[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]



 
       AMERICA IS UNDER CYBER ATTACK: WHY URGENT ACTION IS NEEDED

=======================================================================



                                HEARING

                               before the

                       SUBCOMMITTEE ON OVERSIGHT,

                     INVESTIGATIONS, AND MANAGEMENT

                                 of the

                     COMMITTEE ON HOMELAND SECURITY

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             SECOND SESSION

                               __________

                             APRIL 24, 2012

                               __________

                           Serial No. 112-85

                               __________

       Printed for the use of the Committee on Homeland Security
                                     

[GRAPHIC] [TIFF OMITTED] 


                                     

      Available via the World Wide Web: http://www.gpo.gov/fdsys/

                               __________



                  U.S. GOVERNMENT PRINTING OFFICE
77-380                    WASHINGTON : 2013
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001



                     COMMITTEE ON HOMELAND SECURITY



                   Peter T. King, New York, Chairman
Lamar Smith, Texas                   Bennie G. Thompson, Mississippi
Daniel E. Lungren, California        Loretta Sanchez, California
Mike Rogers, Alabama                 Sheila Jackson Lee, Texas
Michael T. McCaul, Texas             Henry Cuellar, Texas
Gus M. Bilirakis, Florida            Yvette D. Clarke, New York
Paul C. Broun, Georgia               Laura Richardson, California
Candice S. Miller, Michigan          Danny K. Davis, Illinois
Tim Walberg, Michigan                Brian Higgins, New York
Chip Cravaack, Minnesota             Cedric L. Richmond, Louisiana
Joe Walsh, Illinois                  Hansen Clarke, Michigan
Patrick Meehan, Pennsylvania         William R. Keating, Massachusetts
Ben Quayle, Arizona                  Kathleen C. Hochul, New York
Scott Rigell, Virginia               Janice Hahn, California
Billy Long, Missouri                 Ron Barber, Arizona
Jeff Duncan, South Carolina
Tom Marino, Pennsylvania
Blake Farenthold, Texas
Robert L. Turner, New York
            Michael J. Russell, Staff Director/Chief Counsel
               Kerry Ann Watkins, Senior Policy Director
                    Michael S. Twinchek, Chief Clerk
                I. Lanier Avant, Minority Staff Director
                                 ------                                

       SUBCOMMITTEE ON OVERSIGHT, INVESTIGATIONS, AND MANAGEMENT

                   Michael T. McCaul, Texas, Chairman
Gus M. Bilirakis, Florida            William R. Keating, Massachusetts
Billy Long, Missouri, Vice Chair     Yvette D. Clarke, New York
Jeff Duncan, South Carolina          Danny K. Davis, Illinois
Tom Marino, Pennsylvania             Bennie G. Thompson, Mississippi 
Peter T. King, New York (Ex              (Ex Officio)
    Officio)
                  Dr. R. Nick Palarino, Staff Director
                   Diana Bergwin, Subcommittee Clerk
              Tamla Scott, Minority Subcommittee Director
                            C O N T E N T S

                              ----------                              
                                                                   Page

                               Statements

The Honorable Michael T. McCaul, a Representative in Congress 
  From the State of Texas, and Chairman, Subcommittee on 
  Oversight, Investigations, and Management:
  Oral Statement.................................................     1
  Prepared Statement.............................................     3
The Honorable William R. Keating, a Representative in Congress 
  From the State of Massachusetts, and Ranking Member, 
  Subcommittee on Oversight, Investigations, and Management......     4
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Ranking Member, Committee on 
  Homeland Security..............................................     6

                               Witnesses

Mr. Shawn Henry, Former Executive Assistant Director, Criminal, 
  Cyber, Response, and Services Branch, Federal Bureau of 
  Investigation:
  Oral Statement.................................................     8
  Prepared Statement.............................................    10
Mr. James A. Lewis, Director and Senior Fellow, Technology and 
  Public Policy Program, Center for Strategic and International 
  Studies:
  Oral Statement.................................................    13
  Prepared Statement.............................................    14
Mr. Gregory C. Wilshusen, Director, Information Security Issues, 
  Government Accountability Office:
  Oral Statement.................................................    18
  Prepared Statement.............................................    20
Mr. Stuart McClure, Chief Technology Officer, McAfee:
  Oral Statement.................................................    29
  Prepared Statement.............................................    31
Mr. Stephen E. Flynn, Founding Co-Director, George J. Kostas 
  Research Institute for Homeland Security, Northeastern 
  University:
  Oral Statement.................................................    37
  Prepared Statement.............................................    39

                                Appendix

The Honorable Michael T. McCaul, a Representative in Congress 
  From the State of Texas, and Chairman, Subcommittee on 
  Oversight, Investigations, and Management:
  Statement of John Watters, Chairman and CEO, iSIGHT Partners, 
    Inc..........................................................    57


       AMERICA IS UNDER CYBER ATTACK: WHY URGENT ACTION IS NEEDED
                              ----------                              R


                        Tuesday, April 24, 2012

             U.S. House of Representatives,
    Subcommittee on Oversight, Investigations, and 
                                        Management,
                            Committee on Homeland Security,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 2:05 p.m., in 
Room 311, Cannon House Office Building, Hon. Michael T. McCaul 
[Chairman of the subcommittee] presiding.
    Present: Representatives McCaul, Long, Duncan, Keating, 
Clarke, Davis, and Thompson (ex officio).
    Mr. McCaul. The committee will come to order. The purpose 
of our hearing is to examine the evolving computer hacking 
threats from nation-states and hacker groups to Government, 
financial institutions, American businesses, and personal 
computer networks.
    I now recognize myself for an opening statement. America's 
computers are under attack and every American is at risk. The 
United States Government, critical infrastructures, American 
business institutions, and our personal data are being 
compromised by nation-states and hacker groups. Their intent is 
to conduct cyber warfare, paralyzing our infrastructure, 
stealing our intellectual property, conducting espionage, and 
gaining access to our credit card, bank account, and Social 
Security numbers.
    Richard Clarke, Former Special Advisor on Cybersecurity to 
President Bush, said within the first 48 hours of a cyber 
attack on the United States we could experience the Department 
of Defense's classified and unclassified networks collapsing as 
a result of large-scale routers failing to function, reports of 
large oil refinery fires as well as lethal clouds of chlorine 
gas emitting from chemical plants, our financial system 
dissolving as a result of important financial data being lost 
with no idea of who owns what, pipelines carrying natural gas 
exploding, trains and subways derailed, a Nation-wide blackout 
leaving American cities in the dark.
    Unfortunately, this is not a science fiction scenario. 
There are no shells exploding or foreign militaries on our 
shores. But make no mistake: America is under attack by digital 
bombs. There are several things the American public should 
understand about these attacks. They are real, stealthy, and 
persistent, and could devastate our Nation. They occur at the 
speed of light. They are global and can come from anywhere on 
the Earth. They penetrate traditional defenses.
    So who is conducting these attacks and why? An October 2011 
report to Congress on foreign economic collection and 
industrial espionage states, it is part of China and Russia's 
national policy to try to identify and steal sensitive 
technology which they need for their development. China and 
Russia view themselves as strategic competitors of the United 
States and are the most aggressive collectors of U.S. economic 
information and technology. China's cyber warfare capabilities 
and the espionage campaigns they have undertaken are the most 
prevalent of any nation-state actor. China has created citizen 
hacker groups, engaged in cyber espionage, established cyber 
war military units and laced the infrastructure with logic 
bombs.
    Russia has advanced capabilities and the intent and 
technological prowess necessary to carry out a cyber attack 
anywhere in the world at any time. Russia has been accused of 
unleashing a cyber war against Estonia in 2011 and shutting 
down government websites. Russia has also taken down Georgia's 
banking and government sites as part of a policy to demonstrate 
its power during a conflict.
    There are, of course, many other countries developing cyber 
capabilities and using cyber espionage to steal U.S. trade and 
technology secrets to bolster their own economic development, 
and all of them pose a threat. Besides nation-states, there are 
groups such as Anonymous, Moltsec, and AntiSec who indulge in 
non-state hacktivism or hacking and activism. They are largely 
a sympathizer for freedom of information and their agenda is 
basically to protest what they perceive as violations of 
privacy. These attacks are sometimes aimed at individuals but 
many times used against businesses.
    Based on recent arrests here in the United Kingdom--here 
and in the United Kingdom--it appears that the groups consist 
predominantly of juveniles who want notoriety. Non-state 
hacktivist groups have indulged in denial of service attacks 
against the likes of Sony, MasterCard, and Stratfor located in 
my hometown of Austin, Texas. They deface websites, slow down 
on-line access to the internet and steal sensitive information 
such as password files, credit card information, and Social 
Security numbers. These groups, both nation-states and non-
state hacktivists, present a threat not only to the security of 
our Nation but also to our personal and business files.
    We require a robust National effort to counter these 
attacks against our National interest. The potential of cyber 
attacks is frightening. The Stuxnet worm is groundbreaking 
malware launched against the uranium nuclear program. It was 
used to blow up centrifuges. It is so devious in its use of 
computer vulnerabilities, with such a multi-pronged approach, 
that the Iranians had no idea they were being attacked. Such a 
successful attack against the United States, with viruses 
designed to manipulate and bring down our industrial control 
systems, could cause devastating human and economic losses.
    Indeed, General Alexander, Director of the National 
Security Agency, told me that it is not a matter of ``if'' but 
``when'' a cyber Pearl Harbor will occur. We have been 
fortunate that up until this point, cyber attacks in our 
country have not caused a cataclysmic event that has brought 
physical harm to Americans, but that is not for lack of an 
effort on the part of those who mean to destroy our way of 
life.
    Last week Former Secretary of Homeland Security Michael 
Chertoff said it doesn't take a lot to understand how an attack 
on critical infrastructure during a time of tension could 
seriously undermine the ability of a country to defend itself. 
The Secretary recalled: ``I had the experience of living 
through an event that occurred after there was a fair amount of 
warning, and four planes were hijacked and we lost about 3,000 
people. My message to anybody who is interested in this, 
particularly in the Congress, is let's do something meaningful 
because it is not a tolerable situation.''
    I share the Secretary's concerns. It is time to do 
something meaningful.
    [The statement of Mr. McCaul follows:]
                Statement of Chairman Michael T. McCaul
                             April 24, 2012
    America's computers are under attack and every American is at risk. 
The U.S. Government, critical infrastructures, American business 
institutions, and our personal data are being compromised by nation-
states and hacker groups.
    The intent is to conduct cyber warfare, paralyzing our 
infrastructure, stealing our intellectual property, conducting 
espionage, and gaining access to our credit card, bank account, and 
Social Security numbers.
    Richard Clarke, former special adviser on cybersecurity to 
President George W. Bush, said within the first 48 hours of a cyber 
attack on the United States we could experience:
   The Department of Defense's classified and unclassified 
        networks collapsing as a result of large-scale routers failing 
        to function.
   Reports of large oil refinery fires, as well as lethal 
        clouds of chlorine gas emitting from chemical plants.
   Our financial system dissolving as a result of important 
        financial data being lost with no idea of who owns what.
   Pipelines carrying natural gas exploding.
   Trains and subway derailing.
   A Nation-wide blackout leaving American cities in the dark.
    Unfortunately, this is not a science fiction scenario.
    There are no shells exploding or foreign militaries on our shores. 
But make no mistake: America is under attack by digital bombs.
    There are several things the American public should understand 
about these attacks:
   They are real, stealthy, and persistent, and could devastate 
        our Nation.
   They occur at the speed of light.
   They are global and could come from anywhere on earth.
   They penetrate traditional defenses.
    Who is conducting these attacks and why?
    An October 2011 Report to Congress on Foreign Economic Collection 
and Industrial Espionage states, it is part of China and Russia's 
national policy to try to identify and steal sensitive technology, 
which they need for their development. China and Russia view themselves 
as strategic competitors of the United States and are the most 
aggressive collectors of U.S. economic information and technology.
    China's cyber warfare capabilities and the espionage campaigns they 
have undertaken are the most prevalent of any nation-state actor. China 
has created citizen hacker groups, engaged in cyber espionage, 
established cyber war military units, and laced the U.S. infrastructure 
with logic bombs.
    Russia has advanced capabilities and the intent and technological 
prowess necessary to carry out a cyber attack anywhere in the world, at 
any time.
    Russia has been accused of unleashing a cyber war against Estonia 
in 2007 and shutting down government websites.
    Russia has also taken down Georgia's banking and government sites 
as part of a policy to demonstrate its power during a conflict.
    There are of course many other countries developing cyber 
capabilities and using cyber espionage to steal U.S. trade and 
technology secrets to bolster their own economic development; and all 
of them pose a threat. Besides nation-states, there are groups such as 
Anonymous, LulzSec and AntiSec who indulge in non-state ``hacktivism'' 
or hacking and activism.
    They are largely a sympathizer for ``freedom of information,'' and 
their agenda is basically to protest what they perceive as violations 
of privacy.
    These attacks are sometimes aimed at individuals but many times 
used against businesses.
    Based on the recent arrests here and in the United Kingdom, it 
appears the groups consist predominantly of juveniles who want 
notoriety.
    Non-state hacktivist groups have indulged in denial of service 
attacks against the likes of Sony, Mastercard, and Stratfor, located in 
my hometown of Austin, Texas, defacing websites, slowing down on-line 
accesses on the internet and stealing sensitive information such as 
password files, credit card, and Social Security numbers.
    These groups, both nation-states and non-state hacktivists, present 
a threat not only to the security of our Nation, but also to our 
personal and business files. We require a robust National effort to 
counter these attacks against our National interests.
    The potential of cyber attacks is frightening. The Stuxnet worm is 
groundbreaking malware launched against the Iranian nuclear program. It 
is so devious in its use of computer vulnerabilities with such a 
multipronged approach that the Iranians had no idea they were attacked.
    Such a successful attack against the United States with viruses 
designed to manipulate and bring down our industrial control systems 
they could cause devastating human and economic losses.
    General Alexander, director of the National Security Agency, told 
me that it is not a matter of if, but when a cyber Pearl Harbor will 
occur.
    We have been fortunate that up until this point cyber attacks in 
our country have not caused a cataclysmic event that has brought 
physical harm to Americans. But that is not for lack of effort on the 
part of those who mean to destroy our way of life.
    Last week, former Secretary of Homeland Security Michael Chertoff 
said ``It doesn't take a lot to understand how an attack on critical 
infrastructure during a time of tension could seriously undermine the 
ability of a country to defend itself.''
    The Secretary recalled, ``I had the experience of living through an 
event that occurred after there was a fair amount of warning and four 
planes were hijacked and we lost about 3,000 people. My message to 
anybody who's interested in this, particularly in Congress, is let's do 
something meaningful because it is not a tolerable situation.''
    I share the Secretary's concerns. It is time to do something 
meaningful.

    Mr. McCaul. With that, I recognize the Ranking Member of 
the subcommittee, Mr. Keating, for his opening statement.
    Mr. Keating. Thank you, Mr. Chairman. Mr. Chairman, thank 
you for convening today's hearing. I would also like to 
acknowledge Chairman McCaul's long-standing interest in 
cybersecurity efforts. I want to also acknowledge the presence 
of Ms. Clarke, who is the Ranking Subcommittee Chair on 
Cybersecurity, as well as Ranking Member Thompson, whose 
interest in this issue has been longstanding, and he is the 
Ranking Member of the overall committee.
    In 2007 Chairman McCaul, along with Congressman Jim 
Langevin, were named co-chairs of the Center for Strategic and 
International Studies Commission on Cybersecurity for the 44th 
Presidency. Since that time he, among others, have been leaders 
on this issue, and last month he and I co-hosted a House-wide 
cybersecurity briefing that included an in-depth discussion on 
how cyber attacks threaten our critical infrastructure, cell 
phones, and computers.
    I am pleased to see that two of the participating 
organizations in that briefing--CSIS, the Center for Strategic 
and International Studies, and Northeastern University--are 
testifying today. I look forward to continuing to work with 
Chairman McCaul on cybersecurity issues and performing 
oversight of the Department's role as a leading cybersecurity 
agency.
    Cybersecurity, as acknowledged by President Obama, is one 
of the most serious economic and National security threats our 
Nation faces. The impacts of a cyber attack against critical 
infrastructure or our widely-used Federal system are spurring 
efforts in Washington to compel energy companies, along with 
other operators of vital infrastructures, to do more to protect 
their computer network from hackers. Public reports reveal 
Federal networks have been under attack for years, and some 
accounts point to upwards to 3 billion cyber attacks a year in 
the United States. The price of the security is not cheap. 
Government agencies would need to boost cybersecurity spending 
more than seven times to block 95 percent of hacker attacks, 
according to a Bloomberg Government study.
    That translates into an annual spending average of $190.3 
million per agency, up from the current $26 million, according 
to the study based on interviews with officials of 48 Federal, 
State, and municipal agencies.
    Moreover, one recent study estimated that 71 percent of all 
companies experienced a cyber attack last year. The current 
combined financial impact on public and private sector cyber 
attacks is unknown, but estimates are in the billions. Yet as 
we add up the dollars and weigh the risks, we must not forget 
the greatest attack will be on the confidence of the American 
people if even one large-scale cyber attack scenario were to 
materialize.
    It is therefore imperative that we get a full understanding 
of the root causes of cyber attacks, learn from where the 
threat is derived, and ensure that every available means of 
protection is deployed at our disposal.
    Mr. Chairman, last week during our full committee's markup 
of the Precise Act, I proposed an amendment that would have 
incorporated the model of the three-legged stool of Government 
working in partnership with academia and industry and to 
legislation designed to anticipate cyber threats and develop 
means to combat them.
    I plan to work further in this initiative because even in 
times of greatly-needed cost-saving measures, we should be wary 
of trading in long-term gains for short-term cuts. For this 
reason, our Government should do more to accelerate the pace of 
research discovery and development in home-grown technologies. 
I believe that this path forward will enable us to see a return 
on our investments and remain competitive in the global economy 
as well.
    I know that my colleague, Chairman McCaul, is a proponent 
of engaging research institutions in these matters, and I 
congratulate him and his work on the Cybersecurity Enhancement 
Act of 2011. Unfortunately, this week the House will consider 
legislation that contains broad and ambiguous language, serious 
privacy implications, and that moves away from Homeland 
Security being the central agency for cybersecurity efforts.
    The Department through its United States Computer Emergency 
Readiness Team, or US-CERT, has made great strides, and I am 
concerned that the legislation compromising its authority will 
set us back in our fight against cyber attacks. The President, 
the CSIS Commission on Cybersecurity for the 44th Presidency, 
and the House Republican Cybersecurity Task Force have all made 
numerous recommendations on how to improve cybersecurity. I 
would encourage my colleagues to bring legislation to the floor 
that fully protects the Constitutional rights and contains 
recommendations made by these entities.
    I look forward to today's testimony and am especially glad 
to hear from Dr. Stephen Flynn of Northeastern University as he 
discusses the nature of the cybersecurity threat and his 
standpoint on making universities full-fledged cybersecurity 
partners. I yield back.
    Mr. McCaul. I thank the Ranking Member, and thank you for 
your special recognition of our efforts and my efforts as well.
    With that, I recognize the Ranking Member of the full 
committee, Mr. Thompson.
    Mr. Thompson. Thank you very much, Chairman McCaul, for 
today's hearing. The threat to our Nation's cyber systems and 
networks is real and present. Billions of Americans use the 
internet every day to communicate, pay bills, obtain 
information, and perform job-related functions. Moreover, the 
Federal Government relies on the internet and a network of 
Federal systems to support infrastructure, maintain defense 
systems, protect power plants and water supplies, perform 
administrative functions of Federal agencies, and a host of 
other activities.
    It is therefore imperative that we take seriously the 
United States' role in securing cyber space from unwanted 
intrusions and dangerous attacks. A large portion of Federal 
responsibility lies with the U.S. Congress. It is our role to 
ensure that necessary legislation is passed and provide America 
with the protection it needs. Per the title of today's hearing, 
urgent action is needed, and I agree.
    However I have consistently noted that what is needed is 
legislation that will accomplish three things: No. 1, address 
the growing cyber threat to critical infrastructure networks; 
No. 2, promote and enhance information sharing between and 
among private sector and the Federal Government while 
protecting the privacy and civil liberties of Americans using 
the internet; and No. 3, solidify and enhance the Department of 
Homeland Security's role as a Federal Government lead for 
Federal network security and private sector cyber support.
    Unfortunately, none of the bills being voted on by the 
House this week accomplish these goals. As a result, at the end 
of Cybersecurity Week, America will remain without a 
comprehensive National strategy that bears cybersecurity 
efforts in one domestic agency and protects the privacy rights 
of American citizens.
    While the initial measure introduced by Representative 
Lungren, the chairman of the Committee's Subcommittee on 
Cybersecurity, Infrastructure Protection, and Security 
Technologies was not perfect, it took a number of steps in the 
right direction and would have measurably strengthened our 
Nation's cybersecurity posture. Yet the key initiatives that I 
believe were necessary were removed at the last minute. Despite 
these changes, the Republican leadership has elected not to 
bring that measure to the House floor.
    So while I look forward to today's testimony and thank the 
witnesses for their participation, I am disheartened by the 
missed opportunity to produce the urgent action that is indeed 
needed. I yield back, Mr. Chairman.
    Mr. McCaul. I thank the Ranking Member. I share your 
concerns. I do want to say that there are four bills that will 
be on the House floor this week, all of which passed out of 
committee in a bipartisan fashion. I believe it is the 
leadership's intent to proceed with those bills that will go 
forward in a bipartisan way, as this is an issue that should be 
a bipartisan issue and not a partisan issue. Unfortunately, the 
bill passed out of Homeland Security was not a bipartisan vote.
    When I talked to Secretary of Homeland Security Napolitano 
and General Alexander, the NSA director, the two key components 
they wanted to see was a codification of the existing legal 
authorities based on Presidential Directives and Executive 
Orders. The bill passed out of committee does that. Also with 
respect to information sharing, that is achieved through the 
National Cybersecurity and Communications Integration Center. 
So I think those two key components are addressed in the bill.
    But let me just say this to the Ranking Member. I hope that 
we can work together to make this bill out of this important 
committee, with the agency that really is in the forefront and 
the center of cybersecurity. I hope we can work together to 
make this a more bipartisan bill and proceed to the House 
floor.
    With that, other Members are reminded that opening 
statements may be submitted for the record. We are pleased to 
have a very distinguished panel here before us today.
    First, Mr. Henry needs probably little or no introduction 
and I can't tell you how pleased I am to have him here today. 
He has been a real leader in this area. He is a former 
executive assistant director of the Criminal, Cyber, Response, 
and Services Branch of the FBI, really at the forefront of this 
effort for so many years. He was responsible for all FBI world-
wide computer investigations. Additionally, he was an original 
member of the National cyber study group which developed a 
comprehensive National Cybersecurity Initiative.
    Next we have a dear friend of mine, a colleague, somebody I 
worked with, as the Ranking Member mentioned, on the CSIS 
Commission report on cybersecurity, Dr. James Lewis. Jim is a 
senior fellow and director of the Technology and Public Policy 
Program at the Center for Strategic and International Studies 
focusing on technology, National security and the international 
economy. Previously he was the project director for the CSIS 
Commission on Cybersecurity for the 44th Presidency. Jim, great 
to see you here again today.
    Next we have Mr. Gregory Wilshusen. It is hard to say that 
three times in a row and get it right. But Greg is the director 
of information security issues at the GAO where he leads 
information security-related studies and audits of the Federal 
Government. Thank you for being here as well.
    Next we have Mr. Stuart McClure who is the executive vice 
president and the worldwide chief technology officer at McAfee. 
Most of you know McAfee is a leader in cybersecurity efforts. 
At McAfee he also served as senior vice president of global 
threats and research.
    Finally we have Dr. Flynn. Dr. Stephen Flynn is the 
founding co-director of the George Kostas Research Institute 
for Homeland Security at Northeastern University. Prior to 
September 11 he served as an expert advisor to the U.S. 
Commission on National Security, the Hart-Rudman Commission. 
Dr. Flynn served in the Coast Guard on active duty for 20 
years, and we thank you for your service, Dr. Flynn, in that 
regard.
    So with that, the Chairman now recognizes Mr. Henry for his 
testimony.

