[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]

REVIEWING THE FEDERAL CYBERSECURITY MISSION
=======================================================================

HEARING
before the
SUBCOMMITTEE ON EMERGING THREATS, CYBERSECURITY, AND SCIENCE AND TECHNOLOGY
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED ELEVENTH CONGRESS
FIRST SESSION

MARCH 10, 2009

Serial No. 111-5

Printed for the use of the Committee on Homeland Security

Available via the World Wide Web: http://www.gpoaccess.gov/congress/index.html

U.S. GOVERNMENT PRINTING OFFICE
51-633 WASHINGTON : 2009

For sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; DC area (202) 512-1800
Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 20402-0001

COMMITTEE ON HOMELAND SECURITY

Bennie G. Thompson, Mississippi, Chairman

Loretta Sanchez, California
Jane Harman, California
Peter A. DeFazio, Oregon
Eleanor Holmes Norton, District of Columbia
Zoe Lofgren, California
Sheila Jackson Lee, Texas
Henry Cuellar, Texas
Christopher P. Carney, Pennsylvania
Yvette D. Clarke, New York
Laura Richardson, California
Ann Kirkpatrick, Arizona
Ben Ray Lujan, New Mexico
Bill Pascrell, Jr., New Jersey
Emanuel Cleaver, Missouri
Al Green, Texas
James A. Himes, Connecticut
Mary Jo Kilroy, Ohio
Eric J.J. Massa, New York
Dina Titus, Nevada
Vacancy

Peter T. King, New York
Lamar Smith, Texas
Mark E. Souder, Indiana
Daniel E. Lungren, California
Mike Rogers, Alabama
Michael T. McCaul, Texas
Charles W. Dent, Pennsylvania
Gus M. Bilirakis, Florida
Paul C. Broun, Georgia
Candice S. Miller, Michigan
Pete Olson, Texas
Anh ``Joseph'' Cao, Louisiana
Steve Austria, Ohio

I. Lanier Avant, Staff Director
Rosaline Cohen, Chief Counsel
Michael Twinchek, Chief Clerk
Robert O'Connor, Minority Staff Director

------

SUBCOMMITTEE ON EMERGING THREATS, CYBERSECURITY, AND SCIENCE AND TECHNOLOGY

Yvette D. Clarke, New York, Chairwoman

Loretta Sanchez, California
Laura Richardson, California
Ben Ray Lujan, New Mexico
Mary Jo Kilroy, Ohio
Bennie G. Thompson, Mississippi (Ex Officio)

Daniel E. Lungren, California
Paul C. Broun, Georgia
Steve Austria, Ohio
Peter T. King, New York (Ex Officio)

Jacob Olcott, Staff Director
Dr. Chris Beck, Senior Advisor for Science and Technology
Daniel M. Wilkins, Clerk
Coley O'Brien, Minority Subcommittee Lead

C O N T E N T S
----------

Statements

The Honorable Yvette D. Clarke, a Representative in Congress From the State of New York, and Chairwoman, Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology
The Honorable Daniel E. Lungren, a Representative in Congress From the State of California, and Ranking Member, Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology
The Honorable Bennie G. Thompson, a Representative in Congress From the State of Mississippi, and Chairman, Committee on Homeland Security

Witnesses

Mr. David Powner, Director, Information Technology Management Issues, Government Accountability Office: Oral Statement; Prepared Statement
Mr. Scott Charney, Vice President, Trustworthy Computing, Microsoft: Oral Statement; Prepared Statement
Mr. Amit Yoran, Chairman and Chief Executive Officer, NetWitness Corporation: Oral Statement; Prepared Statement
Ms. Mary Ann Davidson, Chief Security Officer, Oracle Corporation: Oral Statement; Prepared Statement
Mr. James A. Lewis, Project Director, Center for Strategic and International Studies: Oral Statement; Prepared Statement

REVIEWING THE FEDERAL CYBERSECURITY MISSION
----------

Tuesday, March 10, 2009

U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology,
Washington, DC.

The subcommittee met, pursuant to notice, at 2:53 p.m., in Room 311, Cannon House Office Building, Hon. Yvette D. Clarke [Chairwoman of the subcommittee], presiding.

Present: Representatives Clarke, Richardson, Lujan, Kilroy, Thompson [ex officio], Lungren, Broun, and Austria.

Ms. Clarke. The subcommittee will come to order. The subcommittee is meeting today to receive testimony on reviewing the Federal Cybersecurity Mission. I will begin by recognizing myself for an opening statement.

Good afternoon, and thank you to all the witnesses for appearing before us today. I am pleased to chair today's hearing, my first as Chair of the Emerging Threats, Cybersecurity and Science Technology Subcommittee. While there may be a number of new faces here on the dais, I can assure everyone that this subcommittee will continue to address many of the same issues from the 110th Congress. Over the next 2 years, we will continue our oversight over nuclear detection programs, radiological threats, public health threats, cybersecurity and the Science and Technology Directorate. I also look forward to working in the same bipartisan spirit that the previous Chairman and Ranking Member carried on their work.

Mr. Lungren, I know that you take this responsibility as seriously as I do, and I look forward to partnering with you over the next 2 years to ensure the safety and security of the American people, American businesses, American infrastructure and the American way of life.

Today's hearing will be the first of three cybersecurity hearings that the subcommittee will hold this month. It is easy to understand why this issue dominates our agenda. We rely on information technology in every aspect of our lives, from our electric grid, banking systems, military and Government functions, to our e-mail, Web browsers, and iTunes. Interconnected computers and networks have led to amazing developments in our society. Increased productivity, knowledge, services, and revenues are all benefits generated by our modern networked world. But in our rush to network everything, few stopped to consider the security ramifications of this new world we were creating.

So we find ourselves in an extremely dangerous situation today. Too many vulnerabilities exist on too many critical networks which are exposed to too many skilled attackers who can inflict too many damages to our systems. Unfortunately, to this day, too few people are even aware of these dangers and fewer still are doing anything about it. This committee will continue to sound the alarm bells, raise awareness of the problems we face, and hold those in charge accountable for their inaction.

This hearing comes at a critical moment in our Nation's approach to their cyber threat. There is no more significant threat to our national and economic security than that which we face in cyberspace. We, the United States, must do everything equally significant to meet this challenge. We are approximately halfway through the National Security Council's 60-day interagency review of the Federal Cybersecurity Mission which began on February 16.
The review is being conducted by Melissa Hathaway, senior director of the NSC, on orders from President Obama and the National Security Adviser. The goal for the review is to develop a strategic framework to ensure the U.S. Government's cybersecurity initiatives are appropriately integrated, resourced, and coordinated with Congress and the private sector. I commend the President for his vision in making cybersecurity a priority for his administration and for requesting this review.

Given this committee's leadership role in cybersecurity policy development, we look forward to working with Ms. Hathaway and her team. Thankfully, their review does not have to start from scratch. I encourage the review team to rely upon the extensive hearing record of this committee in the 110th Congress, and from the work that our witnesses have already undertaken in that area. The CSIS Commission report and the many GAO reports which Mr. Powner's team have produced over the years contain dozens of outstanding recommendations that, if actually implemented, will improve our national security posture.

That message bears repeating. The previous 2 decades have seen countless reports from America's thought leaders in cybersecurity, containing hundreds of recommendations about how to improve America's posture in cyberspace. What has been lacking is the courage and leadership to actually implement these recommendations. Now is the time to act. To ensure our national and economic security, now is the time we must act. The U.S. Government must chart a new course to secure cyberspace. Maintaining the status quo will not be enough to keep America secure. Now is the time for the Government to stop planning and start acting.

There are three key issues that I believe this review must address. The 60-day review. First, this review must call for a national strategy for cyberspace.
The previous administration drafted a high-level national security strategy in 2002 that presented problems and possible solutions to some of the same cybersecurity issues that we face today. Unfortunately, that strategy stopped short of mandating security changes. Without teeth, the strategy was never implemented. We need a strategy that uses all of the tools of the U.S. power in a coordinated fashion, but more importantly, we need to hold our agencies accountable for implementing that strategy.

That leads me to my second requirement, leadership. A lack of high-level leadership on cybersecurity has cost our country dearly over the last several years. The review must clearly delineate roles and responsibilities of each agency involved in the governance of cybersecurity at the Federal level, including DSA, NSA, and DOD; but most importantly, it must describe how the White House will coordinate policy and budgets for each of these different responsibilities. The CSIS Commission recommended, and I fully support, an assistant to the President of Cyberspace Security in the Executive Office of the President, along with support staff to coordinate this effort.

Third, the review must address the many policy and legal shortfalls that exist in protecting our critical infrastructure from cyber attack. Unfortunately, critical infrastructure systems remain the area of greatest vulnerability. While the previous administration relied on a voluntary protection system throughout many of the 18 credible infrastructure sectors, I believe this administration should seek to use a combination of regulations and incentives to ensure that our electricity grid, including the Smart Grid, water facilities, financial systems, and other key infrastructures are properly secured. The framework of this approach should be addressed in the review.

To the witnesses appearing before us today, I thank you for being here.
I welcome your thoughts on the issues I have just discussed, as well as your opinions on what an effective national cybersecurity review should look like. I intend for this subcommittee, as well as the full committee, to continue to play a role in shaping our national security posture.

I would like to just take a moment to acknowledge that we have been joined by the Chairman of this committee, the full committee, Chairman Bennie Thompson. I think this amplifies the importance of today's hearing.

The Chair now recognizes the Ranking Member of the subcommittee, the gentleman from California, Mr. Lungren, for an opening statement.

Mr. Lungren. Thank you very much, Chairwoman Clarke. Thank you for the bipartisan manner in which you have approached the organization of this subcommittee and the informal meetings that we have had. I am looking forward to working with you and with our colleagues who are here present and the others who are Members of this subcommittee, particularly our Chairman, Mr. Thompson, and our Ranking Member of the full committee, Mr. King.

We need in this Congress to address the many threats and challenges that face us and that are under the jurisdiction of this subcommittee. Cybersecurity is certainly one of, if not the most paramount challenge that we have, and I support your decision to highlight the cyber threat with this, our first official hearing.

When I chaired the subcommittee in the 109th Congress that had cyber, the issue of cybersecurity within its jurisdiction, I realized that our first challenge was educating our colleagues and the public on the seriousness of the growing cyber threat. After our classified cyber threat briefing last week, it is clear that much, much more needs to be done. In the words of today's witness, David Powner of GAO, our Nation is under cyber attack and our present strategy and its implementation have not been fully effective in mitigating the threat.
Now, I don't believe that this is because people wanted this to be the case or that there was any conscious effort on the part of Members of Congress or previous administrations or people in the private sector. I just think it is a point of fact that what you can't see, can't feel, can't hear, can't touch, sometimes is not what you pay attention to.

Cybersecurity, the cyber world which is so important to us, is embedded in so much of what we do but we don't see it. I use the old analogy of the refrigerator. I open the refrigerator, and all I want is cold milk. I really don't care how it works. We have that attitude toward the cyber world that is embedded in everything that we do. But we can't have that attitude.

I believe it is particularly true regarding our information infrastructure, which includes our telecommunications and computer networks and systems and the data they contain. Information technology and computer networks increase information sharing and collaboration, which does a tremendous thing: It raises our productivity, lowers our costs and improves performance. Would that the rest of our economy could do as well. However, the rapid growth of the internet and our interconnected computer systems and its networks have, as you so rightly said, made us increasingly vulnerable to things such as cyber crime, cyber espionage, and cyber terrorism.

I fully agree with the central finding of the CSIS Commission's report that cybersecurity is one of the most important security challenges this Nation faces. U.S. cyberspace should be declared a vital national asset, perhaps even a critical national asset. This would help the Federal Government marshal its resources and implement a Comprehensive National Cybersecurity Strategy.
I have felt for some time that we are playing catch-up in detecting and defending against the increasing number and sophistication of today's cyber threats, whether they are of the mischievous nature, of the organized crime nature, of the nation-state nature. I agree we need a national cybersecurity strategy, understanding that cyberspace can't be secured by Government alone, and that is a very important point that we have to stress. However, the Government does need to reorganize and focus its national cyber efforts if we hope to defeat the new cyber threats.

I would also suggest we need a true public/private cybersecurity partnership based on trust and cooperation to protect against this new cyber threat. The private sector, let's make it clear, designs, deploys and maintains much of the Nation's critical infrastructure. Therefore, we must honor their experience, their expertise and their ingenuity--that is, that which is found in the private sector--into a trusted partnership with Government, a partnership where both sides benefit and therefore are eager to cooperate and share information.

It just seems to me that in many cases we should be setting certain standards or goals but not setting the means to get there because the cyber world moves so fast, we really can't catch up with this. Government, by its very nature, moves more slowly. I don't want anything that we do to depress the creativity of the private sector. Therein lies our greatest opportunity to protect ourselves.

I believe the CSIS report's recommendation to create three new public/private groups designed to foster better trust and cooperation on cyber issues is the right approach. They would be a new Presidential advisory committee that connects the White House to the important private-sector cyberspace entities; a national town hall organization that provides dialog for education and discussion; and a new cyber operational organization.
The Bush administration recognized the growing threat on our national security from cyberspace, proposed a Comprehensive National Cybersecurity Initiative in 2008. The CSIS Commission came to a similar conclusion in their December report, ``Securing Cyberspace for the 44th President,'' stating only a Comprehensive National Security Strategy that embraces both domestic and international aspects of cybersecurity will make us more secure. Well said.

Everyone seems to agree that we need to do more, so I am anxious to hear the testimony of our expert witnesses today to help us on that journey so that we may do that which needs to be done to meet this 21st century threat. Once again I thank you, Madam Chairwoman, for the time.

Ms. Clarke. The Chairwoman now recognizes the Chairman of the full Committee on Homeland Security, the gentleman from Mississippi, Mr. Thompson, for an opening statement.

Mr. Thompson. Thank you very much, Madam Chairwoman. Good afternoon. I believe this is the ninth oversight hearing the Homeland Security Committee has held on Federal cybersecurity issues since the beginning of the 110th Congress, and I thank you, Madam Chairwoman, for continuing our oversight efforts.

This is a particularly timely hearing, given the recent resignation of Mr. Beckstrom as director of the National Cybersecurity Center. Some of our biggest challenges in the Federal cybersecurity, reported by dozens of independent observers, including GAO and CSIS, have come as a result of ineffective leadership, unclear organizational structure and poorly defined roles and responsibilities from agencies and private sector.

This is why I, along with many of my colleagues, were very optimistic when Mr. Beckstrom was brought on to lead the National Cybersecurity Center. He has expertise in organizational structure. He has worked extensively in the private sector. But Mr. Beckstrom did not have experience in working miracles, and that is the unfortunate position that the previous administration put him in. Without clear authority or budget, he was placed in a no-win situation.

In his resignation letter, Mr. Beckstrom candidly described the control that is wielded by NSA over the cybersecurity mission today. This parallels the thoughts of some of our witnesses here today.

I don't disagree with the public statements made recently by the DNI, who said that the NSA houses most of the cyber talent in the Federal Government. But I don't think the answer to our problems in cyberspace comes from giving control of the entire Federal Cybersecurity Mission to NSA. I want to clearly state that this committee believes that there should be a creditable civilian government cybersecurity capability that interfaces with, but is not controlled by the NSA.

According to GAO, DHS has not proven itself up to the challenge yet. From our work with DHS through the years, I don't disagree, but there are pockets within DHS showing signs of improvement. US-CERT and the controlled security system program are two of these programs that I believe are demonstrating progress.

I hope the administration can strike the balance between civilian and military cybersecurity capabilities. We here in Congress are looking toward this administration for leadership on this critical issue. I share the Chair's optimism about the President's commitment to cybersecurity, and I hope that, at the end of the 60-day review, we here in Congress will have a clear understanding of the President's vision for cybersecurity.

I yield back the balance of my time, Madam Chairwoman.

Ms. Clarke. Other Members of the subcommittee are reminded that under the committee rules, opening statements may be submitted for the record.

I welcome our distinguished panel of witnesses.
Our first witness is Dave Powner, director for information technology management issues at the Government Accountability Office. Mr. Powner and his team have produced a number of outstanding reports for this subcommittee throughout the last several years, and we are pleased to welcome him back.

Our second witness is Scott Charney, corporate vice president of Microsoft's trustworthy computing group. Prior to Microsoft, Mr. Charney was a principal for PricewaterhouseCoopers, where he led the firm's cyber crime prevention and response practice. Mr. Charney also served as chief of the computer crime and intellectual property section in the criminal division of the U.S. Department of Justice. Mr. Charney was also co-chair of the CSIS Commission on Cybersecurity. Welcome.

Our third witness is Mr. Amit Yoran, chairman and chief executive officer of NetWitness Corporation, a leading provider of network security products. Prior to NetWitness, he was director of the national cybersecurity division at the Department of Homeland Security. He was also chief executive officer and advisor to In-Q-Tel, the venture capital arm of the CIA. Mr. Yoran is a member of the CSIS Cybersecurity Commission.

Our fourth witness is Mary Ann Davidson, the chief secretary--excuse me--the Chief Security Officer at Oracle Corporation, where she is responsible for Oracle product security, as well as security evaluations and assessments. Ms. Davidson represents Oracle on the Information Technology ISAC. She has served on the Defense Science Board and is a member of the CSIS Cybersecurity Commission. Welcome, Ms. Davidson. Nothing against the secretary, but you are chief security officer.

Our fifth witness is Jim Lewis, the director of the Center for Strategic and International Studies and Technology and Public Policy Program. He is also program manager for the CSIS Commission on Cybersecurity for the 44th Presidency. Mr. Lewis has also been a regular witness before this subcommittee, so welcome to you also.

Without objection, the witnesses' full statements will be inserted into the record. I now ask each witness to summarize his or her statement for 5 minutes, beginning with Mr. Powner.

STATEMENT OF DAVID POWNER, DIRECTOR, INFORMATION TECHNOLOGY MANAGEMENT ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE

Mr. Powner. Madam Chairwoman, Chairman Thompson, Ranking Member Lungren, Members of the subcommittee, thank you for inviting us to testify on cybersecurity recommendations for the new administration.

Over the past several years, our work for the subcommittee has highlighted many areas requiring better leadership and management of our Nation's cyber-critical infrastructure, including improving cybersecurity of control systems, strengthening our ability to respond to internet disruptions, bolstering cyber analysis, and warning capabilities and addressing cyber crime.

This afternoon I will provide a progress report of our on-going work for you, Madam Chairwoman, looking at improvements to our Nation's cybersecurity strategy. Specifically, we held panel discussions with nationally recognized experts and these discussions, coupled with GAO's extensive work in this area, have resulted in 12 specific recommendations for the new administration to improve the approach to protecting both Government systems and our Nation's cyber-critical infrastructures. I will now briefly discuss each of the 12.

No. 1, develop a national strategy that clearly articulates strategic objectives and priorities and provides a means for enforcing action and accountability. The current strategy does not do this, nor does it contain requirements to hold responsible organizations accountable.

