter of days.
Chairman LaHood. Thank you. Those are all my questions.
I yield to Mr. Beyer.
Mr. Beyer. Thank you, Chairman, very much.
General, you are the first Chief Information Security
Officer, and you took that position, I guess, last September
under the Obama Administration?
General Touhill. Yes, sir.
Mr. Beyer. Do you believe the federal government should
have this federal CISO position? I know the Trump
Administration hasn't filled it yet, but do you--any reason why
you left at the time that you did, and any concerns about
whether it will be refilled?
General Touhill. Well, first of all, thank you for the
question. I believe that this is a best practice to have a
Chief Information Security Officer in different organizations.
The first Chief Information Security Officer position was
created in the private sector over 20 years ago, and it took
about 20 years for the federal government to create one. I
think it is critically important as part of an enterprise risk
management approach that you do in fact have someone who is
focused on information security and the risk to the enterprise
and advising the corporate community as it were up, down and
across as far as what those risks are and best practices to buy
down and manage that risk. Within the federal government, we
still don't have an authorization for a federal Chief
Information Security Officer in statute. My position was
appointed as an administrative appointment, and I think that as
we take a look at--as we move forward--and the Executive Order
that just recently came out is a great step forward. I think we
need to firm up and make sure that this position is an enduring
position but we also need to authorize and empower the position
such that Chief Information Security Officer can in fact have
the authorities to choreograph and direct activities that are
necessary to better manage our risk.
As far as the appointment goes, I look forward to seeing
who the Administration brings forward, and I will coach and
serve as wingman for that person.
Mr. Beyer. Great. While we're talking Executive Orders, you
made the really interesting case that we overclassify, that the
default position right now is to make everything the highest
thing, and that we should instead make the default position the
lower level of classification and argue our way up. How do we
operationalize that? Is this Executive Order, legislation,
memorandum of understanding?
General Touhill. I thank you for that question. I'm very
passionate about it because I was responsible for public and
private sector partnerships while I was at DHS and the
information sharing between the public sector and the private
sector, and frankly, we overclassify too much time-sensitive
information in the federal government, in my view, and I
believe that the solution set is going to have to be a
combination of legislation as well as executive action. So I
think that really both branches of government are going to need
to partner up as far as--to determine a best means of getting
information out faster to folks so that we can take timely and
actionable actions in this fast-paced cyber environment.
Mr. Beyer. Thank you.
Mr. Neino, you had one very intriguing, or many intriguing
lines in your testimony. One said that ``points contrary to
defense (who did it)'' and what I understood from that is we
spent too much time trying to figure out who is Lazarus or who
is Bayrob rather than defend ourselves. Can you expand on that?
Because I confess, as a naturally curious person who watches
Law and Order and CSI and all the stuff, I want to know who did
it.
Mr. Neino. I think that the barrier of entry at this point
is that anyone could do it, so conjecturing over who has done
it is a very difficult task because cybersecurity is something
that could be easily misdirected. You never really know who the
attack is, and focusing on that doesn't solve the problem that
we're vulnerable. We are vulnerable. So if you leave the door
open, there could be thousands of people that walk by your
house every day. Would it really matter if it's because you
leave yourself exposed who has done it? They do it because they
can, and we should not make it that way. We should make it so
that we are resilient and we are a very strong nation in
regards to defense.
Mr. Beyer. Thank you.
Dr. Thompson, do you want to pile on at all?
Mr. Thompson. I do. Thank you. You know, it's interesting.
We don't spend very much time looking at who did it and who is
the country behind it, who is the enterprise behind it, who is
the person behind it, but it's very critical for us to
associate patterns of behavior. So if we associate attack A
with attack B and then believe that these two things are
connected, it will let us learn more about that group, the
tactics that they use, and make us better prepared to protect
against a new attack sight unseen, and that was the case with
Symantec's AV engines and our artificial intelligence engines
because of previous training on this against the WannaCry
malware. So it's critical for us to have that grouping together
and we'll leave it up to the intelligence community to decide
who that group actually belongs to.
Mr. Beyer. Great. Thank you very much, Mr. Chair.
Chairman LaHood. Mr. Lipinski, do you have any follow-up
questions?
Mr. Lipinski. No, I think I took plenty of time on my first
round. I thank the witnesses for your testimony, all the work.
As I said, I'm sure we'll be continuing this discussion, so
thank you.
Chairman LaHood. In closing, I want to thank all of the
witnesses here today for your important, insightful and
impactful testimony here today, and as our two Subcommittees
look at legislation and public policy as it relates to
cybersecurity and the ancillary issues of national security,
economic vulnerabilities, privacy, we look forward to
continuing to work with you on those issues and appreciate you
taking time out of your busy schedule to be here today.
And the record will remain open for two weeks for
additional written comments and written questions from Members,
and at this time the hearing is adjourned.
[Whereupon, at 11:51 a.m., the Subcommittees were
adjourned.]
Appendix I
----------
Answers to Post-Hearing Questions
Appendix II
----------
Additional Material for the Record