STATEMENT OF SHAWN HENRY, FORMER EXECUTIVE ASSISTANT DIRECTOR, 
CRIMINAL, CYBER, RESPONSE, AND SERVICES BRANCH, FEDERAL BUREAU 
                        OF INVESTIGATION

    Mr. Henry. Good afternoon Chairman McCaul, Ranking Member 
Keating, and Members of the subcommittee. I am pleased to be 
here today with the distinguished witnesses to discuss the 
cyber threats facing our Nation and how these threats impact 
our Government and our private-sector networks. It is difficult 
to overstate the potential harm these threats pose to our 
economy, our National security, and the critical infrastructure 
upon which our country relies.
    I am currently the president of CrowdStrike Services, a 
computer security organization. But up until last month I led 
all the FBI cyber efforts, as the Chairman noted, and I saw 
with deep granularity the threats that we face. The number and 
sophistication of these cyber attacks has increased 
dramatically over the past 5 years and it is going to continue 
to grow. The threat has reached the point that given enough 
time, motivation, and funding, a determined adversary will 
likely penetrate any system that is accessible directly from 
the network. I do not believe our critical infrastructure can 
remain unscathed in the long term if the current environment 
remains unchanged. With the depth and breadth of the intrusions 
that I have seen, I believe it is necessary for network 
administrators to assume that they have already been breached 
rather than waiting for their network intrusion systems to 
alert them to an infiltration.
    Network security compliance in and of itself falls far 
short of the continuous evaluation that needs to be done on our 
networks every single day. Cyber criminal threats to the United 
States result in significant economic losses. Cyber criminals 
are forming private trusted and organized groups to conduct 
cyber crime, and these groups are accessing personally 
identifiable information which includes banking, brokerage 
account information, credentials and credit card numbers of 
individuals and businesses that can be used for financial gain. 
The economic consequences are severe, and there have been 
hundreds of millions of dollars lost in the financial services 
sector alone.
    But that doesn't even begin to tell the real story about 
what is happening to this Nation. A colleague of mine recently 
used an analogy where an iceberg represents the totality of 
threats to the information infrastructure. Cyber crime, as I 
have just described, is merely the tip of the iceberg. The 
biggest threats are below the waterline, just like the vast 
majority of an iceberg. The public sees the tip because cyber 
crime is regularly reported in the media-- stolen credit cards, 
lost identities, eastern European organized crime groups, and 
breached bank accounts. The waterline is the separation between 
the unclassified and classified environment. Thus, the most 
sophisticated and damaging attacks occur primarily out of the 
public sight.
    I would offer that only a small percentage of individuals, 
primarily those in the intelligence community, have ever seen 
below the waterline, and the real threat is grossly 
underappreciated by the public.
    The most significant cyber threats to our Nation are those 
with high intent and high capability to inflict damage or even 
death in the United States, to illicitly acquire substantial 
assets, or to illegally obtain sensitive or unclassified U.S. 
military, intelligence, or economic information. These are the 
threats from foreign intelligence services who assault U.S. 
businesses many times every single day, 365, and for those I 
have seen below the waterline.
    The threat continues unabated. U.S. critical infrastructure 
faces a growing threat due to advancements in the availability 
and sophistication of malicious software tools and the fact 
that new technologies raise new security issues that are not 
always addressed prior to adoption. Specifically, industrial 
control systems which operate the physical processes of the 
Nation's pipelines, electricity, and other critical 
infrastructures are at elevated risk of cyber exploitation.
    Today, likely only advanced threat actors are capable of 
employing these techniques. But as we have seen with other 
malicious software tools, these capabilities will eventually be 
within reach of all threat actors.
    So what does this all mean? I believe most major companies 
have already been breached or will be breached, resulting in 
substantial losses of information, economic competitiveness, 
and National security. Many are breached and have absolutely no 
knowledge that an adversary was or remains resident on their 
network, oftentimes for weeks, months, or even years.
    While I was executive assistant director at the FBI, our 
agents regularly knocked on the door of victim companies and 
told them their network had been intruded upon and their 
corporate secrets had been stolen because we found their 
proprietary data resident on a server in the course of another 
investigation. We were routinely telling organizations they 
were victims, and these victims ranged in size and industry and 
cut across all financial critical sectors, or all critical 
sectors.
    For those companies that do know and fail to report or 
address the breach, they are aiding and assisting in the 
foreign intelligence service collection, and their corporate 
infrastructure is a component of the adversary's collection 
platform. Although our adversary cyber capabilities are at an 
all-time high, combating this challenge needs to be a top 
priority for both the public and the private sector.
    The adversary is persistent. It is not enough to stop their 
attack once or twice. They will keep coming until they get in. 
The problem with existing technologies and threat mitigation 
tactics is they are too focused on adversary tools like malware 
and exploits, and not on who the adversary is and how they 
operate.
    Ultimately, we focus on the enemy and take the fight to 
them to raise their cost of attack, and we will fail because 
they will always get through if we don't take that approach. 
This requires us to stop solely playing defense. The 
sophisticated adversary practices crafty offense and the 
offense outpaces the defense. While we certainly need to 
continue defense and not let our guard down, we need to be more 
proactive and strategic in our approach. We cannot stand by and 
wait for them to trip an alarm as they shake the proverbial 
fence, because the sophisticated adversaries are jumping right 
over the fence. They are never tripping an alarm. They are 
bypassing the intrusion detection systems. We must assume that 
they are already inside the perimeter and we must constantly 
hunt them on our networks to identify and mitigate their 
actions.
    Hunting necessitates us acquiring a better sight picture of 
who the adversary is, the assets they are targeting, the 
techniques they are employing and who exactly they are. This is 
where intelligence sharing is critical.
    Technology is just a piece of the solution, not the sole 
solution. What we have is an adversary problem, not a malware 
problem. Let me repeat that piece about intelligence. The 
sharing of intelligence is critical and the U.S. Government 
needs to develop better protocols to share intelligence broadly 
across the private sector.
    In conclusion, we face significant challenges in our 
efforts to combat the cyber attack. I am optimistic that by 
strengthening partnerships and effectively sharing intelligence 
and successfully identifying our adversaries, we can best 
protect our businesses and critical infrastructure. However, I 
would be remiss if I didn't say this: Recognizing this is a 
complex problem; there are many moving parts. I appreciate the 
committee's statement about the sense of urgency. It is really, 
really important because our Nation is at risk and we cannot 
stand by and admire this problem.
    I look forward to working with the subcommittee and 
Congress as a whole to determine a successful course forward 
and ensure that we can have a safe, positive, economic, and 
social benefit from the internet while minimizing the risks 
posed to us by our adversaries.
    [The prepared statement of Mr. Henry follows:]
                   Prepared Statement of Shawn Henry
                             April 24, 2012
    Good afternoon Chairman McCaul, Ranking Member Keating, and Members 
of the subcommittee. I'm pleased to be here today to discuss the cyber 
threats facing our Nation and how these threats impact our Government 
and private-sector networks. It is difficult to overstate the potential 
harm these threats pose to our economy, our National security, and the 
critical infrastructure upon which our country relies.
                        the cybersecurity threat
    As the subcommittee is aware, the number and sophistication of 
cyber attacks has increased dramatically over the past 5 years and is 
expected to continue to grow. The threat has reached the point that, 
given enough time, motivation, and funding, a determined adversary will 
likely penetrate any system that is accessible directly from the 
internet. Even systems not touching the network are susceptible to 
attack via other than remote access, including the trusted insider 
using devices such as USB flash drives, and the supply chain.
    It is difficult to say with confidence that our critical 
infrastructure--the backbone of our country's economic prosperity, 
National security, and public health--will remain unscathed and always 
be available when needed. In fact, I have stated publicly that with the 
depth and breadth of the intrusions I've seen, I believe it is 
necessary for network administrators to assume they have already been 
breached rather than waiting for their intrusion detection systems to 
alert them to an infiltration.
           criminal cyber threats against the private sector
    Cyber criminal threats to the United States result in significant 
economic losses. Cyber criminals are forming private, trusted, and 
organized groups to conduct cyber crime. The adoption of specialized 
skill sets and professionalized business practices by these criminals 
is steadily increasing the complexity of cyber crime by providing 
actors of all technical abilities with the necessary tools and 
resources to conduct cyber crime. Not only are criminals advancing 
their abilities to attack a system remotely, they are becoming adept at 
tricking victims into compromising their own systems.
    Once a system is compromised, cyber criminals will use their 
accesses to obtain Personally Identifiable Information (PII), which 
includes on-line banking/brokerage account credentials and credit card 
numbers of individuals and businesses that can be used for financial 
gain. As cyber crime groups increasingly recruit experienced actors and 
pool resources and knowledge, they advance their ability to be 
successful in crimes against more profitable targets and will learn the 
skills necessary to evade the security industry and law enforcement.
    The potential economic consequences are severe. The sting of a 
cyber crime is not felt equally across the board. A small company may 
not be able to survive even one significant cyber attack.
    Often, businesses are unable to recoup their losses, and it may be 
impossible to estimate their damage. Many companies prefer not to 
disclose that their systems have been compromised, so they absorb the 
loss, making it impossible to accurately calculate damages. As a result 
of the inability to define and calculate losses, the best that the 
Government and private sector can offer are estimates. Over the past 5 
years, estimates of the costs of cyber crime to the U.S. economy have 
ranged from millions to hundreds of billions. A 2010 study conducted by 
the Ponemon Institute estimated that the median annual cost of cyber 
crime to an individual victim organization ranges from $1 million to 
$52 million.
    According to a 2011 publication released by Javelin Strategy and 
Research, the annual cost of identity theft is $37 billion. This 
includes all forms of identity theft, not just cyber means. The 
Internet Crime Complaint Center (IC3), which aggregates self-reported 
complaints of cyber crime, reports that in 2010, identity theft schemes 
made up 9.8 percent of all cyber crime.
                         the tip of the iceberg
    A colleague of mine recently used an analogy where an iceberg 
represents the totality of threats to the information infrastructure. 
``Cyber crime'', as described above, is merely the tip of the iceberg; 
the biggest threats are ``below the water line'', just like the vast 
majority of an iceberg. The public sees ``the tip'' because the cyber 
``crime'' is regularly reported in the media; stolen credit cards, lost 
identities, Eastern European Organized Crime groups; and breached bank 
accounts. The ``water line'' is the separation between the unclassified 
and classified environment; thus, the most sophisticated and damaging 
attacks occur primarily out of the public's sight.
    I would offer that only a very small group of individuals--
primarily those in the intelligence community--have ever seen ``below 
the water line'', and the real threat is grossly underappreciated by 
the public. The most significant cyber threats to our Nation are those 
with high intent and high capability to inflict damage or even death in 
the United States; to illicitly acquire substantial assets; or to 
illegally obtain sensitive or classified U.S. military, intelligence, 
or economic information. These are the threats from foreign 
intelligence services, and for those I have seen below the waterline.
             cyber threats to u.s. critical infrastructure
    The threat continues unabated. U.S. critical infrastructure faces a 
growing cyber threat due to advancements in the availability and 
sophistication of malicious software tools and the fact that new 
technologies raise new security issues that are not always addressed 
prior to adoption. The increasing automation of our infrastructures 
provides more cyber access points for adversaries to exploit, and the 
target set grows daily as more and more data is pushed, transmitted, or 
stored on the network.
    New ``smart grid'' and ``smart home'' products, for example, 
designed to provide remote communication and control of devices in our 
residences, businesses, and critical infrastructures, must be developed 
and implemented in ways that will also provide protection from 
unauthorized use. Otherwise, each new device will become a doorway into 
our systems for adversaries to use for their own purposes.
    Industrial control systems, which operate the physical processes of 
the Nation's pipelines, railroads, and other critical infrastructures, 
are at elevated risk of cyber exploitation. We need to be concerned 
about the proliferation of malicious techniques that could degrade, 
disrupt, or destroy critical infrastructure. Though likely only 
advanced threat actors are currently capable of employing these 
techniques, as we have seen with other malicious software tools, these 
capabilities will eventually be within reach of all threat actors.
                        what does all this mean?
    I believe most major companies have already been breached or will 
be breached, resulting in substantial losses of information, economic 
competitiveness, and National security. Many are breached and have 
absolutely no knowledge that an adversary was or remains resident on 
their network, often times for weeks, months, or even years. While I 
was EAD at the FBI, our agents regularly knocked on the door of victim 
companies and told them their network had been intruded upon and their 
corporate secrets stolen, because we found their proprietary data 
resident on a server in the course of another investigation. We were 
routinely telling organizations they were victims, and these victims 
ranged in size and industry, and cut across all critical sectors.
                         addressing the threat
    Although our cyber adversaries' capabilities are at an all-time 
high, combating this challenge needs to be a top priority for both the 
public and the private sector. We need to continue to develop 
partnerships within industry, academia, and across all of Government to 
have a dramatic improvement in our ability to share intelligence to 
combat this threat.
    The adversary is persistent. It's not enough to stop their attack 
once or twice; they will keep trying until they get in. The problem 
with existing technologies and threat-mitigation tactics is they are 
too focused on adversary tools (malware and exploits) and not on who 
the adversary is and how they operate. Ultimately, until we focus on 
the enemy and take the fight to them to raise their cost of attack, we 
will fail because they will always get thorough.
    This requires us to stop relying solely on ``defense.'' The 
sophisticated adversary practices crafty offense, and the offense 
outpaces the defense. While we certainly need to continue defense--we 
cannot let our guard down--we need to be more proactive and strategic 
in our approach.
    We cannot stand by and wait for them to trip an alarm as they shake 
the proverbial fence; sophisticated adversaries jump OVER the fence, 
bypassing the intrusion detection ``alarm'' entirely. We must assume 
they are already inside the perimeter, and we must constantly hunt them 
on our networks to identify and mitigate their actions.
    Hunting necessitates us acquiring a better site picture of the 
adversary--what assets are they targeting, what techniques are they 
employing, and who, exactly, are they? This is where intelligence 
sharing is critical; using advanced intelligence technology, companies 
can share information enabling them to learn the human aspects of the 
attack, become more predictive, and thus preventative. Technology is a 
piece of the solution, not the sole solution, because what we really 
have is an adversary problem.
                               conclusion
    We face significant challenges in our efforts to combat the cyber 
threat. I am optimistic that by strengthening partnerships, effectively 
sharing intelligence, and successfully identifying our adversaries, we 
can best protect businesses and critical infrastructure from grave 
damage.
    I look forward to assisting the subcommittee and Congress as a 
whole to determine a successful course forward for the Nation that 
allows us to reap the positive economic and social benefits of the 
internet while minimizing the risk posed by those who seek to use it to 
do us irreparable harm.

    Mr. McCaul. Thank you Mr. Henry for your service and for 
your insight to this committee.
    Next, the Chairman recognizes Mr. Lewis.

   STATEMENT OF JAMES A. LEWIS, DIRECTOR AND SENIOR FELLOW, 
TECHNOLOGY AND PUBLIC POLICY PROGRAM, CENTER FOR STRATEGIC AND 
                     INTERNATIONAL STUDIES