No. 2, establish a White House office responsible and accountable for leading and overseeing the National Cybersecurity Policy. Currently, DHS is our national security focal point, and they have not delivered on this responsibility.
No. 3, establish a governance structure for strategy implementation. Create a governing body, similar to a board of directors, responsible for reporting and measuring on the strategic priorities. This body should be led by senior executives from key Federal agencies, as well as key sectors. It should be noted that our experts stress that not all Federal agencies and sectors are key cyber players.

No. 4, acknowledge we are in a cyber war with criminal and adversarial nations. Publicize the severity of prior attacks and raise awareness that we are constantly under attack.

No. 5, create or designate an accountable operational cybersecurity organization. White House-led is not the silver bullet, and DHS has a troubled reputation to overcome. Despite tremendous capability, there are concerns about this being an intelligence organization, because a secretive culture runs counter to the need to partner with the private sector. Our experts suggested a cyber defense organization. Clearly, there was no consensus on where this organization should reside, and this will be a tough policy question whether the best approach is to create another organization and how.

No. 6, focus less on creating plans and more on prioritizing, assessing and securing cyber assets. We have created many plans that largely go unused. We need to create a prioritized list of our Nation's cyber assets and work toward securing them.

No. 7, bolster public/private partnerships by providing more incentives for private sector participation.

No. 8, focus greater attention on the global aspects of cyberspace. We should work toward an international global cyber strategy and use international agreements to focus cybersecurity issues and thwart cyber crime, like the Council of Europe's cyber crime convention.

No. 9, modernize our legal framework to better address cyber criminals. Domestic and international law is outdated and it needs to be revised to make it easier to catch and prosecute criminals.

No. 10, better coordinate Government and private sector cyber R&D. Cyber R&D is underfunded and not coordinated.

No. 11, increase the number of skilled cyber professionals, including criminal investigators. Experts suggested that the cybersecurity discipline should be a profession that is licensed.

No. 12, make the Federal Government a model for cybersecurity. The CNCI initiative is a good first step, but the Federal Government has much room for improvement.

In summary, Madam Chairwoman, many large cybersecurity policy questions loom for the Obama administration and the Congress. GAO, CSIS and our expert panel recommendations need to be strongly considered as the game plan is defined over the next several months to provide a more secure cyber America.

This concludes my statement, and I look forward to your questions.

[The statement of Mr. Powner follows:]

Prepared Statement of David Powner
March 10, 2009

GAO Highlights

Highlights of GAO-09-432T, a testimony to the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, Committee on Homeland Security, House of Representatives.

Why GAO Did This Study

Pervasive and sustained computer-based (cyber) attacks against Federal and private-sector infrastructures pose a potentially devastating impact to systems and operations and the critical infrastructures that they support. To address these threats, President Bush issued a 2003 national strategy and related policy directives aimed at improving cybersecurity Nation-wide. Congress and the Executive branch, including the new administration, have subsequently taken actions to examine the adequacy of the strategy and identify areas for improvement. Nevertheless, GAO has identified this area as high-risk and has reported on needed improvements in implementing the national cybersecurity strategy.
In this testimony, you asked GAO to summarize: (1) Key reports and recommendations on the national cybersecurity strategy, and (2) the views of experts on how to strengthen the strategy. In doing so, GAO relied on its previous reports related to the strategy and conducted panel discussions with key cybersecurity experts to solicit their views on areas for improvement.

What GAO Recommends

GAO has previously made about 30 recommendations, mostly directed at DHS, to improve our Nation's cybersecurity strategy efforts. DHS in large part has concurred with GAO's recommendations and, in many cases, has actions planned and under way to implement them.

National Cybersecurity Strategy.--Key Improvements Are Needed to Strengthen the Nation's Posture

What GAO Found

Over the last several years, GAO has consistently reported that the Department of Homeland Security (DHS) has yet to fully satisfy its responsibilities designated by the national cybersecurity strategy. To address these shortfalls, GAO has made about 30 recommendations in key cybersecurity areas including the 5 listed in the table below. While DHS has since developed and implemented certain capabilities to satisfy aspects of its cybersecurity responsibilities, it still has not fully satisfied the recommendations, and thus further action needs to be taken to fully address these areas.

TABLE 1.--KEY CYBERSECURITY AREAS IDENTIFIED BY GAO AS NEEDING FURTHER ACTION
------------------------------------------------------------------------
Item No.
------------------------------------------------------------------------
1. Bolstering cyber analysis and warning capabilities.
2. Completing actions identified during cyber exercises.
3. Improving cybersecurity of infrastructure control systems.
4. Strengthening DHS's ability to help recover from internet disruptions.
5. Addressing cybercrime.
------------------------------------------------------------------------
Source: GAO analysis of prior GAO reports.

In discussing the areas addressed by GAO's recommendations as well as other critical aspects of the strategy, GAO's panel of cybersecurity experts identified 12 key areas requiring improvement (see table below). GAO found these to be largely consistent with its reports and its extensive research and experience in the area.

TABLE 2.--KEY STRATEGY IMPROVEMENTS IDENTIFIED BY CYBERSECURITY EXPERTS
------------------------------------------------------------------------
Item No.
------------------------------------------------------------------------
1. Develop a national strategy that clearly articulates strategic objectives, goals, and priorities.
2. Establish White House responsibility and accountability for leading and overseeing national cybersecurity policy.
3. Establish a governance structure for strategy implementation.
4. Publicize and raise awareness about the seriousness of the cybersecurity problem.
5. Create an accountable, operational cybersecurity organization.
6. Focus more actions on prioritizing assets, assessing vulnerabilities, and reducing vulnerabilities than on developing additional plans.
7. Bolster public/private partnerships through an improved value proposition and use of incentives.
8. Focus greater attention on addressing the global aspects of cyberspace.
9. Improve law enforcement efforts to address malicious activities in cyberspace.
10. Place greater emphasis on cybersecurity research and development, including consideration of how to better coordinate Government and private sector efforts.
11. Increase the cadre of cybersecurity professionals.
12. Make the Federal Government a model for cybersecurity, including using its acquisition function to enhance cybersecurity aspects of products and services.
------------------------------------------------------------------------
Source: GAO analysis of opinions solicited during expert panels.

Until GAO's recommendations are fully addressed and the above improvements are considered, our Nation's Federal and private-sector infrastructure systems remain at risk of not being adequately protected. Consequently, in addition to fully implementing GAO's recommendations, it is essential that the improvements be considered by the new administration as it begins to make decisions on our Nation's cybersecurity strategy.

Madam Chair and Members of the subcommittee: Thank you for the opportunity to join in today's hearing to discuss efforts to protect our Nation from cybersecurity threats. Pervasive and sustained computer-based (cyber) attacks against the United States and others continue to pose a potentially devastating impact to systems and operations and the critical infrastructures that they support.
To address these threats, President Bush issued a 2003 national strategy and related policy directives aimed at improving cybersecurity Nationwide, including both Government systems and those cyber critical infrastructures owned and operated by the private sector.\1\
---------------------------------------------------------------------------
\1\ Critical infrastructures are systems and assets, whether physical or virtual, so vital to nations that their incapacity or destruction would have a debilitating impact on national security, national economic security, national public health or safety, or any combination of those matters. Federal policy established 18 critical infrastructure sectors: Agriculture and food, banking and finance, chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, Government facilities, information technology, national monuments and icons, nuclear reactors, materials and waste, postal and shipping, public health and health care, transportation systems, and water.
---------------------------------------------------------------------------
Because the threats have persisted and grown, a commission--commonly referred to as the Commission on Cybersecurity for the 44th Presidency and chaired by two congressmen and industry officials--was established in August 2007 to examine the adequacy of the strategy and identify areas for improvement.\2\ At about the same time, the Bush administration began to implement a series of initiatives aimed primarily at improving cybersecurity within the Federal Government. More recently, in February 2009, President Obama initiated a review of the Government's overall cybersecurity strategy and supporting activities.
---------------------------------------------------------------------------
\2\ The commission was created by the Center for Strategic and International Studies (CSIS), a bipartisan, nonprofit organization that, among other things, provides strategic insights and policy solutions to decision-makers. Entitled the CSIS Commission on Cybersecurity for the 44th Presidency, the body was co-chaired by Representative James Langevin, Representative Michael McCaul, Scott Charney (Microsoft), and Lt. General Harry Raduege, USAF (Ret).
---------------------------------------------------------------------------
Today, as requested, I will discuss: (1) Our reports, containing about 30 recommendations, on the national cybersecurity strategy and related efforts, and (2) the results of expert panels we convened to discuss how to strengthen the strategy and our Nation's cybersecurity posture.

In preparing for this testimony, we relied on our previous reports on Federal efforts to fulfill national cybersecurity responsibilities. These reports contain detailed overviews of the scope and methodology we used. We also obtained the views of nationally recognized cybersecurity experts by means of two panel discussions on the effectiveness of the current national cybersecurity strategy and recommendations for improvement. In summarizing the panel discussions, we provided all panel members an opportunity to comment on our written summaries, and their comments were incorporated as appropriate. The panelists' names and titles are in appendix I. We conducted our work in support of this testimony during February and March 2009, in the Washington, DC, area. The work on which this testimony is based was performed in accordance with generally accepted Government auditing standards.

background

Government officials are concerned about attacks from individuals and groups with malicious intent, such as criminals, terrorists, and adversarial foreign nations.
For example, in February 2009, the director of national intelligence testified that foreign nations and criminals have targeted Government and private sector networks to gain a competitive advantage and potentially disrupt or destroy them, and that terrorist groups have expressed a desire to use cyber attacks as a means to target the United States.\3\ The director also discussed that in August 2008, the national government of Georgia's Web sites were disabled during hostilities with Russia, which hindered the Government's ability to communicate its perspective about the conflict.
---------------------------------------------------------------------------
\3\ Statement of the Director of National Intelligence before the Senate Select Committee on Intelligence, Annual Threat Assessment of the Intelligence Community for the Senate Select Committee on Intelligence (Feb. 12, 2009).
---------------------------------------------------------------------------
The Federal Government has developed a strategy to address such cyber threats. Specifically, President Bush issued the 2003 National Strategy to Secure Cyberspace \4\ and related policy directives, such as Homeland Security Presidential Directive 7,\5\ that specify key elements of how the Nation is to secure key computer-based systems, including both Government systems and those that support critical infrastructures owned and operated by the private sector. The strategy and related policies also establish the Department of Homeland Security (DHS) as the focal point for cyber CIP and assign the Department multiple leadership roles and responsibilities in this area. They include: (1) Developing a comprehensive national plan for CIP, including cybersecurity; (2) developing and enhancing national cyber analysis and warning capabilities; (3) providing and coordinating incident response and recovery planning, including conducting incident response exercises; (4) identifying, assessing, and supporting efforts to reduce cyber threats and vulnerabilities, including those associated with infrastructure control systems;\6\ and (5) strengthening international cyberspace security. In addition, the strategy and related policy direct DHS and other relevant stakeholders to use risk management principles to prioritize protection activities within and across the 18 critical infrastructure sectors in an integrated, coordinated fashion.
---------------------------------------------------------------------------
\4\ The White House, The National Strategy to Secure Cyberspace (Washington, DC: February 2003).
\5\ The White House, Homeland Security Presidential Directive 7 (Washington, DC: Dec. 17, 2003).
\6\ Control systems are computer-based systems that perform vital functions in many of our Nation's critical infrastructures, including electric power generation, transmission, and distribution; oil and gas refining and pipelines; water treatment and distribution; chemical production and processing; railroads and mass transit; and manufacturing.
---------------------------------------------------------------------------
Because the threats have persisted and grown, President Bush in January 2008 began to implement a series of initiatives--commonly referred to as the Comprehensive National Cybersecurity Initiative (CNCI)--aimed primarily at improving DHS and other Federal agencies' efforts to protect against intrusion attempts and anticipate future threats.\7\ While these initiatives have not been made public, the Director of National Intelligence stated that they include defensive, offensive, research and development, and counterintelligence efforts, as well as a project to improve public/private partnerships.\8\ Subsequently, in December 2008, the Commission on Cybersecurity for the 44th Presidency reported, among other things, that the failure to protect cyberspace was an urgent national security problem and made 25 recommendations aimed at addressing shortfalls with the strategy and its implementation.\9\ Since then, President Obama (in February 2009) initiated a review of the cybersecurity strategy and supporting activities. The review is scheduled to be completed in April 2009.
---------------------------------------------------------------------------
\7\ The White House, National Security Presidential Directive 54/Homeland Security Presidential Directive 23 (Washington, DC: Jan. 8, 2008).
\8\ Statement of the director of national intelligence before the Senate Select Committee on Intelligence, Annual Threat Assessment of the Intelligence Community for the Senate Select Committee on Intelligence (Feb. 12, 2009).
\9\ Center for Strategic and International Studies, Securing Cyberspace for the 44th Presidency, A Report of the CSIS Commission on Cybersecurity for the 44th Presidency (Washington, DC: December 2008).
---------------------------------------------------------------------------
gao has made recommendations to address shortfalls with key aspects of national cybersecurity strategy and its implementation

Over the last several years we have reported on our Nation's efforts to fulfill essential aspects of its cybersecurity strategy. In particular, we have reported consistently since 2005 that DHS has yet to fully satisfy its cybersecurity responsibilities designated by the strategy. To address these shortfalls, we have made about 30 recommendations in key cybersecurity areas including the 5 listed in Table 1. DHS has since developed and implemented certain capabilities to satisfy aspects of its cybersecurity responsibilities, but the Department still has not fully satisfied our recommendations, and thus further action needs to be taken to address these areas.

TABLE 1.--KEY CYBERSECURITY AREAS IDENTIFIED BY GAO AS NEEDING FURTHER ACTION
------------------------------------------------------------------------
Item No.
------------------------------------------------------------------------
1........................................ Bolstering cyber analysis and warning capabilities.
2........................................ Completing actions identified during cyber exercises.
3........................................ Improving cybersecurity of infrastructure control systems.
4........................................ Strengthening DHS's ability to help recover from internet disruptions.
5........................................ Addressing cybercrime.
------------------------------------------------------------------------
Source: GAO analysis of prior GAO reports.
In July 2008, we reported \10\ that DHS's United States Computer Emergency Readiness Team (US-CERT) did not fully address 15 key cyber analysis and warning attributes related to: (1) Monitoring network activity to detect anomalies, (2) analyzing information and investigating anomalies to determine whether they are threats, (3) warning appropriate officials with timely and actionable threat and mitigation information, and (4) responding to the threat. For example, US-CERT provided warnings by developing and distributing a wide array of notifications; however, these notifications were not consistently actionable or timely. As a result, we recommended that the Department address shortfalls associated with the 15 attributes in order to fully establish a national cyber analysis and warning capability as envisioned in the national strategy. DHS agreed in large part with our recommendations.
---------------------------------------------------------------------------
\10\ GAO, Cyber Analysis and Warning: DHS Faces Challenges in Establishing a Comprehensive National Capability, GAO-08-588 (Washington, DC: July 31, 2008).
---------------------------------------------------------------------------
In September 2008, we reported \11\ that since conducting a major cyber attack exercise, called Cyber Storm, DHS had demonstrated progress in addressing eight lessons it had learned from these efforts. However, its actions to address the lessons had not been fully implemented. Specifically, while it had completed 42 of the 66 activities identified, the Department had identified 16 activities as on-going and 7 as planned for the future.\12\ Consequently, we recommended that DHS schedule and complete all of the corrective activities identified in order to strengthen coordination between public and private sector participants in response to significant cyber incidents. DHS concurred with our recommendation. To date, DHS has continued to make progress in completing some identified activities but has yet to do so for others.
---------------------------------------------------------------------------
\11\ GAO, Critical Infrastructure Protection: DHS Needs To Fully Address Lessons Learned From Its First Cyber Storm Exercise, GAO-08-825 (Washington, DC: Sept. 9, 2008).
\12\ At that time, DHS reported that one other activity had been completed, but the Department was unable to provide evidence demonstrating its completion.
---------------------------------------------------------------------------
In a September 2007 report and an October 2007 testimony, we reported \13\ that consistent with the national strategy requirement to identify and reduce threats and vulnerabilities, DHS was sponsoring multiple control systems security initiatives, including an effort to improve control systems cybersecurity using vulnerability evaluation and response tools. However, DHS had not established a strategy to coordinate the various control systems activities across Federal agencies and the private sector, and it did not effectively share information on control system vulnerabilities with the public and private sectors. Accordingly, we recommended that DHS develop a strategy to guide efforts for securing control systems and establish a rapid and secure process for sharing sensitive control system vulnerability information. DHS recently began developing a strategy and a process to share sensitive information.
---------------------------------------------------------------------------
\13\ GAO, Critical Infrastructure Protection: Multiple Efforts to Secure Control Systems Are Under Way, but Challenges Remain, GAO-07-1036 (Washington, DC: Sept. 10, 2007) and Critical Infrastructure Protection: Multiple Efforts to Secure Control Systems Are Under Way, but Challenges Remain, GAO-08-119T (Washington, DC: Oct. 17, 2007).
---------------------------------------------------------------------------
We reported and later testified \14\ in 2006 that the Department had begun a variety of initiatives to fulfill its responsibility, as called for by the national strategy, for developing an integrated public/private plan for Internet recovery. However, we determined that these efforts were not comprehensive or complete. As such, we recommended that DHS implement nine actions to improve the Department's ability to facilitate public/private efforts to recover the internet in case of a major disruption. In October 2007, we testified \15\ that the Department had made progress in implementing our recommendations; however, seven of the nine have not been completed. To date, an integrated public/private plan for internet recovery does not exist.
---------------------------------------------------------------------------
\14\ GAO, Internet Infrastructure: DHS Faces Challenges in Developing a Joint Public/Private Recovery Plan, GAO-06-672 (Washington, DC: June 16, 2006) and Internet Infrastructure: Challenges in Developing a Public/Private Recovery Plan, GAO-06-863T (Washington, DC: July 28, 2006).
\15\ GAO, Internet Infrastructure: Challenges in Developing a Public/Private Recovery Plan, GAO-08-212T (Washington, DC: Oct. 23, 2007).
---------------------------------------------------------------------------
In 2007, we reported \16\ that public and private entities \17\ faced a number of challenges in addressing cybercrime, including ensuring adequate analytical and technical capabilities for law enforcement and conducting investigations and prosecuting cybercrimes that cross national and State borders.
---------------------------------------------------------------------------
\16\ GAO, Cybercrime: Public and Private Entities Face Challenges in Addressing Cyber Threats, GAO-07-705 (Washington, DC: June 2007).
\17\ These public and private entities include the Departments of Justice, Homeland Security, and Defense, and the Federal Trade Commission, internet security providers and software developers.
---------------------------------------------------------------------------
cybersecurity experts highlighted key improvements needed to strengthen the nation's cybersecurity posture

In addition to our recommendations on improving key aspects of the national cybersecurity strategy and its implementation, we also obtained the views of experts (by means of panel discussions) on these and other critical aspects of the strategy, including areas for improvement. The experts, who included former Federal officials, academics, and private sector executives, highlighted 12 key improvements that are, in their view, essential to improving the strategy and our national cybersecurity posture. These improvements are in large part consistent with our above-mentioned reports and extensive research and experience in this area. They include:

1. Develop a national strategy that clearly articulates strategic objectives, goals, and priorities.--The strategy should, among other things: (1) Include well-defined strategic objectives, (2) provide understandable goals for the Government and the private sector (end game), (3) articulate cyber priorities among the objectives, (4) provide a vision of what secure cyberspace should be in the future, (5) seek to integrate Federal Government capabilities, (6) establish metrics to gauge whether progress is being made against the strategy, and (7) provide an effective means for enforcing action and accountability when there are progress shortfalls. According to expert panel members, the CNCI provides a good set of tactical initiatives focused on improving primarily Federal cybersecurity; however, it does not provide strategic objectives, goals, and priorities for the Nation as a whole.

