[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]

CYBER THREATS FROM CHINA, RUSSIA, AND IRAN: PROTECTING AMERICAN CRITICAL INFRASTRUCTURE
=======================================================================

HEARING
before the
SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY TECHNOLOGIES
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED THIRTEENTH CONGRESS
FIRST SESSION

MARCH 20, 2013

Serial No. 113-9

Printed for the use of the Committee on Homeland Security

Available via the World Wide Web: http://www.gpo.gov/fdsys/

U.S. GOVERNMENT PRINTING OFFICE
82-583                          WASHINGTON : 2013
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov
Phone: toll free (866) 512-1800; DC area (202) 512-1800
Fax: (202) 512-2104
Mail: Stop IDCC, Washington, DC 20402-0001

COMMITTEE ON HOMELAND SECURITY

Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas
Peter T. King, New York
Mike Rogers, Alabama
Paul C. Broun, Georgia
Candice S. Miller, Michigan, Vice Chair
Patrick Meehan, Pennsylvania
Jeff Duncan, South Carolina
Tom Marino, Pennsylvania
Jason Chaffetz, Utah
Steven M. Palazzo, Mississippi
Lou Barletta, Pennsylvania
Chris Stewart, Utah
Keith J. Rothfus, Pennsylvania
Richard Hudson, North Carolina
Steve Daines, Montana
Susan W. Brooks, Indiana
Scott Perry, Pennsylvania

Bennie G. Thompson, Mississippi
Loretta Sanchez, California
Sheila Jackson Lee, Texas
Yvette D. Clarke, New York
Brian Higgins, New York
Cedric L. Richmond, Louisiana
William R. Keating, Massachusetts
Ron Barber, Arizona
Donald M. Payne, Jr., New Jersey
Beto O'Rourke, Texas
Tulsi Gabbard, Hawaii
Filemon Vela, Texas
Steven A. Horsford, Nevada
Eric Swalwell, California

Greg Hill, Chief of Staff
Michael Geffroy, Deputy Chief of Staff/Chief Counsel
Michael S. Twinchek, Chief Clerk
I. Lanier Avant, Minority Staff Director

------

SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY TECHNOLOGIES

Patrick Meehan, Pennsylvania, Chairman
Mike Rogers, Alabama
Jason Chaffetz, Utah
Keith J. Rothfus, Pennsylvania
Steve Daines, Montana
Scott Perry, Pennsylvania
Michael T. McCaul, Texas (ex officio)

Yvette D. Clarke, New York
William R. Keating, Massachusetts
Filemon Vela, Texas
Steven A. Horsford, Nevada
Bennie G. Thompson, Mississippi (ex officio)

Alex Manning, Subcommittee Staff Director
Dennis Terry, Subcommittee Clerk

C O N T E N T S
----------
                                                                   Page
Statements

The Honorable Patrick Meehan, a Representative in Congress From the State of Pennsylvania, and Chairman, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies:
  Oral Statement.................................................    1
  Prepared Statement.............................................    5
The Honorable Yvette D. Clarke, a Representative in Congress From the State of New York, and Ranking Member, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies:
  Oral Statement.................................................    7
  Prepared Statement.............................................    8
The Honorable Bennie G. Thompson, a Representative in Congress From the State of Mississippi, and Ranking Member, Committee on Homeland Security:
  Prepared Statement.............................................    9

Witnesses

Mr. Frank J. Cilluffo, Director, Homeland Security Policy Institute, Co-Director, Cyber Center for National and Economic Security, The George Washington University:
  Oral Statement.................................................   11
  Prepared Statement.............................................   13
Mr. Richard Bejtlich, Chief Security Officer and Security Services Architect, Mandiant:
  Oral Statement.................................................   21
  Prepared Statement.............................................   23
Mr. Ilan Berman, Vice President, American Foreign Policy Council:
  Oral Statement.................................................   25
  Prepared Statement.............................................   27
Mr. Martin C. Libicki, Senior Management Scientist, Rand Corporation:
  Oral Statement.................................................   30
  Prepared Statement.............................................   32

For The Record

The Honorable Patrick Meehan, a Representative in Congress From the State of Pennsylvania, and Chairman, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies:
  Article, ``Iran's Global Business Is Murder Inc.'' by Michael Oren.........................................................    3
  Statement of Dean Picciotti, President, Lexington Technology Auditing.....................................................   43

CYBER THREATS FROM CHINA, RUSSIA, AND IRAN: PROTECTING AMERICAN CRITICAL INFRASTRUCTURE
----------

Wednesday, March 20, 2013

U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies,
Washington, DC.

The subcommittee met, pursuant to call, at 2:05 p.m., in Room 311, Cannon House Office Building, Hon. Patrick Meehan [Chairman of the subcommittee] presiding.

Present: Representatives Meehan, McCaul, Chaffetz, Rothfus, Perry, Clarke, and Vela.

Mr. Meehan. The Committee on Homeland Security's Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies will come to order. The subcommittee is meeting today to examine the cyber threat that is posed by China, Russia, and Iran. I now recognize myself for an opening statement.
I would like to welcome this distinguished panel, and everyone to today's hearing, which is our first subcommittee hearing of the 113th Congress. This being our first hearing, I would also like to welcome the new Members and extend my appreciation to Chairman McCaul for naming me the Chairman of the crucial subcommittee.

I would also like to recognize, which we don't customarily do, but it is a special opportunity to have 16 students from the Valley Forge Military Academy, which is in my district, so I am privileged on that factor as well, to join us here today.

I had the good privilege to chair the Subcommittee on Counterterrorism and Intelligence in the last Congress, and there are many overlapping issues in the cyber realm. I look forward to engaging on those again in the coming 2 years.

I would also like to begin by taking the opportunity to credit Ranking Member Clarke for her leadership on cybersecurity and the tremendous work she has been doing for some period of time on this issue. I know she has been tied up, but will be joining us very shortly. Representative Clarke has been at this for a while and I look forward to working together in a bipartisan fashion as we move forward on the issue.

I would also like to salute Dan Lungren--take an opportunity to say thank you to him for his previous Chairmanship of this subcommittee and the very, very important work he did on this issue before. His substance, knowledge, and exceptional legal acumen are going to be missed by our body, and I wish him well and thank him for his service.