    Mr. Lewis. Thank you, Mr. Chairman. Thanks to the Members 
of the committee for the opportunity to testify. Many of you, 
of course, are already familiar with the problem, so I will 
touch on two issues in particular: Cyber espionage and cyber 
attack. Cyber espionage is our biggest problem, as you just 
heard, but most breaches are not reported. The best example is 
the 2010 Google incident which involved at least 35 other 
Fortune 500 companies, none of whom reported a problem. 
Concealing losses makes business sense, but it also makes it 
hard to plan a good defense. Perhaps the new SEC ruling will 
change this, but it hasn't changed yet.
    It is difficult to value the loss from cyber espionage, but 
all the estimates I have looked at put it in the tens or even 
hundreds of billions of dollars per year. The damage from 
espionage depends on whether the acquiring nation can use the 
technology. Sometimes it can take years for them to benefit. In 
other cases the benefit can be immediate, and we can identify 
foreign programs that appear to be based on U.S. technology. 
The clearest damage comes from the loss of military technology, 
but America's technological leadership and economic 
competitiveness is at risk. The fastest growing threat comes 
from the proliferation of the ability to attack critical 
infrastructure.
    We have been hearing about cyber Pearl Harbors and cyber 
Armageddons for about 15 years, and a reasonable person could 
ask: Why isn't this hype? Here is why it is not hype. 
Experiments at Idaho National Labs in 2007 showed that software 
sent over the internet could cause physical destruction by 
exploiting vulnerabilities in industrial control systems. 
Stuxnet confirmed this. There has been at least one other 
unreported incident. Just yesterday we saw oil facilities in 
Iran damaged by cyber attack.
    Only a few countries currently have this capability but new 
classes of opponents want them and are seeking to acquire them. 
This includes Iran and North Korea. These regimes are not known 
for stable decision making. Both have development programs and 
both have experimented with attacks. FBI Director Mueller 
points out that Iran may be losing its reluctance to attack the 
United States directly.
    Non-state actors, particularly Western anti-Government 
groups, are also exploring cyber attack. You can download the 
tools that will find critical infrastructure vulnerabilities 
easily off the internet. I did it last week and I toyed around 
with it and found 6,000 vulnerable networks. It was kind of 
fun. Combine these reconnaissance tools with the attack tools 
available in the cyber crime black market, and someone with 
good hacking skills--and there are many in these groups--could 
attack the poorly-defended critical infrastructures that are 
found in this country.
    As cyber attack capabilities become commoditized, the 
temptation for these politically motivated groups to use them 
against vulnerable U.S. targets will increase. The greatest 
threat to cybersecurity in America, however, is complacency. 
There are some in the internet community who still believe that 
the internet can heal itself. This is just naive. There are 
some business groups who argue that a disaggregated, voluntary 
approach to cybersecurity guided by information sharing will be 
adequate. This was tried in the Clinton administration. It did 
not work then, it does not work now, it will not work in the 
future when our opponents are more advanced and when we are 
more dependent on cyber space.
    The future of threats in cyber space involves the diffusion 
and the commoditization of attack capabilities. It will involve 
an increased number of privacy breaches and the loss of 
intellectual property. There are a number of steps that could 
reduce these risks, but unfortunately it appears that we may 
need to wait for a damaging cyber attack to make us move.
    I appreciate all the work the committee has done, both the 
full committee and the subcommittees. I know you are trying 
hard, but I think this attack is inevitable. Thank you for the 
opportunity to testify and I look forward to your questions.
    [The prepared statement of Mr. Lewis follows:]
                  Prepared Statement of James A. Lewis
                             April 24, 2012
    Every week--it's getting kind of boring--we read about hackers 
pilfering some company's database and stealing data on thousands or 
even millions of individuals. These are private-sector networks and 
they point to a crucial problem for assessing cybersecurity. Government 
agencies have to be transparent about breaches. Companies have to 
report breaches when it affects consumer privacy. But companies don't 
have to report breaches involving intellectual property or critical 
infrastructure. In fact, it is in their interest to conceal them. 
Perhaps the new Security and Exchange Commission Ruling that asks 
companies to report cyber incidents that damage shareholder value will 
change this, but it is too early to tell.
    So we have frequent reports of penetrations to governments' 
systems, weekly or daily reports of penetrations of company networks 
that affect privacy, and almost no reports of penetrations affecting 
intellectual property and critical services. This pattern is not 
credible--the level of privacy-related penetrations companies report is 
likely to also be the real level of intellectual property-related 
penetration. It's just not reported. We know from anecdotal data and 
from a few published instances that these network penetrations occur 
frequently. This anomaly in the reporting suggests we really lack--in 
open-source information--a clear understanding of the threat to the 
American private sector, and that protestations that private networks 
are secure or do a better job are, to put it charitably, inaccurate.
    An accurate assessment of threats in cyber space is essential for 
effective defense. A defense built on fictions will fail the first time 
it is tested. There is too much wishful thinking and complacency in the 
face of a threat that is growing as potential attackers acquire new 
capabilities and as our economy becomes more dependent on the internet 
and other cyber technologies. Digital networks are now the backbone of 
economic activity and National security, but our efforts to secure them 
remain haphazard, putting our Nation at risk. We can better understand 
this risk by looking at three separate categories of threat--espionage, 
crime, and attack.
    Our adversaries include powerful states, skilful criminals, and a 
range of extremist groups. We are hampered in our defense against these 
opponents when we try to treat cybersecurity as a business problem. 
Some companies will take adequate defense measures; other will not. It 
makes business sense for an intelligence agency to spend lavishly to 
penetrate an opponent's network. It does not make business sense for 
companies to spend at the same rate to defend. To put this in military 
terms, we have an uncoordinated defense that is easy to defeat in 
detail.
    Cyber espionage is the most pressing threat we face. The loss of 
intellectual property and business confidential information--economic 
espionage--using hacking and other techniques poses a threat to 
National security by undermining the military advantage provided by 
technology and by damaging economic competitiveness. The rate and 
degree to which National security is damaged depends, of course, on the 
ability of the acquiring nations to actually use the technology they 
steal and on America's own economic policies and Government support for 
science and engineering--our own economic policies and laws probably do 
more damage than cyber espionage--but there are many troubling 
incidents that suggest that real harm is being done. A major oil 
company lost exploration data worth hundreds of millions to a foreign 
attacker. We all know the Google case--at least 34 other high-tech 
companies were also penetrated, although they did not report the fact. 
Foreign hackers took IMF and G-20 documents relating to global 
financial negotiations. The delays and cost overruns in the F-35 
program may be the result of cyber espionage, as could the rapid 
development of China's J-20 stealth fighter. Industries as diverse as 
chemicals, telecommunications, and solar energy have all suffered from 
cyber espionage.
    The most harmful form of cyber espionage is state-directed. Foreign 
nation-state opponents are sophisticated intelligence agencies and 
advanced militaries whose business is to defeat network defenses and 
who have a demonstrated capacity to easily exploit commercial and 
Government networks. They have resources and persistence and their work 
can be seen as an extension of traditional espionage activities. Our 
network defenses are so poor, particularly in the ``dot.com'' space, 
that the effort to break in probably only takes these agencies and 
their proxies a few months of effort.
    There is no convincing estimate of the cost of economic espionage 
to the United States. One study put the cost at perhaps $30 billion a 
year (in 2011 dollars) but other studies estimate the loss to be in the 
hundreds of billions. These higher figures exaggerate loss, but 
whatever the dollar figure, the illicit acquisition of technology and 
the loss of confidential political and business information hurts 
American security. The insight into Government policies, and strategic 
industries provided by cyber espionage, and the acceleration of 
competitor technological development, provide foreign competitors with 
a tangible advantage that harms the United States. The committee may 
wish to ask, for example, for classified briefing on improvements in 
China's stealth and submarine capabilities and the possible relation 
between these improvements and hacking incidents at defense contractors 
over the last decade.
    We do not want to assume that losses are distributed evenly across 
all sectors of the economy. State-sponsored espionage will focus on 
area of concern to governments: Advanced technologies in aerospace, 
materials, information technology, and sensors, as well as commercially 
valuable financial data and energy-related information. Semiconductors 
and solar energy have been prime targets recently. Private entities 
also engage in cyber espionage, in many cases they do so with the 
acceptance of their governments. Hacking by private companies and 
individuals could engage a much broader swath of companies and 
technology. This probably reflects not only commercial interests but 
also an official policy to encourage the illicit acquisition of 
technology as a way to promote economic growth.
    Cyber espionage ranks first as a threat to the United States and 
other developed countries. Cyber crimes focused on financial gain are a 
lesser threat, but they damage public safety by putting private 
citizens and companies at risk of monetary loss. Anecdotal evidence 
suggests that crime against banks and other financial institutions 
probably costs the United States a several hundred million dollars 
every year. This is not a major economic loss, but harms American 
citizens and does some damage to our economy. However, cyber crime also 
threatens National security in that it allows potential opponents to 
maintain and train proxy forces at our expense. Nations like Russia and 
China are sanctuaries for cyber crime because it allows them to 
maintain ``irregular forces'' in cyber space--hackers who can be tapped 
to do the state's bidding in espionage, coercion, or attack.
    A recent opinion piece in a leading newspaper illustrates how 
confusing the discussion of cybersecurity has become, and helps explain 
why America may be too slow in constructing adequate defenses. The 
essay posited that most cyber criminals did not make much money, and 
that the threat they posed was overblown. You can test this formula by 
applying to it mugging: Most muggers do not make much money, so by the 
same logic, mugging is not a problem. This formula is divorced from any 
serious concept of public safety. Similarly, the National security 
implications of cyber crime were overlooked. Since cyber criminals are 
the proxy forces--the irregulars--that our two most dangerous opponents 
in cyber space use for National ends, cyber crime is an indirect and 
unwitting subsidies from American companies to foreign military and 
intelligence services.
    Cyber espionage and crime happen on a daily basis. This is [sic] 
nto the for [sic] cyber attacks against critical infrastructure or 
services, which have been few and far between. The threat comes from 
the spread of attack capabilities. In 2007, tests at the Idaho National 
Labs showed that sending malicious instructions via computer networks 
to the industrial control systems used to run critical infrastructure 
could cause machines to destroy themselves. Stuxnet produced a similar 
effect. These incidents showed that software can be sued as a weapon, 
and the internet as a delivery vehicle. Espionage and crime exploit 
vulnerabilities in networks technologies; attacks on critical 
infrastructure compound this by exploiting not only network 
vulnerabilities but also the vulnerabilities in industrial control 
systems. There is no economic incentive to fix these control 
vulnerabilities because they will not affect normal operations and they 
will become visible only when there is an attack. While the cost of 
cyber crime is relatively small, it is an integral part of other, more 
dangerous threat we face, including the ability to launch a damaging 
cyber attack.
    These attacks have been long prophesied, but we have only seen two 
or three. Only a few nations have the capability to destroy critical 
infrastructure and they are unlikely to use it outside of a war. We 
know that our two most likely military opponents have the capability to 
penetrate networks, scramble data, disrupt critical services, and even 
cause physical damage. We also know that they are more deterrable, more 
responsible, and in the case of China, face major disincentives, as a 
disruptive cyber attack would do as much damage to their own country, 
given how deeply our two nations' economies are intertwined.
    You sometimes hear analysts say that we are in a covert cyber war 
with China. This is inaccurate. We should stop trying to cram our 
complicated relationship with China into a simple Cold War framework. 
China and the United States are interdependent in ways that were 
inconceivable for the United States and Soviet Union. China is 
challenging the United States, but it is not a peer-competitor. 
Although it is rapidly increasing its military capabilities, it does 
not pose the existential threat to the United States that the Soviet 
Union posed. Given the deep distrust and hostility between the two 
nations, and the competition for regional and global influence, 
cybersecurity is a potential flashpoint in the bilateral relationship 
and a source of growing tension, but this is not war.
    The number of nations seeking to acquire cyber attack capabilities 
is growing rapidly--cyber attack is becoming a standard element in 
military planning. A more troubling development is that new classes of 
opponents are seeking the ability to launch cyber attacks. These new 
classes of opponents will not be as easily constrained. They are more 
likely to use cyber attack and all evidence suggests that we have 
nothing in the way of adequate defense. We simply do not take the 
threat of cyber attack seriously--would anyone not paid to do so argue 
that information sharing and voluntary action would protect us from 
terrorism? Or that telling companies what missiles and aircraft look 
like would be an adequate defense against a nuclear strike? But it is 
an American tradition to be surprised by opponents and only take action 
after the first attack.
    The area of greatest concern is in the diffusion of the ability to 
attack critical infrastructure, to less responsible and less deterrable 
actors who may calculate that it is in their interest to launch a cyber 
attack against the United States. Attack capabilities could spread if 
private hackers to independently discover the techniques currently 
possessed by governments. Some members of the hacker community have 
amazing capabilities. Another way attack capabilities could spread 
would be for hackers who are government proxies in Russia and China to 
``commercialize'' the skills and tools they have been provided for 
official purposes. These proxies receive training and support from 
military and intelligence agencies. They also participate in the cyber 
crime black markets. The flow from government agencies to proxies to 
the black market is likely, although it appears that governments still 
reserve the most advanced attack technique to themselves.
    It is difficult to assess how rapidly attack capabilities are 
growing outside of governments, and the actual transmission mechanism 
for cyber attack tools is unclear. For example, more than a decade ago, 
foreign intelligence agencies had the ability to activate cell phones 
and use them as listening devices even if they were turned off. 
Variants of this technique appear to be entering the black market. We 
do not know if it is because someone is commercializing a skill they 
learned from government service or if it is an independent discovery. 
People play with the technology and code--this is the original meaning 
of hacking--and find how to do interesting things the designers never 
intended or suspected were possible.
    The most advanced exploits are still out of reach, however, for all 
but large, well-resourced attackers. Stuxnet, for example, combined 
deep engineering knowledge and clandestine intelligence techniques with 
advanced hacking skills. Private hackers and most governments do not 
yet have the capability to launch a Stuxnet-like attack (but this is 
coming). That some of the Stuxnet code is publicly available does not 
really increase risk. Many cyber attacks are ``single-use'' exploits 
that work as a surprise but are much less effective after the target 
reacts and adjusts. In the United States, for example, a 2010 survey 
found that three-quarters of American utilities said they had put in 
place defenses against Stuxnet. These utilities would most likely be 
able to deflect a Stuxnet-like attack, while only the others would 
still be vulnerable.
    Stuxnet has increased risk as it has shown the world how to stage a 
damaging cyber attack, but there are many options other than Stuxnet. 
Unfortunately, even private hackers can exploit freely available 
information on vulnerabilities and penetration techniques to attack 
many commercial networks and the critical infrastructure connected to 
them. Why use an advanced attack like Stuxnet when a simple attack will 
work so well? There are tools that allow anyone to scan the internet to 
find unprotected digital devices at critical infrastructure facilities 
that connect control systems to the internet. You can scan for devices 
that are improperly configured, devices such as wireless routers that 
come from the manufacturer with the password set as ``password.'' It 
does not take a mastermind to break into such systems.
    These tools are widely available. Informal tests using these tools 
can find several thousand insecure connections in the United States on 
any given day. They provide a ``consumer version'' of the cyber 
reconnaissance an advanced power would carry out in planning an attack 
against the United States. Combine these publicly available 
reconnaissance tools with attack tools available on the cyber crime 
black market, and anyone with sufficiently advanced hacking skills will 
be able to attack poorly defended critical infrastructure or other 
commercial targets.
    The diffusion and consumerization of attack capabilities is not the 
only growing source of threat. We must also consider motivation and 
intent, in addition to capability. The few nations that currently 
possess advanced cyber attack capabilities are deterred by American 
military force or they are our allies. Most cyber criminals only engage 
in actions that generate income. Attacking critical infrastructure does 
not generate income unless extortion is involved (by threatening to 
disrupt services if the criminal is not paid). Cyber criminals have no 
motive to launch a cyber attack unless they are acting as government 
proxies or unless they have been hired as mercenaries.
    This is where the nexus between the diffusion of attack 
capabilities and intent become important. There are countries and 
groups that would like to attack the United States and are not as 
deterrable as our current adversaries. As nations and hackers develop 
more sophisticated attack capabilities and as sophisticated attack 
tools become available on the cyber crime black market, the threat of 
attack is increasing.
    We know that two countries hostile to the United States are 
developing cyber attack capabilities. North Korea has been pursuing 
cyber capabilities for more than a decade but the backwardness of its 
economy has so far limited its success. North Korea lacks easy access 
to advanced technologies. Its tightly controlled population is an 
unlikely source of hackers, as North Koreans do not have the 
independence and internet access hackers need to thrive. Technological 
backwardness and political culture are major obstacles to developing 
strong hacking capabilities, but, as with nuclear weapons, if North 
Korea is able to support sustained investment in cyber attack 
capabilities and find some outside support, it will eventually acquire 
them. North Korea's erratic behavior suggests it will use cyber attacks 
against South Korea, Japan, or U.S. forces in Korea, should it succeed 
in its long quest to obtain a cyber attack capability.
    Iran is a more troubling case. Iran has also been pursing the 
acquisition of cyber attack capabilities for several years. Iran has 
been for many years willing to attack U.S. forces and embassies in the 
region, and FBI Director Mueller stated in recent testimony that Iran 
is more willing to carry out attacks inside the United States. 
Statements by Iranian officials show that they believe that the United 
States, along with Israel, was responsible for the Stuxnet attacks and 
suggest that they believe they would be justified in retaliating in 
kind. Iran's attack capabilities are still limited but they have probed 
Israeli networks in what appear to be tests. Iranian hackers have 
greater access to the internet and to the cyber black market than North 
Korea, suggesting that their development of cyber capabilities will be 
more rapid.
    Iran, even more than North Korea, could miscalculate the costs of a 
cyber attack against the United States. Iran has groups that it 
sponsors, like Hezbollah, that it has used in the past to attack 
Americans. The Iranians may believe that these proxies will make it 
difficult for the United States to attribute an attack and this will 
reduce their perceptions of the risk of a cyber attack on American 
targets. Iran routinely exaggerates its military capabilities and its 
claims of cyber prowess are dubious, but there is a clear commitment 
(as with nuclear weapons) by the regime to continue its efforts to 
acquire the ability to launch cyber attacks.
    Finally there are non-state, anti-American and activist groups that 
already make extensive use of the internet. As cyber attack 
capabilities become ``commoditized,'' the temptation for these 
politically motivated groups to use them against vulnerable U.S. 
targets will increase. We have not seen terrorist groups use cyber 
attacks--they seem to have neither the capability nor the interest--but 
since these groups make extensive use of the internet they could 
eventually be attracted to cyber attack if the means to carry it out 
are easily available. Some non-state actors are grouped under the label 
``Anonymous,'' a disparate and decentralized federation of internet 
activists where many members espouse anti-government or anti-American 
ideas. The name ``Anonymous'' is misleading, however, as it implies a 
single entity. Anyone can say they are ``Anonymous,'' from individuals 
posting comments on 4Chan to members of foreign intelligence agencies 
(for whom ``false flag'' operations are routine). In a few cases, it 
appears that cyber criminals have used the name Anonymous when carrying 
out their for-profit exploits.
    These threats are all external, but greatest threat to America's 
cybersecurity come from inside. This threat is complacency and it has 
two sources. In the internet community, there are many who still 
believe that the internet can heal itself, that civil society and 
multi-stakeholder internet governance will ultimately provide adequate 
security. They say that threats in cyber space are exaggerated and that 
better cybersecurity puts privacy and the alleged virtues of an open 
internet for innovation at risk. This is simply naive and outdated. 
This sort of approach has never worked anywhere else, and it is not 
working now in cyber space.
    At the same time, business groups underestimate the threat we face 
and continue to assert that some sort of disaggregated, voluntary 
approach to cybersecurity, guided by better information sharing, will 
be adequate to protect the Nation. This, of course, was the approach 
adopted by the Clinton administration in 1998. It did not work then and 
it does not work now. It will not work in the future when our opponents 
are even more advanced and when we are even more dependent on cyber 
space. Simplifying the regulatory and tax structure would be immensely 
beneficial for our economy, but it is a non-sequitur to argue that 
blocking mandatory standards for cybersecurity somehow compensates for 
any over-regulation of commercial activities.
    The future of threats in cyber space will involve the diffusion and 
commoditization of attack capabilities. It will involve an increased 
number of privacy breaches and the loss of intellectual property and 
confidential business information. The situation is not static and 
could change rapidly. There are a number of steps we could take to 
reduce risk, but these steps face insurmountable political obstacles 
that will not disappear until after a damaging cyber event. To prepare 
itself for the inevitable, the committee may wish to ask for a 
classified briefing on the best available intelligence estimate for 
when America will experience a cyber attack.

    Mr. McCaul. Thank you, Jim, for your testimony and your 
service to the country on this important issue.
    With that, the Chairman now recognizes Mr. Wilshusen.

   STATEMENT OF GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION 
       SECURITY ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE

    Mr. Wilshusen. Chairman McCaul, Ranking Member Keating, and 
Members of the subcommittee, thank you for the opportunity to 
testify at today's hearing on cyber-based threats facing our 
Nation. The increasing dependency of IT systems and network 
operations pervades nearly every aspect of our society. In 
particular, increasing network interconnectivity has 
revolutionized the way our Government, our Nation, and much of 
the world communicate and conduct business. While bringing 
significant benefits, this dependency also creates 
vulnerabilities to cyber-based threats. Today I will describe 
some of those threats, vulnerabilities, and reported security 
incidents affecting the Nation's systems.
    But first, if I may, Mr. Chairman, I would like to 
recognize several members of my team who were instrumental in 
preparing this statement. One, Mike Gilmore, is behind me. Back 
at the office Anjalique Lawrence, Lee McCracken, and Kristi 
Dorsey played a pivotal role in developing these statements.
    Mr. Chairman, the Nation faces an evolving array of cyber-
based threats. These threats can be intentional and/or 
unintentional. Unintentional threats can be caused by software 
upgrades or defective equipment that inadvertently disrupt 
systems. Intentional threats can involve targeted and 
untargeted attacks from a variety of sources. These sources, as 
have been mentioned earlier, include foreign nations, criminal 
groups, hackers, terrorists, and insiders. They vary in their 
capabilities and their motives, which include seeking monetary 
gain and pursuing an economic, political, or military 
advantage. Moreover they have a variety of attack techniques at 
their disposal, such as using malicious code, social 
engineering, phishing, denial of service, and more 
sophisticated attacks that can use a combination of these and 
other techniques. The nature of these attacks vastly enhances 
the reach and impact due to the fact that attackers do not need 
to be physically close to victims and can more easily remain 
anonymous.
    The threat posed by cyber attacks is heightened by 
vulnerabilities in Federal systems and networks. Specifically, 
significant weaknesses in security controls continue to 
threaten the confidentiality, integrity, and availability of 
information systems supporting Federal operations.
    Most major Federal agencies have significant deficiencies 
in their information security controls. For fiscal year 2011, 
18 of the 24 major Federal agencies reported inadequate 
information system controls for financial reporting purposes, 
and inspectors general at 22 of these agencies identified 
information security as a major management challenge for their 
agency. GAO and agency IGs have made hundreds of 
recommendations to agencies to strengthen controls over their 
systems.
    We have also identified vulnerabilities and industrial 
control systems that monitor and control sensitive processes 
and physical functions supporting the Nation's critical 
infrastructures. Federal agencies continue to report an 
increasing number of cybersecurity incidents. Over the past 6 
years, the number of incidents reported by Federal agencies to 
US-CERT has risen nearly 680 percent, to almost 42,900 in 
fiscal year 2011. These incidents include unauthorized access 
and improper use of computing resources and the installation of 
malicious software on systems. Reported attacks and 
unintentional incidents involving Federal, private, and 
critical infrastructure systems occur daily and demonstrate 
that their impact can be serious.
    For example, individuals could suffer privacy and financial 
loss from identity theft and on-line scams. Private companies 
could lose a competitive advantage or market value from the 
cyber threat of intellectual property or business proprietary 
information, and essential Government functions and critical 
infrastructure services could be impaired or disrupted.
    In summary, the cyber threats facing the Nation are 
evolving and growing with a wide array of threat actors having 
access to increasingly sophisticated techniques for exploiting 
system vulnerabilities. The danger posed by these threats is 
heightened by the weaknesses that pervade Federal information 
systems and systems supporting critical infrastructures. 
Ensuring the security of these systems is essential to limiting 
potentially devastating consequences that imperil public health 
and safety in our National and economic security.
    Mr. Chairman, this completes my statement. I would be happy 
to answer any questions.
    [The prepared statement of Mr. Wilshusen follows:]
               Prepared Statement of Gregory C. Wilshusen
                             April 24, 2012
                             gao highlights
    Highlights of GAO-12-666T, a testimony before the Subcommittee on 
Oversight, Investigations, and Management, Committee on Homeland 
Security, House of Representatives.
Why GAO Did This Study
    Nearly every aspect of American society increasingly depends upon 
information technology systems and networks. This includes increasing 
computer interconnectivity, particularly through the widespread use of 
the internet as a medium of communication and commerce. While providing 
significant benefits, this increased interconnectivity can also create 
vulnerabilities to cyber-based threats. Pervasive and sustained cyber 
attacks against the United States could have a potentially devastating 
impact on Federal and non-Federal systems, disrupting the operations of 
governments and businesses and the lives of private individuals. 
Accordingly, GAO has designated Federal information security as a 
Government-wide high-risk area since 1997, and in 2003 expanded it to 
include protecting systems and assets vital to the Nation (referred to 
as critical infrastructures).
    GAO is providing a statement that describes: (1) Cyber threats 
facing the Nation's systems, (2) vulnerabilities present in Federal 
information systems and systems supporting critical infrastructure, and 
(3) reported cyber incidents and their impacts. In preparing this 
statement, GAO relied on previously published work in these areas and 
reviewed more recent GAO, agency, and inspectors general work, as well 
as reports on security incidents.
What GAO Recommends
    GAO has previously made recommendations to resolve identified 
significant control deficiencies.
              cybersecurity.--threats impacting the nation
What GAO Found
    The Nation faces an evolving array of cyber-based threats arising 
from a variety of sources. These threats can be intentional or 
unintentional. Unintentional threats can be caused by software upgrades 
or defective equipment that inadvertently disrupt systems, and 
intentional threats can be both targeted and untargeted attacks from a 
variety of threat sources. Sources of threats include criminal groups, 
hackers, terrorists, organization insiders, and foreign nations engaged 
in crime, political activism, or espionage and information warfare. 
These threat sources vary in terms of the capabilities of the actors, 
their willingness to act, and their motives, which can include monetary 
gain or political advantage, among others. Moreover, potential threat 
actors have a variety of attack techniques at their disposal, which can 
adversely affect computers, software, a network, an organization's 
operation, an industry, or the internet itself. The nature of cyber 
attacks can vastly enhance their reach and impact due to the fact that 
attackers do not need to be physically close to their victims and can 
more easily remain anonymous, among other things. The magnitude of the 
threat is compounded by the ever-increasing sophistication of cyber 
attack techniques, such as attacks that may combine multiple 
techniques. Using these techniques, threat actors may target 
individuals, businesses, critical infrastructures, or Government 
organizations.
    The threat posed by cyber attacks is heightened by vulnerabilities 
in Federal systems and systems supporting critical infrastructure. 
Specifically, significant weaknesses in information security controls 
continue to threaten the confidentiality, integrity, and availability 
of critical information and information systems supporting the 
operations, assets, and personnel of Federal Government agencies. For 
example, 18 of 24 major Federal agencies have reported inadequate 
information security controls for financial reporting for fiscal year 
2011, and inspectors general at 22 of these agencies identified 
information security as a major management challenge for their agency. 
Moreover, GAO, agency, and inspector general assessments of information 
security controls during fiscal year 2011 revealed that most major 
agencies had weaknesses in most major categories of information system 
controls. In addition, GAO has identified vulnerabilities in systems 
that monitor and control sensitive processes and physical functions 
supporting the Nation's critical infrastructures. These and similar 
weaknesses can be exploited by threat actors, with potentially severe 
effects.
    The number of cybersecurity incidents reported by Federal agencies 
continues to rise, and recent incidents illustrate that these pose 
serious risk. Over the past 6 years, the number of incidents reported 
by Federal agencies to the Federal information security incident center 
has increased by nearly 680 percent. These incidents include 
unauthorized access to systems; improper use of computing resources; 
and the installation of malicious software, among others. Reported 
attacks and unintentional incidents involving Federal, private, and 
infrastructure systems demonstrate that the impact of a serious attack 
could be significant, including loss of personal or sensitive 
information, disruption or destruction of critical infrastructure, and 
damage to National and economic security.
    Chairman McCaul, Ranking Member Keating, and Members of the 
subcommittee: Thank you for the opportunity to testify at today's 
hearing on the cyber-based threats facing our Nation.
    The increasing dependency upon information technology (IT) systems 
and networked operations pervades nearly every aspect of our society. 
In particular, increasing computer interconnectivity--most notably 
growth in the use of the internet--has revolutionized the way that our 
Government, our Nation, and much of the world communicate and conduct 
business. While bringing significant benefits, this dependency can also 
create vulnerabilities to cyber-based threats. Pervasive and sustained 
cyber attacks against the United States could have a potentially 
devastating impact on Federal and non-Federal systems and operations. 
In January 2012, the Director of National Intelligence testified that 
such threats pose a critical National and economic security concern.\1\ 
These growing and evolving threats can potentially affect all segments 
of our society--individuals; private businesses; local, State, and 
Federal governments; and other entities. Underscoring the importance of 
this issue, we have designated Federal information security as a high-
risk area since 1997 and in 2003 expanded this area to include 
protecting computerized systems supporting our Nation's critical 
infrastructure.\2\
---------------------------------------------------------------------------
    \1\ James R. Clapper, Director of National Intelligence, 
Unclassified Statement for the Record on the Worldwide Threat 
Assessment of the U.S. Intelligence Community for the Senate Select 
Committee on Intelligence (January 31, 2012).
    \2\ See, most recently, GAO, High-Risk Series: An Update, GAO-11-
278 (Washington, DC: February, 2011).
---------------------------------------------------------------------------
    In my testimony today, I will describe: (1) Cyber threats facing 
the Nation's systems, (2) vulnerabilities present in Federal systems 
and systems supporting critical infrastructure,\3\ and (3) reported 
cyber incidents and their impacts. In preparing this statement in April 
2012, we relied on our previous work in these areas. (Please see the 
related GAO products in appendix I.) These products contain detailed 
overviews of the scope and methodology we used. We also reviewed more 
recent agency, inspector general, and GAO assessments of security 
vulnerabilities at Federal agencies and information on security 
incidents from the U.S. Computer Emergency Readiness Team (US-CERT), 
media reports, and other publicly available sources. The work on which 
this statement is based was conducted in accordance with generally 
accepted Government auditing standards. Those standards require that we 
plan and perform audits to obtain sufficient, appropriate evidence to 
provide a reasonable basis for our findings and conclusions based on 
our audit objectives. We believe that the evidence obtained provided a 
reasonable basis for our findings and conclusions based on our audit 
objectives.
---------------------------------------------------------------------------
    \3\ Critical infrastructures are systems and assets, whether 
physical or virtual, so vital to our Nation that their incapacity or 
destruction would have a debilitating impact on National security, 
economic well-being, public health or safety, or any combination of 
these.
---------------------------------------------------------------------------
                               background
    As computer technology has advanced, both Government and private 
entities have become increasingly dependent on computerized information 
systems to carry out operations and to process, maintain, and report 
essential information. Public and private organizations rely on 
computer systems to transmit sensitive and proprietary information, 
develop and maintain intellectual capital, conduct operations, process 
business transactions, transfer funds, and deliver services. In 
addition, the internet has grown increasingly important to American 
business and consumers, serving as a medium for hundreds of billions of 
dollars of commerce each year, as well as developing into an extended 
information and communications infrastructure supporting vital services 
such as power distribution, health care, law enforcement, and National 
defense.
    Consequently, the security of these systems and networks is 
essential to protecting National and economic security, public health 
and safety, and the flow of commerce. Conversely, ineffective 
information security controls can result in significant risks, 
including:
   loss or theft of resources, such as Federal payments and 
        collections;
   inappropriate access to and disclosure, modification, or 
        destruction of sensitive information, such as National security 
        information, personal taxpayer information, or proprietary 
        business information;
   disruption of critical operations supporting critical 
        infrastructure, National defense, or emergency services;
   undermining of agency missions due to embarrassing incidents 
        that erode the public's confidence in Government; and
   use of computer resources for unauthorized purposes or to 
        launch attacks on other computers' systems.
       the nation faces an evolving array of cyber-based threats
    Cyber-based threats are evolving and growing and arise from a wide 
array of sources. These threats can be unintentional or intentional. 
Unintentional threats can be caused by software upgrades or defective 
equipment that inadvertently disrupt systems. Intentional threats 
include both targeted and untargeted attacks from a variety of sources, 
including criminal groups, hackers, disgruntled employees, foreign 
nations engaged in espionage and information warfare, and terrorists. 
These threat sources vary in terms of the capabilities of the actors, 
their willingness to act, and their motives, which can include monetary 
gain or political advantage, among others. Table 1 shows common sources 
of cyber threats.