2. Establish White House responsibility and accountability for leading and overseeing national cybersecurity policy.--The strategy makes DHS the focal point for cybersecurity; however, according to expert panel members, DHS has not met expectations and has not provided the high-level leadership needed to raise cybersecurity to a national focus. Accordingly, panelists stated that to be successful and to send the message to the Nation and cyber critical infrastructure owners that cybersecurity is a priority, this leadership role needs to be elevated to the White House. In addition, to be effective, the office must have, among other things, commensurate authority--for example, over budgets and resources--to implement and employ appropriate incentives to encourage action.

3. Establish a governance structure for strategy implementation.--The strategy establishes a public/private partnership governance structure that includes 18 critical infrastructure sectors, corresponding Government and sector coordinating councils, and cross-sector councils. However, according to panelists, this structure is Government-centric and largely relies on personal relationships to instill trust to share information and take action. In addition, although all sectors are not of equal importance in regard to their cyber assets and functions, the structure treats all sectors and all critical cyber assets and functions equally. To ensure effective strategy implementation, experts stated that the partnership structure should include a committee of senior government representatives (for example, the Departments of Defense, Homeland Security, Justice, State, and the Treasury and the White House) and private sector leaders representing the most critical cyber assets and functions. Expert panel members also suggested that this committee's responsibilities should include measuring and periodically reporting on progress in achieving the goals, objectives, and strategic priorities established in the national strategy and building consensus to hold involved parties accountable when there are progress shortfalls.

4. Publicize and raise awareness about the seriousness of the cybersecurity problem.--Although the strategy establishes cyberspace security awareness as a priority, experts stated that many national leaders in business and Government, including in Congress, who can invest resources to address cybersecurity problems are generally not aware of the severity of the risks to national and economic security posed by the inadequacy of our Nation's cybersecurity posture and the associated intrusions made more likely by that posture. Expert panel members suggested that an aggressive awareness campaign is needed to raise the level of knowledge of leaders and the general populace that our Nation is constantly under cyber attack.

5. Create an accountable, operational cybersecurity organization.--DHS established the National Cyber Security Division (within the Office of Cybersecurity and Communications) to be responsible for leading national day-to-day cybersecurity efforts; however, according to panelists, this has not enabled DHS to become the national focal point as envisioned. Panel members stated that currently, DOD and other organizations within the intelligence community that have significant resources and capabilities have come to dominate Federal efforts. They told us that there also needs to be an independent cybersecurity organization that leverages and integrates the capabilities of the private sector, civilian government, law enforcement, military, intelligence community, and the Nation's international allies to address incidents against the Nation's critical cyber systems and functions.
However, there was not consensus among our expert panel members regarding where this organization should reside.

6. Focus more actions on prioritizing assets and functions, assessing vulnerabilities, and reducing vulnerabilities than on developing additional plans.--The strategy recommends actions to identify critical cyber assets and functions, but panelists stated that efforts to identify which cyber assets and functions are most critical to the Nation have been insufficient. According to panel members, inclusion in cyber critical infrastructure protection efforts and lists of critical assets are currently based on the willingness of the person or entity responsible for the asset or function to participate and not on substantiated technical evidence. In addition, the current strategy establishes vulnerability reduction as a key priority; however, according to panelists, efforts to identify and mitigate known vulnerabilities have been insufficient. They stated that greater efforts should be taken to identify and eliminate common vulnerabilities and that there are techniques available that should be used to assess vulnerabilities in the most critical, prioritized cyber assets and functions.

7. Bolster public/private partnerships through an improved value proposition and use of incentives.--While the strategy encourages action by owners and operators of critical cyber assets and functions, panel members stated that there are not adequate economic and other incentives (i.e., a value proposition) for greater investment and partnering in cybersecurity. Accordingly, panelists stated that the Federal Government should provide valued services (such as offering useful threat or analysis and warning information) or incentives (such as grants or tax reductions) to encourage action by and effective partnerships with the private sector. They also suggested that public and private sector entities use means such as cost-benefit analyses to ensure the efficient use of limited cybersecurity-related resources.

8. Focus greater attention on addressing the global aspects of cyberspace.--The strategy includes recommendations to address the international aspects of cyberspace but, according to panelists, the United States is not addressing global issues impacting how cyberspace is governed and controlled. They added that, while other nations are actively involved in developing treaties, establishing standards, and pursuing international agreements (such as on privacy), the United States is not aggressively working in a coordinated manner to ensure that international agreements are consistent with U.S. practice and that they address cybersecurity and cybercrime considerations. Panel members stated that the United States should pursue a more coordinated, aggressive approach so that there is a level playing field globally for U.S. corporations and enhanced cooperation among government agencies, including law enforcement. In addition, a panelist stated that the United States should work towards building consensus on a global cyber strategy.

9. Improve law enforcement efforts to address malicious activities in cyberspace.--The strategy calls for improving investigative coordination domestically and internationally and promoting a common agreement among nations on addressing cybercrime. According to a panelist, some improvements in domestic law have been made (e.g., enactment of the PROTECT Our Children Act of 2008), but implementation of this act is a work in process due to its recent passage. Panel members also stated that current domestic and international law enforcement efforts, including activities, procedures, methods, and laws are too outdated and outmoded to adequately address the speed, sophistication, and techniques of individuals and groups, such as criminals, terrorists, and adversarial foreign nations with malicious intent. Improved law enforcement is essential to more effectively catch and prosecute malicious individuals and groups and, with stricter penalties, deter malicious behavior.

10. Place greater emphasis on cybersecurity research and development, including consideration of how to better coordinate Government and private sector efforts.--While the strategy recommends actions to develop a research and development agenda and coordinate efforts between the Government and private sectors, experts stated that the United States is not adequately focusing and funding research and development efforts to address cybersecurity or to develop the next generation of cyberspace to include effective security capabilities. In addition, the research and development efforts currently underway are not being well coordinated between Government and the private sector.

11. Increase the cadre of cybersecurity professionals.--The strategy includes efforts to increase the number and skills of cybersecurity professionals but, according to panelists, the results have not created sufficient numbers of professionals, including information security specialists and cybercrime investigators. Expert panel members stated that actions to increase the number of professionals with adequate cybersecurity skills should include: (1) Enhancing existing scholarship programs (e.g., Scholarship for Service) and (2) making the cybersecurity discipline a profession through testing and licensing.

12. Make the Federal Government a model for cybersecurity, including using its acquisition function to enhance cybersecurity aspects of products and services.--The strategy establishes securing the Government's cyberspace as a key priority and advocates using Federal acquisition to accomplish this goal. Although the Federal Government has taken steps to improve the cybersecurity of agencies (e.g., beginning to implement the CNCI initiatives), panelists stated that it still is not a model for cybersecurity. Further, they said the Federal Government has not made changes in its acquisition function and the training of Government officials in a manner that effectively improves the cybersecurity capabilities of products and services purchased and used by Federal agencies.

In summary, our Nation is under cyber attack, and the present strategy and its implementation have not been fully effective in mitigating the threat. This is due in part to the fact that there are further actions needed by DHS to address key cybersecurity areas, including fully addressing our recommendations. In addition, nationally recognized experts have identified improvements aimed at strengthening the strategy and in turn, our cybersecurity posture. Key improvements include developing a national strategy that clearly articulates strategic objectives, goals, and priorities; establishing White House leadership; improving governance; and creating a capable and respected operational lead organization. Until the recommendations are fully addressed and these improvements are considered, our Nation's most critical Federal and private sector infrastructure systems remain at unnecessary risk to attack from our adversaries. Consequently, in addition to fully implementing our recommendations, it is essential that the Obama administration consider these improvements as it reviews our Nation's cybersecurity strategy and begins to make decisions on moving forward.