I am looking forward to serving with each of the new Members who will join us here on this committee.

Today's hearing is timely and very relevant. We are examining the cyber threat today that is posed by nation-states, namely China, Russia, and Iran. I focus on the nation-state aspect of this threat because it represents a new battlefield in state relationships and one in which we must prepare accordingly.
Since the new year, there have been significant developments in the cyber domain, highlighted by the fact that the U.S. Government has finally begun to name the nation-states most responsible for cyber attacks against the United States. I believe identifying the threat is critical to combating this problem and protecting our critical infrastructure.

Over the last 2 months, the Obama administration has rightly placed cybersecurity at the top of its public agenda. In his State of the Union speech, President Obama specifically cited foreign countries swiping our corporate secrets, attacking our financial institutions, and sabotaging our power grid. Last week, Tom Donilon, the President's National security adviser, outed China as the place where cyber intrusions are emanating on an unprecedented scale.

Also last week, the annual threat assessment by the United States intelligence community delivered to Congress--Director of National Intelligence, James Clapper, named cyber as the top threat to the United States' National security. This represents a major shift in the threat assessment by the United States intelligence community and makes our work on this committee even more important.

Last, President Obama last week discussed cybersecurity during a congratulatory phone call to the new Chinese president. That, coupled with the talks currently taking place or which just have concluded between Secretary Jack Lew and the new leaders in Beijing, means that this is an excellent development for our Nation, that this issue has been addressed at the highest levels.

With respect to identifying the threat, this subcommittee has a history of identifying the threat, naming it publicly, often before it manifests itself. In fact, last year, former Representative Lungren and I held a joint subcommittee hearing entitled, ``The Iranian Cyber Threat to the Homeland.'' We identified Iran as a growing cyber threat.
Since that hearing, it has been reported widely that Iran conducted distributed denial-of-service, the DDoS attacks, against multiple American financial institutions. Both Mr. Cilluffo and Mr. Berman testified at the hearing and accurately predicted Iran's growing intent and capability to conduct a cyber attack against the United States homeland. I credit both of you with foresight on the issue, when many underestimated the Iranian threat in itself, to our Nation, and particularly the Iranian cyber threat. I view today's hearing as a continuation of last year's hearing and look forward to seeing and hearing how you believe it has evolved.

With respect to the Iranian cyber threat, I believe clarity is critically important. Iran is the world's largest state sponsor of terrorism and continues to pursue nuclear weapons to, ``wipe Israel off the map.'' In that sense, we must question whether we are dealing with a potentially irrational actor, which makes the Iranian cyber threat even more dangerous. I believe that any regime willing to detonate a bomb in a Washington, DC, restaurant to assassinate a Saudi ambassador to the United States would truly be willing to conduct a major cyber attack against United States' critical infrastructure. The U.S. Government must make clear to the Iranians our red lines, and if they escalate their attempts to infiltrate our critical infrastructure, we will respond accordingly.

For the Iranians, cyber is just another tool with which to sow terror and to repress its people. In the words of Michael Oren, the Israeli ambassador to the United States, ``Iran's main export is murder.'' It is important we all realize that, especially within the context of cyber. To ensure we have clarity about the Iranian threat, I would like to enter into the record a February 16 op-ed in The Wall Street Journal by Ambassador Oren, which provides great detail on Iran's regime.
I have also asked staff to provide a copy of the op-ed to Members at today's hearing and encourage you to read it closely. In my view, we must assess the Iranian cyber threat through Ambassador Oren's perspective, in the context of, and I quote: ``murder, bombings, kidnappings, and trade in drugs and guns. The cyber attack capability is increasing and their intent may well be murderous. We must not forget it.''

This is the op-ed. I will ask that it be ordered into the record. Without objection, so ordered.

[The information follows:]

Article Submitted For the Record by Chairman Meehan

Iran's Global Business Is Murder Inc.

By Michael Oren, February 11, 2013.

Bombings in capital cities, kidnappings, trade in drugs and guns--Iranian exports, all. Now Tehran wants nukes.

A bomb explodes in Burgas, Bulgaria, leaving five Israeli tourists and a local driver dead. Mysteriously marked ammunition kills countless Africans in civil wars. Conspirators plot to blow up a crowded cafe and an embassy in Washington, DC. A popular prime minister is assassinated, and a despised dictator stays in power by massacring his people by the tens of thousands.

Apart from their ruthlessness, these events might appear unrelated. And yet the dots are inextricably linked. The connection is Iran.

In 25 cities across five continents, community centers, consulates, army barracks and houses of worship have been targeted for destruction. Thousands have been killed. The perpetrators are agents of Hezbollah and the Quds Force, sometimes operating separately and occasionally in unison. All take their orders from Tehran.

Hezbollah's relationship with Tehran is ``a partnership arrangement with Iran as the senior partner,'' says America's director of national intelligence, James Clapper. The Lebanon-based terror group provides the foot soldiers necessary for realizing Iran's vision of a global Islamic empire.
Hezbollah chief Hassan Nasrallah says his organization was founded to forge ``a greater Islamic republic governed by the Master of Time [the Mahdi] and his rightful deputy, the jurisprudent Imam of Iran.''

With funding, training, and weapons from Iran, Hezbollah terrorists have killed European peacekeepers, foreign diplomats, and thousands of Lebanese, among them Prime Minister Rafiq Hariri. They have hijacked American, French, and Kuwaiti airliners and kidnapped and executed officials from several countries. They are collaborating in Bashar Assad's slaughter of opposition forces in Syria today.

[Photo caption: A deadly suicide attack in Burgas leaving five Israeli tourists and a local driver dead last July.]

Second only to al-Qaeda, Hezbollah has murdered more Americans--at least 266--than any other terrorist group. The United States designated Hezbollah as a terrorist organization in 1997, though the European Union has yet to do so.

Above all, Hezbollah strives to kill Jews. It has fired thousands of rockets at Israeli civilians and tried to assassinate Israeli diplomats in at least six countries. Its early 1990s bombing of a Jewish community center and the Israeli Embassy in Argentina killed 115.