               TABLE 1.--SOURCES OF CYBERSECURITY THREATS
------------------------------------------------------------------------
        Threat Source                         Description
------------------------------------------------------------------------
Bot-network operators........  Bot-net operators use a network, or bot-
                                net, of compromised, remotely-controlled
                                systems to coordinate attacks and to
                                distribute phishing schemes, spam, and
                                malware attacks. The services of these
                                networks are sometimes made available on
                                underground markets (e.g., purchasing a
                                denial-of-service attack or services to
                                relay spam or phishing attacks).
Criminal groups..............  Criminal groups seek to attack systems
                                for monetary gain. Specifically,
                                organized criminal groups use spam,
                                phishing, and spyware/malware to commit
                                identity theft, on-line fraud, and
                                computer extortion. International
                                corporate spies and criminal
                                organizations also pose a threat to the
                                United States through their ability to
                                conduct industrial espionage and large-
                                scale monetary theft and to hire or
                                develop hacker talent.
Hackers......................  Hackers break into networks for the
                                thrill of the challenge, bragging rights
                                in the hacker community, revenge,
                                stalking, monetary gain, and political
                                activism, among other reasons. While
                                gaining unauthorized access once
                                required a fair amount of skill or
                                computer knowledge, hackers can now
                                download attack scripts and protocols
                                from the internet and launch them
                                against victim sites. Thus, while attack
                                tools have become more sophisticated,
                                they have also become easier to use.
                                According to the Central Intelligence
                                Agency, the large majority of hackers do
                                not have the requisite expertise to
                                threaten difficult targets such as
                                critical U.S. networks. Nevertheless,
                                the world-wide population of hackers
                                poses a relatively high threat of an
                                isolated or brief disruption causing
                                serious damage.
Insiders.....................  The disgruntled organization insider is a
                                principal source of computer crime.
                                Insiders may not need a great deal of
                                knowledge about computer intrusions
                                because their knowledge of a target
                                system often allows them to gain
                                unrestricted access to cause damage to
                                the system or to steal system data. The
                                insider threat includes contractors
                                hired by the organization, as well as
                                careless or poorly-trained employees who
                                may inadvertently introduce malware into
                                systems.
Nations......................  Nations use cyber tools as part of their
                                information-gathering and espionage
                                activities. In addition, several nations
                                are aggressively working to develop
                                information warfare doctrine, programs,
                                and capabilities. Such capabilities
                                enable a single entity to have a
                                significant and serious impact by
                                disrupting the supply, communications,
                                and economic infrastructures that
                                support military power--impacts that
                                could affect the daily lives of citizens
                                across the country. In his January 2012
                                testimony, the Director of National
                                Intelligence stated that, among state
                                actors, China and Russia are of
                                particular concern.
Phishers.....................  Individuals or small groups execute
                                phishing schemes in an attempt to steal
                                identities or information for monetary
                                gain. Phishers may also use spam and
                                spyware or malware to accomplish their
                                objectives.
Spammers.....................  Individuals or organizations distribute
                                unsolicited e-mail with hidden or false
                                information in order to sell products,
                                conduct phishing schemes, distribute
                                spyware or malware, or attack
                                organizations (e.g., a denial of
                                service).
Spyware or malware authors...  Individuals or organizations with
                                malicious intent carry out attacks
                                against users by producing and
                                distributing spyware and malware.
                                Several destructive computer viruses and
                                worms have harmed files and hard drives,
                                including the Melissa Macro Virus, the
                                Explore.Zip worm, the CIH (Chernobyl)
                                Virus, Nimda, Code Red, Slammer, and
                                Blaster.
Terrorists...................  Terrorists seek to destroy, incapacitate,
                                or exploit critical infrastructures in
                                order to threaten National security,
                                cause mass casualties, weaken the
                                economy, and damage public morale and
                                confidence. Terrorists may use phishing
                                schemes or spyware/malware in order to
                                generate funds or gather sensitive
                                information.
------------------------------------------------------------------------
Source: GAO analysis based on data from the Director of National
  Intelligence, Department of Justice, Central Intelligence Agency, and
  the Software Engineering Institute's CERT Coordination Center.

    These sources of cyber threats make use of various techniques, or 
exploits, that may adversely affect computers, software, a network, an 
organization's operation, an industry, or the internet itself. Table 2 
provides descriptions of common types of cyber exploits.

                    TABLE 2.--TYPES OF CYBER EXPLOITS
------------------------------------------------------------------------
       Type of Exploit                        Description
------------------------------------------------------------------------
Cross-site scripting.........  An attack that uses third-party web
                                resources to run script within the
                                victim's web browser or scriptable
                                application. This occurs when a browser
                                visits a malicious website or clicks a
                                malicious link. The most dangerous
                                consequences occur when this method is
                                used to exploit additional
                                vulnerabilities that may permit an
                                attacker to steal cookies (data
                                exchanged between a web server and a
                                browser), log key strokes, capture
                                screen shots, discover and collect
                                network information, and remotely access
                                and control the victim's machine.
Denial-of-service............  An attack that prevents or impairs the
                                authorized use of networks, systems, or
                                applications by exhausting resources.
Distributed denial-of-service  A variant of the denial-of-service attack
                                that uses numerous hosts to perform the
                                attack.
Logic bombs..................  A piece of programming code intentionally
                                inserted into a software system that
                                will cause a malicious function to occur
                                when one or more specified conditions
                                are met.
Phishing.....................  A digital form of social engineering that
                                uses authentic-looking, but fake, e-
                                mails to request information from users
                                or direct them to a fake website that
                                requests information.
Passive wiretapping..........  The monitoring or recording of data, such
                                as passwords transmitted in clear text,
                                while they are being transmitted over a
                                communications link. This is done
                                without altering or affecting the data.
Structured Query Language      An attack that involves the alteration of
 (SQL) injection.               a database search in a web-based
                                application, which can be used to obtain
                                unauthorized access to sensitive
                                information in a database.
Trojan horse.................  A computer program that appears to have a
                                useful function, but also has a hidden
                                and potentially malicious function that
                                evades security mechanisms by, for
                                example, masquerading as a useful
                                program that a user would likely
                                execute.
Virus........................  A computer program that can copy itself
                                and infect a computer without the
                                permission or knowledge of the user. A
                                virus might corrupt or delete data on a
                                computer, use e-mail programs to spread
                                itself to other computers, or even erase
                                everything on a hard disk. Unlike a
                                computer worm, a virus requires human
                                involvement (usually unwitting) to
                                propagate.
War driving..................  The method of driving through cities and
                                neighborhoods with a wireless-equipped
                                computer--sometimes with a powerful
                                antenna--searching for unsecured
                                wireless networks.
Worm.........................  A self-replicating, self-propagating,
                                self-contained program that uses network
                                mechanisms to spread itself. Unlike
                                computer viruses, worms do not require
                                human involvement to propagate.
Zero-day exploit.............  An exploit that takes advantage of a
                                security vulnerability previously
                                unknown to the general public. In many
                                cases, the exploit code is written by
                                the same person who discovered the
                                vulnerability. By writing an exploit for
                                the previously unknown vulnerability,
                                the attacker creates a potent threat
                                since the compressed time frame between
                                public discoveries of both makes it
                                difficult to defend against.
------------------------------------------------------------------------
Source: GAO analysis of data from the National Institute of Standards
  and Technology, United States Computer Emergency Readiness Team, and
  industry reports.

    The unique nature of cyber-based attacks can vastly enhance their 
reach and impact. For example, cyber attackers do not need to be 
physically close to their victims, technology allows attacks to easily 
cross State and National borders, attacks can be carried out at high 
speed and directed at a number of victims simultaneously, and cyber 
attackers can more easily remain anonymous. Moreover, the use of these 
and other techniques is becoming more sophisticated, with attackers 
using multiple or ``blended'' approaches that combine two or more 
techniques. Using these techniques, threat actors may target 
individuals, resulting in loss of privacy or identity theft; 
businesses, resulting in the compromise of proprietary information or 
intellectual capital; critical infrastructures, resulting in their 
disruption or destruction; or Government agencies, resulting in the 
loss of sensitive information and damage to economic and National 
security.
 systems supporting federal operations and critical infrastructure are 
                      vulnerable to cyber attacks
    Significant weaknesses in information security controls continue to 
threaten the confidentiality, integrity, and availability of critical 
information and information systems used to support the operations, 
assets, and personnel of Federal agencies. For example, in their 
performance and accountability reports and annual financial reports for 
fiscal year 2011, 18 of 24 major Federal agencies \4\ indicated that 
inadequate information security controls were either material 
weaknesses or significant deficiencies \5\ for financial reporting 
purposes. In addition, inspectors general at 22 of the major agencies 
identified information security or information system control as a 
major management challenge for their agency.
---------------------------------------------------------------------------
    \4\ The 24 major departments and agencies are the Departments of 
Agriculture, Commerce, Defense, Education, Energy, Health and Human 
Services, Homeland Security, Housing and Urban Development, the 
Interior, Justice, Labor, State, Transportation, the Treasury, and 
Veterans Affairs; the Environmental Protection Agency, General Services 
Administration, National Aeronautics and Space Administration, National 
Science Foundation, Nuclear Regulatory Commission, Office of Personnel 
Management, Small Business Administration, Social Security 
Administration, and U.S. Agency for International Development.
    \5\ A material weakness is a deficiency, or a combination of 
deficiencies, in internal control such that there is a reasonable 
possibility that a material misstatement of the entity's financial 
statements will not be prevented, or detected and corrected on a timely 
basis. A significant deficiency is a deficiency, or a combination of 
deficiencies, in internal control that is less severe than a material 
weakness, yet important enough to merit attention by those charged with 
governance. A control deficiency exists when the design or operation of 
a control does not allow management or employees, in the normal course 
of performing their assigned functions, to prevent, or detect and 
correct, misstatements on a timely basis.
---------------------------------------------------------------------------
    Agency, inspectors general, and GAO assessments of information 
security controls during fiscal year 2011 revealed that most major 
Federal agencies had weaknesses in most of the five major categories of 
information system controls: (1) Access controls, which ensure that 
only authorized individuals can read, alter, or delete data; (2) 
configuration management controls, which provide assurance that only 
authorized software programs are implemented; (3) segregation of 
duties, which reduces the risk that one individual can independently 
perform inappropriate actions without detection; (4) continuity of 
operations planning, which helps avoid significant disruptions in 
computer-dependent operations; and (5) agency-wide information security 
programs, which provide a framework for ensuring that risks are 
understood and that effective controls are selected and implemented. 
Figure 1 shows the number of agencies that had vulnerabilities in these 
five information security control categories. 


    Over the past several years, we and agency inspectors general have 
made hundreds of recommendations to resolve similar previously 
identified significant control deficiencies. We have also recommended 
that agencies fully implement comprehensive, agency-wide information 
security programs, including by correcting weaknesses in specific areas 
of their programs. The effective implementation of these 
recommendations will strengthen the security posture at these agencies.
    In addition, securing the control systems that monitor and control 
sensitive processes and physical functions supporting many of our 
Nation's critical infrastructures is a National priority, and we have 
identified vulnerabilities in these systems. For example, in September 
2007, we reported that critical infrastructure control systems faced 
increasing risks due to cyber threats, system vulnerabilities, and the 
serious potential impact of possible attacks.\6\ Specifically, we 
determined that critical infrastructure owners faced both technical and 
organizational challenges to securing control systems, such as limited 
processing capabilities and developing compelling business cases for 
investing in control systems security, among others. We further 
identified Federal initiatives under way to help secure these control 
systems, but noted that more needed to be done to coordinate these 
efforts and address shortfalls. We made recommendations to the 
Department of Homeland Security to develop a strategy for coordinating 
control systems security efforts and enhance information sharing with 
relevant stakeholders. Since this report, the Department formed the 
Industrial Control Systems Cyber Emergency Response Team to provide 
industrial control system stakeholders with situational awareness and 
analytical support to effectively manage risk. In addition, it has 
taken several actions, such as developing a catalog of recommended 
security practices for control systems, developing a cybersecurity 
evaluation tool that allows asset owners to assess their control 
systems and overall security posture, and collaborating with others to 
promote control standards and system security. We have not evaluated 
these activities to assess their effectiveness in improving the 
security of control systems against cyber threats.
---------------------------------------------------------------------------
    \6\ GAO, Critical Infrastructure Protection: Multiple Efforts to 
Secure Control Systems Are Under Way, but Challenges Remain, GAO-07-
1036 (Washington, DC: Sept. 10, 2007).
---------------------------------------------------------------------------
    In May 2008, we reported that the Tennessee Valley Authority's 
(TVA) corporate network contained security weaknesses that could lead 
to the disruption of control systems networks and devices connected to 
that network.\7\ We made 19 recommendations to improve the 
implementation of information security program activities for the 
control systems governing TVA's critical infrastructures and 73 
recommendations to address weaknesses in information security controls. 
TVA concurred with the recommendations and has taken steps to implement 
them.
---------------------------------------------------------------------------
    \7\ GAO, Information Security: TVA Needs to Address Weaknesses in 
Control Systems and Networks, GAO-08-526 (Washington, DC: May 21, 
2008).
---------------------------------------------------------------------------
    In addition to those present in Federal systems and systems 
supporting critical infrastructure, vulnerabilities in mobile computing 
devices used by individuals or organizations may provide openings to 
cyber threats. For example, consumers and Federal agencies are 
increasing their use of mobile devices to communicate and access 
services over the internet. The use of these devices offers many 
benefits including ease of sending and checking messages and remotely 
accessing information on-line; however, it can also introduce 
information security risks if not properly protected. We have on-going 
work to determine: (1) What common security threats and vulnerabilities 
affect generally available cellphones, smartphones, and tablets; (2) 
what security features and practices have been identified to mitigate 
the risks associated with these vulnerabilities; and (3) the extent to 
which Government and private entities are addressing security 
vulnerabilities of mobile devices.
    number of cybersecurity incidents reported by federal agencies 
    continues to rise, and recent incidents illustrate serious risk
    Federal agencies have reported increasing numbers of security 
incidents that placed sensitive information at risk, with potentially 
serious impacts on Federal operations, assets, and people. When 
incidents occur, agencies are to notify the Federal information 
security incident center--US-CERT. Over the past 6 years, the number of 
incidents reported by Federal agencies to US-CERT has increased from 
5,503 incidents in fiscal year 2006 to 42,887 incidents in fiscal year 
2011, an increase of nearly 680 percent (see fig. 2).\8\
---------------------------------------------------------------------------
    \8\ According to US-CERT, the growth in the number of incidents is 
attributable, in part, to agencies improving detection and reporting of 
security incidents on their respective networks. 


    Agencies reported the types of incidents and events based on US-
CERT-defined categories. As indicated in figure 3, the two most 
prevalent types of incidents and events reported to US-CERT during 
fiscal year 2011 were unconfirmed incidents under investigation and 
malicious code. 


    Reported attacks and unintentional incidents involving Federal, 
private, and critical infrastructure systems demonstrate that the 
impact of a serious attack could be significant. These agencies and 
organizations have experienced a wide range of incidents involving data 
loss or theft, computer intrusions, and privacy breaches, underscoring 
the need for improved security practices. The following examples from 
news media and other public sources illustrate that a broad array of 
information and assets remain at risk.
   In April 2012, hackers breached a server at the Utah 
        Department of Health to access thousands of Medicaid records. 
        Included in the breach were Medicaid recipients and clients of 
        the Children's Health Insurance Plan. About 280,000 people had 
        their Social Security numbers exposed. In addition, another 
        350,000 people listed in the eligibility inquiries may have had 
        other sensitive data stolen, including names, birth dates, and 
        addresses.
   In March 2012, it was reported that a security breach at 
        Global Payments, a firm that processed payments for Visa and 
        Mastercard, could compromise the credit- and debit-card 
        information of millions of Americans. Subsequent to the 
        reported breach, the company's stock fell more than 9 percent 
        before trading in its stock was halted. Visa also removed the 
        company from its list of approved processors.
   In February 2012, the inspector general at the National 
        Aeronautics and Space Administration testified that an 
        unencrypted notebook computer had been stolen from the agency 
        in March 2011. The theft resulted in the loss of the algorithms 
        used to command and control the International Space Station.
   In March 2012, a news wire service reported that the senior 
        commander of the North Atlantic Treaty Organization (NATO) had 
        been the target of repeated cyber attacks using the social 
        networking website Facebook that were believed to have 
        originated in China. According to the article, hackers 
        repeatedly tried to dupe those close to the commander by 
        setting up fake Facebook accounts in his name in the hope that 
        his acquaintances would make contact and answer private 
        messages, potentially divulging sensitive information about the 
        commander or themselves.
   In March 2012, it was reported that Blue Cross Blue Shield 
        of Tennessee paid out a settlement of $1.5 million to the U.S. 
        Department of Health and Human Services arising from potential 
        violations stemming from the theft of 57 unencrypted computer 
        hard drives that contained protected health information of over 
        1 million individuals.
   In January 2012, the Department of Commerce discovered that 
        the computer network of the Department's Economic Development 
        Administration (EDA) was hit with a virus, forcing EDA to 
        disable e-mail services and internet access pending 
        investigation into the cause and scope of the problem, which 
        persisted for over 12 weeks.
   In June 2011, a major bank reported that hackers had broken 
        into its systems and gained access to the personal information 
        of hundreds of thousands of customers. Through the bank's on-
        line banking system, the attackers were able to view certain 
        private customer information.
   Citi reissued over 200,000 cards after a May 2011 website 
        breach. About 360,000 of its approximately 23.5 million North 
        American card accounts were affected, resulting in the 
        potential for misuse of cardholder personal information.
   In April 2011, Sony disclosed that it suffered a massive 
        breach in its video game on-line network that led to the theft 
        of personal information, including the names, addresses, and 
        possibly credit card data belonging to 77 million user 
        accounts.
   In February 2011, media reports stated that computer hackers 
        had broken into and stolen proprietary information worth 
        millions of dollars from the networks of six U.S. and European 
        energy companies.
   In July 2010, a sophisticated computer attack, known as 
        Stuxnet, was discovered. It targeted control systems used to 
        operate industrial processes in the energy, nuclear, and other 
        critical sectors, reportedly causing physical damage. It is 
        designed to exploit a combination of vulnerabilities to gain 
        access to its target and modify code to change the process.
   A retailer reported in May 2011 that it had suffered a 
        breach of its customers' card data. The company discovered 
        tampering with the personal identification number (PIN) pads at 
        its checkout lanes in stores across 20 States.
   In August 2006, two circulation pumps at Unit 3 of the 
        Browns Ferry, Alabama, nuclear power plant failed, forcing the 
        unit to be shut down manually. The failure of the pumps was 
        traced to excessive traffic on the control system network, 
        possibly caused by the failure of another control system 
        device.
    These incidents illustrate the serious impact that cyber threats 
can have on Federal agency operations, the operations of critical 
infrastructures, and the security of sensitive personal and financial 
information.
    In summary, the cyber threats facing the Nation are evolving and 
growing, with a wide array of potential threat actors having access to 
increasingly sophisticated techniques for exploiting system 
vulnerabilities. The danger posed by these threats is heightened by the 
weaknesses that continue to exist in Federal information systems and 
systems supporting critical infrastructures. Ensuring the security of 
these systems is critical to avoiding potentially devastating impacts, 
including loss, disclosure, or modification of personal or sensitive 
information; disruption or destruction of critical infrastructure; and 
damage to our National and economic security.
    Chairman McCaul, Ranking Member Keating, and Members of the 
subcommittee, this concludes my statement. I would be happy to answer 
any questions you have at this time.

    Mr. McCaul. Thank you for your testimony.
    The Chairman now recognizes Mr. McClure.