Madam Chair, this concludes my statement.
I would be happy to answer any questions that you or Members of the subcommittee may have at this time. If you have any questions on matters discussed in this testimony, please contact me. Other key contributors to this testimony include Bradley Becker, Camille Chaires, Michael Gilmore, Nancy Glover, Kush Malhotra, Gary Mountjoy, Lee McCracken, and Andrew Stavisky. Ms. Clarke. Thank you very much. Our next witness, I now recognize Mr. Charney to summarize his statement for 5 minutes. STATEMENT OF SCOTT CHARNEY, VICE PRESIDENT, TRUSTWORTHY COMPUTING, MICROSOFT Mr. Charney. Chairwoman Clark, Ranking Member Lungren, Mr. Thompson and Members of the subcommittee, thank you for the opportunity to appear today to provide a perspective on reviewing the Federal Cybersecurity Mission. As you know, I served as one of four co-chairs of the CSIS Commission on Cybersecurity for the 44th Presidency with Representatives Jim Langevin of Rhode Island and Michael McCaul of Texas and General Harry Raduege. I will address four themes that cross many of the recommendations made in the Commission's report. First, we have an immediate need for a comprehensive White House Coordinated National Strategy for Cyber Space Security. Second, we need to to evolve and focus the public/private partnership model. Third, we should consider a new regulatory model designed to ensure that greater regulation, if enacted, protects innovation while providing appropriate Government oversight of cybersecurity issues. Fourth, the internet needs an appropriately deployed identity metasystem, if we are to make the internet dramatically more secure but protect important social values such as privacy and free speech. I will address each of these in turn. First, the need for a Comprehensive and Coordinated National Strategy could not be more clear. In the information age, a country's success is dependent upon information, knowledge, and communications. 
While the growth of the internet in the early 1990's created new beneficial opportunities for all, including individuals, businesses, and governments, it also created unprecedented opportunities for those who would misuse technology. It permits individual criminals, organized crime groups, and nation-states to target all types of sensitive information, from personal information to business information to military information. It is therefore clear that our country's future success requires a Comprehensive Cybersecurity Strategy that engages the relevant agencies of the Government and brings to bear all elements of national power including economic, diplomatic, law enforcement, military, and intelligence authorities. When one recognizes the breadth of the challenge, and the need for a massively decentralized but coordinated response among the Federal agencies, it becomes clear that our National Cybersecurity Strategy and its implementation should be led by the White House. Of course, any successful strategy must include protecting one's own networks from attack. Here it is critical that the Government and private sector work together to improve the state of computer security. Why is partnership required? It is because the private sector drives the design, development, and implementation of the products and services that power cyberspace. We must also have the right objectives. For years the goal of the partnership has been information sharing which will not, without more, secure America's infrastructures. We must establish a more meaningful public/private partnership where the partners work in complementary fashion toward the clearly identified objective of securing America's networks. Consistent with this philosophy the partnership should focus on sharing information that is actionable and building mechanisms that enable meaningful action to be taken. 
With regard to regulation, the Government and private sector should jointly determine the level of security provided by markets, the level of security needed to protect national security, and how the gap between what the markets will provide and what national security demands can be filled most effectively. While this is not a call for broad regulation, it is a recognition that appropriately tailored legislation, legislation that is technology-neutral and recognizes the best practices created by the innovative private sector, may be an important component of any national cybersecurity effort. The fact is, markets respond to customer demand, and most customers, who know more about security issues today than in the past, will not pay for the level of security necessary to protect national security. In short, establishing a cohesive national strategy, a robust public/private partnership and a security model that takes advantage of industry best practices, Government influence, and tailored regulations can dramatically advance security. Finally, creating the ability to identify what person and which device is sending a particular data stream in cyberspace must be part of an effective cybersecurity strategy. Even sophisticated attackers face difficult challenges and find their access restricted because of better authentication. Stronger authentication can also help us create safe places for our children to learn on-line, for businesses to interact with customers, and for Government to serve its citizens. In addition, because the use of digital IDs also reduces the need to authenticate people by having them provide private details about themselves, stronger authentication can enhance both security and privacy. 
Thus, as part of an overall cybersecurity strategy, the Government should accelerate the adoption of authentication technologies by actions such as issuing and accepting digital credentials in appropriate circumstances and working to integrate privacy issues into the design, development, and operation of the resulting identity metasystem. In conclusion, let me say there are complex challenges that obviously will not be solved overnight. Securing America's future in the information age depends upon creating a comprehensive national strategy for cyberspace security, one that simplifies, organizes, and enables effective operational partnerships among the Government, private sector, and internet citizens. There is both an opportunity and a need for leadership as we focus the Nation's attentions on the importance of cybersecurity. I thank this committee for raising this important issue, for considering my written testimony as part of the record, and I look forward to your questions. [The statement of Mr. Charney follows:] Prepared Statement of Scott Charney March 10, 2009 Chairwoman Clarke, Ranking Member Lungren, and Members of the subcommittee, thank you for the opportunity to appear today at this important hearing on cybersecurity. My name is Scott Charney, and I am the corporate vice president for trustworthy computing at Microsoft. I served as one of four co-chairs of the Center for Strategic and International Studies' (CSIS) Commission on Cybersecurity for the 44th Presidency. I served on the Commission as an industry expert with more than 18 years of security technology experience in both the public and private sectors, and have a long history of leading domestic and international cybersecurity efforts. Prior to joining Microsoft, I was chief of the computer crime and intellectual property section in the criminal division of the U.S. Department of Justice. 
I was involved in nearly every major hacker prosecution in the United States from 1991 to 1999, worked on legislative initiatives, such as the National Information Infrastructure Protection Act that was enacted in 1996, and chaired the G8 Subgroup on High Tech Crime from its inception in 1996 until I left Government service in 1999. Representative Jim Langevin (D-RI), Representative Michael McCaul (R-TX), Lt. Gen. Harry Raduege, USAF (Ret.), and I led the CSIS Commission effort, along with project director Jim Lewis of the Center for Strategic and International Studies, to identify key cybersecurity challenges facing the new administration and provide a set of recommendations to address those challenges. Guided by our Congressional co-chairs, we assembled a group of individuals with cybersecurity experience in both Government and industry. The aim of the group was to identify both short-term recommendations that the next administration could implement quickly to make a noticeable improvement in the Nation's cybersecurity, and longer-term recommendations that are critical to the Nation's future cyber-objectives. Thank you for the opportunity to appear today to provide a perspective on ``Reviewing the Federal Cybersecurity Mission.'' I would like to address four specific themes that cross the Commission recommendations including: (1) The need for a comprehensive and coordinated national strategy for cyberspace security; (2) the imperative to radically evolve and elevate the public-private partnership model; (3) the need for an identity metasystem that makes the internet dramatically more secure while protecting important social values such as privacy and free speech; and (4) the necessity for a new regulatory model that protects innovation while providing appropriate Government oversight. comprehensive and coordinated national strategy As the CSIS Commission report makes clear, we are locked in an escalating and sometimes hidden conflict in cyberspace. 
The battle of bits and bytes has very real consequences for America, other nations, the private sector, and even what we have come to call ``the internet citizen.'' Cyberattack joins terrorism and weapons of mass destruction as one of the new, asymmetric threats that puts the United States and its allies at risk. To be clear, there are risks to cyberspace other than those related to security; for example, the increasing number of machines and applications creates a very complex environment with challenging reliability issues, and our increased dependence on information technology makes the availability of systems a national and international imperative. But for the purposes of this testimony, I will confine my remarks to security. The information age has arrived, but the United States has not yet built a comprehensive national cyberspace security strategy. The need for such a strategy has never been more urgent. America's leadership in a connected world cannot be assumed from its leadership in the industrial world. In cyberspace, the country does not remain unchallenged, as recent events have clearly proved. Some of the challenges we face include: America's reliance on interdependent global networks; the misuse of information technologies to support violent extremism; the ability of any individual to engage in activities formerly limited to nation-states (e.g., cyber-military espionage and cyber-warfare); and the ability of any nation, regardless of traditional measures of sophistication, to gain economic and military advantage through cyber programs. In addition to these challenges, the Internet citizen--those individuals who use cyberspace for social and commercial interactions-- is critically relevant to any solution. Unsecured computers can turn everyday users into a launch platform for attacks. Fear about on-line security and availability can have sweeping economic consequences. 
Trust in cyberspace, on the other hand, can create new opportunities, markets, and possibilities. The United States must plan, organize, and act accordingly to develop a national cyberspace security strategy that can address these challenges. Historically, national security strategies have been characterized by their employment of all elements of U.S. power-- economic, diplomatic, law enforcement, military and intelligence. A comprehensive cyberspace security strategy must include these elements and articulate how they will be employed to ensure national security and public safety, ensure economic prosperity, and assure delivery of critical services to the American public. Such a strategy must also recognize the ever-mounting importance of economic security. In the industrial age, power was generally based on physical might; in the information age, power is derived from information, knowledge, and communications. In my opinion, there are three fundamental attributes that span all of the elements of national power. Articulating and advancing a clear understanding of norms, attribution, and deterrence in the context of cybersecurity can dramatically improve the national and international cyberspace ecosystem. Norms.--U.S. foreign policy and diplomatic engagements on issues related to cyberspace security are not as focused as our efforts to combat terrorism or stem proliferation of nuclear weapons. I believe that the United States should marshal its significant diplomatic skills and expertise to advocate for cyberspace security and increase multilateral cooperation. I would caution that advocacy and cooperation are not goals in themselves. We need to focus advocacy and cooperation efforts toward specific outcomes. For example, working with like-minded nations to define clearly articulated norms of nation-state behavior in cyberspace could help to deter state support for cyberattacks or hold nation-states that support such efforts accountable for their actions. 
Attribution.--Attribution of cyberattacks is one of the most fundamental challenges facing the international community and the United States. The inability to attribute attacks can greatly impede the effectiveness of the Nation's response. Too often, valuable time is lost trying to determine if an attack or penetration of a system was an isolated criminal incident or one perpetrated by a foreign intelligence organization. Attributing the source is essential to ensuring the appropriateness of response--criminal prosecution or military/ diplomatic measures. Absent strong attribution abilities, international and national strategies to deter acts will not be taken seriously by the community of attackers who thrive on this diagnostic weakness, nor by criminals that prey on citizens' inboxes and on-line accounts. Thus, we must focus on identity and authentication in cyberspace and enhancing swift international cooperation on cyberattacks. Deterrence.--Deterrence did not happen overnight in the Cold War; the concept and strategy took several years to develop. Deterrence in the information age is perhaps even more complicated due to the lack of attribution and the inability to identify strong mechanisms to prevent hostile actions. But the United States can learn important lessons from the nuclear experience. In the Cold War, the United States kept sensitive information secret, but disclosed enough about our strategy and capabilities that allies and adversaries alike understood our commitment to national security and our ability to protect it. We must do the same for cyberspace. Deterrence is very difficult when adversaries and bad actors are motivated and persistent. In order to improve cyberspace security in a meaningful way, deterrence requires a clear and unambiguous commitment by our Nation and understanding by the spectrum of bad actors--from cybercriminals, to organized crime, to nation-states--that violations of our cybersecurity have consequences. 
What makes deterrence successful is commitment, broadly known and broadly felt. The sheer number of extremely important issues that transcend agency boundaries suggests that the coordination of any national cybersecurity strategy must reside within the one organization responsible for ensuring that the Government acts as one Government. If the Government wants to use all the instruments of its power--economic, diplomatic, law enforcement, military, and intelligence--then the center of gravity must be in the White House. I support the Commission's recommendations that, if implemented, would elevate the priority of cybersecurity and improve its strategic coordination. Creating a National Office for Cyberspace in the Executive Office of the President will provide the interagency coordination required to identify, assess, and manage cyberspace risks. This office does not need to assume or manage all cybersecurity functions; rather, it should have a tightly defined mandate to develop strategy and coordinate the implementation of that strategy by the agencies that have jurisdiction over the elements of national power. It must also be recognized that the White House office will be best able to provide strategic leadership only when the agencies of Government responsible for executing their respective cybersecurity responsibilities are staffed with experienced and competent professionals who are resourced appropriately. As you know, President Obama has directed the National Security Council and Homeland Security Council to initiate a 60-day review of the plans, programs, and activities under way throughout the Government that address cyberspace security. According to the White House, the review will build upon existing policies and structures to formulate a new vision for a national public-private partnership and an action plan to: Enhance economic prosperity and facilitate market leadership for the U.S. 
information and communications industry; deter, prevent, detect, defend against, respond to, and remediate disruptions and damage to U.S. communications and information infrastructure; ensure U.S. capabilities to operate in cyberspace in support of national goals; and safeguard the privacy rights and civil liberties of our citizens.\1\ --------------------------------------------------------------------------- \1\ http://www.whitehouse.gov/blog/09/03/02/Cyber-review-underway/. --------------------------------------------------------------------------- A successful cyberspace security strategy requires more than a plan and an organization; it requires partnership. The private sector drives the design, development, and implementation of the products and services that power cyberspace. Our technical expertise and experience in the global marketplace make us key partners in developing national and international cyberspace security strategies. For more than a decade, the Government and the private sector have partnered to address various aspects of cybersecurity, but this partnership has not achieved the robust results that are needed to protect cyberspace effectively. Therefore, my next key recommendation is to redesign that partnership. radically evolve public-private partnerships to advance cyberspace security Cyberspace security is a shared challenge and requires Government and the private sector to work together. The private sector designs, deploys, and maintains much of the Nation's critical infrastructure. However, the private sector faces unique challenges because its customer base and supply chains are global. It also builds commercial products that can be targeted by sophisticated adversaries, including nation-states. Private sector firms are increasingly being forced to think about security challenges that cannot reasonably be mitigated by commercially realistic development practices, especially as users remain price-sensitive. 
The Government also faces challenges. Unlike certain other traditional aspects of national security, cyberspace cannot be secured by the Government alone; it requires a coordinated effort involving the owners, operators, and vendors that make cyberspace possible. The bifurcation of responsibility (the Government must protect national security) and control (it does not manage the assets or provide the functions that must be protected) dictates the need for a close partnership with clearly defined roles and responsibilities that optimizes the capabilities of participating stakeholders. Since the 1990s, well-intended public-private partnerships have been created to address this need, yielding a perplexing array of advisory groups with overlapping missions, different stakeholders with varying capabilities, insufficiently articulated roles and responsibilities, and plans with literally hundreds upon hundreds of recommendations. In the few instances where groups overcame institutional adversities and developed meaningful recommendations, the repeated unwillingness or inability to implement those recommendations at the Federal level has damaged the partnership significantly. Absent a comprehensive national strategy and clear purpose, both Government and private sector stakeholders will continue to struggle to be effective. Advancing cyberspace security requires a radical evolution of public-private partnerships as we currently know them. What does radical evolution mean? The Federal Government and private sector stakeholders must articulate a new philosophy for collaboration, one that starts with a very simple premise: Government and private sector efforts should be synergistic and efficient. This requires that the Government and private sector: (1) Identify those security requirements that will be fulfilled by the market; (2) identify national security requirements; and (3) identify how the gap between market security and national security can be filled. 
This effort must be focused on protecting functions (e.g., communications) as opposed to simply physical assets. Moreover, we must build operational partnerships that let us effectively mitigate and respond to threats. Finally, to the extent important work is on-going, the parties must identify what works and have the courage to retire what does not, even though retiring organizations may be viewed as draconian by those who have invested in these efforts in the past. As part of the evolution, it is important that the public-private partnership concentrate on what is truly critical to cyberspace security and build trusted and effective collaboration between Government and private sector stakeholders. What functions are critical? The Commission identified four critical cyber-infrastructures: Energy; Finance; Converging information technology and communications;\2\ and --------------------------------------------------------------------------- \2\ Outside the United States, this is referred to as the ICT sector. See ``Telecommunications Task Group Final Report,'' CSIS Cybersecurity Commission http://www.csis.org/media/csis/pubs/ 081028_telecomm_task_group.pdf, for more information on why ``the boundary between information, information technology, and telecommunications services has become almost indistinguishable.'' --------------------------------------------------------------------------- Government services (including State and municipal governments). This is not to suggest that all these infrastructures are identical. If power fails, the cascading effect is immediate and significant; by contrast, the result of an attack on Government will depend upon what Government service is affected. In essence, energy and information technology and communications form the backbone of cyberspace, and the availability of Government services and finance are particularly important for national security. 
While other infrastructures depend on cyberspace, an interruption of their operations would not broadly affect cyberspace itself. If energy, finance, the converging information technology and communications networks, along with Government services, can continue to function as intended while under attack, cyberspace will continue to support the Nation. Thus, these infrastructures should be the focus of a more attentive cyberspace security effort. Trusted and Effective Collaboration The majority of public-private partnership efforts to date have focused on information sharing. While information sharing is important, it cannot be--as it had been to date--the end goal; rather, we must focus instead on sharing information that is actionable and then taking action. The CSIS Commission recommended three new partnership groups to advance beyond information sharing to enable trust and action. I will focus my comments on the two that would most significantly and immediately enhance our cybersecurity and resiliency by permitting better strategy development and operational collaboration. Evolve Strategic Presidential Advisory Bodies Trust is the foundation of a successful partnership between Government and the private sector. In the past few years, despite good intentions on both sides, trust between Government and the private sector has declined. Trust is built on personal relationships and in small groups, with parity of stakeholders and demonstrated commitment. Large, diffuse groups with floating engagements among a range of participants are not conducive to building the level of dialogue that promotes trust. When the President brings C-Level officers to the table and addresses challenges in a trusted forum, he can drive a powerful set of changes in the cyber-ecosystem. 
Advisory committees that engage senior-level Government and private sector personnel, such as the National Security and Telecommunications Advisory Committee (NSTAC) and the National Infrastructure Advisory Council (NIAC), have served past presidents well. However, the split between national security and emergency preparedness communications and cybersecurity is artificial and dangerous. In the information age, with its converged information technology and communications infrastructure, the distinction between these two groups creates overlap and limits progress on developing and improving cyberspace security capabilities. Accordingly, the Commission recommended establishing the President's Committee for Secure Cyberspace to replace the NSTAC and NIAC. In addition to establishing the proposed Committee for Secure Cyberspace as a C-level membership organization operated under the Federal Advisory Committee Act, the administration should act to reform current decision-making bodies in Government that do not have private sector involvement. For example, the Joint Telecommunications Resources Board (JTRB), which is chaired by the Office of Science and Technology Policy, consists of agencies such as the Department of Defense (DOD), the Department of Homeland Security, the General Services Administration, and the Department of Commerce.\3\ The JTRB is chartered to make decisions on how to prioritize telecommunications resources in a non-wartime crisis, yet absent an effective channel into the private sector, the JTRB would be challenged to fulfill its charter. Another parallel entity is the National Cyber Response Coordination Group, an organization intended to help identify and coordinate response to a cyber-based crisis. Unfortunately, this interagency Government group does not have a meaningful way to engage the private sector, thus limiting its strategic and tactical effectiveness. 
--------------------------------------------------------------------------- \3\ Executive Order 12472, ``Assignment of National Security and Emergency Preparedness Telecommunications Functions,'' section 2(b)(3), April 3, 1984, available at http://www.ncs.gov/library/policy_docs/ eo_12472.html. --------------------------------------------------------------------------- Create Operational Collaboration Over the past 10 years, there have been several attempts to improve operational coordination between and among key Government and private sector stakeholders, but these have met with limited success. For example, the private sector has invested in and maintained information sharing and analysis centers, but they are all too often ignored by Government agencies. The Commission recommended creating a new organization, the Center for Cybersecurity Operations (CCSO), to address operational issues that affect cyber infrastructure. I strongly support creating a more effective model for operational collaboration to move us from the less effective partnerships of the past to a more dynamic and collaborative self-governing approach involving cybersecurity leaders from Government, industry, and academia. Collaboration is not about plans; it is about outcomes. To create actual operational collaboration, we must learn from the experiences of the past. Collaboration is more than information sharing and is more than coordination; collaboration involves stakeholders working together, jointly assessing operational risks, and developing and implementing mitigation strategies. 
I would like to add to the Commission recommendation and suggest that an effective collaboration framework for public-private partnerships should include focused efforts to: Exchange technical data (at the unclassified level as much as possible), with rules and mechanisms that permit both sides to protect sensitive data; Create global situational awareness to understand the state of the computing ecosystem and events that may affect it; Analyze the risks (threat, vulnerabilities, and consequences) and develop mitigation strategies; When necessary and consistent with their respective roles, respond to threats; and Develop cyber threat and risk analytics as a shared discipline. For example, one could combine Government and private sector information and then use the private sector's expertise in analyzing large data sets in pseudonymous ways to get new insights into computer security without raising privacy concerns. What needs to be accomplished over the long term, and the operational mission, must be clear and articulated; the roles of Government and industry must be well-defined; and all participants must demonstrate commitment and continuity to achieve success. The goal is a trusted and focused collaborative alliance for both strategy and operations among the Government, academia, and the private sector. take action today to create a more secure tomorrow On-line collaboration, commerce, and, in some instances, public safety depend on trust. Today the mechanisms to provide authentication and attribution in cyberspace do not meet the needs of the internet citizen, enterprises, or governments. The lack of trust stems in part from our inability to manage on-line identities effectively and the excessive reliance on voluntary efforts to close key gaps in security. 
Identity Imperatives In the context of national security, weak identification and authentication limit an organization's ability to enforce security policies to protect sensitive information and systems, and hinder effective Government and industry response to cyber attacks. From an economic security perspective, these weaknesses prevent internet users from taking reasonable steps to protect themselves from dangerous parties. Creating the ability to know reliably the person and/or device that is sending a particular data stream in cyberspace must be part of an effective cybersecurity strategy. Even sophisticated attackers face difficult challenges--and find their access restricted--because of better authentication. This need for improved identity and authentication in cyberspace has been documented in numerous forums, and Government and industry are progressing on multiple initiatives to address it. For example, in the United States, the Federal Financial Institutions Examination Council's (FFIEC) Guidance for Authentication in an Internet Banking Environment has spurred the use of stronger authentication in online banking. The experience of the DOD was that intrusion into its networks fell by more than 50 percent when it implemented Common Access Cards (CAC). Homeland Security Presidential Directive 12 (HSPD-12) (``Policy for a Common Identification Standard for Federal Employees and Contractors'') is another U.S. authentication initiative which requires Federal agencies to improve their identity and credentialing processes, using smart cards to secure both physical and logical access to Federal facilities and networks. These and other Federal initiatives have had success, but it is often limited to the sector or domain in which they are attempting to effect change. Past efforts to radically improve identity management for cybersecurity have not failed due to lack of awareness regarding the problem, nor a lack of efforts to address it. 
Much more simply, there are too many disparate efforts resulting in stove-piped policies and technologies that conflict and compete with each other, instead of driving toward a coordinated, interoperable, scalable security- and privacy-sensitive solution. There is also, particularly in the consumer sector, a serious ``chicken-and-egg'' problem: Consumers are not interested in robust on-line identity tokens because Government and commercial sites do not consume them, and Government and commercial sites do not build technology to consume such tokens because, after all, no consumer has them. I want to re-emphasize a point made earlier: Any successful public-private partnership should start with the premise that the Government should fill market gaps in security. Thus, as part of an overall cybersecurity strategy, the Government should accelerate the adoption of authentication technologies by supporting the creation and use of digital credentials. This would include issuing and accepting such credentials in appropriate circumstances, catalyzing the private sector market for digital identities, and establishing the appropriate governance structure for the issuance, use, revocation, and destruction of digital credentials. The use of digital IDs also reduces the need to authenticate people by having them provide private details about themselves, known as Personally Identifiable Information or PII. This usage would reduce the need to transmit, store, and use private information to identify individuals, thus increasing privacy and helping prevent crimes such as identity theft. Stronger authentication, combined with appropriate rules regarding the use of such authentication mechanisms, could enhance both security and privacy. 