The attack in Burgas occurred last July, and this month the Bulgarian government completed a thorough inquiry into who was behind it: Hezbollah. ``The finding is clear and unequivocal,'' said John Kerry in one of his first pronouncements as U.S. Secretary of State. ``We strongly urge other governments around the world--and particularly our partners in Europe--to take immediate action and to crack down on Hezbollah.''

Then there is the Quds Force, the elite unit of Iran's Revolutionary Guard Corps, which takes orders directly from Iranian Supreme Leader Ali Khamenei. The U.S. has repeatedly accused the Quds Force of helping insurgents kill American troops in Iraq and Afghanistan, and of supplying weapons to terrorists in Yemen, Sudan, and Syria.
In 2007, Quds Force operatives tried to blow up two Israeli jetliners in Kenya and kill Israel's ambassador in Nairobi.

Hezbollah and the Quds Force also traffic in drugs, ammunition, and even cigarettes. Such illicit activities might seem disparate but they, too, are connected to terror and to Tehran. In 2011, the New York Times reported that Hezbollah was working with South American drug lords to smuggle narcotics into Africa, the Middle East, and Europe. The terror group laundered its hundreds of millions of dollars in profits through used-car dealerships in America.

Also in 2011, the FBI exposed a plot in which senior Quds Force operatives conspired with members of Mexico's Los Zetas drug cartel to assassinate Saudi Arabia's ambassador to Washington by bombing the restaurant where he dined. The Israeli Embassy in Washington was also targeted. The middleman between the terrorists and the drug dealers was an Iranian-American used-car salesman.

And still the dots proliferate. U.S. authorities have implicated Hezbollah in the sale of contraband cigarettes in North Carolina, and Iran has manufactured and sold millions of rounds of ammunition to warring armies in Africa. So while skirting Western sanctions, Iran funds terror world-wide.

But Iran's rulers are counting on the West's inability to see the larger pattern. Certainly the European Union would take a crucial step forward by designating Hezbollah a terrorist organization, but terror is only one pixel. Tehran is enriching uranium and rushing to achieve military nuclear capabilities. If it succeeds, the ayatollahs' vision of an Islamic empire could crystallize. Iran and its proxies have already dotted the world with murderous acts. They need only nuclear weapons to complete the horrific picture.

Mr. Oren is Israel's ambassador to the United States.

Mr. Meehan. We are joined today by the chief security officer of Mandiant Corporation, who is here to testify on the cyber threat posed by China.
While I have already mentioned the administration's naming of the Chinese threat, a great deal of credit goes to Mandiant for its long-term work identifying the specific Chinese military unit responsible for looting our intellectual property and technological innovations and for publicly naming its actual geographic location. That threat is a service--that report is a service to all policymakers trying to combat the Chinese cyber threat.

I also look forward to hearing from today's witnesses with respect to the threat from Russia. Russia is often overlooked in the cyber-threat realm, but they have capability and have illustrated the intent to use it in Estonia and Georgia. While we fear the theft of classified information, intellectual property, and source codes, as well as grave, crushing attacks on our critical infrastructure from nations who aim to harm us, the threat of monetary and identity theft of our citizens remains a top concern. As our traditional adversary in the game of espionage, I view cyber space as a new, modern Cold War battlefield between the United States and Russia, and we must prepare to respond appropriately.

Let me close my comments by focusing on today's hearing. The point that I believe it is worth pointing out that North Korea has been the source of increased rhetoric pertaining to nuclear weapons, and the Obama administration has responded by announcing the addition of missile interceptors in Alaska over the last few years. North Korea's cyber capability should not be underestimated and its intent is difficult to assess.
I note for the record, as recently as today, the incidents which are being attributed to North Korea by many with respect to the denial of services on banking and communications entities in South Korea, another escalation in the tension between those two, but seen by many--and I may be interested in the testimony of this distinguished panel--to be in response to actions by the United Nations and other civilized countries to rein in the Iranian--I mean the North Korean nuclear capability. So once again we are seeing this connection of cyber activity in relation to efforts by the civilized world to address both Iran and North Korea.

As Chairman McCaul indicated in last week's full committee hearing, the committee plans to pass cybersecurity legislation in the coming weeks and months. We have been meeting with stakeholder groups affected by this issue, and we encourage continued dialogue. The vast majority of critical infrastructure is owned by the private sector, so there must be a true partnership between Government and industry to ensure we are protected. I look forward to a continuing conversation on these issues.

Now, let me take a moment to recognize the Ranking Member, and I appreciate that she had been hustling over after being tied up with some other responsibilities. But it is a great privilege to be able to share this responsibility on this committee with my good friend, the gentlelady from New York. As I had identified at the outset, we have been working already together with our staffs. But I respectfully--I respect greatly the great body of work which the Ranking Member has already put into this issue from her previous service. I look forward to working together with her as this committee moves forward on this very, very important work. So let me turn it over to the Ranking Member. Thank you.
[The statement of Chairman Meehan follows:]

Statement of Chairman Patrick Meehan

March 20, 2013

I'd like to welcome everyone to today's hearing, which is our first subcommittee hearing of the 113th Congress. This being our first hearing, I'm going to take care of a few housekeeping items right off the bat.

As some of you know, I chaired the Subcommittee on Counterterrorism and Intelligence last Congress. There are many overlapping issues in the cyber realm and I look forward to engaging in them over the next 2 years.

I'd like to begin by taking the opportunity to credit Ranking Member Clarke for her leadership on cybersecurity. You have been at this for a while and I look forward to working together in a bipartisan manner moving forward.

Second, I'd also like to take the opportunity to salute the former Chairman of this subcommittee, Rep. Dan Lungren from California. Rep. Lungren served in Congress during the 1980s and after a stint as Attorney General of California in the 1990s, felt compelled to serve again after September 11. He was elected to the House again in 2004 and was involved in virtually every post-9/11 Government policy response. His substance, knowledge, and exceptional legal acumen will be missed in this body. I wish him well and thank him for his service.

Finally, I'd like to welcome the new Members to the subcommittee. In my experience, this committee has operated in a bipartisan manner and I expect that to continue in the 113th Congress. I look forward to working with all of you.

Today's hearing is timely and relevant. We are examining the cyber threat posed by nation states: China, Russia, and Iran. I focus on the ``nation-state'' aspect of this threat because it represents a new battlefield in state relations and we must prepare accordingly.