STATEMENT OF STUART MC CLURE, CHIEF TECHNOLOGY OFFICER, MC AFEE

    Mr. McClure. Thank you Chairman, thank you Members. So . . 
. I am the global CTO for McAfee. Ultimately I am responsible 
for all the technology that comes out of the company and all 
the protective measures that we put in place. But I also used 
to run the labs within McAfee. The labs are responsible for all 
malware that comes in and a quick turnaround to protect our 
customers.
    Now, when I was running the labs, it was probably about 
2005-2006, we had upwards of about maybe 1,000 samples every 
single day that came into our networks that we had to go and 
respond to and build signatures and countermeasures for. Today 
we receive 80,000 that must be responded to. These are unique, 
these are malicious, and they are something that we have to 
find protective countermeasures to.
    This is a huge exponential problem that we have. If I had a 
blank check to write to hire as many people as I wanted, to put 
as many controls in place as I wanted, I could not do it to 
respond to all of these threats. It is a huge, huge problem.
    Another part of my background, I also wrote a very 
successful computer security book called ``Hacking Exposed.'' 
The whole point behind the book was to expose how the hacker 
thinks, how the hacker works and achieves its primary goals and 
targets, and leaves very stealthily. That book has been very 
successful in helping administrators understand, and ITs as 
well, to understand how they work, because I do, really, 
believe passionately that if you cannot understand how they 
work, you will never be able to prevent them effectively. We 
are starting to see that today.
    Now, one thing I wanted to share with you is so many years 
ago we used to talk mostly amongst us--I have been doing this a 
long time, about 20-plus years--and we would say, well, at 
least this cyber thing has not gotten to the physical world, it 
can't really kill anybody. That was the idea. So we got to put 
our heads down on the pillows and actually feel pretty good 
about that.
    But I can tell you right now, definitively, I can 
personally kill somebody with my computer. I have already 
demonstrated this potential many times, and it is something 
that I want to make sure I get across, that the link between 
cyber and physical is here.
    Now, I am--the demo that I have done in the past has been 
around, a particular insulin pump, okay, but it proves the 
point, which is that given no connection to this particular 
pump, I can overdose, okay, the insulin that is in there. This 
is just indicative of the bigger and broader problem.
    It became really personal for me when my friend, who is a 
diabetic and has the exact pump, I asked him, hey, can I borrow 
your pump real quick, I am just going to test it out, you know, 
trust me, there is no problem here. He would not do it, he was 
freaked out. He flat refused, and to be honest I think it 
compromised a friendship in a way. But it drove home the point 
for me, which is this stuff, the technology that helps people 
either in biomed or otherwise protects and keeps people alive. 
So it is something to think about as we go forward.
    Now, we always talk about the threats basically in three 
areas: Motivation, opportunity, and ability. Of course you have 
heard a lot about the motivation, financial, ego-driven, 
hacktivism, purpose, you name it, we see it all the time. 
Opportunity. The big problem in this formula is the 
opportunity. There are so many opportunities. The number of 
devices are just exploding out there, and they are all 
interconnected 24/7, everything from your mobile devices to 
tablets to insulin pumps to critical infrastructure for that 
matter. Also the vulnerabilities that are present on them are 
growing all the time, and that is the core of the problem, 
these vulnerabilities on the assets. The ability is only 
getting better.
    So every day, more and more people get smarter and smarter, 
the tool kits get easier and easier to download and buy on-
line. It is those variables in that formula are the big 
problem, and they are not going anywhere but up. So what we 
have to do is think about it, I think, in a better way. So 
information sharing is absolutely critical and key. I have been 
talking about that for a long time. We have to be able to share 
that valuable data. We can clear the privacy issues. I really--
I believe that it doesn't take much to allow the critical data 
to be shared effectively in a timely manner.
    But the other part that we have to think about is security 
by design. This is the big problem. We develop software, we 
develop hardware, and quite frankly no one--very, very few 
think about security in that design process and in the 
planning. It is that process that we have to try to instill in 
the coming years to truly affect the core problem; otherwise, 
all we are doing is affecting the symptoms. It would be like 
taking a decongestant or a pain reliever when you have a cold, 
rather than eating healthy and exercising and building your 
immunity.
    So with that, I want to say thank you very much for your 
time.
    [The prepared statement of Mr. McClure follows:]
                  Prepared Statement of Stuart McClure
                             April 24, 2012
    Good afternoon Chairman McCaul, Ranking Member Keating, and other 
Members of the subcommittee. I am Stuart McClure, Executive Vice 
President and Worldwide Chief Technology Officer for McAfee. Thank you 
for requesting my views on this important topic.
    You asked me to focus on the cyber threat, so my testimony will 
focus on threats to consumers, to intellectual property, and to 
critical infrastructure. During my discussion I will attempt to 
highlight the following points:
   The world's continual drive to innovate has driven 
        unprecedented connectivity which has given rise to exploding 
        numbers of cyber threats and attacks.
   The only way to definitively solve this problem--and it is 
        solvable--is through ``security by design.''
   There are policy initiatives, such as enhanced information 
        sharing and other measures, that would dramatically help 
        respond to these threats.
    First I would like to provide some background on my professional 
experience and on McAfee.
    As Global CTO, I work closely with senior leaders at McAfee to 
ensure strong collaboration on customer requirements, knowledge 
sharing, strategy, development efforts, advanced threat research, and 
technology patents. Prior to joining McAfee, I held positions as 
executive director of security services for Kaiser Permanente, a $34 
billion health care organization; served as senior vice president of 
global threats and research at McAfee Labs, where I led an elite global 
security threats team; and was founder, president, and chief technology 
officer of Foundstone, which was acquired by McAfee in 2004.
    I have dedicated my entire professional life to the practice of 
cybersecurity. My first book, Hacking Exposed, was published in 1999 
and has been translated into more than 30 languages and has become the 
definitive best-selling computer security book teaching the good guys 
how the bad guys think and attack. I have demonstrated literally 
hundreds of hacker techniques in front of live audiences for the better 
part of 20 years, as I believe a picture is worth a 1,000 words and a 
demo is worth millions.
                     mcafee's role in cybersecurity
    McAfee, Inc. protects businesses, consumers, and the Government/
public sector from cyber-attacks, viruses, and a wide range of on-line 
security threats. Headquartered in Santa Clara, California, and Plano, 
Texas, McAfee is the world's largest dedicated security technology 
company and is a proven force in combating the world's toughest 
security challenges. McAfee is a wholly-owned subsidiary of Intel 
Corporation.
    McAfee delivers proactive and proven solutions, services, and 
global threat intelligence that help secure systems and networks around 
the world, allowing users to safely connect to the internet and browse 
and shop the web more securely. Fueled by an award-winning research 
team, McAfee creates innovative products that empower home users, 
businesses, the public sector, and service providers by enabling them 
to prove compliance with regulations, protect data, prevent 
disruptions, identify vulnerabilities, and continuously monitor and 
improve their security.
    To help organizations take full advantage of their security 
infrastructure, McAfee launched the Security Innovation Alliance, which 
brings together more than 150 partners, large and small, to allow 
organizations access into our extensible management platform and 
thereby detect and prevent attacks in real time.
                    the double edge of connectivity
    Today, we are always on and always connected. The world of 
instantaneous communication and constant connectivity we have come to 
take for granted is limited only by our powers of creativity and 
innovation--and those seem to have no end. For years policymakers have 
heard of the numerous benefits that this interconnected, always-on 
world can and does bring to the areas of education, health and 
medicine, energy, and transportation, as well as to individual well-
being and the American economy at large. Indeed, the Federal 
Communications Commission has now redefined ``universal service'' from 
a program designed to create universal telephone service, to a program 
that will create Nation-wide high-speed broadband access. There is no 
turning back from this path, nor should we want to.
    The reality, however, is that this same world of connectivity also 
creates risk. Risk is dictated by three factors: Opportunity, 
motivation, and ability. If you are able to affect any one or more of 
these factors, you reduce the overall risk. In today's environment, all 
three factors--opportunity, motivation, and ability--are growing 
inordinately.
    Let me start with motivation. By now you have heard much about a 
variety of criminal actors who are highly motivated--either by money, 
National pride, religion, or some other compelling factor. These actors 
have huge amounts to gain with hardly anything to lose; our laws and 
penalties, in addition to our inability to enforce them, make cyber 
crime extremely attractive and profitable. There are few real 
deterrents to cyber crime and there is much to gain.
    Add to this the fact that the level of ability of most cyber 
criminals has increased dramatically from the days of the pimply 
teenager working out of his garage. Now there are serious professionals 
and even companies for hire. Simply put, attacks are relatively easy to 
perform, leveraging thousands and even millions of computers to attack 
a single target, creating virtual armies that are far less expensive 
and more dynamic than physical armies. The tools and techniques are 
well-documented, easy to find, and the range of a malicious individual 
armed with a laptop and an internet connection surpasses that of any 
ICBM.
    Who has the opportunity? Certainly insiders--those with knowledge 
of the organization and its most sensitive data and systems--have 
optimum opportunity. But in the highly interconnected world, a cyber 
attacker certainly does not have to BE inside an organization to GET 
inside it. Indeed, almost any device that we use regularly--mobile 
phone, tablet, laptop, thumb drive, automobile, and even a medical 
device--is perfectly capable of letting an attacker inside. Anything 
that you can connect to, or that can be connected to--through USB, 
wired network connection, WiFi network connection, Bluetooth, RFID--is 
enough to let a cyber criminal in.
    Yet the other great reality about a world that is becoming 
increasingly interconnected is the degree to which connected devices 
are helping individuals address significant challenges, and many of 
these challenges are highly personal. For example, diabetics can now 
use insulin pumps that are connected wirelessly; homeowners can set 
their burglar alarm or control the temperature of their homes remotely; 
patients with heart conditions can stay home while doctors monitor 
their conditions from their offices; students in rural areas can take 
classes at major universities; motorists can have their car's door 
locks unlocked from remote or be routed to their exact destination and 
soon might be able to drive on smart highways.
    This list is by no means exhaustive. Innovative companies have 
every incentive to offer more and more goods and services addressing 
the most fundamental needs of consumers while at the same time make 
them more interconnected. This is a powerful market trend that will 
continue in the future. But unless the devices are locked down and 
secured by design, the cyber criminals will be given even more 
opportunities to profit, plunder, and pillage.
                 the risk to individuals and consumers
    Most consumers expect that when they go on-line, they will be safe, 
their information will be private, and their kids will be protected as 
long as they do not go on websites from which their parents have barred 
them. But this is an illusion. For every control, there is a bypass.
    The threats that individuals and consumers face run the gamut from 
identity theft to loss of financial or personal information, to 
infection of their systems and destruction of hardware, software, and 
data. The advent of new mobile technology, particularly smartphones and 
tablets, has opened up new attack vectors for hackers.
    According to a recent House Science Committee witness from Idaho 
National Labs, Dr. Rangam Subramanian, every key economic sector will 
soon be dependent on wireless: Energy and power, public safety, 
finance, health care, transportation, entertainment, and more. Yet for 
all the convenience and innovation that wireless brings, it also 
introduces even more opportunities for hackers.
    Many Americans now engage in personal banking, shopping, and other 
services by accessing Wi-Fi hot spots on their smartphones, which can 
lead them directly into traps set by cyber criminals. And the wireless 
revolution is only in its infancy. Cisco's U.S. mobile data forecast 
projects that mobile data traffic will increase 16 times from 2011 to 
2016 for a compound annual growth rate of 74 percent. By 2016, mobile 
data traffic will be equivalent to four times the volume of the entire 
U.S. internet in 2005. The United States is a leader in the area of 
wireless innovation, and it is to our National advantage to have that 
leadership continue. The key is to ensure that that innovation 
incorporates security by design.
    Following are just some of the most recent threats to consumers:
    Social networking sites.--The social networking phenomenon has 
overtaken pornography as the No. 1 internet activity and has brought 
traditionally non-computer savvy users onto the internet in droves. As 
an example, if Facebook were a country, it would be the 3rd largest in 
the world with over 850 million users. And cyber criminals know this. 
The attack surface area is large, but they might, for example, send 
what appears to be a harmless video but when clicked on it downloads a 
malicious virus.
    Mobile devices.--While PCs remain the bigger targets, smartphones--
which of course are miniature, mobile computers--are quickly capturing 
cyber criminals' attention, with instances of mobile malware increasing 
by 600% from 2010 to 2011. McAfee Labs again saw the Android platform 
firmly ensconced as the No. 1 target for writers of mobile malware. 
However, it is a misconception that Mac platforms are invulnerable to 
attack. As Apple recently learned with the Flashback Trojan, even their 
MacBooks can be victims, with over 600,000 infections to date. The 
hackers go where the numbers are, and the more ubiquitous iPhones and 
iPads become, the more they will be targeted by hackers.
    Mobile apps.--In 2011, apps that appeared legitimate were bundled 
with malware and distributed over Google's Android Marketplace. Google 
was able to remotely detect and delete more than 50 infected 
applications from thousands of Android devices. Every day, consumers 
download apps from unknown apps stores without a second thought. We 
advise consumers to download apps only from well-known, reputable app 
stores, check reviews and apps ratings before downloading them, read 
the fine print to check what permissions the app is accessing, and 
install a comprehensive mobile security product, including those from 
McAfee or other vendors.
    Phishing scams and IRS scams.--During the tax season, in 
particular, hackers are known to conduct scams that involved phishing--
a way of attempting to acquire information such as usernames, 
passwords, and credit card details by masquerading as a trustworthy 
entity. Some criminal actors masquerade as the IRS or an entity closely 
related to the IRS. We advise consumers never to respond to or click on 
links within unsolicited emails requesting that they enter personal 
data or visit a website to update account information--especially from 
the IRS, as they do not send out emails to consumers.
    Perhaps one of the most unsettling examples of individuals being 
exposed to cyber attacks on a personal level entails the use of 
personal medical devices. Recently a McAfee researcher identified a 
security flaw in a wirelessly-enabled insulin pump, which allows the 
device to be controlled by a hacker and subsequently administer a 
potentially lethal dose of insulin to diabetes patients. While there 
are several security holes in the device, the principal vulnerability 
comes from the wireless connection between the glucose monitoring 
system and the pump itself, which is vital to determining how much 
insulin is dispensed.
    Since that story was publicized, I've heard from several friends 
who either used the pump in question themselves or whose child did. 
When they asked me if their pumps--and thus their lives--were 
vulnerable to cyber attack, I had to answer ``yes.'' Again, medical 
device manufacturers are making great strides in reducing inconvenience 
for individuals, yet at what price? Unless devices are built from the 
ground up with security by design, the price could be high.
    Another example is automobiles. Many security researchers have 
noticed an alarming number of vectors of attack inside today's 
increasingly computerized cars. They have discovered that cars are as 
insecure as PCs were some 20 years ago, fraught with ways into the 
system and vulnerabilities to attack. In fact, researchers from the 
University of Washington and the University of California, San Diego, 
have released findings over the past 2 years detailing how they could 
not only open a locked car without the keys but they could remotely 
penetrate a car's IVI (in-vehicle infotainment) system to then take 
over control of much of the car's features, including disabling airbag 
and brakes. Both these examples show that in our highly interconnected 
world, you don't have to be sitting at a computer or holding a 
smartphone to be vulnerable to cyber attack.
                   the risk to intellectual property
    One of the most insidious types of threats to individuals, 
corporations, organizations, Government agencies, and the economy as a 
whole is the theft of intellectual property. Today, malware developers 
combine web, host, and network vulnerabilities with spam, rootkits 
(invisible malware that hides within authorized software in a 
computer's operating system), spyware, worms (which target computers 
rather than software programs but which can clog communications 
bandwidth and overload computers or networks,) and other means of 
attack. Malware also can be distributed indirectly by networks of 
computers that have been corrupted by a criminal--known as a 
``botnet,'' or a collection of compromised computers connected to the 
internet.
    Then there is the type of attack known as an Advanced Persistent 
Threat (APT), which has received much attention recently. The APT is 
essentially an insidious, persistent intruder meant to fly below the 
radar screen and quietly explore and steal the contents of the target 
network.
    In the past 3 years, McAfee has uncovered numerous APTs affecting 
tens of thousands of organizations worldwide. These attacks are 
significant because they were managed by well-coordinated, organized 
teams that succeeded in extracting billions of dollars of intellectual 
property from leading global companies in the information technology, 
defense, and energy sectors--strategic industries vital to any 
country's long-term economic success and National security. These low-
profile attacks are often more dangerous than high-profile incursions 
because they are a type of cyber espionage, providing silent, on-going 
access to protected institutional information. And these APTs are not 
limited in scope; they can affect any company, government body, or 
nation, regardless of sector, size, or geography.
    However, as the United States is the largest producer of 
intellectual property in the world, we are an especially rich target. 
The onslaught of increasingly sophisticated targeted attacks is 
reflected in growing information breach statistics. A 2010 survey found 
that 60 percent of organizations report a ``chronic and recurring 
loss'' of sensitive information. The average cost of a data breach 
reached $7.2 million in 2010 and cost companies $214 per compromised 
data record, according to the Ponemon Institute. And that's just the 
cost to respond internally to a data breach. If a company's 
intellectual property is stolen, it could decimate an organization.
    We do not have statistics for all of the IP breached, as 
organizations can be reluctant to report IP theft, fearing that it will 
cause customers and markets to lose confidence. Again, by building 
products and systems that are secure from the ground up, these fears, 
costs, and substantial drain of American competitive innovation could 
be greatly reduced.
            the risk to critical systems and infrastructure
    As policymakers have begun to recognize, a cyber attack--or series 
of cyber attacks--to the Nation's critical infrastructure could be 
tremendously devastating to our way of life. Let's take the electrical 
grid, by far the most vulnerable of our critical infrastructures.
    Almost every aspect of American life depends on electricity--from 
producing goods to saving lives, from defending the country to 
conducting electronic banking and commerce, from simple communications 
to feeding our families safely. Yet the systems used to manage our 
electricity, the supervisory control and data acquisition, or SCADA 
systems, are antiquated, running on commonly available operating 
systems, and with their design having changed little since their 
introduction decades ago. They were never designed or built securely, 
and they certainly were not meant to be connected to the internet. And 
even today, we find that many electric companies still use vendor-
supplied default passwords because they allow easy access in times of 
crisis or for maintenance and repair.
    A report by CSIS and McAfee interviewing executives in the energy 
and power sector found that a large majority of them had reported cyber 
attacks, and about 55% of these attacks targeted SCADA. In 2009, nearly 
half of the respondents said that they had never faced large-scale 
denial of service attacks or network infiltrations. By 2010, those 
numbers had changed dramatically; 80 percent had faced a large-scale 
denial-of-service attack, and 85 percent had experienced network 
infiltrations. Meanwhile, a quarter of the interviewees reported daily 
or weekly denial-of-service attacks on a large scale. A similar number 
reported that they had been the victim of extortion through network 
attacks or the threat of network attacks. Nearly two-thirds reported 
they frequently (at least monthly) found malware designed for sabotage 
on their system.
    Attacks on systems like SCADA can give hackers direct control of 
operational systems, creating the potential for large-scale power 
outages or man-made environmental disasters. Yet in the United States, 
many companies have not adopted security measures for their SCADA 
systems, and many report their SCADA systems connected to IP networks 
or the internet, making these systems even more susceptible to attacks.
    What happens when there are multiple, simultaneous failures or 
system manipulations in the electric grid? Industry experts acknowledge 
that the grid is not currently equipped to handle this situation. While 
the experts say that the odds of a natural event or a physical attack 
creating this situation have been quite low, they are not prepared to 
say that for cyber--which all agree is the threat most likely to give 
rise to this kind of power failure.
    What could happen? Imagine that cyber criminals have been gaining 
access to various parts of the power grid for years. They have 
infiltrated enough systems to make it possible to knock out power for 
the entire Northeast grid. They launch an attack in winter and power 
goes down throughout the area. Not only do people lose heat, light, 
refrigeration, cooking facilities, communication, and entertainment, 
but the systems that pump our water from reservoirs--and those that 
purify the water in the reservoirs--are affected. No potable water, 
perhaps no water at all, and no capacities for managing sewage.
    Even if stores have back-up generators, they cannot order the 
inventory because their systems are electronic. Banking comes to a halt 
because funds can no longer move electronically. Gas stations can no 
longer sell gasoline. Commerce effectively ends because order 
fulfillment systems are down, payment systems are down, and 
communication is down. Those consumers with phone service through the 
internet--including those triple play plans offered by major 
providers--are out of luck because their service is no longer over the 
traditional land-line telephone network. Hospitals and medical centers, 
which might also have independent generators, can care for only the 
most critical patients, as they cannot check on patients' insurance 
status or connect with the outside world electronically. While many of 
these sectors have emergency back-up systems to enable them to maintain 
operations during a power failure, those back-up systems are meant to 
be temporary--not long-term.
    I personally experienced something like this as a child living on 
the island of Guam. A devastating and powerful typhoon knocked out 
power for many weeks and we had to run back and forth between the 
slowly moving water truck driving down the street and the house's 
bathtub where we emptied the bucket and ran back. The memory of that 
time is vivid, but it was not nearly as bad as it might have been had 
the situation gone on longer.
                           security by design
    Adding security features into systems after they have been 
developed is a losing battle. Remember the sunroof of the 1980's? The 
only way to get one was to get it installed aftermarket. Manufacturers 
did not offer one as an option on new cars. And many of them leaked 
badly. Today, every manufacturer offers a sunroof as an option to your 
new car--and they never leak!
    Cybersecurity has to be the same: It must be baked into the 
equipment, systems, and networks at the very start of the design 
process. Security must be intrinsic to an organization's thought 
processes, its business processes, and its design, development, and 
manufacturing processes. It must be embedded in a product or network 
element so that it becomes an integral part of the product's or 
element's functioning. This approach is not only more effective; it is 
less cumbersome and less expensive than trying to lock down systems 
that are inherently insecure.
                         policy recommendations
    Given the level of the cybersecurity threat, the Government has a 
legitimate interest in ensuring that our country is protected from 
cyber attacks. The first order of business must be for the Government 
to fully protect its own institutions, and we support rapid passage of 
FISMA reform legislation. The Government also has an obligation to work 
with our companies and citizens to improve the level of security at 
work and in the home. I believe that positive incentives are superior 
to regulation in achieving the desired National outcome: A cyber-secure 
Nation. Using positive incentives rather than negative ones, such as 
Government mandates, is the most effective way to drive higher levels 
of trust and actual cooperation between the private sector and 
Government--all vital to producing real success. Having the private 
sector fully commit--customers and vendors of IT products and 
services--to the principles and implementation of security by design 
will do much to help make our country more secure in the future.
    There are a variety of legislative approaches focused on positive 
incentives in play right now that I believe can make a major 
contribution to addressing our country's cybersecurity challenges. Many 
of the recommendations of Representative Thornberry's (R-Texas) 
Cybersecurity Task Force are a step in the right direction in that they 
address a wide range of incentives such as information sharing, 
insurance reforms, and tax credits. And over the past few years there 
has been good bipartisan collaboration on a number of cyber 
initiatives, including additional investment in cybersecurity research 
and FISMA reform, to name just a few.
    In this same spirit, better information sharing would be 
particularly effective in encouraging the kind of public-private 
partnerships we need to move forward in cybersecurity. There have been 
several proposed Government solutions, and many of them share McAfee's 
goal that Government facilitate collaboration and encourage trusted 
working relationships to the benefit of all parties in the internet 
ecosystem.
    Better enabling information sharing is critical for addressing the 
cyber threat. This would help organizations execute with the alacrity 
shown by our cyber adversaries, as previously described. There are also 
other positive incentives that can help address some of our Nation's 
fundamental challenges--challenges in hiring the right type of 
cybersecurity experts, regulatory disincentives, economic 
disincentives, and the immaturity of the insurance market, which has 
limited the growth of the kind of insurance programs needed for 
companies to insure against catastrophic losses:
   Litigation/Legal Reform.--Imposing limitations on liability 
        for damages as well as for non-economic losses would remove a 
        serious obstacle to information security investments--i.e., the 
        risk of losses for which responsibility is assigned 
        notwithstanding a company's good faith investments in adequate 
        information security. Eliminating that risk, at least for 
        companies that meet high, ``best practices'' security 
        standards, would encourage more security on a company-by-
        company basis. This approach can help create positive 
        incentives for disclosure through liability relief for 
        responsible organizations to improve the Nation's overall 
        cybersecurity posture.
   Competitions, Scholarships, and Research and Development 
        Funding.--Cybersecurity competitions and challenges, as well as 
        scholarship and creativity to programs, can help identify and 
        recruit talented individuals to the field to augment the future 
        cybersecurity workforce. Similarly, research and development 
        grants foster innovation and advance basic and applied 
        solutions. Recognizing this, several legislative proposals 
        under consideration contain provisions designed to help 
        industry meet the cybersecurity challenges of tomorrow and 
        train the next generation of experts.
   Tax Incentives.--Accelerated depreciation or refundable tax 
        credits are being considered to encourage critical 
        infrastructure industries to make additional investments in 
        cybersecurity technologies, solutions, and human capital. The 
        same approaches could be effectively applied to small 
        businesses. Despite the current environment where balancing the 
        budget is a critical priority, we cannot afford to be 
        shortsighted. Cybersecurity-related tax incentives would prove 
        to be a legitimate, long-term investment in security that would 
        protect our National security and economic interests.
   Insurance Reforms.--Many companies defer investments in 
        improved security out of a concern that, even with improved 
        security, they are not protected from liability for losses that 
        occur. Similarly, insurance carriers are reluctant to create a 
        vigorous marketplace for cybersecurity insurance, thereby 
        hindering investment. Government should give consideration to 
        implementing reinsurance programs to help underwrite the 
        development of cybersecurity insurance programs. Over time, 
        these reinsurance programs could be phased out as insurance 
        markets gained experience with cybersecurity coverage.
                               conclusion
    As Global CTO for the world's largest dedicated security company, I 
carry a heavy burden, but one to which I have dedicated my entire 
career: To protect the world from cybersecurity attacks. But I stay 
focused on this task because I believe I can make a difference to 
provide a safer world for our children.
    Thank you for giving me the opportunity to take part in this 
hearing on behalf of McAfee. The cybersecurity challenge faced by our 
country is a serious matter that requires an evolution in the way in 
which both the public and private sectors collaborate. Each sector has 
its own set of core capabilities. Only the Government can implement the 
complex set of organizational and policy responses necessary to counter 
the growing cybersecurity threat. Leading information technology 
companies and their customers are uniquely positioned to act as early 
warning systems that can identify and help address cybersecurity 
attacks. Information technology companies focused on cybersecurity, in 
particular, have the resources and the economic incentives to continue 
to invent and develop the technologies and solutions needed to stay 
ahead of sophisticated cyber attackers. Aligning Government incentives 
with a National objective of achieving security by design in all of our 
systems is consistent with the best American tradition of 
collaboration. The public and private sectors have made important 
strides to address the cybersecurity challenge. As we work together to 
further evolve our collaboration models, we can succeed in protecting 
our homeland from the threat of cyber attacks.