I recognize that efforts to improve authentication raise sensitive privacy and civil liberties issues, but it is possible to improve authentication for critical functions without unduly compromising our values.\4\ This can be done if we integrate privacy issues into the design, development, and operation of the identity metasystem. --------------------------------------------------------------------------- \4\ For more on this topic, including how the Government can ensure privacy is protected in a better authenticated environment, see the White Paper on Establishing End-to-End Trust, www.microsoft.com/ endtoendtrust (pp. 6-7). --------------------------------------------------------------------------- The Role of Regulation Opinions vary widely on how industry and Government can best work together to more effectively increase cybersecurity across critical infrastructures and Government. But even if public and private cooperation is optimized and operationalized, that will not provide the level of security necessary to meet national security demands. This is true because markets respond to customer demand and most customers, even though more aware of security issues today than in the past, will not pay for the level of security likely necessary to protect national security. This recognition, however, does not mean the first step to address the gaps between the current and desired states of security should be broad-based regulation. Rather, the Government should encourage a balanced approach, one that combines industry self-regulation with Government influence (through, for example, procurement regulations) and then includes carefully tailored regulation when necessary. I believe such a combined approach can be highly effective without unduly raising the costs for users and stifling the very innovation that is needed to make infrastructures more secure. 
When security gaps are identified--and neither market forces nor non-regulatory Government intervention suffices to address that gap-- Government should focus on adopting the regulatory model suggested by the CSIS Commission. In this model, industry identifies the best practices, and the Government ensures their adoption and works to harmonize requirements across sectors. I would also add that any Government regulation should follow certain key principles: It should solve a clearly identified problem; it should neither be under- inclusive (fail to solve the problem fully) nor over-inclusive (address more than the problem); it should not be crafted in a way that creates unintended consequences; and it should be technology-neutral and not create hard-to-modify statutorily imposed technology requirements that stifle innovation and prevent further enhancements in security. Progress in cyberspace security is not without cost. Voluntary efforts have closed many security gaps but have not done enough. Establishing a cohesive national strategy with a robust public-private partnership will create a framework for tailored regulations that can advance identity and trust in a manner that markets alone cannot. moving forward The first major Presidential document on emerging threats in cyberspace was published more than a decade ago when the President's Commission on Critical Infrastructure Protection released its seminal report.\5\ At that time, only 1.7% of the world's population (70 million people) had internet access. In the years that have followed, the world has changed dramatically. Attacks have evolved from exploits designed to garner attention to targeted stealth attacks that are designed for more nefarious purposes, such as conducting identity theft, economic espionage, and military espionage. 
In 2008, almost a quarter of the world's population (more than 1.5 billion people) had internet access, and it continues to grow.\6\ The rise of the internet has permitted new forms of social connection, and created new educational and economic opportunities. But the richness of cyberspace also permits criminals, foreign intelligence organizations, and nation- states to exploit cyberspace for profit, espionage, or conflict. Securing America's future in the information age depends upon creating a comprehensive national strategy for cyberspace security, one that simplifies, organizes and enables operational partnerships between and among Government and private-sector stakeholders, including internet citizens. --------------------------------------------------------------------------- \5\ http://cip.gmu.edu/archive/ 5_PCCIPCriticalFoundations_1097_full_report.pdf. \6\ http://www.internetworldstats.com/emarketing.htm. Ms. Clarke. I thank you for your testimony. I now recognize Mr. Yoran to summarize his statement for 5 minutes. STATEMENT OF AMIT YORAN, CHAIRMAN AND CHIEF EXECUTIVE OFFICER, NETWITNESS CORPORATION Mr. Yoran. Ms. Chairwoman and Members of the committee, thank you for the opportunity to testify on Reviewing the Federal Cybersecurity Mission and for your attention to this important topic. My name is Amit Yoran and I have a lot to say, so I will skip reading my bio and jump right into it. An effective national cyber effort must leverage the intelligence community's superior technical acumen and scalability. However, it is in grave peril if this effort is dominated by the intelligence community. Simply put, the intelligence community has always and will always prioritize its own collection efforts over the defensive and protection mission of our Government's and Nation's digital systems. When intelligence operations discover a compromise, the decision to inform system defenders or not lacks transparency. 
Mission conflict exists between those defending systems and those attempting to collect intelligence or counter-intelligence insights. The current series of cyber programs called for billions of dollars in funding for intelligence and centralized security efforts, but are designed with very little emphasis on helping defenders better protect the systems housing our valuable data and business processes. For instance, the Center for Disease Control, which houses sensitive research and information about biological threats such as anthrax, has ongoing cyber incidents which it lacks the personnel and technologies to adequately investigate. In the face of spending billions more on centralized cyber intelligence activities, the CDC's cyber budget is being cut by 37 percent. Intelligence-focused national efforts are overclassified, to the point where catastrophic consequences are highly probable. High levels of classification prevent the sharing of information necessary to adequately defend our systems. For instance, IP addresses, when classified, cannot be loaded into defensive monitoring systems. It also creates insurmountable hurdles when working with a broad range of Government IT staffs that do not have appropriate clearances, let alone when trying to work with, communicate, and partner with the private sector. Classification cannot be used effectively as a cyber defensive technique, only one for avoiding responsibility and accountability. Overclassification leads to a narrowly limited review of any program. One of the hard lessons learned from the terrorist surveillance program is that such a limited review can lead to ineffective legal vetting of a program. The cyber mission cannot be plagued by the same flaws as the TSP. An immediate, thorough, and transparent legal analysis of the governance, authorities, and privacy requirements should be performed on the efforts used to both protect our IT systems as well as all cyber collection activities. 
Given the broad concerns of overclassification and its cascading consequences, conducting these reviews must be a high-priority task. Cyber research investments are practically nonexistent at a time when bold new visions need to be explored. The Department of Homeland Security has demonstrated inefficiency and leadership failure in its cyber efforts. While pockets of progress have been made, administrative incompetence and political infighting have squandered meaningful advancement for years now, while our adversaries continue to aggressively press their advantage. DHS has repeatedly failed to attract or retain the leadership and technical acumen required to successfully lead in the cyber mission. While the tendency would be to move the cyber mission to the NSA, it would be ill-advised for all the reasons I provide in my much longer written testimony. We must enable civil government to succeed in its mission of defense or also concede that the private sector, too, cannot succeed in its defensive mission and subjugate them to intelligence support. DHS is the natural and appropriate place for public/private partnership and cooperative activities, including those in cyber. The current set of public/private partnerships is at best ill-defined. They categorically suffer from meaningful value creation or private sector incentives for participation. Such incentives might include tax credits, fines, liability levers, public recognition, or even occur at an operational level through mechanisms such as the sharing of threat intelligence, technical knowledge, incident response support, to name just a few. Trust relationships when dealing in cybersecurity matters are absolutely critical. In discussions among privacy and civil liberties groups, the role of the NSA in monitoring or defending U.S. networks is debated. Should such intelligence programs exist, DHS should be very cautious before participating in, supporting, or engaging in these activities. 
The Department's ability to fulfill its primary mission and responsibilities may be permanently damaged by a loss of public confidence and trust. At a bare minimum, in order to preserve this trust, any interaction with domestic intelligence efforts should be explicitly and clearly articulated. Sufficient transparency may serve to increase public trust and confidence and offset concerns raised by uncertainty and the uninformed. DHS must be formally charged with and enabled to build an effective cyber capability in support of securing our Federal civilian systems. Special provisions should be made in the hiring, contracting, human resources, and political issues within the cyber mission of DHS to prevent it from remaining a victim of the Department's broader administrative failures. DHS should be given specific emergency authorities to address security concerns in civil systems, to include the ability to measure compliance with security standards, protocols, and practices, and take decisive action where organizations are not applying reasonable standards of care. At present, the operational cybersecurity arm of DHS, US-CERT, remains politically torn apart into three components, completely subjugated to a cadre of detailees from the intelligence community. In order to regain efficiency, the Department's operational security activities must be reconsolidated in the US-CERT. This operational mission is not resourced to succeed with less than 20 Government FTEs and a budget of only $67 million. Ms. Clarke. Mr. Yoran, I am just going to ask if you can summarize and we will probably pick up on more of your testimony through questions. Of course, we have your full testimony in the record. Mr. Yoran. Yes, Madam Chairwoman. The newly focused DHS US-CERT should report directly to the Secretary of DHS, just as NTOC reports to the Director of NSA. 
The cyber responsibilities of the Department must not remain buried in the Department or, alternatively, they must be removed and placed in an independent agency where they can succeed. Thank you. [The statement of Mr. Yoran follows:] Prepared Statement of Amit Yoran March 10, 2009 Ms. Chairwoman and Ranking Member, thank you for the opportunity to testify before the Homeland Security Committee on Reviewing the Federal Cybersecurity Mission. My name is Amit Yoran and I am the CEO of the NetWitness Corporation, a company providing next generation cybersecurity monitoring technologies to the U.S. Government and private sector, including Fortune 500 companies delivering critical infrastructure cyber protection to the Nation. I serve as a member of the CSIS Cyber Commission advising the 44th Presidency and on numerous security industry advisory bodies. Previously I have served as the first Director of the National Cyber Security Division (NCSD) in standing up the United States Computer Emergency Readiness Team (US-CERT) and Einstein program at the Department of Homeland Security (DHS), as founder and CEO of Riptech, a leading managed security services provider, and as manager of the Vulnerability Analysis Program (VAP) of the U.S. Department of Defense's Computer Emergency Response Team (DoD CERT). I received a Bachelor of Science degree in Computer Science from the United States Military Academy at West Point and a Master of Science in Computer Science from The George Washington University. Over the past 15 years, automation and use of computer systems have permeated every aspect of modern life. Our Nation is entirely reliant upon computer systems and networked technologies in everything from national security and intelligence activities to commerce and business operations to power production and transmission to personal communications and correspondences. Today's internet has become one of the unifying fabrics driving globalization at an increasingly accelerated pace. 
It represents the core means by which personal and organizational interactions occur whether those communications take the form of internet email or simply phone calls, which invariably traverse the cyber realm. Beyond its role as a communications medium, computer-based automation and technology are the driving forces behind every major industrial and economic base in the world. Simply put, computer technologies and communications represent the greatest threat to and opportunity for expansion of the U.S. values system. evolving into a national cyber strategy The past 2 years have brought about an unprecedented level of Federal focus and attention on cyber security matters culminating in a portfolio of activities commonly referred to as the Comprehensive National Cyber Initiative (CNCI). Advocacy for CNCI under the Bush administration resided in the Office of the Director of National Intelligence (ODNI), under whose charge the billions of dollars in programs were conceived and orchestrated. While many of the CNCI programs are well intended and designed, there are several significant flaws in adopting the Bush administration's CNCI as an on-going national cyber strategy. White House leadership. The Obama White House is currently conducting a comprehensive 60-day review of cyber. The purpose of the review is to develop a strategic framework to ensure that ``initiatives in this area are appropriately integrated, resourced and coordinated both within the Executive Branch and with Congress and the private sector.'' This review effort will culminate in recommending an optimal White House organizational structure for dealing with the cyber challenges facing our national and economic security as well as ``an action plan on identifying and prioritizing further work in this area.'' For the reasons outlined below, an effective national effort to address cybersecurity can only succeed through continuous, active, and decisive White House leadership. Intelligence. 
An effective national cyber strategy must leverage the strength of the intelligence community. As information and computer-based technologies increasingly permeate how the world works, opportunities abound to improve the types, quantity, and quality of intelligence the community can provide at various levels of classification to its consumers. In the primary intelligence functions of collection, analysis, and dissemination, cyberspace can provide an effective aspect to operations. The volumes of information and the diversity of sources can quickly become overwhelming. The intelligence community must continue to refine its ability to evaluate the quality and value of such information and accurately assess it in order to assure its appropriate dissemination to decisionmakers. This should include improved functionality around attribution in cyberspace. There is a clear and distinct conflict of interest between intelligence objectives and those of system operators. Simply put, intelligence organizations prioritize the intelligence and counter-intelligence missions, which in cyber focus on monitoring adversaries, determining their methods and techniques, tracking their activities to a point of origin, and determination of compromise scope, attack intent, and the adversary's objectives. While these are very important, they frequently conflict directly with the information assurance objectives of system owners and operators, who are primarily concerned with system defense and protection, and in the event of compromise, a speedy restoration to a functional and assured state. This distinction in core objectives is critical because it represents the difference between programmatic emphasis on information gathering, or system resilience and availability. For instance, intelligence and law enforcement entities often prioritize attack attribution, while almost no emphasis is placed on attribution by those defending systems. 
Rather than sharing information with operators and better informing them as to how they can defend and monitor themselves, an intelligence community- centric mindset around cyber would limit information exchange and instead focus on enabling the intelligence community to perform an expanded and aggregated monitoring program. Such a monitoring program would face significant cost and scalability impediments. We must remember the purpose for a monitoring program. Are we in fact monitoring to enable better defenses? Who makes the decisions to inform the defense? It is a clear conflict of interest for those who collect to make this decision. The decision should be a balanced one. Prioritizing the intelligence mission also has significant resource allocation implications. Amid news stories of billions of dollars in cyber spending under CNCI a majority of resources are going to intelligence and centralized monitoring activities. For instance, the Center for Disease Control, where sensitive information resides about biological threats, such as anthrax, has on-going incidents which they do not have the manpower or technology to adequately investigate. In the face of these challenges, this year the CDC's cybersecurity budget will be reduced by 37%. For ill-defined reasons, the CNCI led by ODNI has been shrouded by a high degree of secrecy and lack of transparency. The plan itself is so classified that even Members of Congress have not been provided copies and industry has had no access to the document. While the need for high levels of classification may exist in certain components of a national cyber effort, such as offensive capabilities or for the protection of sources and methods, such a broad over-classification is counterproductive to supporting an effective cyber defense. Such information is prevented from being shared with operators, most of which do not hold adequate clearances and creates significant hurdles when trying to defend unclassified systems. 
In recent examples adversary internet addresses used in attacks and their various attack methods have been classified to the point they were not broadly available for defensive purposes or provided through channels. In numerous cases this roadblock prevented information from being used effectively in cyber defense and provided further advantage to our adversaries. If you cannot or will not share useful information with cyber defenders, their job is made far more difficult. As the private sector is increasingly the target of foreign intelligence efforts, a national cyber effort will need to further evolve its abilities in working with the private sector. Most importantly, over-classifying a national cyber strategy prevents adequate public review and debate to assure that the programs are designed optimally, contain the highest level of innovation, and are well-aligned with and informed by the total body of knowledge of the cyber security profession. Often classification is used to hide weaknesses found. Classification cannot be used effectively as a cyber defensive technique, only one for avoiding responsibility and accountability. Over-classification leads to a narrowly limited review of any program. One of the hard-learned lessons from the Terrorist Surveillance Program (TSP) is that such limited review can lead to ineffective legal vetting of a program. The cyber mission cannot be plagued by the same flaws as the TSP has been. Intel loss/gain analysis has historically been performed by the intelligence community's judgment without substantive subject matter input from those whose systems are being damaged. If the intelligence community takes on a leadership role for the cyber mission it is likely that additional monitoring programs will be put in place to find the adversary. 
While the technical acumen within NSA is strong, better controls over operations would be needed to reduce the natural emphasis on collection and instead prioritize the protection and availability of Government and industry systems. The cyber mission suffers in favor of the intelligence mission all too often. While protecting sources and methods, the intelligence community needs to better inform public and private sectors on the threat environment and how they can better defend themselves. Moreover, some organizations may be less likely to act responsibly and invest properly in monitoring and defending their own systems if they feel as though they can rely on some federated intelligence monitoring operation. Research and Development. The current paradigm in cyber security is not likely to change significantly through improved security products, monitoring, and incident response capabilities. While the private sector makes significant investment in incremental product, application, and protocol improvements; fundamental research is required to meaningfully improve the security of the cyber and critical infrastructures. According to the CSIS Commission work, ``The federal government plans to spend about $143 billion in 2009 on R&D. We estimate that two-tenths of 1 percent of that will go to cybersecurity.'' An inherently Government investment must drive long-term research agendas in cybersecurity, where private sector focus on shorter-term commercialization limits results to more tactical or incremental advancements. The Department of Homeland Security's Science and Technology Directorate invests less than $20 million per year on cybersecurity research efforts, a far cry from any responsible level of resource allocation. The Government should not use this money to be in the security product development business, especially via classified venues. 
In an overwhelming majority of instances, Government cyber requirements are substantially similar to if not exactly the same as the private sector and only in the rare cases where they are not or in classified instances, do specific tactical Government development efforts make sense to consider. In addition, it is a fact that there is a severe lack of qualified engineers needed to develop these systems. Today, the majority of these engineers are employed by the security industry. The Government and intelligence community should guide and assist in functional requirements for the development of technologies which can help us best address the sophisticated cyber threat environment, not enter the product development business. The resulting improvement in security technologies will not only benefit the Government in protecting its systems, but will also benefit the Nation's critical infrastructure operators and rest of the shared internet fabric that joins our digital world. Additionally, Government development efforts have stranded enterprise cyber defenders without the benefits of product management, maintenance, and professional support. Standards and Acquisition reform. The CSIS Commission report provides a lot of insight into how the Government can positively improve its situation as well as security of private networks by leveraging its expertise in standards, setting and using its procurement size to effect product vendor behaviors. We also need to consider more dynamic methods for systems procurement and lifecycle management as the current processes seem marginally nimble enough to enable the purchase of a battle tank or fighter jet. Antiquated and poorly maintained systems compound our challenges. The systems on Federal networks average 5 years old. Unlike responsible parties in the private sector, Federal networks frequently do not have centralized patching, vulnerability understanding, or adequate monitoring technologies and processes. 
Simply put, they are not achieving or maintaining an appropriate standard of care by any responsible measure. It should be understood the reasons for this are a lack of IT and IT security governance. The technology here is not overly complex; the real challenge is the people and the process. The average Government executive, whether DoD or civil, stays in his/her position for an average of 18 months. There is little or no reason to look ahead at the next executive's tenure and budget or plan for the life cycle management or security of a system 18 months later. In addition, because planning was not done in the previous executive's tenure, the system the executive has to care for is more likely than not to be in an unkempt, dated, and insecure state. There is no governance mechanism or motivation for Government systems to plan, budget, or perform best practice life-cycle management which can significantly reduce risk of loss. Please see the recently published Consensus Audit Guidelines for a reasonable approach to minimal security practices. Legal Review and Privacy Oversight. Congress and the Obama Administration must work together to modernize authorities. FISMA and Clinger-Cohen are dated and fraught with politics and games. Without hard-hitting, detailed legislation that structures governance and authorities no program will succeed. Today the CNCI is not codified. HSPDs 54 and 23 are not supported by legislation, therefore are not mandated. An immediate, thorough, and transparent legal analysis of the governance, authorities, and privacy requirements should be performed on both the efforts used to protect IT systems as well as an analysis with the requisite understanding of intelligence and national security law for all cyber collection activities. Given the broad concerns of over-classification, conducting these reviews must be a high priority task. An effective national cyber function requires an informed privacy function. 
Privacy issues need proper review and advocacy when designing various Government cyber security programs, especially those of the intelligence and law enforcement communities. An effective program should be implemented in a non-partisan fashion by qualified privacy professionals who are not members of the executive or legislative branches and have fixed terms of service without eligibility for reappointment or extension terms. Security can be implemented with and even contribute to enhanced privacy, but it is not easy and often not without strong and deliberate privacy advocacy and oversight. Homeland Security. The Department of Homeland Security (DHS) has demonstrated inefficiency and leadership failure in its cyber efforts. While pockets of progress have been made, administrative incompetence and political infighting have squandered meaningful progress and for years now our adversaries continue to aggressively press their advantage. Recently, the Director of National Intelligence, Admiral Dennis Blair, told the House intelligence committee that, ``the NSA, rather than the Department of Homeland Security which currently oversees cybersecurity, has the smarts and the skills to secure cyberspace.'' In his assessment of both organizations he is absolutely correct. DHS has repeatedly failed to either attract or retain the leadership and technical acumen required to successfully lead in the cyber mission space. On a number of occasions proven, talented, and knowledgeable leaders from within the Government or successful experts from the private sector have joined the Department in hopes of meaningful contribution. In its cyber responsibilities DHS has a consistent track record for tolerating political infighting, individual egos, and shenanigans over prioritizing and executing its cyber responsibilities in a mature fashion. While the tendency would be to migrate the cyber mission to the NSA, that would be ill-advised for all of the reasons provided earlier. 
In Rod Beckstrom's resignation letter last week, he states, ``NSA effectively controls DHS cyber efforts thru detailees, technology insertion and the proposed move of NPPD and the NCSC to a Ft. Meade NSA facility. NSA currently dominates most national cyber efforts . . . The intelligence culture is very different than a network operations or security culture. In addition, the threats to our democratic processes are significant if all top level government network security and monitoring are handled by any one organization.'' This could not have been more accurately stated. We must enable civil government to succeed at this mission. This being said, it is far past time we fix the DHS problems and move forward. Public-Private Partnership. In addition to defining increased security functionality and assurances for Commercial Off the Shelf Software (COTS), the Government must work more closely with the private sector and understand their businesses if it is to be effective in constructing useful partnership programs. Programs managed in a vacuum by the intelligence community at a highly classified level are unlikely to work well and in concert with system operators within the Federal Government, let alone in the private sector, where not only are mission objectives completely foreign, but where there are very few people with Government clearances. Government programs need to focus on open dialog and information exchange, and enabling the private sector to better understand the security challenges they face and how they might be overcome with the help of the Government. DHS is the natural and appropriate placement for public-private partnership and cooperative activities, including those in cyber security. The current set of public-private partnerships are at best ill-defined. While well- intentioned and occasionally valuable information is brought to the Department, they categorically suffer from meaningful value creation to the private sector. 
A deeper understanding of how cyber defense and security operations are implemented in the private sector is required by those crafting the evolution of these programs so that adequate incentives can be appropriately incorporated going forward. Such incentives might include tax consequences, fines, liability levers, public recognition, or even occur at an operational level, such as the sharing of threat intelligence, technical knowledge or incident response support to name just a few. Due to its fluid nature, trust relationships when dealing in cyber security matters are at least as strongly emphasized as in physical security. In news reports and discussions among privacy and civil liberties groups the role of the NSA in monitoring or defending domestic private networks is debated. Should such intelligence programs exist, DHS should be very careful to distance itself from participation, support, or engagement in these activities. The Department's ability to fulfill its primary mission and responsibilities may be permanently damaged by a loss of public confidence and trust. At a bare minimum, in order to preserve public trust, its interaction with domestic intelligence collection efforts should be explicitly and clearly articulated. NCSC and US-CERT. Congress and the administration should focus DHS where it can have the greatest positive impact. The Department's culture migrates toward increasing its own mission scope and infrequently emphasizes a crawl, walk, run mentality. Sometimes, it's just time to close PowerPoint and Word, stop the rhetoric and simply roll the sleeves up and begin the actual work at hand. For instance, spending the Department's limited resources on advocacy programs for better software development, where the Department has very limited experience, expertise, and credibility is of exceptionally limited value. 
The US-CERT works to support the security of Government networks through design, deployment and monitoring of the Einstein series of programs to enhance situational awareness, be the centralized incident reporting authority for the Federal civilian networks, facilitate efficient incident response and cleanup efforts, support the private sector through information exchange with critical infrastructure operators, and work with IT and IT security product vendors to assure that they can address the needs of the broader Federal Government and critical infrastructures. At present the US-CERT remains torn apart into three arms; a technology deployment arm (led by an intelligence community detailee), a security arm (managing the Trusted Internet Connection program), and the operations arm (performing the core US-CERT mission). This stove-piping has added political strife, inability to spend 2009 money this year, and defocusing all from accomplishing the single US-CERT mission. In order to regain any efficiency, the Department's operational security role, which has been ripped apart by years of political infighting, must be reconsolidated in the US-CERT. The critical work of the US- CERT with its operational mission is not resourced to succeed (fewer than 20 Government FTEs, a budget of only $67 million out of the Department's $355 million spend on cybersecurity). Additionally, the US-CERT must be led by a single Federal civil executive. The coordination function of the National Cyber Security Center is underutilized. Rod Beckstrom's recent resignation claims that only 8 weeks of the annual funding have been provided to it. His concerns for NSA management control of DHS' cyber efforts apply to the US-CERT as well, which reports to a detailee from the USSS, who reports to a detailee from NSA/Navy. All special assistants around the Acting Assistant Secretary are also NSA detailees. 
The US-CERT must be provided appropriate staffing levels to move forward and given adequate funding. Not doing so cannot help but send the strongest message to the cyber community, the rest of Government, the intelligence community, and the private sector that cybersecurity does not matter to DHS leadership and the Department's role is unnecessary. A newly focused cyber mission must report directly to the Secretary of DHS. This critical mission has been sought aggressively by so many parties, but resisted so strongly by the Department responsible for its successful execution. Cyber must not remain buried in the bureaucracy of DHS or, alternatively, it must be removed and placed where it can succeed.