Since the New Year, there have been significant developments in the cyber domain, highlighted by the fact the U.S. Government has finally begun to name the nation-states most responsible for cyber attacks against the United States. I believe identifying the threat is critical to combating this problem and protecting our critical infrastructure.

Over the last 2 months, the Obama administration has rightly placed cybersecurity at the top of the public agenda. In his State of the Union speech, President Obama specifically cited ``foreign countries'' swiping our corporate secrets, attacking our financial institutions, and sabotaging our power grid. While he didn't name any specific countries, last week, Tom Donilon, the President's National Security Advisor, outed China as the place where cyber intrusions are emanating on ``an unprecedented scale.''

Also last week, in the Annual Threat Assessment by the U.S. intelligence community delivered to Congress last week, the Director of National Intelligence (DNI), James Clapper, named cyber as the top threat to U.S. National security. This represents a major shift in the threat assessment by the U.S. intelligence community and makes our work on this committee even more important.

Last, The New York Times reported last week that President Obama discussed cybersecurity during a congratulatory phone call with the new Chinese President. The fact this issue is being addressed at the head-of-state level is an excellent development. I credit the Obama administration for naming the threat and pushing for action.

With respect to identifying the threat, this subcommittee has a history of identifying the threat and naming it publicly, often before it manifests itself. In fact, last year, former Rep. Lungren and I held a joint subcommittee hearing entitled, ``The Iranian Cyber Threat to the Homeland'' which identified Iran as a growing cyber threat. Since that hearing, it has been widely reported that Iran conducted distributed denial-of-service (DDoS) attacks against multiple American financial institutions.
If true, I'd say that we were all correct in our predictions last July. Both Mr. Cilluffo and Mr. Berman testified at that hearing and aptly predicted Iran's growing intent and capability to conduct a cyber attack against the U.S. homeland. I credit you both for your foresight on this issue when many underestimated the Iranian cyber threat. I view today's hearing as a continuation of last year's hearing and I look forward to learning how the threat has evolved.

With respect to the Iranian cyber threat, I believe clarity is critically important. Iran is the world's largest state sponsor of terrorism and continues to pursue nuclear weapons to ``wipe Israel off the map.'' In that sense, I believe we are dealing with a potentially irrational actor, which makes the Iranian cyber threat even more dangerous. Common sense dictates that any regime willing to detonate a bomb at a Washington, DC restaurant to assassinate the Saudi Ambassador to the United States would surely be willing to conduct a major cyber attack against U.S. critical infrastructure. The U.S. Government must make clear to the Iranians our ``red lines'' and make clear to them that if they escalate any cyber attacks against U.S. critical infrastructure, we will respond appropriately.

For the Iranians, cyber is just another tool through which to sow terror and repress its people. In the words of my good friend Michael Oren, Israeli Ambassador to the United States, Iran's main export is murder. It is important we all realize that, especially within the context of cyber. To ensure we have clarity about the Iranian threat, I would like to enter into the record a February 16 op-ed in The Wall Street Journal by Ambassador Oren entitled ``Iran's Global Business is Murder, Inc.'' The op-ed provides great detail on Iran's murderous regime. I have also asked staff to ensure a copy of the op-ed has been provided to Members at today's hearing and encourage you to read it closely.
In my view, we must assess the Iranian cyber threat through Ambassador Oren's perspective: ``in the context of murder, bombings, kidnappings, and trade in drugs and guns.'' Their cyber attack capability is increasing and their intent is murderous. We must not forget it. Without objection, so ordered.

Members are also lucky to have a representative from Mandiant Corp. here today to testify on the cyber threat posed by China. While I've already mentioned the administration's naming of the Chinese threat, a great deal of credit goes to Mandiant for its long-term work identifying the specific Chinese military unit responsible for looting our intellectual property and technological innovations and publicly naming its actual geographic location. That report is a service to all policymakers trying to combat the Chinese cyber threat. As the ultimate credit to Mandiant's report on China's cyber threat, I will quote perhaps the premier American intelligence official, former CIA and NSA Director and fellow Pennsylvanian, General Michael Hayden, who simply stated: ``It was a wonderful report.'' General Hayden knows a thing or two about intelligence analysis so I view this as the ultimate validation of Mandiant's work.

With respect to the Russian cyber threat, I look forward to hearing from today's witnesses. Russia is often overlooked in the cyber threat realm, but they have the capability and have illustrated the intent to use it in Estonia and Georgia. As our top traditional adversary in the game of espionage, I view cyber space as a new, modern Cold War battlefield between the United States and Russia and we must prepare and respond appropriately.

While not the focus of today's hearing, I believe it is worth pointing out that North Korea has been the source of increased rhetoric pertaining to nuclear weapons and the Obama administration has responded by announcing the addition of missile interceptors in Alaska over the next few years.
North Korea's cyber capability should not be underestimated and its intent is difficult to assess. It was widely reported North Korea conducted cyber attacks against South Korea and the United States in July 2009. We must keep a watchful eye on this continued threat actor.

As Chairman McCaul indicated at last week's full committee hearing, the committee plans to pass cybersecurity legislation in the coming weeks and months. We have been meeting with stakeholder groups affected by this issue and we encourage continued dialogue. The vast majority of critical infrastructure is owned by the private sector so there must be a true partnership between Government and industry to ensure we are protected. I look forward to continuing the conversation on these issues.

Ms. Clarke. I thank you, Mr. Chairman, and I thank you for holding this hearing today. First, I would like to congratulate you, Chairman Meehan, on your appointment to Chair of our subcommittee. I look forward to working with you to continue this subcommittee's proud history of bipartisan oversight and legislative action.

I think that the topic at hand is an appropriate one for our subcommittee's first hearing at this Congress. I don't have to tell you, Mr. Chairman, that the cyber threats to our critical infrastructure are growing and serious, and cybersecurity is perhaps the most prominent National security issue we face this Congress. Last week in the intelligence community's annual world-wide threat assessment report to Congress, Director of National Intelligence, James Clapper, named cyber as the leading threat to our National security, ahead of terrorism, transnational crime, and WMD proliferation.