    Mr. McCaul. Thank you Mr. McClure. I agree with you that I 
think we have made the jump from virtual to physical as well.
    With that, the Chairman recognizes Dr. Flynn for his 
testimony.

STATEMENT OF STEPHEN E. FLYNN, FOUNDING CO-DIRECTOR, GEORGE J. 
 KOSTAS RESEARCH INSTITUTE FOR HOMELAND SECURITY, NORTHEASTERN 
                           UNIVERSITY

    Mr. Flynn. Thank you very much Mr. Chairman, Ranking Member 
Keating, Ranking Member Thompson. It is an honor to be before 
you all, distinguished Members of the subcommittee. I would 
like to build on the conversation we have had already today, 
the testimony we have already had today, and essentially assign 
an explanation point I think to the risk.
    As I see it, this subcommittee certainly well understands 
the serious nature of the challenge, but we really have as a 
country not stepped up to this risk.
    I want to share with you a scenario that was actually 
developed by the National Institute of Standards and 
Technology, the NIST, in an attack on the U.S. electric grid to 
kind of drive home the stakes involved with this. According to 
the NIST study, they provide the following scenario. Using war 
dialers, simple computer programs that dial consecutive phone 
numbers looking for modems, an adversary finds modems connected 
to programmable breakers of the electric power transmission 
control systems, they crack the passwords that control access 
to the breakers and change the control settings to cause local 
power outages and damage equipment. The adversary lowers the 
settings from 500 amps to 200 amps on some circuit breakers, 
taking those lines out of service, and then diverting power to 
neighboring lines. At the same time the adversary raises the 
settings on the neighboring lines to 900 amps which prevents 
the circuit breakers from tripping, plus overloading the lines. 
This causes significant damage to transformers and other 
critical equipment, resulting in lengthy repair outages.
    This is not a particularly sophisticated attack and it can 
be carried out remotely by anybody with anonymity. The harm it 
could cause will be far beyond the disruption of service and 
the loss of data. When you can successfully disable a portion 
of the power grid, you can generate cascading consequences. 
When transformers fail, so too will water distribution, waste 
management, transportation, communications, and many emergency 
Government services. People who take medicines that require 
refrigeration will quickly face the prospect of going without 
those drugs.
    Given the average of a 12-month lead that is required to 
replace a damaged transformer today with a new one if we had a 
mass damage of that scale in a local regional level, the 
economic and societal disruption would be enormous.
    There are lots of potential target or opportunity, as Mr. 
McClure laid out. We have a power grid that operates with 5,300 
power plants that, combined, produce 1,075 gigawatts that is 
moved from power plants to 140 homes and businesses via 211 
miles of high-voltage transmission lines and thousands of 
substations.
    Again, the cyber world and the physical world is here. The 
things that we are talking about messing with are things that 
we rely on and largely take for granted. The issue is primarily 
that these attacks can go after the industrial control systems 
that are central to their operation. As these vulnerable 
industrial control systems are used remotely to manage 
everything from waste, water, oil pipelines, refineries, and 
power generation plants, transportation systems, mass transit 
to maritime port operations, an attack on these systems can 
produce not only a catastrophic disruption, but destruction, 
loss of life. Here we really need to wake up and recognize that 
we have a problem that hackers cannot only break into systems 
but take control of them. Doing things like turning off alarms 
or sending bad data to falsely trigger alarms can essentially 
cause the kind of mischief we just heard Mr. McClure can do 
with an insulin device.
    So, given this urgency, flashing back to my own career in 
the Coast Guard, the model should be ``all hands on deck.'' But 
I would argue that to date, American universities and academic 
institutions have been largely left on the sidelines. We talk 
about private-public, but we fail to engage the various 
institutions that are involved in developing so many of these 
technologies and developing the culture which we have to 
operate in, for better or for worse. Universities, I would 
argue, can play a key role in helping us to move forward in the 
face of this risk. They can offer expertise to play an honest 
broker role between the private and public sectors. 
Universities can bridge that expertise and trust gap by its 
convening of power and offering technical advice where it can 
be helpful. They also can--another point Mr. McClure just made, 
the importance of baking in cybersecurity. Universities have 
been and will continue to be the incubators for information 
technology and applications. The time for thinking about 
incorporating safeguards is when they are under development, 
not after they are being widely used by consumers and industry. 
When security measures are an afterthought, they often end up 
being costly and suboptimal.
    Developing and maintaining standards that can mitigate 
cyber threats, vulnerabilities, and consequences and help to 
sustain or rapidly recover central functions and trust, needs 
to become an organic part of critical infrastructures, systems, 
and networks. Academic institutions need to be made an active 
partner in that effort.
    Finally, the need to develop a culture of cybersecurity. At 
the end of the day, we are going to need young people involved 
with this, and we have got a lot of them in the academic and 
university world. We should go there to try to get them 
involved, to be part of the solution, not potentially be a part 
of the problem.
    In conclusion, I would like to recommend to the committee 
to consider really actively embracing some of the proposed 
legislation that Ranking Member Keating has been advancing to 
advance regional university-based cybersecurity research 
centers ideally located in several places in part of the 
country. We need to mobilize civil society, we need to mobilize 
intellectual capital we have in this country to address this 
very urgent problem.
    Thank you very much Mr. Chairman.
    [The prepared statement of Mr. Flynn follows:]
                 Prepared Statement of Stephen E. Flynn
                             April 24, 2012
    Chairman McCaul, Ranking Member Keating, distinguished Members of 
the subcommittee, thank you for the opportunity to testify about the 
serious and growing cybersecurity threat facing consumers, industry, 
and government at all levels in the United States. The significant 
vulnerability of critical infrastructure such as the electric grid and 
transportation infrastructure, information and financial systems, and 
everyday American consumers to cyber threats is why today's hearing is 
so timely and why urgent action by Congress is so needed.
    My name is Stephen Flynn. I am the founding Co-Director of the 
Kostas Research Institute for Homeland Security and professor of 
Political Science at Northeastern University in Boston, Massachusetts. 
I am also a member of the Homeland Security Project at the Bipartisan 
Policy Center that is led by 9/11 Commission co-chairs Governor Tom 
Kean and Congressman Lee Hamilton. The Nation's exposure to a growing 
array of cybersecurity threats is one of deep concern to the co-chairs 
and all the members of our group of distinguished National security and 
homeland security leaders.
    At the Kostas Institute, our mission is to help advance resilience 
in the face of 21st Century risks so that America can better withstand, 
nimbly respond, rapidly recover, and adapt to man-made and natural 
disruptions. As such, we are working with our Northeastern colleagues 
in the College of Computer & Information Science, College of 
Engineering, and College of Social Sciences and Humanities to make 
cybersecurity a primary area of focus. We are a particularly interested 
in better safeguarding industrial control systems that are key to the 
operation of much of the Nation's critical physical infrastructure.
    The Kostas Institute is housed in a new 70,000-square-foot research 
facility located in the heart of the metro-Boston high-technology 
corridor where it provides a secure environment for innovative 
translational research conducted by private-public-academic 
multidisciplinary research teams. Northeastern is also home to the 
Institute for Information Assurance, which is one of the National 
Security Agency's (NSA) Centers of Excellence. In addition, the 
university is a member, along with MIT, Harvard, Boston University, and 
the University of Massachusetts, of the Advanced Cyber Security Center 
hosted at the MITRE Corporation in Bedford, Massachusetts. Given the 
historic leadership role that Northeastern, our neighboring 
universities, and the information technology industry that is 
concentrated in the metro-Boston area have played in high-tech 
development, we feel a special responsibility to help manage, stem, and 
mitigate the growing risks to critical systems from cyber threats. To 
this end, we are committed to bringing together expert researchers and 
practitioners to identify risks and their potential consequences, to 
develop next-generation secure applications and computing architecture, 
and to promote best practices with our counterparts around the United 
States and globally.
                   nature of the cybersecurity threat
    The cybersecurity threat is one of the most serious economic and 
National security challenges we face as a Nation. Quite simply, the 
United States is at risk of becoming a victim of its own success. Our 
position as the world's dominant economic power can be attributed in no 
small part to the speed at which Americans have developed and embraced 
information technology systems and applications. But while we have been 
leading and benefiting from the information age, there has been too 
little consideration to the security implications of our growing 
reliance on information technologies.
    A particularly worrisome vulnerability is the extent to which over 
the past decade, more and more Internet Protocol (IP) devices have been 
replacing proprietary hardware, software, and communications protocols 
for the Nation's physical infrastructure. As industrial control systems 
(ICS) become increasingly accessible to the Internet, cyber attacks can 
be launched at the electrical power grid; water and waste management 
systems; oil pipelines, refineries, and power-generation plants; and 
transportation systems ranging from mass-transit to maritime port 
operations. An attack on these systems by a state or non-state actor, 
not only places at risk the continuity of service or the compromise of 
databases, but the potential for catastrophic loss of life and 
destruction of property. This is because computer hackers are not only 
able to infiltrate systems, but they are increasingly in a position to 
actually take control of such systems--turning off alarms or sending 
bad data that falsely triggers an alarm. Unfortunately, bad actors need 
not be terribly sophisticated in order to accomplish substantial harm. 
Because of the interconnectivity of our networks, successful disabling 
of just one critical system can generate cascading consequences across 
multiple systems.
    The U.S. power grid is particularly vulnerable to the risk of cyber 
attacks and given the reliance on power by all other sectors, it 
deserves special and urgent attention. As with other large and 
disbursed infrastructures that make up America's critical industrial 
landscape, managing the electric grid depends on the operation of 
supervisory control and data acquisition (SCADA) systems and 
distributed control systems (DCS). SCADA systems make it possible to 
control geographically dispersed assets remotely by acquiring status 
data and monitoring alarms. Based on the information received from the 
remote station control devices, automatic or operator-driven 
supervisory commands can be provided from a centralized location. These 
field devices can perform such functions as opening and closing 
breakers and operating the speed of motors based on the data received 
from sensor systems. Distributed control systems (DCS) are typically 
facility-centric and used to control localized industrial processes 
such as the flow of steam into turbines to support generation of power 
in an electric plant. DCS and SCADA systems are networked together so 
that the operation of a power generation facility can be well-
coordinated with the demand for transmission and distribution.\1\
---------------------------------------------------------------------------
    \1\ U.S. Department of Commerce. Guide to Industrial Control 
Systems (ICS) Security, (Special Publication 800-82, Jun. 2011) by K. 
Stouffer, J. Falco and K. Scarfone.
---------------------------------------------------------------------------
    When most industrial control systems (ICS) were originally 
installed to help operate components of the power grid, they relied on 
logic functions that were executed by electrical hardware such as 
relays, switches, and mechanical timers. Security generally involved 
physically protecting access to the consoles that controlled the 
system. But, over time, microprocessors, personal computers, and 
networking technologies were incorporated into ICS designs. Then in the 
late 1990's, more and more Internet Protocol (IP) devices were embraced 
so as to allow managers to gain better access to real-time systems data 
on their corporate networks. These networks are, in turn, often 
connected to the internet. The inevitable result of this increased 
reliance on standard computers and operating systems is to make ICS 
more vulnerable to computer hackers.\2\
---------------------------------------------------------------------------
    \2\ Ibid.
---------------------------------------------------------------------------
    Tampering with DCS and SCADA systems can have serious personal 
safety consequences since industrial control systems directly control 
assets in the physical world. According to a June 2011 report by the 
National Institute of Standards and Technology (NIST), cybersecurity 
breaches of industrial control systems could include unauthorized 
changes to the instructions, commands, or alarm thresholds that result 
in disabling, damaging, or shutting down key components. Alternatively, 
false information about the status of systems can be sent that cause 
human operators to make adjustments or to take emergency actions that 
inadvertently cause harm. If a cyber attack leads to a power-generating 
unit being taken off-line because of the loss of monitoring and control 
capabilities, it could result in a loss of power to a transmission 
substation, triggering failures across the power grid if other 
substations are not able to carry the added load. The resultant 
blackouts would affect oil and natural gas production, water treatment 
facilities, wastewater collection systems, refinery operations, and 
pipeline transport systems.\3\
---------------------------------------------------------------------------
    \3\ Ibid.
    
    
Source: Department of Homeland Security.\4\
---------------------------------------------------------------------------
    \4\ National Aeronautics and Space Administration. NASA Science 
News. Severe Space Weather--Social and Economic Impacts. June 2009 at 
http://science.nasa.gov/science-news/science-at-nasa/2009/
21jan_severespaceweather/.

---------------------------------------------------------------------------
    A possible scenario hypothesized by the NIST is illustrative:

Using war dialers--simple computer programs that dial consecutive phone 
numbers looking for modems--an adversary finds modems connected to the 
programmable breakers of the electric power transmission control 
system, cracks the passwords that control access to the breakers, and 
changes the control settings to cause local power outages and damage 
equipment. The adversary lowers the settings from 500 Ampere (A) to 200 
A on some circuit breakers, taking those lines out of service and 
diverting power to neighboring lines. At the same time, the adversary 
raises the settings on neighboring lines to 900 A, preventing the 
circuit breakers from tripping, thus overloading the lines. This causes 
significant damage to transformers and other critical equipment, 
resulting in lengthy repair outages.\5\
---------------------------------------------------------------------------
    \5\ U.S. Department of Commerce. Guide to Industrial Control 
Systems (ICS) Security, (Special Publication 800-82, Jun. 2011) by K. 
Stouffer, J. Falco and K. Scarfone. 3-17.

    When transformers fail, so too will water distribution, 
transportation, communications, and many emergency and Government 
services. Given the 12-month lead time typically required to replace a 
damaged transformer with a new one,\6\ the local and regional economic 
and societal disruption caused by a cyber attacks that that disable or 
destroy the mechanical functioning of key components of the power grid 
would be devastating.
---------------------------------------------------------------------------
    \6\ National Aeronautics and Space Administration. NASA Science 
News. Solar Shield--Protecting the North American Power Grid. October 
26, 2010 at http://science.nasa.gov/sciencenews/science-at-nasa/2010/
26oct_solarshield/.
---------------------------------------------------------------------------
    Beyond this exposure of long-standing industrial infrastructure to 
cyber threats, there is a serious risk to the emerging computing 
environment as well. As mobile devices, from smart phones to iPads have 
proliferated, so too has mobile malware reflecting the painful reality 
that security still receives insufficient attention by the private 
sector responsible for rushing to market new informational technology 
tools and applications. According to a March 2012 company survey 
conducted at a major IT conference, 68 percent of security 
professionals reported currently having no way of identifying known 
mobile device vulnerabilities that could be affecting their 
networks.\7\ Mobile devices are being targeted to steal users' 
authentication credentials and financial information. Moreover, as new 
social networks emerge, users tend not to appreciate the permanent 
availability of data, which can facilitate hackers' identity theft and 
identity cloning efforts. It is these growing ubiquitous links on the 
internet that makes all Americans vulnerable to cyber threats that can 
damage very practical aspects of our lives.
---------------------------------------------------------------------------
    \7\ ``Mobile Device Vulnerability Management Flagged as Top Concern 
for Security Professionals in 2012,'' Press Release by Tenable Press 
Security (Apr 2, 2012) http://finance.yahoo.com/news/mobile-device-
vulnerability-management-flagged140900613.html.
---------------------------------------------------------------------------
 the case for making universities full-fledged cyber security partners
    The potential contribution of American universities and academic 
institutions in advancing cybersecurity has been largely overlooked by 
the Executive Branch. There are three reasons why this oversight must 
be redressed.

    (1) The need for expertise and for an honest broker to support 
        public-private partnerships.--Universities can help bridge the 
        expertise and trust gap between the public sector and private 
        sector in developing standards, and--when appropriate--
        regulations. Universities can play this role by serving as 
        neutral conveners between the public and private sectors and as 
        arbiters of technical issues. Serving in this capacity should 
        be seen as attractive to both the private sector and public 
        sector, given the unique challenges for each associated with 
        advancing cybersecurity.

    The private sector, left largely on its own, has struggled to 
        establish and enforce cybersecurity standards. In some 
        instances this is because the information asymmetry associated 
        with moral hazard; i.e., the developer of technologies and 
        applications pass along risks because the costs will be 
        disproportionately or wholly borne by the IT users that are 
        attracted to the benefits of the tool, but lack an 
        understanding of their resultant exposure to cyber threats and 
        the associated consequences. There is also the tragedy of the 
        commons dilemma arising from the fact that an entire system or 
        network can be compromised by an attack on its weakest link. If 
        compliance with a security standard is only voluntary, the 
        vigilant company must worry that one or more of its competitors 
        will find irresistible the temptation to forego the added cost 
        of adopting the measure in a bid to boost market share or 
        profits. As a result, the system remains vulnerable to 
        disruption even if the vigilant company places itself at a 
        competitive disadvantage by investing in the security measure.

    The traditional way to deal with the problem associated with moral 
        hazard and the tragedy of the commons dilemma is by adopting 
        regulations that are well-enforced. But, effective regulations 
        largely depend on the public sector having the requisite 
        expertise to develop and oversee them. Unfortunately, in the 
        case of cybersecurity, the Federal Government continues to face 
        significant challenges with recruiting and retaining personnel 
        with the appropriate technical background. This is particularly 
        true of the Department of Homeland Security and other Federal 
        agencies outside the Department of Defense, the National 
        Security Agency, and the intelligence community.

    Universities and the academic community should be enlisted to 
        assist in addressing this deficit. Universities can help the 
        private sector identify reasonable security options that can be 
        embedded into critical infrastructures without causing undue 
        disruption to dynamic and complex systems. Universities can 
        also provide the public sector with the expertise that 
        Government policy makers and officials need to keep up with the 
        rapid pace and the growing complexity of information 
        technologies and applications. Beyond the Office of University 
        Programs within the DHS Science and Technology Directorate, 
        Secretary Janet Napolitano has embraced the need for such 
        coordination with the university community by recently 
        establishing a Homeland Security Academic Advisory Council 
        (HSAAC). HSAAC has been created so that the Department has a 
        structured way to receive advice and input from university 
        leaders who voluntary serve on the Council, including 
        Northeastern University's President, Joseph E. Aoun. In 2011, 
        Secretary Napolitano has also created an Office for Academic 
        Engagement and appointed an Executive Director to serve within 
        her office.

    (2) The imperative to ``bake-in'' cybersecurity.--Universities have 
        been and will continue to be incubators for information 
        technology and applications. The time for thinking about 
        incorporating safeguards is when they are under development, 
        not after they are being widely used by consumers and industry. 
        When security measures are an afterthought, they often end up 
        being costly and suboptimal. Developing and maintaining 
        standards that can mitigate cyber threats, vulnerabilities, and 
        consequences, and help to sustain or rapidly recover essential 
        functions and trust need to become an organic part of critical 
        infrastructures, systems, and networks. Academic institutions 
        need to be made an active partner in that effort.