The House Homeland Security Committee and Congress should work with the Executive branch to assure these fundamental changes are made:

1. DHS must be charged with and enabled to build an effective cyber capability in support of securing Federal civilian systems.
    a. Make special provisions in the hiring, contracting, human resources, and political issues within the cyber mission of DHS to prevent it from remaining a victim of the Department's broader administrative failures.
    b. Enable the US-CERT to stand up the capabilities necessary to assist in the defense of Federal civil government as a component of the Federal civil agency charged with defending the homeland.
    c. DHS should also be given specific emergency authorities to specifically address security concerns in civil systems, to include the ability to measure compliance with security standards, protocols, and practices and take decisive action where organizations are not applying reasonable standards of care.

2. Flesh out, define roles, responsibilities and authorities of DHS, DoJ, DoD, NSA, and other Federal departments and agencies engaged in securing digital infrastructure. Such a framework should be publicly stated so that trust and confidence in cyber programs can be restored.
It will also be a critical step in guiding more informed and consistent interactions with the private sector. Steps must also be put in place to allow the White House, Congress, departments and agencies to have visibility, input, and clear oversight into the process and solutions.

3. Adequate resourcing for success.
    a. A large-scale reallocation of the DHS cyber monies toward the programs which are operational and provide meaningful value add to its responsibilities to the Federal civil networks is needed.
    b. There exist stronger network controls and millions of dollars spent by DoD and NSA to protect the DoD networks, and they still are under-resourced to adequately defend themselves. Only a fraction of that is being spent to defend Federal civilian systems and in reality those networks are by comparison 10 times larger than the Defense Department's.

Thank you for the opportunity to testify. I would be happy to answer any questions you may have at this time.

Ms. Clarke. I thank you as well for your testimony. I now recognize Ms. Davidson to summarize her statement for 5 minutes.

STATEMENT OF MARY ANN DAVIDSON, CHIEF SECURITY OFFICER, ORACLE CORPORATION

Ms. Davidson. Chairwoman Clarke, Members of the subcommittee, my name is Mary Ann Davidson. I am Chief Security Officer for Oracle. Thank you for the opportunity to testify regarding the important issue of cybersecurity.

The Declaration of Independence states all men are created equal. All information systems, however, are not. The truth of the statement should be self-evident but it isn't, and therein lies a risk to our freedoms. The ubiquity, flexibility, and configurability of information systems have led to circumstances in which software designed for a particular purpose and environment is too often deployed in an environment it was never designed for, without any thought or explicit acceptance of the risks in so doing.
There is no substitute for knowing up front what you need software for, how it is going to be deployed, and what risks you can accept and what risks you won't. The time to make these determinations is during procurement, not afterwards. The Navy does not purchase container ships and try to deploy them as aircraft carriers, nor does the Air Force purchase Gulfstream V's and try to configure them as F-22 Raptors. While there is nothing wrong with container ships or Gulfstream V's, they were not designed for the operational needs or the threat environment that aircraft carriers and F-22s were designed for. Why then is information technology somehow different? It isn't. Good security, like good hardware, starts in procurement: Knowing what you need, how it will be used, and explicitly describing the threat environment for deployment. Use procurement wisely and aggressively.

This brings me to my second point. Information technology is mission-critical, not merely mission-enabling. Our entire economy rests on an IT backbone; in particular, our homeland security and our military's ability to prosecute war rests on an IT backbone. DOD continues to invest in network-centric operations, which is all about getting the right information to the right warrior at the right time and the right battlespace. This makes the network itself the battlefield and therefore, DOD needs to enhance the treatment of information systems as a core mission specialty as well as using information systems offensively. Absent this capability, the DOD will not be able to use IT as the force multiplier it is. Just as General Patton knew his tanks and their technical capabilities very well, not just merely how to deploy them, our military and homeland security leaders need to know how to deploy and embrace the full capability of IT. Putting it differently, do we envision having a contractor at the helm of an aircraft carrier? If not, then why would our cyber offense be any different?
General Patton also knew that the 3rd Army would stop without supplies of gas. Netcentric armies stop without supplies of information. Only by holding capability for both functions in esteem can offense inform defense.

This brings me to my third point. We are in a conflict. Some would say a war. Let's call it what it is. Given the diversity of potentially hostile entities building cadres of cyber warriors probing our systems, including our defense systems, for weaknesses, infiltrating U.S. Government networks and making similar attempts against American businesses and critical industries, is there any other conclusion to be reached? There are three obvious outgrowths from the above statement. One is that you can't win a war if you don't admit you are in one. The second is that nobody wins on defense. The third is that we need a doctrine for how we intercede in cyberspace that covers both offense and defense and maps to existing legal and societal principles in the off-line world. In short, Congress should consider developing a 21st century application of the Monroe Doctrine. The need for a framework to guide the Government's role in response to foreign aggression is a point that Melissa Hathaway has specifically noted during her review and an area where this subcommittee can work with the National Security Council.

You may recall that the Monroe Doctrine, introduced in 1823, said that further efforts by European governments to interfere with the States in the Americas, the Western Hemisphere, would be viewed by the United States as acts of aggression, and the United States would intervene. The Monroe Doctrine is one of our longest-standing foreign policy tenets, invoked on multiple occasions by multiple Presidents. We have, as the expression goes, sent in the Marines and the rest of our Armed Forces to uphold it. Some may argue that cyberspace is virtual and unsuited to declared spheres of influence.
But even internet protocol addresses map to physical devices in physical locations we care about: Critical infrastructures such as a server for a utility company in New York or a bank in California. Note that the Monroe Doctrine did not detail the same intervention or even specific intervention for each perceived act of aggression, but merely laid out ``Here is our turf, stay out or face the consequences,'' language that allowed great flexibility in terms of potential responses. We need not militarize all elements of U.S. cyberspace any more than invoking the Monroe Doctrine meant creating permanent military encampments throughout the Western Hemisphere. The advantages of invoking a Monroe Doctrine in cyberspace would be to put the world on notice that the United States has cyber turf, and the second is that we will defend our turf. We need to do both now.

Thank you and I look forward to your questions.

[The statement of Ms. Davidson follows:]

Prepared Statement of Mary Ann Davidson

Chairwoman Clarke, Members of the subcommittee, my name is Mary Ann Davidson, and I am Chief Security Officer for Oracle. For more than 30 years, information security has been a central part of Oracle's software DNA, and is a big reason why the Federal Government is Oracle's largest customer. Thank you for the opportunity to testify regarding the important issue of cybersecurity.

1. The Declaration of Independence states ``All men are created equal.'' All information systems, however, are not. The truth of this statement should be self-evident but it isn't, and therein lies a risk to our freedoms. The ubiquity, flexibility, and configurability of information systems have led to circumstances in which software designed for a particular purpose and environment is too often deployed in an environment it was never designed for, without any thought or explicit acceptance of the risks in so doing.
Without properly scoping our requirements we are faced with an all-or-nothing approach to cyberspace, simultaneously putting at risk our civil liberties, our homeland security and the women and men of our armed forces.

Let me give you a present-day example: I had a most frightening conversation with a highly placed official in the Defense Department who said that DoD wanted to use popular social networking software and that (direct quote) ``you in industry need to secure it.'' My response to that statement: ``What is DoD going to use the software FOR? `Hi, I'm an al Qaeda operative. I like long walks on the beach and IEDs. Will you friend me?' '' Without an appropriate context, I noted to the gentleman, there is no magic security dust we in industry can sprinkle on technology that is already ``out there and being used,'' especially if we do not know what it is being used for. Certainly there are legitimate scenarios where we may want to permit our troops to use social networking software as a morale booster, including contact with their family and friends, but the technical and policy-based security requirements around that use case are different from a use case where the DoD might use similar technology for operational purposes.

There is no substitute for knowing upfront what you need software for, how it is going to be deployed, and what risks you can accept and what risks you won't. The time to make those determinations is during procurement, not after. The Navy does not purchase container ships and try to deploy them as aircraft carriers. Nor does the Air Force purchase Gulfstream Vs and try to configure them as F-22 Raptors. There is nothing wrong with container ships or Gulfstream Vs, by the way, but they were not designed for the operational needs or--and I emphasize this last point--threat environment that aircraft carriers and F-22s were designed for. Why, then, is information technology somehow ``different?'' It isn't.
Private industry and Government agencies have varying use cases and threat environments in cyberspace, just as they share different requirements in the real world. And where privately run information systems can benefit from defensive technologies informed by our offensive capabilities--to use a metaphor--this rising tide will lift all ships in cyberspace.

Unfortunately, many think software is so flexible and configurable, that one size fits all applications. It doesn't. The military already knows this, but sometimes they need an occasional reminder. When I was a naval officer, I had many different uniforms: dress blues, dress whites, tropical whites, khakis, and utility greens. Each had its purpose. Should one be foolish enough to wear dress blues to a firefight, it isn't merely that you will be breaking uniform regulations; you aren't going to be adequately protected, either. You wear body armor to a firefight. While cost is one consideration in deployment, it need not be the only one, unless we plan on digging up old Lee-Enfield rifles and giving them to the Marine Corps instead of the M-16s they now use. ``You get what you pay for'' is as true in software as in anything else.

Good security, like good hardware, starts in procurement: Knowing what you need, how it will be used, and explicitly describing the threat environment for deployment. Use procurement wisely and aggressively. This brings me to my second point.

2. Information technology is mission critical, not merely mission enabling. Our entire economy rests on an IT backbone: The acronym ``IT'' therefore represents ``infrastructure technology'' as much as ``information technology.'' In particular, our homeland security and our military's ability to prosecute war rests on an IT backbone. DoD continues to invest in network-centric operations, which is all about getting the right information to the right warrior at the right time in the right battlespace.
Therefore, the network itself is the battlefield because the network is what our enemies will attack if they want to deny us the ability to use our own technology (or in an attempt to use our technology against us). Given that DoD has bet the farm on information systems, it needs to enhance its treatment of information systems as a core mission specialty in supporting roles as well as using information systems offensively as a warfare specialty. Absent this capability, the DoD will not be able to fully use IT as the force multiplier it can be. Just as Patton knew his tanks and their technical capabilities very well, not just merely how to deploy them, our military and homeland security leaders need to know and embrace the full capability of IT. Putting it differently, do we envision having a contractor at the helm of an in-theatre aircraft carrier? If not, then why would our cyber offense be any different?

Note that the ability to deploy and support systems itself is also a critical mission specialty, just as, say, supply/logistics is a staff function in the military but a critical one. Patton knew very well that armies stop without supplies of gas; net-centric armies stop without supporting information systems. Furthermore, only by holding capability for both functions in esteem can ``offense inform defense'' and vice versa.

We must also remember the strength of the American economy rests on the flexibility afforded the private sector to innovate and market those innovations globally. In the same way our Nation's electrical grid, pipelines, roads, and railways support our military but are not run by our military, our critical cyber infrastructures and the companies who create them cannot simply fall under military control. Of course our Government should defend our cyber interests, but in the same way we would abhor a military presence at every intersection, we must also ensure civilian control over the normal operation of our digital highways.
This brings me to my third point.

3. We are in a conflict--some would say a war. Let's call it what it is. Given the diversity of potentially hostile entities building cadres of cyberwarriors, probing our systems--including our defense systems--for weaknesses, infiltrating U.S. Government networks and making similar attempts against American businesses and critical industries, is there any other conclusion to be reached?

Whatever term we use, there are three obvious outgrowths from the above statement. One is that you can't win a ``conflict''--or war--if you don't admit you are in one. The second is that nobody wins on defense. The third is that we need a doctrine for how we intercede in cyberspace that covers both offense and defense and maps to existing legal and societal principles in the off-line world. In short, Congress should consider developing a 21st century application of a Monroe-like Doctrine. The need for a framework to guide the Government's role in response to foreign aggression is a point that Melissa Hathaway has already noted during her 60-day interagency review of the Federal cybersecurity mission, and an area where this subcommittee can productively collaborate with the National Security Council.

For those a tad rusty on their U.S. history, the Monroe Doctrine (introduced December 2, 1823) said that further efforts by European governments to interfere with states in the Americas--the Western hemisphere--would be viewed by the United States as acts of aggression and the United States would intervene. The Monroe Doctrine is one of our longest-standing foreign policy tenets: Invoked on multiple occasions by multiple presidents, including Teddy Roosevelt, Calvin Coolidge, Herbert Hoover, and John Kennedy. We have, as the expression goes, sent in the Marines--and the rest of our armed forces--to support the Monroe Doctrine.
Note that the Monroe Doctrine did not detail the same intervention or even specific intervention for each perceived act of aggression, merely laid out ``here is our turf; stay out or face the consequences'' language that allowed great flexibility in terms of potential responses. Some may argue that cyberspace is ``virtual'' and unsuited to declared spheres of influence. But even internet protocol (IP) addresses map to physical devices in physical locations we care about--critical infrastructures such as a server for a utility company in New York, for example, or a bank in California.

The advantages of invoking a Monroe-like Doctrine in cyberspace would be to put the world on notice that the United States has cyber ``turf,'' (properly and narrowly scoped--we should not claim all cyberspace as our turf). The second is that we will defend our turf. We need to do both. Now.

As I mentioned earlier, having a military response capability does not mean militarizing all elements of U.S. cyberspace any more than invoking the Monroe Doctrine meant necessarily creating permanent encampments throughout the Western hemisphere. Nor should a cyber-Monroe Doctrine lead to permanent Government encampments in private networks, or become a mandate for unilateral intervention in all of cyberspace. With proper guidance, various Government agencies and the private sector can find their natural role in guarding our cyber infrastructures in a framework similar to how we currently protect our real-world interests.

To summarize:

Technology is only a force multiplier if you pick the right technology for the intended use and intended threat environment.

The Government must make security an explicit part of procurement, funding appropriately skilled staff to execute these procurement requirements while recognizing that some non-commercial requirements will incur additional costs.
We need a skilled cadre of Government information technology professionals--both offense (in the military) and defense (throughout the entire Government).

We need the cyber-equivalent of the Monroe Doctrine for our 21st-century information age that respects the boundaries of our shared ownership of the Nation's cyber infrastructure.

Ms. Clarke. We thank you for your testimony. I now recognize Mr. Lewis to summarize his statement for 5 minutes.

STATEMENT OF JAMES A. LEWIS, PROJECT DIRECTOR, CENTER FOR STRATEGIC AND INTERNATIONAL STUDIES

Mr. Lewis. Thank you and thank you to the committee for the opportunity to testify. The new administration has a real opportunity to improve our Nation's security in cyberspace, but there are many difficult issues it has to address, and the work of this committee will be essential in helping to guide that effort.

You know, the President has directed the National Security Council to undertake a 60-day review. This review is an important step. Cyberspace, as you have heard, has become one of the central pillars of our economy and our national security. Securing cyberspace will help enable recovery and future growth. Officials involved in the review have told me it is forward-looking, with a broad scope. It will lay out a strategic framework for the United States.

In my testimony, I would like to discuss how to assess the review. The Center for Strategic and International Studies issued a report in December on steps the next President could take. We made many recommendations and whether you like our recommendations or not, I believe strongly that we identified the right issues. Any review that does not address the issues we identified will be inadequate. Among our recommendations there are two that I think are crucial. The first is the need for clear leadership from the White House, and the second is a comprehensive plan for moving ahead. We undertook a long discussion of who should lead the Federal cybersecurity effort.
It looked at many agencies: Defense, FBI, GSA, DHS, the intelligence community. We were concerned with agency authorities and competencies, but also with the signal that a lead agency would send to the public and to the world. The United States should avoid being perceived as militarizing the internet, and it should avoid solutions that give rise to concerns over privacy and civil liberties. In the end, we decided only the White House had the necessary authority.

Clear White House leadership is essential, but it has to be accompanied by a truly strategic plan, a truly strategic plan--a truly comprehensive plan, I am sorry. What does comprehensive mean? It means going beyond an effort to secure Government networks. It means integrating offensive and defensive strategies and looking at how to improve attribution and identity in cyberspace. It means engaging with foreign nations, something we have not done particularly well. It means accepting that the Federal Government must use its regulatory powers if we are to make any progress.

I want to emphasize the need to develop regulatory strategies, because this has been largely overlooked in previous national efforts. Regulation is necessary when market forces alone will not provide security. We were careful to note in our report that a new approach is needed, one that avoids both prescriptive regulations, but also rules that are so diluted as to be meaningless. New regulation must be developed in partnership with the private sector, but with the Government setting the goals and ensuring compliance. My own view is that regulation is essential if we are to give substance to public/private partnerships. Regulation gives us an opportunity to improve cybersecurity in critical infrastructure, something this committee has worked on in the past and you will be working on, I understand, in the future. The work of this committee has made a tremendous contribution. It helped guide us in writing the report.
Regulation of critical infrastructure will become increasingly important. The stimulus package envisions spending on infrastructure and it will build security in. This is a good idea, but when we come to the question of what precisely needs to be done to make new projects secure, we don't know the answer, and we don't have the time or the people to develop that answer. A failure to invest in infrastructure modernization for almost 2 decades has made it impossible to build both quickly and securely. Smart Grid projects are an example of this. Smart Grid uses, for example, advanced meters to measure and manage the flow of electricity. These new meters are based on network technologies. Unfortunately, if the new smart meters are not secure, they can be hacked. Regulation can play a role in remedying this by giving Government the ability to mandate actions that mitigate our new vulnerabilities. But if we do not build the regulatory foundation now, the United States will be put at risk.

Let me summarize quickly. It is always difficult batting clean-up because everyone has already said everything. But we need somebody in charge at the White House who will implement a comprehensive plan. That plan has to include strategies for international engagement and for domestic regulation. Then we need to move out. Okay. I thank the committee and look forward to your questions.

[The statement of Mr. Lewis follows:]

Prepared Statement of James A. Lewis

March 10, 2009

I thank the committee for the opportunity to testify on the Federal Cybersecurity Mission. I believe that the new administration has a real opportunity to make a significant difference in improving our Nation's security in cyberspace, but there are many difficult issues that it must address. The work of this committee will be essential for helping to guide that effort. As you know, the President directed that the National Security Council undertake a 60-day review of the U.S. approach to cybersecurity.
Federal officials involved in the review have told me that this is a forward-looking effort with a broad scope. It looks beyond securing Federal networks, which was the focus of the last administration's efforts, and will endeavor to lay out a strategic framework for the United States. The decision to undertake this broad review is an important step forward for our Nation.