To set the stage for the important actions that our committee must take to enhance our Nation's cybersecurity, it is important that we first examine the evolving nature of the threat we are facing.
Each month seems to bring a new wrinkle in our understanding of the threat to our Government, to our businesses, and to individuals. Malicious cyber actors have destroyed 30,000 computers on an oil company's network in the blink of an eye. They have bombarded dozens of our banks with denial-of-service attacks on a weekly basis in a concerted campaign dragging on for months. They have infiltrated the manufacturer of smart grid industrial control systems, which are currently installed all across the Nation in our critical infrastructure. These are just reports that have been made public in the last 9 months.

We have long since passed the time when our biggest challenge in cyber space was dealing with the stereotypical teenager in his parent's basement. A small group of nation-states are taking advantage of the internet's openness to conduct cyber-espionage, not only against traditional Government targets, such as defense and intelligence agencies, but against all variety of economic targets and critical infrastructure.

But though I think we have recognized this for some time, what has been missing is a public discussion of this bad behavior. That is why I think the events of the last few weeks have been a real tipping point in the way our Nation responds to cyber threats. Foreign actors can no longer be permitted to commit industrial-strength espionage against our Government and businesses without being brought to account.

I have been heartened to see that the Obama administration has recently made great strides in this area. Two weeks ago, National Security Adviser Tom Donilon went on the record about China's aggressive behavior in cyber space, outlining key areas where the United States will require China's engagement moving forward. Then, last week, President Obama himself expanded upon the threat posed by the Chinese and other state actors, and the strong messages that we are beginning to send.
I applaud the administration's willingness to raise this issue to the Presidential level. I hope that it leads to substantive engagement with foreign governments on proper conduct in cyber space. Finally, I am pleased that we are joined today by this very distinguished panel of witnesses. I look forward to learning more about the cyber threats to our critical infrastructure and further informing the public debate on cybersecurity. I yield back, Mr. Chairman. [The statement of Ranking Member Clarke follows:] Statement of Ranking Member Yvette D. Clarke March 20, 2013 I think that the topic at hand is an appropriate one for our subcommittee's first hearing this Congress. I do not have to tell you, Mr. Chairman, that the cyber threats to our critical infrastructure are growing and serious, and cybersecurity is perhaps the most prominent National security issue we will face this Congress. Last week, in the intelligence community's Annual Worldwide Threat Assessment report to Congress, Director of National Intelligence James Clapper named cyber as the leading threat to our National security, ahead of terrorism, transnational crime, and WMD proliferation. To set the stage for the important actions that our committee must take to enhance our Nation's cybersecurity, it is important that we first examine the evolving nature of the threat we are facing. Each month seems to bring a new wrinkle in our understanding of the threat to our Government, to our businesses, and to individuals. Malicious cyber actors have destroyed 30,000 computers on an oil company's network in the blink of an eye. They have bombarded dozens of our banks with denial-of-service attacks on a weekly basis in a concerted campaign dragging on for months. They have infiltrated the manufacturer of smart grid industrial control systems which are currently installed all across the country in our critical infrastructure. These are just reports that have been made public in the last 9 months. 
We have long since passed the time when our biggest challenge in cyber space was dealing with the stereotypical teenager in his parents' basement. A small group of nation-states are taking advantage of the internet's openness to conduct cyber espionage, not only against traditional Government targets such as defense and intelligence agencies, but against all variety of economic targets and critical infrastructure. But though I think we have recognized this for some time, what has been missing is a public discussion of this bad behavior. That's why I think the events of the last few weeks have been a real tipping point in the way our Nation responds to cyber threats. Foreign actors can no longer be permitted to commit industrial-strength espionage against our Government and businesses without being brought to account, and I have been heartened to see that the Obama administration has recently made great strides in this area. Two weeks ago, National Security Advisor Tom Donilon went on the record about China's aggressive behavior in cyber space, outlining key areas where the United States will require China's engagement moving forward. Then, last week, President Obama himself expanded upon the threat posed by the Chinese and other state actors and the strong messages that we are beginning to send. I applaud the administration's willingness to raise this issue to the Presidential level, and I hope that it leads to substantive engagement with foreign governments on proper conduct in cyber space. Finally, I am pleased that we are joined today by this distinguished panel of witnesses, and I look forward to learning more about the cyber threats to our critical infrastructure and further informing the public debate on cybersecurity. Mr. Meehan. Well, thank you, Ranking Member Clarke. 
One little housekeeping issue here, because one of the realities of our work here in Congress is the most important responsibility, which is to vote, and as you can see, we were just called to vote. So I am going to use the little window that we have here to try to do some quick introductions of our panel, and then I am going to ask--we are going to try to get through the testimony of two of the first witnesses. We will then quickly return from votes and, hopefully, gavel it down as quickly as we can after we are finished voting to hear the testimony of the last two, and then we will move into questions from the Members who are able to join us again. So let us--the rest of the committee is reminded, opening statements can be submitted for the record. [The statement of Ranking Member Thompson follows:] Statement of Ranking Member Bennie G. Thompson March 20, 2013 The list of significant cyber intrusions against our critical infrastructure keeps growing. Our top Government officials are going on the record about state sponsors of aggressive cyber activities that have been stealing our trade secrets and intellectual property as well as targeting our most sensitive critical infrastructure networks. National Security Advisor Tom Donilon and Director of National Intelligence James Clapper have spent recent weeks identifying state sponsors of aggressive cyber activities--including China, Iran, and Russia. Just last week, President Obama raised the issue of cyber attacks with the Chinese president, instantly raising the importance of cybersecurity in the U.S.-China relationship. But even though we have made great strides in our response to state-sponsored cyber activities, we cannot expect the problem to go away overnight. It would be prudent to expect the future to bring new, more sophisticated attacks. Even the best, most secure critical infrastructure in our country is no match for a determined adversary backed by the resources of a government. 