    (3) The need to develop a culture of cybersecurity.--Cybersecurity 
        needs to be embedded in our information-age culture. Everyone 
        needs to have a better understanding of cyber risks. This will 
        require collaborative efforts that actively engage civil 
        society, not just companies and Government agencies. There's no 
        better way to develop this culture than by starting with young 
        people who are attending academic institutions. An important 
        way to advance this is to integrate cybersecurity within and 
        across academic curriculums. Universities should be assigned a 
        prominent role in conducting research, developing courses, and 
        teaching as many informational technology users and providers 
        as possible about the cyber dangers that we face and the 
        security strategies and tactics that we need to embrace. The 
        goal should be to create a new generation of students with the 
        sophisticated skills to harness the opportunities of the 
        information age without becoming victims of its dark side.
       the need for a coordinated research & development strategy
    While pockets of knowledge exist about new and emerging cyber 
threats and the techniques for better safeguarding systems from attack, 
too many owners and operators of critical infrastructure continue to 
embrace information-age tools, including wireless and mobile devices, 
without adequately understanding the associated vulnerabilities and 
consequences. Faced with significant resource constraints, the Federal 
Government is largely trapped in the present, racing to respond to 
known threats to critical assets, often at the expense of developing 
the means to better anticipate new threats, to map out the associated 
risks, and to devise appropriate responses. There is also a National 
security imperative to develop offensive capabilities to deter or 
respond to attacks by state actors. It's in these areas that academic 
partners working together with industry and governments at all levels 
can be particularly helpful.
    I applaud Chairman Dan Lungren and the efforts by Ranking Member 
Keating to introduce legislation that recognizes that preparing for and 
combatting cyber warfare requires robust academic, industry, and 
Federal research partnerships to design and implement secure systems 
for critical infrastructure. Yet, to date, the Nation's cybersecurity 
leaders have not yet fully engaged the academic research community in 
this effort. Meanwhile, industry is focused more on the near- and 
medium-term tasks of developing new products and applications. As the 
National Academies have noted, it largely falls to the Federal 
Government to play the indispensible role in sponsoring fundamental 
research that is key to developing the information technology talent 
that is used by industry and other parts of the economy. Chairman 
Lungren's proposed legislation appropriately recognizes the vital 
importance of a coordinated Federal program of research and development 
to advance cybersecurity.
    In 2010, the DoD-commissioned JASON Report, Science of 
Cybersecurity, outlined the need to establish cybersecurity science-
based centers within universities and other research institutions.\8\ 
These Federally-funded centers would provide Government sponsors with 
access to the regional clusters of innovative ideas and academic 
experts while concurrently facilitating exposure by researchers to 
agency experience and expertise in managing cyber threats to Government 
networks. One priority should be to map the risk and potential 
cascading consequences associated with cyber attacks on critical 
physical infrastructure. A second priority should be to advance 
research that can support the development of technology and automated 
approaches to detect and mitigate attacks. And another priority should 
be to enrich our understanding of the human and social aspects of 
managing cyber vulnerabilities since advancing cyber security involves 
much more than technical problems.
---------------------------------------------------------------------------
    \8\ ``Science of Cyber-Security'' JASON, The MITRE Corp. JSR-10-102 
(Nov 2010) http://www.fas.org/irp/agency/dod/jason/cyber.pdf.
---------------------------------------------------------------------------
        regional university-based cybersecurity research centers
    Since information and communications networks are largely owned and 
operated by the private sector, regional university-based cybersecurity 
research centers should be assigned the task of facilitating an 
exchange among industry, Government, and academic partners to test data 
and transition new ideas into the rapid adoption of research and 
technology development innovations. Regional university-based centers 
should be assigned as their primary mission, developing strategies to 
improve the security and resilience of information infrastructure and 
reducing the vulnerability, mitigating the consequences, and speeding 
the recovery of critical infrastructure in the face of cyber attacks.
    As a stepping-off point, these regional university-based research 
centers should be tasked with working with U.S. National research 
laboratories to develop a detailed profile of the physical-cyber risk 
to the electric grid and developing options for mitigating that risk. 
Understanding the technical elements of the cyber threat to the power 
grid is a complex, multi-disciplinary challenge, that requires an 
understanding of networking and protocols, software and machine 
architecture, formal methods and high-performance computing, 
nanotechnology, and quantum and compressive imaging, to name a few. 
Implementing potential solutions will involve an intricate array of not 
just technical tools, but appropriate procedural protocols, public 
policy, and regulations. To accomplish this task, the Department of 
Energy and the Department of Defense should actively support a directed 
research program that involves a collaborative effort amongst the U.S. 
National research laboratories, electric utilities, and the university-
based cybersecurity research community to simulate real-life 
conditions, systems, and infrastructure, that would lead to the 
discovery, testing, and analysis of state-of-the-art tools, 
technologies, and software in a scientifically rigorous manner. 
Concurrently, the research program should identify policy guidelines 
and incentives for quickly integrating those tools, technologies, and 
software into the power grid to bolster its resilience in the face of 
the cyber threat. This effort should be undertaken with close 
collaboration with Canada given the interconnected nature of the 
regional grids in the East and West with the provinces of Canada.
                            economic drivers
    Advances in networking and information technology are key economic 
drivers, crucial to maintaining America's global competitive position 
in energy and transportation, food and manufacturing, education and 
life-long learning, health care, and National and homeland security. If 
the recent past is a guide, these advances will also accelerate the 
pace of discovery in nearly all other fields. In the end, capitalizing 
on America's peerless standing in higher education by creating regional 
university-based centers to advance cybersecurity, will provide a rich 
return on investment for the Nation.
                               conclusion
    Beyond the risk of a detonation of a weapon of mass destruction on 
U.S. soil, no security challenge is currently more serious to the 
United States than the on-going risk of cyber attacks. The security of 
our public and private cyber networks is vital to assuring the 
reliability of the electric grid, transportation systems, and banking 
and financial systems, and consumers. Continued research collaboration 
with academic and industry partners is an important function for the 
Federal Government and vital to improving homeland security. Such 
partnerships provide an important return on investment as Government 
receives solutions tailored to its security needs, university partners 
employ some of their best researchers and students in an effort to 
develop new technologies, and the next generation of STEM professionals 
get the skills and training they need to enter into homeland security 
careers that benefit the Nation. I strongly recommend that this 
subcommittee direct the Department of Homeland Security to build on 
Secretary Napolitano's recent academic engagement efforts by more 
actively incorporate university partners, including establishing 
regional university-based cybersecurity research centers, to support 
the DHS's efforts to develop public-private approaches to preventing, 
responding, and recovering from future cyber attacks.
    Thank you again for the opportunity to testify today. I would be 
happy to answer any questions you may have.

    Mr. McCaul. Thank you Dr. Flynn.
    In fact, I offered an amendment, and Ms. Clarke was helpful 
with that amendment, that would basically look at these 
consortiums, university-based and fusion center. The bill that 
I introduced, that passed unanimously out of the Science and 
Technology Committee will be on the floor this Thursday, does 
create a public-private partnership between the universities 
and the public sector and the private sector in a task force. 
So I think that is a step in the right direction.
    I completely agree with your analysis on that point, that 
universities can play such a critical role. We also have a 
Federal scholarship program for service in the Federal 
Government in that bill.
    So with that, I just want to--one of the reasons we wanted 
to have this hearing--we have historic legislation on the floor 
on cybersecurity for the first time in many years, and we 
wanted to call to the attention of the American people and to 
Members of Congress as to what the real threat is. I have been 
dealing with this issue for a long time, but I think it is 
important that the American people, who most of them don't 
understand this issue, have a better idea of what is at risk.
    You know, when I look at the theft of intellectual property 
to the tune of $1 trillion, that is a serious economic issue 
for the United States; when I look at countries like China who 
have stolen our Joint Strike Fighters, F-35 and F-22s, stolen 
those blueprints so they can manufacture those planes and then 
guard against those planes; when you look at China and Russia 
who have hacked into every Federal agency in the Federal 
Government, including the Pentagon.
    You know, we talk about the analogy, agents of a foreign 
power caught with paper files walking out with classified or 
nonclassified information, it will be all over the papers. But 
yet in the virtual world, that is happening and no one seems to 
know or really pay attention to it.
    Then the final piece. There is the espionage, the stealing 
of military secrets, satellite technology, rocket technology 
out of NASA, it is prevalent, it is everywhere; and when I look 
at the cyber warfare piece, that is the one that keeps me up at 
night the most.
    As we know, the genie is out of the bottle, just like 
nuclear weapons. It can be turned against us. We know what our 
offensive capability is and it is pretty darn impressive. That 
capability turned against us, I think is what frightens us, and 
who would have the motivation to do that.
    So my first question is to Mr. Henry. You said that we are 
really just hitting the tip of the iceberg and that the biggest 
threats are below the waterline. Can you expand on what these 
bigger threats are beneath the tip of the iceberg?
    Mr. Henry. Yes, sir. Thank you. Let me, if I could just 
clarify my statement that I made about the sense of urgency. I 
certainly recognize everything this committee is doing. My 
concern is the holistic response of our society, public, 
private, other Government agencies, and citizens themselves. So 
I wanted to make sure that was clear. That was my concern.
    When I talk about below the iceberg, I really talk about 
what is being seen on the classified side. Certainly in this 
environment, I can't go into details. But when you have people 
like General Alexander from NSA, and General Hayden, former CIA 
and NSA, and Admiral McConnell, the Director of National 
Intelligence, Joel Brenner, the National Counterintelligence 
Executive, when you have people, they have all seen below the 
waterline. When they are standing up saying what they are 
saying, I think people need to listen to that and understand 
that when you have got the senior leadership of the Government 
talking about how significant and substantial this threat is, 
they have seen below the waterline, they have seen that big 
piece of iceberg the average person just never gets to see. 
What they hear about and see about in the media is really just 
a very small portion. I think some of the witnesses here kind 
of alluded to that and talked about some of the concerns about 
SCADA systems, industrial control systems, some of the threats 
to, as you mentioned, our cleared defense contractors. The 
threats there are so voluminous and so large and the 
implications--while certainly a threat of a credit card being 
stolen is absolutely important and I recognize that--but when 
you talk about the plans to our next generation weapon systems 
and our adversary being able to prepare a defense today or to 
build devices that can counter or actually exceed our 
capabilities, that is a significant danger to this Nation and 
people have to understand that.
    Mr. McCaul. When we talk about cyber Pearl Harbor, and I 
have the director of NSA telling me it is not a question of if 
but when, where do you see the biggest threat coming from?
    Mr. Lewis. I think it is two of the groups I mentioned, Mr. 
Chairman. I don't worry about China and Russia. They are not 
going to start a war just for fun. But I don't know if I would 
say that for Iran or North Korea when they get the 
capabilities. I know the full committee is going to have a 
hearing on Iran on Thursday, but they have a little bit of a 
grudge match. They feel like we are somehow responsible for 
Stuxnet and they are trying to create a cyber army.
    The other group to watch, and the group that is more 
interesting that I think we have all raised, are these hacker 
groups who have anarchic or anti-Government tendencies, very 
strong cyber skills, some of them have excellent hackers 
involved. There are so many vulnerabilities and there are so 
many tools that eventually--you know, the line I always refer 
to is a headline we saw last year about how Anonymous declares 
war on Orlando, right? Well, what that meant was they defaced 
the Orlando City website. Maybe a year from now they will be 
able to do a little bit more, and I think we are on track to 
find that out the hard way.
    Mr. McCaul. Well, my concern with those groups is that they 
sometimes may be--organized crime may be the real perpetrator, 
but they take the credit for it and sort of provide a ruse.
    I see my time is expired. I can ask a lot more questions, 
but thank you for being here today.
    With that, I recognize the Ranking Member Mr. Keating.
    Mr. Keating. Thank you, Mr. Chairman.
    Two things that were raised. The idea of incorporating 
protections into the design work, and another issue that was 
raised was the fact that you had companies that have been 
victims of attack and haven't been forthright in acknowledging 
what that is or the extent of it, what damages they had or what 
happened.
    I think those two things call into question again the role 
that academia can play in this regard, being more neutral and 
being part of design.
    With that, I would like to ask Dr. Flynn what on-going 
research projects are in place, not only in your university but 
around the country that you are aware of? How can Congress act 
to extend those and make that more beneficial in our efforts 
against cybersecurity attacks?
    Mr. Flynn. Thank you very much for your question, Ranking 
Member Keating. It is probably a bit overstated to say they 
have been missing in action, but it is not too much overstated. 
I mean to a large extent, we really have not engaged our 
academic community to work at this problem at the outset of it. 
Clearly we have some infrastructure in place. The Department of 
Homeland Security has centers of excellence that have been set 
up, the National Security Agency has created similar kinds of 
output. So you have some outreach to engage some of this 
enormous intellectual capital we have. But we really haven't 
gone into the universities and given the challenge, the kind of 
things that we have done in past history where we have really 
embraced that intellectual capital and focused it and channeled 
it in a constructive way.
    In our area of the country up in the Northeast, in fact, 
five universities--Harvard, MIT, Boston University, University 
of Massachusetts, and my own Northeastern University--have come 
together with some private-sector players to build an advance 
cybersecurity center. Some of the folks who were in on the 
origin of helping to drive the information age feel some 
responsibility to help work it. But to the extent that kind of 
regional effort, we have clusters of expertise, and we have 
them in Texas, we have them in Seattle, we have them in big 
pockets across our country, the sense that we can harness that, 
I think through regional efforts, will be an enormously 
positive contribution, both to set the alarm, set the 
challenge, engage folks and then ultimately to work toward some 
solutions.
    Mr. Keating. Thank you, Dr. Flynn.
    You mentioned, and Mr. McClure mentioned, that there are 
actual, now, transitions into physical danger; people can be 
murdered. I wanted to first address this to Mr. Henry and then 
anyone else that might want to comment on this.
    But what can we do in Congress to--I am a former prosecutor 
myself--what can be done to extend--I would imagine the 
jurisdictional issues would be difficult even if you are 
successful in finding out who is responsible for these actions. 
But Mr. Henry, what can be done here in Congress to help that 
effort, because it will help not only bring people to justice 
that are responsible, but it would help as a deterrent as well. 
I would imagine one of the things that is difficult in this is 
finding a deterrent when people do this, because they might 
feel that they are, in a criminal sense, judgment-proof or not 
being able to prosecuted. So do you have any suggestions as to 
what we can do in Congress in that regard?
    Mr. Henry. Yes, sir. I think that you hit on it right 
there. With the Computer Fraud and Abuse Act primarily, we are 
looking at stiffening the penalties for the breaches and for 
those who are stealing information. I think that the deterrence 
is critical. I said that we have an adversary problem. These 
are adversaries who are launching viruses, who are launching 
Trojans, who are breaking into computers. There are people, and 
by reaching out and touching these people and taking them off 
the playing field, we are having an impact on the threat. It is 
a way for us to mitigate the threat. Stiffer penalties that are 
more rigorous, certainly from an enforcement perspective or an 
investigation perspective, I think we will have a larger impact 
and will raise the cost of adversaries for what they do on a 
day-to-day basis.
    Mr. Keating. What can we do in terms of international 
cooperation in this regard? Because they can be launched from 
any country, any jurisdiction.
    Mr. Henry. Absolutely. Anybody, anywhere in the world with 
an internet connection and a $500 laptop is a potential subject 
in any investigation. The attribution, to who may have done 
that type of attack, is a critical piece.
    When I was in the FBI, we worked very, very closely with 
foreign partners. The Bureau continues to do that, as well as 
other agencies, where we actually put FBI agents into the 
National police agencies of a number of countries in Eastern 
Europe and Western Europe, physically sitting side by side, 
working these investigations. I think we have to continue that 
both from an intelligence-sharing perspective and from 
collaborative investigations.
    Mr. Keating. We have security treaties with other 
countries. Can you see that being expanded in terms of 
cybersecurity treaties with other countries around the world 
and expanding that to a greater level?
    Mr. Henry. I think that has got to be a constant dialogue. 
I mean, this is a problem that doesn't face just the United 
States. It faces good societies and good people around the 
world. People are using this as a tool and as a weapon to 
promote their means and to promote their criminal operations. 
We have to have that dialogue regularly.
    Mr. Keating. Thank you, Mr. Chairman.
    Mr. McCaul. I thank the Ranking Member. The Chairman now 
recognizes the Ranking Member of the full committee, Mr. 
Thompson, for 5 minutes.
    Mr. Thompson. Thank you very much, Mr. Chairman. I agree 
with all of the comments that have been made relative to the 
seriousness of this issue. I listened with great interest to 
our panel of witnesses, and I am going to kind of ask for a 
little more help from you with my questions.
    If you were sitting in our seat, having to craft 
legislation that would provide the tools that you think would 
be necessary to get our hands around this issue, given what you 
know and the seriousness of this issue, what two or three 
things do you think that kind of cybersecurity legislation 
would need? Mr. Henry, I will start with you.
    Mr. Henry. The first one, for me, that I think is the most 
critical is data breach reform, data breach reporting. 
Currently there are, as the committee knows, I am sure, 47 
State data breach laws. There is a lot of confusion that I see 
in the private sector, from organizations that are breached, on 
to whom to report and when to report. I think the failure to 
report is a problem for all of us. I think that those 
companies, those infrastructures in those organizations are 
being used by our adversaries. They are part of the problem. If 
that is not reported, if there is not some type of remediation 
done, that continues to be a problem.
    From my perspective, when I was in the FBI, in some of our 
most successful cases where we were able to effectively reach 
out across oceans and put our hands on people, it was really 
the times when organizations came forward very quickly, which 
enabled us to get attribution through analysis of their network 
in collaboration with them. That is really, really critical. So 
data breach reporting.
    The second one is intelligence sharing, the ability for the 
Government to share broadly across infrastructure, to help 
raise the defenses, and to make organizations much more secure 
by providing some of those signatures that are not necessarily 
out in the hands of the general public but will enable critical 
infrastructure and organizations as a whole to better protect 
themselves.
    Mr. Thompson. Mr. Lewis.
    Mr. Lewis. Thank you. There are some very useful bills in 
the House and they will do some good things. But the ultimate 
test will be: Do you give the Government more authority to 
mandate security, to protect critical infrastructure 
facilities? If we don't do that this year, an attack is 
inevitable. Now, I know that there is a lot of contention on 
this issue, and I know there are questions about the ability of 
some agencies to carry out this function. But the ultimate test 
will be, do we require better security for critical 
infrastructure? If the answer is no, the Congress will have 
failed.
    There are good things on the information-sharing side, on 
the research side, but the ultimate test is critical 
infrastructure.
    Mr. Thompson. Mr. Wilshusen.
    Mr. Wilshusen. I would also echo what each of my colleagues 
have mentioned, but I will also talk to clearly define what the 
roles and responsibilities of the Federal agencies are in 
Federal Governments with respect to not only protecting and 
securing its own systems but also the support and assistance 
they can provide to the private sector and protecting 
particularly critical infrastructure sectors.
    Mr. McClure. I agree on the information sharing. I think it 
is absolutely key. But the only downside is that it is very 
reactive. The proactive side of it would be to really think 
about, how do you provide guidelines, either incentives or 
mandates, around secure by design? You know, a power plant 
might not be able to control how a PLC is designed from 
Germany, but they can absolutely not buy that PLC if it is not 
secure. So it is up to them, and I think we can provide better 
guidance, sir, on that.
    Mr. Flynn. Everything I have heard so far are things that I 
would endorse. I would certainly endorse the legislation, Mr. 
Chairman, you are trying to advance as well with the Ranking 
Member.
    I would add, one of the areas that we really need to do a 
better job at the risk mapping; particularly across 
infrastructure, we have got a sector-by-sector approach. When 
you hit one, what we don't have is a very good understanding of 
how the loss of that one could impact on others. So I know the 
Department of Energy is looking into this. But this is 
something, I think with legislative support, let's map what the 
consequences are of these attacks. That is a great motivator 
for people to get into the prevention mode. I think that could 
be very important.
    The other key area I think is, err on the side of openness. 
The hearing is doing, I think, a great public service. But a 
lot of the approach we have taken to date is work that is below 
the surface. You are not going to get the American people 
willing to invest, companies willing to invest, unless we talk 
about the problem with greater candor and with more 
specificity. I think we need to essentially err on the side of 
being more open about the risk to vulnerabilities, but 
obviously develop solutions for attacking these problems. Thank 
you.
    Mr. Thompson. Thank you. I yield back, Mr. Chairman.
    Mr. McCaul. I thank the Ranking Member.
    The Chairman now recognizes the gentleman from Missouri, 
Mr. Long.
    Mr. Long. Thank you. Thank you all for taking your time to 
be here today on this important subject. I would be remiss, Dr. 
Flynn, if I didn't mention that for the last few months, I have 
had a young lady from your university, Northeastern, interning 
in my office. If she is emblematic of your university and of 
college students today, I would say that this country has a 
very bright future.
    Mr. Flynn. They are all exactly like her.
    Mr. Long. All righty. Send me some more, will you?
    In 1941, my dad was a junior in high school. So he and 
people of his vintage can tell you where they were during the 
attack on Pearl Harbor. I can tell you where I was when JFK got 
assassinated. I can also tell you where--most people 16 years 
and older can probably tell you where they were on 9/11. We all 
remember that. I think I can predict with great certainty where 
I will be when we have our first devastating cyber attack. I 
have two options: I will either be in a full committee hearing 
on cybersecurity or a subcommittee on cybersecurity. We are 
good at talking things to death. It seems like we go over this 
again and again and again, but I have yet to really have anyone 
add any concrete steps that we can take to prevent such a 
horrific attack.
    So, Mr. Lewis, if I were to ask you--I heard one a minute 
ago--but your top three priorities or things that we can do, 
take to the Congress to try to address this situation, because 
we keep talking it and talking it and talking it. The top three 
things that we can do. Just pick out three things that you 
think are the most vital that we can truly make an impact on 
this situation at preventing cyber attacks.
    Mr. Lewis. You know a lot of the legislation that is before 
the House and before the Senate does good stuff, but it doesn't 
do enough. So we have got to think about a comprehensive 
approach. For me, the most important step that we are not 
taking is thinking about how to deal with the issues of 
critical infrastructure vulnerability. The difference between 
now and, say, 5 years ago--5 years ago, it was difficult to say 
how to secure networks. Now I think we can tell you how to 
secure networks. People will not do it, though, unless----
    Mr. Long. Let me ask you--let me interrupt you for a 
second.
    Mr. Lewis. Sure.
    Mr. Long. Before I came to Congress I was in a business 
where there was a large group of people that all needed to 
access, from several different companies, but access the same 
information on the internet. We would carry a fob with us that 
had--I think it was a nine-digit number and that number would 
change about every 90 seconds. So if you wanted to log onto 
your computer--systems like that, would those be beneficial on 
a wider scale, or not?
    Mr. Lewis. Remember, what was it, last year we had a story 
about--it was a false story but people got all excited because 
they thought that Springfield, Illinois, had their water system 
hacked. That turned out to be not true. But the story behind it 
was actually a little scarier, because they weren't hacked. The 
contractor was calling in from Russia. I thought to myself, 
``That is bad in so many ways, right?'' So yes, having a 
requirement for people to better authenticate themselves when 
they log into critical infrastructure networks would be a good 
step. There are other things we can do. But right now----
    When I told you about this search software that would find 
vulnerabilities, the easiest vulnerability to find is--you all 
know when you have bought a computer, when you have bought a 
router, that it comes configured with the username as 
``administrator'' and the password is ``password.'' If you go 
out and look at critical infrastructure, you will find some 
networks have not been reconfigured. So getting people to 
reconfigure, getting people to better authenticate, getting 
people to think about what they have attached to their systems, 
all of these would make a big difference.
    When you talk to companies and you say to them, ``Do you 
have your control systems connected to the internet?'' Almost 
all of them say no, right? When they say that, they believe it. 
Now it turns out they are always wrong, right, they don't know 
because these are a lot of computers. Nothing malicious here. 
But getting people to have a better understanding of what is 
connected to the internet, how it connects, and who can use it, 
these are all things we can do, but it won't happen magically. 
So that is where Congress could make a very big difference.
    Mr. Long. Okay. You were talking about Springfield, 
Illinois, a false story out of there.
    Springfield, Missouri, my hometown. I have said this before 
in committee hearings. But we had a small title loan company 
that, over the weekend, had $440,000 removed from their account 
and it went to Pakistan, which we don't know if it went on to 
benefit al-Qaeda or what from that point.
    But one real quick wrap-up question for Mr. Henry: Why am I 
concerned if it is China, Russia, Iran, why do I care where 
these attacks come from? Don't we need to be concerned with 
combating the problem more than where it is coming from? 
Everybody goes back to where it might be coming from.
    Mr. Henry. Well, sir, I think that it is really important 
for us to understand who the adversary is so we can take other 
actions. I say that we have an adversary problem. I think there 
are things we can do as a Government to define for the 
adversaries what the red lines are and what the repercussions 
are for crossing those red lines. So if in fact we were able to 
identify that a particular country took the plans to our next-
generation fighter plane, that we would take actions, as a 
country, against them, whatever it may be, whether it be 
diplomatic, economic, or military.
    Mr. Long. But to prevent that from happening the next 
time----
    Mr. Henry. So from my perspective, I think if we, as people 
who are monitoring security on networks, have an understanding 
of who the adversary is, the tactics, techniques, procedures 
that they are using, the information that they are going after, 
we can get a better sight picture of who that adversary is, and 
it helps us to better defend. It helps us from a strategic 
perspective.
    If you are protecting the network and you know a particular 
country is looking for plans to a particular device, you can 
change how that data is stored, you can change how it is 
transmitted, you can change how it is maintained on the 
network. There are actually procedures that network owners can 
take to better defend themselves.
    So I believe that using intelligence and by being 
proactive, you can be predictive and then preventive. You can 
predict who is going to attack what and where, and it helps you 
prevent.
    Mr. Long. I am way past my time. I yield back.
    Mr. McCaul. I thank the gentleman.
    Just on the point of specific recommendations, I wanted to 
brag on my colleague, Mr. Lewis. The CSIS report made many 
specific recommendations. Some have been taken up by the 
Congress and some have not, but I want to thank you again for 
that great work.
    With that, I recognize the gentlelady from New York, Ms. 
Clarke.
    Ms. Clarke. Thank you very much Mr. Chairman. I thank our 
Ranking Member for this very important Oversight, 
Investigations, and Management Subcommittee hearing. I want to 
associate my comments with the comments of Mr. Long about 
frustration when it comes to to this conversation about the 
urgent action that is required to protect our Nation's 
infrastructure from the constant barrage and bombardment, the 
attack on our systems, because it just seems as though we just 
keep having this conversation. Understanding the threat that we 
are under, understanding the constant attack that we are under, 
but we are not making the types of headway that we need to 
make.
    All of us have a role to play here. We have a legislative 
role to play. It seems that we tinker at the margins. I am very 
concerned that--you know, as a New Yorker, someone who could 
not have imagined that airplanes could be turned into missiles, 
that we are not imagining the real devastation that we could be 
under with the click of a mouse at any point in time. So, 
gentlemen, I think--you know your expertise is well noted.
    One of the things that I would like to ask of you is 
whether you have had an opportunity to review the bill that was 
passed out of the Homeland Security Committee for cybersecurity 
and whether any of you are in a position to comment on that 
legislation?
    This is Cybersecurity Week. There are a number of bills 
that are moving to the floor to be passed this week, but none 
of which have the level of comprehensiveness as the bill that 
was passed out of this committee; yet that won't be taken up 
this week. So I am just trying to figure out how serious we are 
here and what each of you respectively believes should be the 
next move of this legislative body when it comes to 
legislation.
    Don't all click at once. I don't want to put anyone on the 
spot. Some folks may not have had an opportunity to see it yet. 
But Mr. Lewis, you are nodding so maybe you can----
    Mr. Lewis. Yes. I think I am the stuck key on this one 
initially.
    The original bill that emerged from the committee I think 
was a very strong bill and would have gone a long way to 
putting us in a better position than we are today. I think a 
lot of people were surprised when we saw the amendment. The 
easiest way to describe it is the original bill was, I believe, 
45 pages and the amended bill was 34 pages. So the question you 
want to ask is: What was in those 11 pages that came out? If I 
had any advice, it might be to add those 11 pages back in. 
These are always difficult issues.
    If I have learned one lesson this year, it is that you 
shouldn't try to do major legislation in an election year. But 
I think this is a case where we can put the two bills side by 
side and see one--and I applaud the authors of it--one was very 
strong. The other is less strong. So maybe we need to 
reconsider.
    Mr. McClure. I am not detailed around some of the bills 
that have come up. But I will say that we have always found 
that incentives tend to motivate quite a bit, but they have to 
be specific. Anything around, for example, finding the problem 
before a bad guy does or finding the vulnerabilities, for 
example, and then patching and fixing them in an acceptable 
window of time, what we call the window of exposure, right?
    We are also enforcing, as we talked about earlier, 
enforcing strong authentication. It is really hitting--if you 
can just hit the 80/20 rule of security, which is that 80 
percent of the risk is represented by 20 percent of the 
problems, you are going to go a long, long way to making it 
simple to do, but also very impactful.
    Mr. Flynn. If I might just add, clearly one of the core 
issues has been, to what extent should Government play a more 
enforcement role. Clearly one of the issues that we have seen 
laid out here is the market has not been able unto itself to 
figure out how to put together adequate standards that are 
essentially being enforced within the market to deal with this 
risk. What has been particularly a problem is information 
providers interacting with critical infrastructure owners, 
people in the physical world who often are unaware of the 
vulnerabilities that they are investing in.
    There is a moral hazard problem there. We typically deal 
with moral hazard through some form of standard-setting and 
enforcement of that standard. The bottom line here is that this 
is an interesting philosophical battle. But at a practical 
level, we need a much more mature process for identifying 
standards and figuring out how to enforce them. So where I 
think we should be more creative is around third parties as a 
fee-based approach, whatever is required here. But at the end 
of the day, purely voluntary approaches I think will not get us 
to where we need to be.
    Ms. Clarke. Thank you, Mr. Chairman. I yield back.
    Mr. McCaul. Thank you. The Chairman now recognizes the 
gentleman from South Carolina, Mr. Duncan.
    Mr. Duncan. Thank you, Mr. Chairman. Just a quick question: 
If Congressman Long sent a tweet out during a hearing on 
cybersecurity, is that a contradiction?
    I just got a Facebook message from someone that said, 
``Please vote `no' on SISA, SOPA, PIPA, and H.R. 1981.''
    There is dramatic concern within the populace that there 
will be a Government overreach as we try to protect American 
systems on the private sector and the public sector. So I think 
we have got to tread lightly. What has been a concern of mine 
is: Where do we cross the line as a Government trying to 
protect our citizens when it comes to civil liberties and 
private information that will be not only captured during this 
process but possibly retained? We had a long debate about 
retention of that and when it should be eradicated from the 
computer files. But is it ever really eradicated? There are a 
lot of questions that came to mind during that debate that I 
think are definitely worthy of further discussion, especially 
this week.
    But Mr. McClure, I have got a question for you: What is the 
role of the public sector in protecting the United States 
Government institutional systems and the role of the private 
sector, primarily the free market, which I firmly believe that 
the free market can do it better than any Government entity?
    A case in point would have been Cash for Clunkers. If a 
private entity would have been running that program, I don't 
think we would have seen the problems that we saw from the 
dealers.
    So primarily the free market, in finding solutions to 
protect American systems, both public and private. So where is 
that balance? From the Federal Government, the public sector, 
trying to protect its institutions and also raise awareness of 
this, but the private sector and the free market finding those 
solutions for us.
    Mr. McClure. Well, I think that when it comes to the 
private sector, obviously the buck is what motivates, right? So 
if they can either sell more stuff, more products, more 
widgets, because it is secure or because it is more secure than 
a competitor, that draws a lot of interest. So from an 
incentive perspective, that works out quite well.
    I think when you start to move to the public sector, there 
is little incentive around that of making an extra buck. So 
from that perspective, I think you know more mandates and more 
guidelines have to be enforced. Now, where the two come 
together, in my book, is they really haven't, up until this 
point, and they need to in some form or fashion bring together 
both sides at the top levels to--not just for information 
sharing but also for helping to set and establish the 
guidelines that each other will be measured against, if you 
will, around security. Because this is very--it is actually 
quite simple to prevent a lot of bad stuff from happening that 
is just not happening. That has been the frustration in doing 
this for 20-plus years, is we know what solves this problem. It 
is just an issue of getting people to move and act to do it, 
and making it a priority within their organization. That is the 
bottom line.
    Mr. Duncan. I know academia is working with both. So I am 
going to ask you to step out of that and ask--we have got some 
public entities there. Do y'all want to answer that question? 
Do you want to chime in on that?
    Mr. Lewis. Well, two points: It is a good question. The 
first is knowing the work that Chairman Rogers and Ranking 
Member Ruppersberger have done on the bill. It is not SOPA, 
right? There is an effort to try to tag SOPA to it because 
everyone hates SOPA and they go ballistic when they hear it.
    They have made an effort to protect privacy. I think the 
changes in that bill are essential. You know, they update old 
legislation from the 1980s, from dial phones and copper wires, 
to let Government and companies work together better. So when I 
look at the bill, I don't think it poses a great risk to 
privacy. I realize there are concerns. Perhaps when it goes to 
conference or when it moves along in the voting process, those 
can be addressed.
    Mr. Duncan. Thank you, Mr. Chairman. I don't have anything 
further. I yield back.
    Mr. McCaul. Thank you. The Chairman now recognizes the 
gentleman from Illinois, Mr. Davis.
    Mr. Davis. Thank you very much, Mr. Chairman. Thank you, 
gentlemen, very much for being here.
    I guess we have always been concerned about the economic 
impact and never have we been more concerned about it than now. 
I often hear people try to estimate, say, what the cost of 
security operations are, what the impact of 9/11 has been on 
our economy, and what the economy would be like perhaps if we 
had not experienced that attack, and all of the different 
things that we have had to do to try to prevent it from 
occurring.
    There are estimates and studies that have suggested that 
there might be as much of an annual cost of about $40 billion a 
year from cyber attacks. Do any of us know how that information 
was arrived at, or the basis upon which those estimates are 
being made?
    Mr. Wilshusen. I would just say from our view, we don't 
know exactly how that information has been derived or the 
methodology. Indeed, in many cases we have found that cyber 
crime is often underreported and the amounts and estimates that 
are made, they vary widely from, you know, tens of billions to 
hundreds of billions. So the actual amount that has been the 
result of cyber crime, it is hard to really difficult. But it 
is likely to be a very large number.
    Mr. Lewis. If I could just add to that. I used to think 
that people just used a magic eight ball and if they didn't 
like the number, they flipped it. But there are a couple of 
things we can look at.
    The first is I would note that the National Intelligence 
Council is attempting to estimate the cost of cyber losses. The 
Economic Intelligence Unit, which is a branch of the Economist 
magazine is doing it. Cambridge University is doing an 
estimate. So in the next year, we might see three estimates.
    One thing you could look at is you could look at Germany 
which did its own estimate of its losses through cyber 
espionage, economic espionage. I believe the figure they came 
up with was about $24 billion. Now the U.S. economy is five 
times as large as the German economy, so that gives you a 
range. We don't have a good figure, but we are working on it. 
It looks to me like it will be in the low hundreds of billions.
    Mr. Flynn. I was just going to add, Congressman, that I 
think you made a very compelling analogy. The cost often is 
what happens after a catastrophic event. So when we have a 
cyber Pearl Harbor, that is where we really start to see the 
numbers, in part because of the rush to deal with the 
uncertainty.
    The case I try to make to my private-sector friends when we 
talk about these issues, we are, No. 1, trying to prevent 
things, but we are also trying to prevent the overreaction, the 
associated cost. That is why getting standards at the outset, 
agreed upon, that pass the smile test, those are critical in 
terms of protecting our economy, protecting the market against 
these kinds of threats.
    Mr. Davis. There are some people who think that we might be 
engaged in a bit of overkill in terms of how much time, energy, 
effort, money, everything else that we are putting into the 
notion of trying to create as secure an environment as we can 
possibly have. What would you say to people who express that 
kind of thought?
    Mr. McClure. I would say that it is a little shortsighted, 
that it is as big as you hear, and probably three to four 
times. I have done countless, hundreds and hundreds of 
investigations, incident response exercises, and have cleaned 
up after. I can tell you that the estimates that have come from 
all those engagements are typically far diluted because of 
their--No. 1, just inability to actually quantify the loss. The 
attempts to do it are quite flawed, especially because of the 
urgency of the remediation attempts. So for me, it is highly 
underestimated.
    Mr. Davis. So you would still say the old adage that an 
ounce of prevention is worth much more than a pound of cure?
    Mr. McClure. Without a doubt.
    Mr. Davis. Thank you, gentlemen, very much. Thank you, Mr. 
Chairman. I yield back.
    Mr. McCaul. I thank the gentleman. Let me just in closing 
say, first of all, thank you for being here. You provide great 
insight.
    We do have four bills going forward this week. With respect 
to the bill that passed out of this committee, I do believe it 
has the core components that the Secretary and the director of 
NSA asked for, and that is codification of existing legal 
authorities and an information-sharing system through the 
National Cybersecurity and Communications Integrations Center. 
We also have the ISECS out there as well.
    I know the intel bill also makes DHS a hub for cyber threat 
information sharing within the Government. I think anytime we 
deal with the private sector, we always have to be careful of 
that balance of incentivizing versus unduly burdensome 
mandates. It is always a balance between security and that. I 
would always prefer to incentivize when possible. But this is a 
very, very important, serious issue. And it is my sincere hope, 
as I mentioned to the Ranking Member of the full committee--you 
being Ranking on the cybersecurity committee--that we can work 
together on this important legislation. The issue is too 
important for the American people. I think everybody standing 
up here or sitting here at the dais understands that.
    So with that, we thank the witnesses again. Without 
objection, this hearing is adjourned.
    [Whereupon, at 3:35 p.m., the subcommittee was adjourned.]