Cyberspace has become one of the central pillars of our economy and our national security. The adoption of network technologies since the 1990's by the United States has been a source of both competitive advantage and rapid growth. The digital infrastructure is now essential. More importantly, expanding our digital advantage offers the possibility for continued increases in productivity and innovation. Securing cyberspace will help enable recovery and future growth.

Reaping the full advantage of digital technologies will require real improvement in cybersecurity. Estimates of the damage to our economy are imprecise, but millions of dollars are lost each year to fraud and theft, millions of dollars worth of intellectual property lost to foreign competitors, with the total easily reaching into the billions. One of my fears is that as we increase spending on research and science as part of the stimulus package, we are actually subsidizing the research of our economic and military competitors since they can easily access work that cost us millions to develop for only a few dollars. There is of course additional risk that insecure digital networks could allow foreign militaries and intelligence services, criminals, or other groups, to disrupt the provision of crucial services that are either provided by or depend upon digital technologies.
It is easy to overstate the consequences of this sort of attack, and much of the discussion of cybersecurity over the last decade has involved some very silly and exaggerated scenarios for national disaster, but the risk is real and growing, and any national security strategy that does not address it is inadequate.

Where are we today in cyber security? From one perspective, we are in remarkably bad shape. In the last year, we have seen the networks of the two Presidential campaigns, secure networks at the U.S. Central Command and computer networks in Congress and other Federal agencies penetrated by outsiders. 2007 saw a number of significant penetrations of major Federal agencies by an unknown foreign power. The Secretary of Defense's unclassified email was hacked. The Department of Commerce's Bureau responsible for high tech exports was off-line for more than a month. The networks of the Departments of State and Energy, NASA, and other Federal agencies were penetrated and according to public reports, immense quantities of information downloaded. The networks of Federal contractors, the defense industry and other leading companies were also penetrated. Again, our statistics on this are imprecise, as companies prefer to conceal their losses or in many instances may not even be aware they have been hacked. Poor cybersecurity damages national security and drains our economy.

In response to this crisis, the Bush administration created its Comprehensive National Cybersecurity Initiative (known as CNCI). This initiative made real progress in securing Federal networks. CNCI included Einstein, a technology that monitors Federal networks for intrusion. It included the Trusted Internet Connection initiative, TIC. It looked at the question of how to use Federal procurements to improve cybersecurity in an effort known as the Federal Desktop Core Configuration--FDCC.
The CNCI included several other initiatives and projects, some of which were underway by the time the Bush administration ended. Overall, it was a major step forward.

However, the CNCI had several major drawbacks. It began in the last year of the Bush administration. This late start was a serious impediment and one advantage for the Obama administration is that it came into office understanding that securing cyberspace is a major strategic issue. The CNCI was highly and unnecessarily classified. A few of its elements deserved being labeled top secret, but most did not, and the difficulties that over-classification created for coordinating with the private sector and with our allies seriously impeded the Bush administration effort. Finally, and most importantly, the Comprehensive National Cybersecurity Initiative, despite its name, was not comprehensive. This was its greatest failing. The CNCI focused on the ``dot.gov'' space, on Government networks, and while this is important, it is inadequate for cybersecurity. The task involves a global network largely operated by the private sector. The CNCI did not have a serious international component and it did not adequately address how to secure critical infrastructure or the ``dot.com'' space where most commercial activity takes place. These were serious shortcomings, and they point to crucial areas for work by the new administration.

At the same time that the previous administration began work on the CNCI, the Center for Strategic and International Studies created a commission to develop recommendations for the 44th Presidency on how to improve cybersecurity. CSIS is a nonpartisan, nonprofit research center organization headquartered in Washington, DC with more than 200 staff and a large network of affiliated experts. Its research focus is on security in a changing global environment.
CSIS has been working on cybersecurity issues for many years and this work led us, in the face of the damaging events of 2007, to establish this Commission. When we began our work and for many months afterwards, we did not know of the CNCI. Officials involved in the CNCI initially declined our invitations to participate in order to preserve the initiative's secrecy. The report produced by this commission--I note that the other private sector witnesses on this panel were members of the group--laid out a truly comprehensive approach to securing cyberspace. Thirty-eight thousand copies have been downloaded from the CSIS Web site. We were guided by the conclusions that Federal disorganization and an over-reliance on voluntary efforts had damaged our national security.

To summarize our recommendations:

Create a comprehensive national security strategy for cyberspace that uses all the tools of U.S. power in a coordinated fashion--international engagement and diplomacy; military planning and doctrine; economic policy tools; and the involvement of the intelligence and law enforcement communities.

Publish a public doctrine for cyberspace. The President should state publicly that the cyber infrastructure of the United States is a vital asset for national security and the economy and that the United States will protect it, using all instruments of national power.

Clarify governance and responsibility for cyber security and establish White House leadership for cybersecurity based on Presidential Strategy and Directives.

Use regulation to set minimum standards for securing cyberspace, to ensure that the delivery of critical services can continue when we are attacked.

Mandate strong authentication for access to critical infrastructure. Strong authentication can significantly improve defense, if it is done in a way that protects privacy and civil liberties.
Use acquisition policies and rules to drive security, to encourage the development and use of products and services that are secure, based on standards and guidelines developed in partnership with industry.

Build human capital and improved technologies for securing cyberspace by expanding research, training, and education.

Refocus and strengthen public-private partnerships and focus them on action, not information sharing.

Build on the CNCI effort, as part of a larger and more transparent comprehensive effort to secure cyberspace.

It is a lengthy list, but this reflects the overarching importance of cyberspace to our Nation and the complexity of the problems involved in securing it. I believe that the issues we identified are central for improving national security, and the 60-day review must address them.

Two recommendations deserve additional scrutiny in the context of the 60-day review. These are governance and regulation.

We had a lengthy set of discussions in the CSIS commission on how best to organize for cyberspace. We considered many agencies for the lead role, including the Departments of Defense and Homeland Security, the FBI, the General Services Administration, and the intelligence community. Three problems drove us to reject an agency-led approach.

First, the mandate of any one agency would have to be greatly expanded to fully cover cybersecurity. Agency legal authorities differ widely, and none--law enforcement, military, or intelligence--are by themselves adequate for the range of cyber problems. We did not think that a super agency with broad domestic and international powers made sense.

Public perception is important.
Giving the intelligence community the lead in cybersecurity, although initially attractive to some of us because of the strong capabilities these agencies possess, would trigger powerful antibodies in the privacy community and the public, particularly after the experience of the previous administration's warrantless surveillance program and the struggles over FISA renewal.

The previous administration gave the Department of Homeland Security a central role in cybersecurity. We concluded that this was a mistake. While DHS has an important role to play, it lacks the competencies to deal with the range of issues involved in cybersecurity or to successfully engage in conflict with foreign militaries and intelligence services. DHS also lacks the interagency stature to direct other, more powerful agencies.

Giving DOD the lead could be interpreted as ``militarizing'' the internet and would likely also provoke a reaction from both the privacy and the international communities. Foreign nations track U.S. policies closely, and a decision to give DOD the lead in securing cyberspace would be interpreted as a decision by the United States to make military action the focus of its cyber efforts. This would not be in our interest, as we will need to build a collaborative international approach to improve security.

At the end of the discussion, we concluded that only the White House had the authority to bring many large and powerful agencies to follow a common agenda and to coordinate with each other. A successful approach to cybersecurity blends intelligence, law enforcement, military, diplomatic, and domestic regulatory functions. Coordinating these various functions can best be done from the White House. In recommending a White House lead, we emphasized that a ``cyber czar'' is not the right solution.
The new administration went through a brief fascination with czars of various shapes and flavors for different issues; our view is that for cybersecurity, the overly centralized approach implied by a czar will fail. The White House, and only the White House, can set strategy and policy, ensure that agencies are following them, and resolve agency disputes.

Regulation is the second issue that deserves extra attention. Our report concluded that the market would never deliver adequate security and that the Government must establish regulatory thresholds for critical infrastructure. We proposed a new, more flexible approach to developing regulation that was based on close cooperation with industry in developing standards and an avoidance of prescriptive regulations that spell out in precise detail what companies must do.

Regulation poses a number of challenges. The United States does not need regulations that are costly to implement yet deliver little in the way of improved security. Nor does the United States need regulations that are so diluted as to be meaningless. Finding the required balance will be difficult, but if we fail to use regulation to improve our national cybersecurity, if we do not identify mandatory actions to secure the digital infrastructure, the Obama administration will have no more success than any of its predecessors.

The stimulus package has inadvertently complicated the issue of regulation. The package includes significant funding for infrastructure projects, such as the Smart Grid. The package envisions that spending on infrastructure will build security into new projects. All this is good, but we then come to the question of what precisely needs to be done to make these new projects secure. Unfortunately, we do not know the answer to this, and we do not have the time or people needed to develop that answer. A failure to invest in infrastructure modernization for more than a decade has made it impossible to build both quickly and securely.
``Smart Grid'' projects are an example of this problem. The Smart Grid uses advanced meters to measure the flow of electricity and allow it to be better managed. These new meters are based on internet technology. Unfortunately, if the new ``smart'' meters are not secure, they can be ``hacked,'' taken over by attackers, and used to disrupt the delivery of electricity. The United States does not have the guidelines it needs to make infrastructure secure.

I am not recommending that we delay stimulus investments while we sort out the requirements for cybersecurity. The most pressing task facing the new administration is to mitigate the suffering that the recession has brought and to take the steps needed to reduce unemployment and restore growth. Infrastructure investment is an important part of this. Years of underinvestment in infrastructure have put us in this unfortunate situation. However, regulation can play a role in remedying this problem, by giving Government the ability to identify and mandate actions that mitigate new vulnerabilities. For example, a requirement that electrical companies strengthen authentication of identity on their control networks would improve security. But if we do not build the regulatory foundation now, the United States will be put at risk, and the task of laying the foundation falls squarely on the 60-day review.

Regulation can also help reshape and strengthen public-private partnerships. For more than a decade, the public dialogue has revolved around threadbare ideas on the need to defer to the private sector, as it owns and operates the bulk of the critical infrastructure, and on information sharing as an alternative to Government mandates. In fact, the result has been to make public-private partnership less attractive or less important. The partnership groups often serve a largely ``representational'' function rather than one that is oriented towards action. Companies do not have ``skin in the game.'' Regulate them, and they will come.
Regulation is the key to improving public-private partnerships, particularly if these partnerships are tasked with developing and maintaining the standards upon which regulation must be based.

This administration has a unique opportunity. The United States has pursued a market-led approach to cybersecurity for more than a decade. This approach is inadequate. Now is the time to identify where regulation is needed to improve cybersecurity. Our recommendation was to begin with critical infrastructure--if a service is truly critical, we should not be afraid to require action to secure it.

I began by asking where we are today in cybersecurity and answered that, from one perspective, we are in remarkably bad shape. From another perspective, however, we are at a moment of tremendous opportunity. This administration can define an integrated and comprehensive Federal approach to securing cyberspace, something no previous administration has been able to do. The complexity of the problem means that it will take much longer than 60 days to put in place the policies, structures, and regulations we will need. However, if the 60-day review can establish a clear governance structure led from the White House, if it lays out a broad plan of action for moving ahead, including the development of a comprehensive national security strategy and the use of regulatory authorities to secure critical infrastructure, and if this administration acts upon it, the review will be a success.

Ms. Clarke. We thank you for your testimony. I thank all of the witnesses for their testimony, and I will remind each Member that he or she will have 5 minutes to question the panel. I will now recognize myself for questions.

This first question goes to the entire panel. You all have spent a great deal of time putting together cyber recommendations for this administration. I want to express my gratitude for your work.
The statements during the campaign and the decision to do a comprehensive review suggest that this administration is committed to a real change in our approach. My question is: How do we judge whether the review has been a success, and what specific things should we be looking at to determine if we are moving in the right direction?

Mr. Powner. A couple of thoughts here. Looking at whether the review is a success, and echoing what Dr. Lewis mentioned, there have been already a fair number of very good recommendations through the CSIS report. Clearly, the experts we talked to had some additional recommendations. One, that review needs to take into consideration those many recommendations. The other thing is, looking back on this historically, even back to the mid-1980's, we really need to look at a new organization. DHS-led hasn't really cut it. Recently, an 18-sector approach where all sectors are created equal, I am not certain that that is the right approach either. Moving forward we need to look at certain things: A new organizational structure; greater prioritization; and clearly more accountability for those organizations that are in charge.

Ms. Clarke. Anyone have anything else to add to that?

Mr. Lewis. Well, we know what a bad plan looks like because we have lived through at least a couple of them. I think that if we were looking at this plan, we would want clear leadership, some comprehensive strategies that include both international and regulatory, that look at combining intelligence, military, law enforcement, diplomatic engagement. We would want a commitment to action. At the end of the day, if we see those three things--leadership, planning, action--we should be better off.

Ms. Clarke. Let me then move on and direct this question to Mr. Powner. I know that the CSIS Commission met with the review team last week. Have you met with the review team yet?

Mr. Powner. No, we have not. We are in the process of trying to get that scheduled.

Ms. Clarke.
Would you please let us know how we can help facilitate that meeting?

Mr. Powner. We will.

Ms. Clarke. My next question, and it is ironic because I understand that Mr. Beckstrom has joined us in the audience, and I would like to thank him for his service and express my regret for our inability to retain his talent and expertise. But late on Friday, Mr. Rod Beckstrom announced that he was resigning as Director of the National Cybersecurity Center. I think this is a loss for the community, and it is unfortunate that Mr. Beckstrom's skills weren't put to good use. In his resignation letter he acknowledges the critical importance of the NSA, but said that their dominance in cybersecurity today is a bad strategy. Can you all comment on what you agree or disagree with in these comments and what role the NSA should play alongside DHS? Mr. Charney.

Mr. Charney. Yes. So there is no question that the center of technical expertise in the Government, particularly on the operational side, is within NSA. However, I agree with the comments made earlier, that at the end of the day, if you want the public to trust that the networks are being secured well and in a transparent fashion, the mission cannot reside in NSA. So I think it is really important to empower DHS to take the necessary operational role and have a relationship with NSA that captures and utilizes their technical expertise.

Ms. Clarke. Anyone else want to comment? Okay. I am going to move on to my next question. On March 24, this subcommittee will hold a hearing entitled ``Securing the Smart Grid from Cyber Attack''. We will be discussing a number of technological issues related to the new advanced metering technologies that are being developed and deployed. But this question has to do with policy. What Federal agency is in charge of defending against a cyber attack launched by a nation-state against our electric grid, and what agencies do you think should be in charge of defending against such an attack?
Any thoughts on that issue?

Mr. Yoran. Ms. Chairwoman, this is an issue that we have been trying to tackle for some time, initially with a National Cyber Incident Response Working Group, co-chaired by the Department of Homeland Security, Department of Justice, and the Department of Defense. It is an issue that I think is one that ought to be a key focus for Melissa Hathaway as she conducts her 60-day review, understanding exactly what the authorities are, the priorities, the technical capabilities that exist in various pockets of the Federal Government, and how they can be brought to bear most effectively so that that planning can occur before any time of crisis.

Mr. Lewis. I was just going to add, for me the answer would be FERC or the NRC or maybe the Department of Energy. I say that because they have the relationships with the companies. They know how the stuff works. They are the people who have the regulatory authorities. The last thing you want is somebody new charging in, in a crisis, and saying, ``I am in charge, do what I say.'' So I would say look at the folks who are doing this now. One of the things that this committee has done that has been very useful is hold those regulatory agencies accountable and get them to move out a bit more smartly. I think that would be a good direction to continue.

Mr. Powner. Chairwoman Clarke, if I can just add to your question on who is responsible for defending--and I want to make sure we are real clear on this. If it is a response--if we are answering that in terms of response, I agree it is muddy. It could be various Federal agencies and entities in charge of that response, depending on the severity of the attack. But in charge of defending the grid, it is those public utility companies that own the grid.

Ms. Clarke. Well, thank you very much. My time is up. I now recognize the Ranking Member of the subcommittee, the gentleman from California, Mr. Lungren, for questions.

Mr. Lungren.
Thank you very much, Madam Chairwoman, and thank you all for being here. I appreciate the contributions you all have made, and there are so many questions to ask. Let me just try one very, very quickly. Dr. Lewis, you were very specific about saying that the person who should be in charge, the leader of the new comprehensive cybersecurity effort, ought to be in the White House. Mr. Charney, if I understand what you said, I thought you felt the DHS could be stood up to have that responsibility.

Mr. Charney. Sir, to be clear, there is a difference between developing a strategy and coordinating it through the Federal agencies and the individual responsibility of the various agencies.

Mr. Lungren. Right.

Mr. Charney. So if you are going to look at a national strategy that has to determine some very difficult questions like when is a cyber attack an act of war and what is a proportional response, those kinds of key decisions are to be done at the White House level. But you also need an operational capability, things like US-CERT, an agency to help the other agencies deploy best practices. So I view DHS as more operational, implementing the strategy, but I think the strategic elements and the cross-government cooperation have to be at the White House.

Mr. Lewis. I agree completely with that. I think if you look at the agencies, I agree completely FBI has a role, DOD has a role, DHS has a role, the intelligence----

Mr. Lungren. I understand they all have roles. My question has been--I think Mr. Charney responded to it and I have articulated it before, but I am concerned about a lack of urgency not only in the Congress, in the White House, in the public domain with respect to the threat, No. 1; and, No. 2, how we do it? As we have seen DHS develop and pull itself together, I think it is actually starting to get its sea legs, and frankly I think it is doing a far better job today than it was 2, 3, 4, 5 years ago. That is part of what happens when you stand up an agency like that.
But there is the question of a sense of urgency. The President and his particular delegate in the White House can set the policy, but how do you make sure people follow it? We all know CIOs in the various departments and agencies have a natural protective mechanism about how it ought to be done. We understand that you have got DOD, you have got NSA, you have got the FBI and all of them, and all of them believe they have a certain respected expertise. How do you engage that sense of urgency throughout the Federal establishment that has not been there? I am not trying to blame anybody. I am just trying to state a fact, because it hasn't been there in the public either. How do we leapfrog to that position where we have that policy established at the White House on the one hand, but then we have the implementation or operational motivation and authority? Because if the various individuals responsible for the various agencies and departments think they can just kind of shrug when they get the call from the person at DHS, it doesn't drive what I want to be driven here. Mr. Yoran.

Mr. Yoran. Sir, I think that is a very important issue, when they get the call from DHS, that they have to feel a sense of urgency in getting it fixed or, more importantly, not feel like they can rely on DHS doing the monitoring, where the intelligence community is protecting them. Everybody has to feel a sense of responsibility and ultimately be held accountable for the protection of the information and the systems that they manage and need in order to accomplish their core mission. Until the Executive branch or any branch of Government holds senior leadership accountable for flaws in the security culture, lapses in security which are a result of lack of due care or negligence if you want, until there is some accountability there, I don't think we are going to see meaningful change.