That is why it is so important for this committee to pass comprehensive cybersecurity legislation. We must act to provide a framework which will improve the partnership between the owners and operators of our critical infrastructure and the Government to work together collaboratively to protect our networks. I look forward to working with you, Chairman Meehan and Ranking Member Clarke, as well as Chairman McCaul, to ensure that this legislative necessity becomes a reality. But while the threats we face are severe, it is important that we do not overstate them or call for a militarized response. Not all attacks require a military response. The vast majority of attacks are against individual citizens and the private sector. We need a measured civilian response that permits these threats to be addressed by DHS and the FBI working together to mitigate and respond to the attacks, investigate the perpetrators, and help prevent future attacks. Just last week, NSA Director Keith Alexander testified before Congress that cyber attacks on U.S. soil required a civilian-led response. The evolution or increase in threats is no justification for abandoning the traditional separation of foreign and domestic intelligence and law enforcement authorities. We cannot allow cyber attacks to provide a reason to jettison the precious and hard-won American values of privacy and civil liberties. I am convinced that any measure we put forth must embrace privacy and civil liberties as a bedrock principle. As we move forward with cybersecurity legislation, with those values firmly embedded, we must take the time to fully investigate and understand the scope of the threats we face. So, I am pleased that we are joined today by this panel of experts, who can speak to the diverse array of cyber threats to our critical infrastructure, and I look forward to their testimony. Mr. Meehan. 
Let me now identify the distinguished panel of witnesses before us here today on this topic--and no stranger, any of them, to this issue. Mr. Frank Cilluffo directs the Homeland Security Policy Institute at the George Washington University, where he works on a wide variety of homeland security issues, including counterterrorism, counter security, transportation security, and emergency management. Mr. Cilluffo joined G.W. in April 2003 after leaving the White House, where he was a special assistant to the President for homeland security. Mr. Richard Bejtlich is the chief information security officer for Mandiant, the security firm that recently released a widely-publicized report on the hacking activities of the Chinese government. Mr. Bejtlich has more than 13 years' experience of enterprise-level intrusion detection and incident response, working with the Federal Government, defense, and private industry. Mr. Ilan Berman is the vice president of the American Foreign Policy Council, where he specializes in regional security in the Middle East, Central Asia, and Russia. Throughout his career, Mr. Berman has consulted for numerous Government agencies, including the CIA and the Department of Defense. Mr. Berman has also authored several books, and serves as the editor of The Journal of International Security Affairs. Mr. Martin Libicki is a senior management scientist at RAND Corporation, where he focuses on the impacts of information technology on domestic and National security. His most recent research has focused on assisting the United States Air Force prepare for cyber war, exploiting cell phones in counterinsurgency, developing post-9/11 information technology strategy for the Department of Justice, and assessing the terrorist information awareness program for the Defense Advanced Research Project Agency. The witnesses' full written statements will appear in the record, so the Chairman now recognizes Mr. Cilluffo for 5 minutes to testify. STATEMENTS OF FRANK J. 
CILLUFFO, DIRECTOR, HOMELAND SECURITY POLICY INSTITUTE, CO-DIRECTOR, CYBER CENTER FOR NATIONAL AND ECONOMIC SECURITY, THE GEORGE WASHINGTON UNIVERSITY Mr. Cilluffo. Well, thank you, Mr. Chairman. Chairman Meehan, Ranking Member Clarke, distinguished Members of the committee; I would like to thank you for the opportunity to appear before you today. Mr. Chairman, I think you deserve the foresight for having been prescient in terms of identifying the Iranian cyber threat the last go-around. So hats off to you. Quite honestly, I think we need to have continued leadership on these issues as the threat continues to grow in terms of scale, scope, and the consequences are becoming more and more clear. Put simply, both our National security and our Nation's economic security are at risk, and the stakes are exceedingly high. When prepping for this hearing and thinking about how to convey a whole lot of information in a very short amount of time, I thought perhaps the best way to do so is to provide a frame for how to think about some of these issues. I did put in my prepared remarks a couple of charts that get to the point where we can start racking and stacking the threats, understanding the different intentions and capabilities of the actors, and to be able to put it into some sort of context. I also will be very brief, and I know my fellow witnesses here will touch on all the various specific threats. But I would like to applaud the Mandiant report. I think it provided a smoking keyboard. We have all known about the Chinese activity, but in this case it provided both empirical evidence and did so with strong data. We need more of that in the open community. Very quickly, a couple of contextual thoughts and assumptions before I jump into the charts. It is becoming more and more clear that the future of conflict will include a cyber component. This is military and other forms of conflict. 
Computer network operations, including exploits and attacks will be and are being integrated into military planning, doctrine, and operations. Nations that can best marshal and mobilize their cyber power and integrate it into their strategy in war fighting, I would argue, will ensure significant National security advantage in the future. These efforts not only enhance their ability to project power in terms of a battlefield context, but also to stymie the power of others, and that is important to keep in mind when we are looking at some of the threat actors we are discussing today. Moreover, not all hacks are the same, nor are all hackers the same. The threat spectrum is wide-ranging. It comes in various shapes, sizes, and forms, ranging from nation-states who are integrating computer network attack and exploit into their war fighting capability down to those kids that are still operating out of the basements of their parents' homes. So we do have that broad spectrum. I would underscore that nations themselves have different capabilities and different intentions. In the charts, what I tried to lay out in a very simple axis is a capability and intent axis, both in terms of what the steady-state threat matrix is to the United States and our homeland and also to what sorts of triggering events could cause an escalation. I spliced out what I call computer network exploit. Think of that as espionage, traditional espionage: Political, military secret-stealing, but also obviously economic espionage, which is the theft of intellectual property and economic secrets, as well as industrial espionage, where companies are stealing secrets to benefit--where countries are stealing to benefit individual companies. You have got to look at it in all those realms. Then you have got computer network attack, which is where they turn to computer network attack capabilities to be able to cause harm. 