                            A P P E N D I X

                              ----------                              

   Statement of John Watters, Chairman and CEO, iSIGHT Partners, Inc.
                             April 24, 2012
    Chairman McCaul, Vice Chairman Long, Ranking Member Keating, and 
other distinguished Members of the subcommittee, thank you for the 
opportunity to offer testimony to the Subcommittee on Oversight, 
Investigations, and Management.
    My name is John Watters and I am the Founder, Chairman, and CEO of 
iSIGHT Partners, Inc, a highly-specialized cyber risk management 
company. We launched over 5 years ago to help the public and private 
sectors assess and adapt their security measures against the rapidly 
intensifying cyber threat environment. The insights we provide into 
adversarial capability drives efficient resource utilization and focus 
on key threat concerns as opposed to noise that cannot be translated 
into mitigation. At our core, iSIGHT Partners has a world-class cyber 
threat intelligence capability delivering research, analysis, and a 
``community defense'' against emerging threats from around the globe.
    Threats to the cyber environment where our citizens, critical 
infrastructure, industry, and governments operate have intensified 
dramatically in recent years. This should come as no surprise, as the 
efficiency, effectiveness, and anonymity of cyber attacks have expanded 
to encompass every traditional threat category. Criminals understand 
that stealing no longer requires putting themselves in danger by 
committing traditional crimes using a weapon, such as bank robbery. In 
today's high-tech world, criminals easily and efficiently steal 
millions of dollars simply by creating aliases and obtaining a few 
keystrokes from their victims using tools readily available in 
underground forums. Nationalist actors recognize that they need not 
risk human assets to gain access to vital National interests when they 
can navigate the connected world of computers to establish a virtual 
presence and route information back home without a passport or visa and 
without leaving an evidentiary trail. The shift from the physical space 
to cyber space has already transpired, and the resulting risks to 
industries and governments are substantial and growing. Unfortunately, 
we continue to look internally for ways to combat cyber crime, when the 
solution requires that we look externally.
    Given the incredibly complex set of challenges we face in securely 
and efficiently managing our businesses and the Government while 
contending with these increased risks, we must embrace change as a 
constant and adapt accordingly. Absent an adaptive defense to an 
adaptive threat environment, we will fall further behind in our ability 
to prevent successful attacks targeting our interests. And small 
businesses, as the innovation engine of our country, are able to focus 
on not only confronting but actually outstripping the adversary's rapid 
pace.
    In the past, in what could now be called ``Cybersecurity 1.0,'' we 
resourced internal environments with a layered approach of people, 
processes, and technologies. This approach began at the perimeter and 
layered back to the core, where critical operations and information 
reside. However, as technologies have become more advanced and 
interconnected, these layers have shrunk, and the adversary's ability 
to traverse our networks has grown tremendously. In some cases, this 
phenomenon relates to bad security practices, such as password reuse. 
In other ways, the complexity of our own environments increases likely 
ingress and attack points through which adversaries can gain access to 
our critical information. While our defenses are enhanced because we 
can correlate events from different devices in different layers, the 
reality is that our adversaries have watched our slow adaptation and 
responded accordingly with more sophisticated and coordinated attacks; 
they are adapting to our moves, but we are slow to comprehend and adapt 
to theirs.
    However, improvements to our cybersecurity posture should not go 
unnoticed. Now that we have resourced our environment and refined our 
overall security posture, our future success in combating cyber threats 
resides in our ability to tactically and operationally adapt our 
defense to new and emerging attack methodologies. We now have a 
security infrastructure that we can manage, but the question is whether 
we manage it with insight into our adversaries and their capabilities 
or continue to blindly attempt to secure critical intellectual property 
and information. In summary, ``Cybersecurity 1.0'' was vulnerability-
based, and we benchmarked ourselves against regulations and what we 
thought were best practices. However, absent adversary insight, we will 
continue to hunt in our own environment for vulnerabilities that, in 
many cases, have already been exploited and try to close those security 
gaps. We have taken this approach for more than a decade with very 
little success. To more effectively combat cybercrime, we must move 
away from the old model and begin to benchmark our countermeasure 
posture in light of current attacks executed within our borders and 
from abroad and adapt our defenses accordingly.
    Now we need to exceed the innovation pace of our adversaries. As 
our country's global advantage has traditionally centered on the 
creativity spawned by small businesses, it is imperative we feed this 
innovation engine and embrace industry advances in this mission. 
Consequently, ``Cybersecurity 2.0'' must better manage our environment 
in light of the adversary's capabilities and attack methods and defend 
against the ``new normal'' of increased threat pace and capabilities. 
Addressing how to effectively manage decentralized environments 
associated with National infrastructure, global businesses and globally 
distributed networks where our sensitive data, processes, and 
intellectual property reside is the challenge. We need to decentralize 
our awareness outward beyond our perimeter. Rather than focus on what 
we alone see, our goal should be to build a common shared understanding 
of the threats we face with a focus on knowledge rather than more data. 
Just as important, we need to learn from each other's experiences. The 
key message is that one entity's reactive can be the next entity's 
proactive if these insights are rapidly shared. In others words, where 
we have common concerns and common threats with which to contend, we 
need common insights with shared solutions to combat those shared 
problems. Given the broad range of motivations behind adversaries using 
very similar attack methods, sharing individual lessons learned to 
create a ``community defense'' will enable businesses and Government to 
more effectively combat cyber crime.
    The strategy of volunteer coordination or using a variety of 
Government entities for sharing is riddled with challenges. For 
example, one of the more critical challenges facing the traditional 
intelligence mission lies in the classification structure that renders 
real-time information sharing across common stakeholders--most managing 
unclassified networks--unfeasible. These security restrictions 
essentially prevent cyber threat intelligence analysis from being 
shared. In other words, most of the intelligence sourcing from the 
Federal sector takes place in secure environments, and the resulting 
analysis of attacks is inherently difficult to share.
    In addition, the current construct of information sharing is 
limited by the absence of a trusted intermediary that can convert 
shared information into actionable intelligence and rapidly deliver 
that intelligence to each community member. To convert this idea into 
action and enable entities to proactively support the entire community, 
each community member must help fund tactical, operational, and 
strategic intelligence information gathering.
    We need a global window into and network of all research resources. 
Federal security activities tend to focus deeply on a relatively tight 
set of specific cyber threats. However, global commercial entities do 
not have that luxury because their people, information, and networks 
are globally distributed. Therefore, they must gain access to emerging 
threat data and victim data from around the world, rather than from one 
specific nation, sector, or entity. This requires community-building 
around the world, developing relationships and focusing on the transfer 
of knowledge rather than simply deploying machine sensors that witness 
technical indicators and events. Without the context associated with 
the indicators, it is impossible to attribute an attack to the 
appropriate threat category and source data that is associated with the 
analysis. Absent context, community members cannot effectively assess 
whether they are seeing something of critical importance or just 
another spam attack.
    In summary, we need an analytical pace that matches the rapidly 
developing pace of cyber threats. This is a resource- and time-
intensive activity requiring complete integration of global insight, an 
analytical team and structure that processes information into 
structured analytical products and a delivery method that enables 
community members to filter analysis based on the appropriate and 
specific customer and operation. An executive in one department of the 
Federal Government has a very different set of needs from a security 
operations center analyst in a fusion center, which is different from 
the fraud prevention team of an on-line bank with branches in Europe 
and South America. In short, intelligence analysis must address 
tactical, operational, and strategic needs while supplying various 
views of the analysis for each community member's category and sector.
    Since June 1, 2010, iSIGHT Partners has been fortunate to provide 
these capabilities in support of the entire Federal, State, and local 
civilian government through a single enterprise contract with the 
Department of Homeland Security's (DHS) United States Computer 
Emergency Readiness Team (US-CERT). Over the past 9 months alone, 
iSIGHT Partners has delivered more than 18,000 intelligence reports and 
updates with more than 8,500 associated technical threat indicators. 
During the same 9-month period, we responded to nearly 500 analysis 
requests while holding nearly 200 meetings with those we support. Most 
recently, US-CERT has begun leveraging a large number of our indicators 
as part of its Joint Cybersecurity Services Pilot. These threat 
indicators connect to specific intelligence analyses which enable each 
unique organization to tune their own security environment to detect 
and defend against specific cyber attacks that have been observed and 
analyzed. As threat indicators are triggered, defenders now have 
context about what attack was just defeated based on its connection to 
associated analysis. To that end, for example, Section 935 of the Ike 
Skelton National Defense Authorization Act for Fiscal Year 2011 
established the requirement for progress reports from the Department of 
Defense requiring just this sort of shift toward contextual knowledge. 
And as many of our Government users have recognized, this is a game-
changer for Government security operations. Enabling context and threat 
categorization in real time also enables defenders to prioritize 
resources and focus on serious cyber threats rather than taking the 
traditional approach of attempting to deal with all attacks equally.
    This contracting approach demonstrates the forward-leaning, 
innovative leadership within US-CERT and DHS. In today's budget 
climate, and as recognized by the current administration's Federal 
Information Technology Shared Services Strategy paradigm of ``Shared 
First,'' common problems must be addressed with common solutions. The 
ability to contract and deliver this shared solution across the mission 
space is a case study illustrating that fact. Through this program, 
visibility into global cyber attacks against commercial and Government 
entities has improved tremendously. Together with US-CERT, iSIGHT 
Partners has driven a public-private partnership, an operational level 
of information sharing, a mechanism to detect and defeat emerging cyber 
attacks while learning from other community experiences and maintained 
the integrity of non-classified cyber threat intelligence shared 
unconstrained among Federal, State, and local civilian government 
members. This approach has provided insight into each member's cyber 
defense experiences without disclosing an individual victim's 
identity--this is what ``community defense'' is all about.
    Change in the cyber threat environment will be constant, and the 
cyber adversaries our country faces are excellent at sharing 
information and learning from each other's experiences. While we have 
made some progress in sharing information through coordination centers, 
in order to surpass the innovation pace of our adversaries, 
entrepreneurial companies like iSIGHT Partners have demonstrated a 
clear capability to embrace this reality. In the end, if we do not 
shift to an adaptive defense based on continuously updated, actionable, 
and sharable threat intelligence, our National interests will remain at 
great risk.
    Thank you again for this opportunity to testify. Most importantly, 
I want to thank each of you for your contributions to the country and 
your leadership in working what is quickly emerging as one of the most 
important challenges facing the United States.