Mr. Lungren. Let me follow up and ask a slightly different way.
That is, how do we maintain those people that have the quality that can do that job, and how do we attract others to those kinds of jobs? In other words, you can't pay them as much as the private sector can pay them. It is like when people go into the military service or do some other type of service. They do it in part because they are making a contribution, but they know their contribution is going to be utilized. It is going to be valuable. It is going to be effective. How do we raise that level of appreciation so it is not just accountability, but it is also responsibility in the sense that it is recognized throughout the establishment, both private sector and public sector?

Ms. Davidson. I believe that one of these--this is one of the issues I tried to touch upon, which is if you don't actually have a career path, you see there are people whose job it is to do information technology. Information technology will continue to be the janitorial service of many organizations, where we are cleaning up other people's messes. It absolutely is critical. One of the things that we do to try to make people understand how critical it is is to, quite honestly in our own company, go into various meetings and say, let me show that a particular attack isn't theoretical; I am going to hack your software. This is exactly how I can do this. This is exactly how I can corrupt a system. That creates some of the awareness. It is scary, but it is necessary. Either that or we wait until we get a real attack. In terms of, you are talking about compensation trying--we do actually elevate those security professionals to give them some recognition within their jobs, so they get training, they get recognition. It is recognized as a specialty that is held in esteem. As you point out, you can't always give people more money, but you can give people respect.
I think you need both of those to show what is possible and to show that the, if you will, the warriors who defend it do a good job at it, and that creates the environment by which people who are able to actually do that kind of work are respected.

Mr. Lungren. Could I ask one real quick question, maybe for a quick response? That is, how will we enforce the new Davidson doctrine that you articulated to protect our cyberspace?

Mr. Lewis. Let me try. All of us have worked in the Federal Government for a long time, and if you want power, there are a couple of things that give you power: Access to the President, control of the budget, control of policy. For me, the only place you are going to do that is in the White House. If I have the access to the President, control of your budget, and I can say what the policy is and know that the President or the Vice President or the National Security Adviser will back me up, I will get agencies to do whatever I want. That is what we need. So you want to know who is going to enforce the Davidson doctrine? It is a good name for it, by the way. You know, we have to put that at the White House.

Ms. Clarke. I now recognize Mr. Lujan from New Mexico for 5 minutes.

Mr. Lujan. Thank you, Madam Chairwoman. I am going to just jump right into this, because there are many questions I think that need to be asked, and I am not sure if we will run out of time with doing this. But specifically with what we are discussing today, with understanding that DHS is the lead agency for the Nation's cybersecurity and the key components that exist within DHS, what are your thoughts--and I don't know if we want to start with Mr. Powner, and then I will move down the line a bit--but from the perspective of having DHS move away from their near exclusive internal focus on cybersecurity issues and more toward development and deployment of software and hardware solutions to protect critical infrastructure projects? Mr. Powner.
We have done a lot of work with the DHS. DHS clearly is the lead cybersecurity focal point for the Nation. Even working with our critical infrastructure owners, if you look at policy and law and how that is laid out, it is pretty clear that they have not lived up to those responsibilities. So the question going forward is, do we want to keep working with them as the operational entity that is the lead, or do we just designate them an operational role and put someone else in charge of primarily coordinating with the private sector, with the intelligence community, and with the military organizations? We would think the latter.

Mr. Charney. I think it is really important to get the organizational structure right. Every Federal agency needs to deploy IT systems for their business operations, and therefore, every Federal agency needs a CIO and a CSO, a chief security officer, who manages security at that agency. Now, when you have a distributed organization--and certainly Microsoft is one--you end up with a lot of different, essentially business groups, that are running IT that will service their business mission, and that is fine. The role that DHS should play, in coordination with NIST, which sets standards for civilian agencies, and NSA, because of their technical expertise, is to decide what the minimum bar is for security that should be required to be implemented by the various agencies. You know, in any environment there are things that you have to do, things that would be good to do, and best practices that you might like to deploy. Understanding what is required versus what is recommended versus what is a best practice is really important. But I don't think you can have, for example, DHS making hardware and software decisions for the various agencies, because the hardware and software that is deployed has to map to the agency mission.
But DHS could say, as a requirement of deploying whatever you are going to deploy, there are certain security things that must be done: You must have a documented information security program; you must have technical controls and people controls in place to manage risk; you need an incident response plan in place because bad things will happen. I think that is the appropriate function of DHS.

Mr. Lujan. Mr. Yoran, before you answer that, I think that is a perfect segue into an issue that I want to raise. Within our New Mexico DOE and New Mexico laboratories, there is a real opportunity with the work that they are working on to improve the Nation's cybersecurity posture by bringing the resources to bear on this critical problem. So in speaking specifically to some of the IT teams that are being discussed and making sure that we have a centralized point to be able to have access, whether it is to the President or to others as we are talking about this issue, what are your thoughts in taking advantage of the expertise that lies in some of our Nation's DOE laboratories that are working with specific issues, some of which are partnered with DOD responsibilities as well?

Mr. Charney. It is obviously critically important to grab expertise wherever it resides, and one of the things DHS should be doing is discovering and then propagating best practices across the Government and the private sector. So I think that would be a key thing to do.

Mr. Lujan. Thank you. Madam Chairwoman, if I may shift a little bit and get your perspective.
As we are moving forward with the deployment of Smart Grid, including the importance of communications and the potential threats that could exist from attacks, what is the importance of making sure that we are taking into consideration the elements and inventories across the country and making sure we have adequate protections for our critical infrastructure like electricity, renewable generation areas, and the backbone of really what will essentially be our Smart Grid?

Ms. Davidson. I do think that there are entities who are looking at that in their role with the utilities. But if I could actually back up a little earlier than that, if you think of this as a supply chain, one of the things that actually needs to change that none of us touched upon, part of the reason we have these difficulties--I don't think anybody sits down and says I think I am going to deploy a system that is hopelessly insecure and will leak like a sieve. It isn't merely awareness. It is that a lot of the people who are building these at the grassroots level do not understand that they have any responsibility, and they don't learn to think like an attacker. That starts with the university system. It is not just computer science and electrical engineering, it is people who are building these control systems. If you can change one thing, if you can get the people designing and building those things to assume, think like a hacker, assume your system will be attacked, then they will design differently. They will build differently. They will deploy differently. By the time someone like a utility gets something, they will still have to ask intelligent questions in procurement, but they won't have to sit around and wonder, I wonder if anybody had a clue whether somebody is going to try to attack the power grid? We have to move the supply chain for security-aware people all the way back into the university systems.
Unfortunately, having gone to the universities--I believe Scott has as well--you get a resounding nonresponse from universities when you ask, do you teach secure coding practice in all of your engineering and control system disciplines?

Mr. Lewis. On the question, the national labs are actually places that you could look to. Both Sandia, which has done some excellent work, also Idaho National Lab, NERC, FERC, NIST, Department of Energy, these are all the people who could help us make sure that Smart Grid is secure.

Ms. Clarke. Mr. Lujan, we will be covering that territory in about 2 weeks when we do our Smart Grid hearings. So this is a precursor to it. I would like to now recognize Mr. Broun of Georgia for 5 minutes.

Mr. Broun. Thank you, Madam Chairwoman. First, I want to respectfully disagree with those of you all that think that the White House is the place to put central control of this problem, for the simple reason that I am disappointed that we haven't been more aggressive in our last administration, and I don't know what kind of aggressiveness we are going to have in this administration to try to solve this problem. As I have learned more and more about it, I am extremely, extremely concerned about our national security, not only from a military perspective but an economic perspective. At home, I have utilized Kaspersky, I have used Norton, I have used McAfee to try to make sure that my own home computer networks are secure and have a firewall in place. I have just recently learned how inadequate those programs are. So I think we have to have a national effort to develop some kind of very, very strong national security and economic security type of plan. But I think this committee and the Department of Homeland Security is the best place to do that, for the simple reason that in the administration you have personalities and different focuses and those sorts of things.
I do agree we need to have a central focus, but I don't think the White House is that place. I think this committee ought to be setting policy, and not the White House frankly; and the Department of Homeland Security I think is the best way to try to coordinate things within the interagency efforts to make sure that we stay secure, whether it is DOD, Department of Energy, or all the other sources, as well as within the private sector. Having said all that, I believe in the private sector, I believe in the marketplace, and I think innovation and development comes probably best in the private sector and not from governmental sources. Can the Government secure our cyberspace without private sector involvement, and how much private sector involvement do we need in that? I just throw that open to the panel.

Mr. Powner. Well, clearly 85 percent of the cyber-critical infrastructure associated with this Nation is owned by someone other than the Federal Government. So the Federal Government can't do it. The key is partnering with them, where those private sector owners view the Federal Government as a credible partner that provides a valuable service. I think that is what has been determined with DHS with their US-CERT operations, where we share threat information. The message really going forward is we in the Federal Government, whether it is DHS or whether it is the White House, they need to do a much better job where they are viewed as a credible partner in helping the private sector secure it.

Mr. Yoran. I would just add to that a little bit. I agree that centralized coordination is required. I think the Department of Homeland Security's key role can be in protecting the dot.gov, the Federal civilian agencies.
I don't think the DHS can effectively lead sort of offensive capabilities we would need in cyber or counterintelligence capabilities we would need in cyber, nor do I think the Department of Defense would subjugate their cybersecurity efforts, which are necessary for conducting warfare today, to the Department of Homeland Security. However, I agree with you entirely that the best thing Government can do is fund some fundamental long-term research, but ultimately rely on the private sector and commercial products for the development of IT technologies that have more security and IT security technologies that have more capability, by refining their requirements and using their procurement and acquisition capabilities to drive those products and features into the commercial software versus trying to develop technologies in Government development efforts.

Mr. Broun. My time is about up, but I appreciate y'all's comments. I have got a hundred questions to ask you all and don't have the time to do that. I appreciate y'all's efforts. I see this as a critical national security interest. In fact, just in the commercial sector, if we have an attack, which we are having every day on commercial entities, if we have an attack on our commercial entities, it can totally wreck this Nation. So I think we have got to find a solution, and I look forward to your answers that--I am going to give you all some questions in written form, and I appreciate y'all's candid answers to that. I think we need to act and act now. Government doesn't do that very well. It is very slow in acting, and that is the reason why I want to try to get the private sector involved as much as we possibly can, because I think the private sector can be more innovative and can act quicker and can find real solutions to this. We need to have some coordinated efforts, and I think the Department of Homeland Security is the best way to do that. Thank you, Madam Chairwoman.

Ms. Clarke.
The Chairwoman recognizes for 5 minutes the gentleman from Ohio, Mr. Austria.

Mr. Austria. Thank you, Madam Chairwoman. To our committee, thank you for your testimony today. I appreciate it very much. I want to follow up on some of the questions that were asked earlier and more on the role of homeland security in your opinion. When you look at the jurisdiction, the electricity, the grid was brought up earlier, and you testified that you know it has fallen on the Department of Energy. Sometimes we see things intertwined between the different departments, whether it be DOD, Department of Justice. What do you see as Homeland Security's role or jurisdiction as a department? I would open that up to the entire panel.

Mr. Yoran. I think that Homeland Security's greatest impact can be summed up in three key areas. The first is in US-CERT series of programs and operations to help protect the .gov, the Federal civilian systems and agencies. The second is in cross-critical infrastructure issues. Clearly, the Department of Energy and other regulatory bodies define security standards, measure their effectiveness, and have many levers for forcing change in the private sector. I think the third is sort of working on issues where the failure of one critical infrastructure or the security levels in one critical infrastructure don't address the requirements of another industry, of another sector of our economy. The third area is in interaction with the private sector through a series of well-defined public/private partnerships with specific objectives and also with value-add and incentives in the private sector for their voluntary participation.

Mr. Charney. I suggest the way to think about this is separating out the horizontal from the vertical. There are a lot of things in IT that are horizontal on which all the verticals depend. So robust authentication, knowing who is connecting to your network, you need to know whether you are telecom, energy, or something else.
There are other things that are unique to vertical sectors. The energy SCADA systems may be different than phone SCADA systems. As a result of that, I think when you think of DHS' role, I view it as kind of the horizontal base security, and then the sectors and their regulatory agencies have to focus on the vertical uniqueness.

Mr. Austria. Thank you for that. That is why I do agree with you. I think we need to have clear leadership and a comprehensive strategy and a commitment to take action in those areas so that is much better defined. Let me jump over to the public/private partnership, because I do agree with you on that. I have always believed that the private sector, which designs and deploys and maintains much of our Nation's critical infrastructure, is far ahead of Government in their ability to detect, to attribute, and to defend against a cyber attack. Correct me if you think I am wrong, but isn't that, again, a reason just to follow up on some of the other questions with the public/private sector, that we really should be pursuing this to really achieve national security when it comes to cyberspace?

Mr. Charney. Sir, the answer is yes. We all here I think are big fans of private sector innovation, but I will say I wrote years ago that you couldn't make a market case for the Cold War. I mean, there are certain things in national security where the markets are not designed to address the problem, because when we build products for market we know that we have a large customer base that is global and very price-sensitive. Some of the things that the national security community requires are very specific and expensive. So it has long been my view that you need a symbiotic relationship where--and I described this in my testimony--where you figure out what the market will provide, what national security needs are, and how Government can help bridge that gap.
I don't think you can rely on markets alone to bridge the gap because markets aren't designed to do that any more than they are designed to protect national security and provide law enforcement mechanisms. These are things that we tax people for and make them pay for from the Government.

Ms. Davidson. I do agree with Scott largely, but I also think that the Government can be a smarter buyer. Even something as simple as some transparency in procurement around what vendors do and do not do in terms of security, I don't think in many cases the questions have ever been asked. It is certainly asked at the Defense Department level or the intelligence. They want to know how you engineered your software. But the average garden-variety agency does not ask that. Why would that change things? This is something I think, unfortunately, women can understand better than men, but I call it the bathing suit test. If you have to go out in public in June in a bathing suit, along about March you are going to put it on and you are going to say I can't believe I look like this; I better get in shape before I have to go out in public. If people had to disclose, so to speak, their development processes related to security, you would want to look a lot better by the time you are actually filling in the form. That per se is not going to cure all our ills, but it will improve what people are buying, or at least they will know what they are getting and not getting, and they can make smarter decisions as purchasers. That will not, as Scott I think would agree with, mean that we are going to--commercial software, unless it has been necessarily engineered to the highest level of software assurance that, for example, the intelligence community could want. But even raising the baseline would be a very good start. It would save people a lot of money they are spending now, trying to patch their security and make it harder for bad guys to do what they do. Make them work harder.

Mr. Austria.
I understand that my time is up. Thank you. I do agree with my colleagues that, you know, cyberspace security is critical to our national security. I have other questions that I will be glad to submit to our panel. But thank you, thank you for your time.

Ms. Clarke. Thank you. The Chairwoman now recognizes the Chairman of the full committee, the gentleman from Mississippi, Mr. Thompson.

Mr. Thompson. Thank you very much, Madam Chairwoman. I was listening to the testimony in the rear, but I was multitasking, too. This is basically to each panel member. With the information that you have available to you, do you think the United States is prepared for a major cyber incident?

Mr. Powner. No, we are clearly not as prepared as we should be. I will go back, several years' work that we did for this subcommittee, I think several Congresses ago, looking at internet recovery. You can look at what happened with 9/11, Katrina, on how we recovered major portions of the internet. There were major lessons learned in that. The question going forward, do we have--one of the requirements in our current national strategy is a joint public/private internet recovery plan if we have a major, major attack. We still don't have that plan. You need a plan. You need to exercise that plan. So I think today we are not prepared.

Mr. Lewis. You can look at the experience of 9/11, and I hate to bring it up because it is painful, but one of our co-chairs who couldn't be here today, Harry Raduege, was the Director of the Defense Communications Network. On that day, he got phone calls from all the major service providers, all the big telecom companies, all the big IT companies saying, how can we help, what can we do to restore service? I know that Dick Clarke, who was also at the White House then, got similar calls. So you had two people, people who knew who to call, they had the existing relationships, and they knew how to do things.
They knew how to move trucks from Ohio or from Virginia to New York or to Washington to rebuild services. We don't have that today in cyberspace, and that is one of the things we desperately need.

Ms. Davidson. I would like to tell a story in response, a short one. That is, in the 1920's, there was a Marine Corps colonel who realized the next war would be with Japan, and it is because of him that the Marine Corps developed amphibious warfare capability. He saw this in the 1920's, which was long before December 7, 1941. So we don't have that much time. There are people who are sounding the warning. There are people who are trying to do things differently. We are not going to have 21 years to get it right. So we do need to act now. No, we are not prepared.

Mr. Thompson. Mr. Yoran.

Mr. Yoran. Sir, I would say that the nefariousness of cyber is the fact that we are experiencing the 9/11 in cyber. It just doesn't have the tremendous visibility. For over 10 years now, for over a decade now, we have had significant incidents going on with foreign adversaries, and our national response has basically been to look the other way or occasionally have an article in the news media about it. So because there is no catastrophic visible outcome, we sort of lie in bed at night and are able to sleep, not realizing exactly how much damage is occurring. So we are not prepared.

Mr. Charney. I would never go against my esteemed colleagues on this point. I would point out, however, that it is important to focus on the nature of the attack so you can figure out your strategy for defending. There are attacks against confidentiality, we have heard a lot about that, where data is taken. There are attacks against integrity, where people alter critical systems or data that you rely upon. There are attacks against availability, and then the systems go down. In the availability attacks, I mean one goal is always to keep five nines of availability, keep the networks up.
But the other part of any strategy has to be about how fast you can reconstitute the capabilities if the capabilities fail. So this is one of the reasons it is so important to have a comprehensive strategy, because when you think about how you are going to reconstitute across multiple networks and maybe across multiple time zones, it is actually quite challenging. You have to figure out what your strategy is for reconstitution, who is in charge, roles and responsibilities, what is the interface to the private sector that owns 85 percent of this infrastructure. The availability problem is in some ways different than the confidentiality and the integrity problem. It is important to focus on all of them.

Mr. Thompson. Well, I would like to say, Madam Chairwoman, that what we have just heard is very troubling, I think to me and the rest of the committee, that we have some work to do. I think perhaps at our next hearing we need to bring some of the people who have the primary responsibility for the plan, or whatever we are operating under, and see if we can get some idea as to what they are doing to keep us safe. But I am real concerned about it. I would say that both the subcommittee and I as Chairman on the full committee will give this our undivided attention, and I would look to people like yourselves to help provide the leadership, getting us where we need to be. I yield back.

Ms. Clarke. Thank you. Member Lungren.

Mr. Lungren. Madam Chairwoman, I just wanted to tell you this is an outstanding panel that I thank you for putting together. I thank all of you for being here. We could go on with this for hours. Some of us will probably submit some written questions. I know we have already begged your indulgence for the time you have given us, but hopefully if you could respond to those in a timely fashion, we could maybe talk to you later, too, as well. Thank you.

Ms. Clarke. I thank the witnesses for their valuable testimony and the Members for their questions.
The Members of the subcommittee may have additional questions for the witnesses, and we will ask you to respond expeditiously in writing to those questions. Hearing no further business, the subcommittee stands adjourned.

[Whereupon, at 4:04 p.m., the subcommittee was adjourned.]