So if you were to rack and stack the various countries we are talking about right now, obviously, China and Russia are what you would call APT threats, advanced persistent threats. They are at the very high end in terms of capability. When you look at the exploit side or the espionage side, they are blinking to the far right, both in terms of intentions and in terms of capabilities. When you look in terms of computer network attack, they are more on the left axis. In other words, they have some modicum of responsibility and recognize that we could retaliate and have some responsibilities to be able to at least harness some of that capability in a smart way. When you look at Iran, on the other hand, while the good news they are not at the same level of capability as Russia and China, the bad news is for what they lack in capability, they more than make up for in intent. What intent they don't have, they can turn to their proxies or they can simply buy or rent. Botnets are available for a small amount of money, and they can still cause harm. But the bar to entry, when we talk about cyber, is not very high. That said, those with more sophisticated capabilities, that they, in my eyes, are a much greater concern. North Korea, they are the wild card. North Korea, I think clearly has intent, and they are turning to computer network attack. Much like Iran, they are not curtailed in terms of some of their responsibilities in this space. So I put them on the very high end in terms of computer network attack and in terms of consequence and likelihood. As I know my time is running out, one thing to keep in mind that I think needs to be underscored, and this is with respect to Russia and China. If you can exploit, you can attack. In other words, if they have the intent to attack--we know what they are doing in terms of computer network exploitation. It is brazen. It is wholesale. It is significant. 
If their intent is to attack, the same techniques they are using to exploit can be flipped, literally. It is as simple as flipping a switch to attack. Here I think we have to take that very seriously, and there are a whole host of triggering events that could cause that escalation, which I am happy to get into during the Q & A. Bottom line, we are never going to firewall our way out of this problem. We need to improve our defenses, but we also need to invest in our offensive capabilities and get to a point where we can deter our enemies; dissuade, deter, and compel. I will leave it at that. Thank you, Mr. Chairman. [The prepared statement of Mr. Cilluffo follows:] Prepared Statement of Frank J. Cilluffo March 20, 2013 Chairman Meehan, Ranking Member Clarke, and distinguished Members of the subcommittee, thank you for this opportunity to testify before you today. The subcommittee has demonstrated real leadership in this issue area with hearings and other work undertaken long before the cyber domain and its challenges were front and center on the National agenda as is now the case. For example, your hearing last April on the Iranian cyber threat to the United States was quite prescient.\1\ That challenge, and the broader one under study today, remains crucial to explore, understand, and respond to, because of all that is at stake-- namely U.S. National and economic security. --------------------------------------------------------------------------- \1\ ``The Iranian Cyber Threat to the United States'', Testimony of Frank J. Cilluffo before the House Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies; and the House Subcommittee on Counterterrorism and Intelligence (April 26, 2012). http://www.gwumc.edu/hspi/policy/Iran%20Cyber%20Testimony%204.26.12%20Frank%20Cilluffo.pdf. 
--------------------------------------------------------------------------- My statement below is designed to help frame how the United States can and should assess and respond to cyber threats, especially those posed by nation-states. A great deal of excellent, deep-dive analysis is already being performed on specific threats, including the work of my fellow witnesses. For example, the recent Mandiant report tracing extensive hacking activity against the United States (and other countries and corporations) back to the doorstep of China's Army, the PLA, was a significant contribution to the discourse, in that it provided both forensic and empirical data, which are in short supply in the open-source literature, yet sorely needed.\2\ What is also needed, however, is a broader typology of the cyber threat, structured to help us rack and stack the challenges that we face, and prioritize our efforts to meet them. I will propose such a typology today to assess the relative severity of cyber threats, and also suggest how the United States might re-focus its cyber efforts accordingly. --------------------------------------------------------------------------- \2\ Mandiant Report, ``APT-1: Exposing one of China's Cyber Espionage Units'' (February 2013). http://intelreport.mandiant.com/, and https://www.mandiant.com/blog/mandiant-exposes-apt1-chinas-cyber-espionage-units-releases-3000-indicators/. --------------------------------------------------------------------------- The cyber threat comes in various shapes, sizes, and forms. The bar to entry is low to launch a relatively rudimentary, but still potentially damaging, cyber attack. The threat spectrum ranges from nation-states plus their proxies, to foreign terrorist organizations, criminal syndicates and information brokers, to hacktivists, to ankle-biters operating out of their parents' home. Each of these categories, in turn, also breaks down into a number of sub-categories. 
Regarding nation-states, for example, they vary widely in their sophistication, capability, intent, motivation, and so on. Taking a top-line perspective, however, it is nation-states (and their proxies) that the United States should be most concerned about when it comes to threat. This finding is supported by a recent Homeland Security Policy Institute (HSPI) Flash Poll conducted right after the President issued an Executive Order, ``Improving Critical Infrastructure Cybersecurity'',\3\ this February. According to our poll, to which over 100 HSPI stakeholders responded: Nearly 70% of respondents indicated that nation-states posed the greatest threat to cybersecurity, by comparison to other categories of actors. The remainder of responses were split between foreign terrorist organizations, ``hacktivists'', organized crime, and ``other''.\4\ --------------------------------------------------------------------------- \3\ http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity. \4\ http://www.gwumc.edu/hspi/frontincludes/Cyber%20EO%20Flash%20Poll%20Press-%20Release%202-15-2013.pdf. --------------------------------------------------------------------------- For too long, though, we have assessed and appreciated the nation-state threat in overly general terms. The volume and nature of activity directed against us, and our allies, should serve as a wake-up call to raise our game. Now is the time to focus on the high-end threat, and to rack and stack our priorities. We simply cannot afford to do otherwise--not in the current economic climate, and not in light of the critical U.S. assets and infrastructure that are still vulnerable and at risk. Every day, new news of cyber intrusions, exploits, and attacks comes to light. The Nation's most sensitive sectors, from defense to energy to finance, are often the targets. 
Our adversaries have engaged in brazen activity, from computer network exploitation (CNE) to computer network attack (CNA). Foreign militaries are, increasingly, integrating CNE and CNA capabilities into their warfighting and military planning and doctrine. These efforts may allow our adversaries to enhance their own weapon systems and platforms, as well as stymie those of others. CNE may also support intelligence preparation of the battlefield, to include the mapping of critical infrastructures that could be targeted in a more strategic campaign or attack plan. CNAs may occur simultaneously with other forms of attack (kinetic, insider threats, etc). Last month, against this background, the President issued an Executive Order intended to improve critical infrastructure cybersecurity.\5\ The goal is closer collaboration between Government and the private sector to protect critical networks. The Executive Order is a good start, but it is no substitute for legislation--which can introduce a range of incentives (such as tax provisions, liability protections, and procurement preferences which factor security requirements into Federal acquisitions) plus sticks to accompany those carrots, and thereby raise the bar higher when it comes to critical infrastructure standards and practices.\6\ --------------------------------------------------------------------------- \5\ http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity. \6\ Frank J. Cilluffo and Andrew Robinson, ``While Congress dithers, cyber threats grow greater'' Nextgov.com (July 24, 2012). http://www.nextgov.com/cybersecurity/2012/07/while-congress-dithers-cyber-threats-grow-greater/56968/. 
--------------------------------------------------------------------------- To refine and reinforce its stance in relation to the threat, the United States must focus upon actors and their particular behaviors, rather than upon technology per se, or upon means and modalities of attack. Doing so means digging deeper into specifics, and factoring those case-by-case (actor- and country-specific) details about our adversaries into a tailored U.S. response that is also designed to dissuade, deter, and compel our adversaries accordingly. Our response must be calibrated to address and thwart (among other things) the adversary's motivation--be it to steal money, intellectual property, or military secrets, etc. U.S. response must also be calibrated to address and thwart the adversary's intent--be it commercial gain, military advantage, criminal activity, etc. To complicate matters, both motivation and intent are multidimensional, and thus may consist of some combination of these factors. Motivation and intent may also change over time, and the various factors that comprise each may shift at a given moment. Nation-states and their proxies may also differ in their motivation and intent. Parsing our understanding of U.S. adversaries down to (and beyond) this level of granularity will yield insights upon which more effective strategies and tactics may be built and implemented. At first glance, such a task may seem overwhelming, given the number and complexity of the potential variables. The good news is that a robust but general posture should help us deal with the signal-to-noise ratio and suffice to handle 80% of the nefarious activity that comes our way. The other 20% is where we need to keep a closer eye on the ball. I turn now to those harder cases, to offer a snapshot of who they are, what they have done, why they have done it, and what they might do in future. 
Naming and shaming is an approach that has been invoked with varying degrees of success across a range of contexts. Until recently, however, only a few of the boldest of U.S. officials (current and former) had walked out on that limb in the context under examination today. Lately, however, the number of U.S. Government and private-sector voices has become more of a chorus. The President's National Security Advisor Thomas Donilon publicly cited and elaborated upon U.S. cybersecurity concerns in connection with China, in a speech earlier this month.\7\ Before that, and among other developments, the New York Times published an account of intrusions against its own networks \8\ by Chinese hackers--which in turn seems to have prompted a cascade of similar revelations, including in relation to the Washington Post and the Wall Street Journal. In this context, as in others, there is power in numbers. --------------------------------------------------------------------------- \7\ ``The United States and the Asia-Pacific in 2013'', before The Asia Society (March 11, 2013). http://www.whitehouse.gov/the-press-office/2013/03/11/remarks-tom-donilon-national-security-advisory-president-united-states-a. \8\ Nicole Perlroth, ``Hackers in China Attacked the Times for Last 4 Months'', New York Times (January 30, 2013). http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html?pagewanted=all&_r=0. --------------------------------------------------------------------------- Capabilities do matter, of course. Our most challenging adversaries in the cyber domain are commonly known as Advanced Persistent Threats (APT). China and Russia indisputably fall in this category although the two can and should be characterized and understood somewhat differently (see below). 
Iran is another difficult case, though a bit different in kind, as it makes up in intent what it may lack in capability--though its capabilities are noteworthy, especially when proxies are factored in. To the list of truly concerning nation-state actors one could and should also add North Korea. A worst-case scenario would combine kinetic and cyber attacks, and the cyber component would serve as a force multiplier to increase the lethality or impact of the physical attack(s). Though I will focus exclusively on China, Russia, and Iran in the limited space that remains, North Korea is a troubling case as well as an unusual one. Ordinarily, it is organized crime that seeks to penetrate the state. In this case, however, it is the other way around, with the state trying to penetrate organized crime in order to ensure the survival of the regime/dynasty. Like Iran, the DPRK is more likely to turn to CNA to achieve its objectives. In this regard, Iran and North Korea stand in contrast to China and Russia which operate under greater constraints. Precisely because North Korea has fewer constraints, I would underscore that it poses an important ``wild card'' threat, not only to the United States but also to the region and broader international stability. Since a picture is often worth a thousand words, I have tried to encapsulate findings and cross-country comparisons in the two charts that follow. The graphics are a rough attempt to rank each of the countries at issue according to capability and intent, as well as in terms of the CNE and CNA threat that they each pose, including in relative terms to one another. For the purposes of the matrices below, CNE is defined as traditional, economic, and industrial espionage, as well as intelligence preparation of the battlefield (IPB). However, IPB is also included in the definition of CNA used here, as it may well be a precursor, such as surveillance and reconnaissance of targets to be attacked. 
Bear in mind that if one can exploit, one can also attack if the intent exists to do so. Note also that, for present purposes, CNA is defined as activities that alter (disrupt, destroy, etc.) the targeted data/information. The second chart reflects the shifts in position that may occur if triggering or unforeseen events lead to potential escalation:
Unless and until we wrap our heads around the challenge posed by each of these cases, and do so in a way that appreciates both the similarities and differences between and among them, our National and economic security (including our critical infrastructure) will remain at risk. Not all actors, nor capabilities, nor intentions, are the same. Tradecraft and its application may also differ widely. So too motivations, which may include blackmail, coercion, fraud, and theft. Heightening our understandings of each of these elements as they apply to key actors is all the more important, as countries continue to integrate CNA/CNE into war-fighting and military planning, and interweave the cyber domain into the activities of their foreign intelligence services, to include intelligence derived from human sources (HUMINT). China China possesses sophisticated cyber capabilities and has demonstrated a striking level of perseverance, evidenced by the sheer number of attacks and acts of espionage that the country commits. Reports of the Office of the U.S. National Counterintelligence Executive have called out China and its cyber espionage, characterizing these activities as rising to the level of strategic threat to the U.S. National interest.\9\ The U.S.-China Economic and Security Review Commission notes further: ``Computer network operations have become fundamental to the PLA's strategic campaign goals for seizing information dominance early in a military operation''.\10\ China's aggressive collection efforts appear to be intended to amass data and secrets (military, commercial/proprietary, etc.) that will support and further the country's economic growth, scientific and technological capacities, military power, etc.--all with an eye to securing strategic advantage in relation to (perceived or actual) competitor countries and adversaries. --------------------------------------------------------------------------- \9\ ``Foreign Spies Stealing U.S. 
Economic Secrets in Cyberspace'', Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011 (October 2011). http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf [referred to hereafter as NCIX Report]. See also Frank J. Cilluffo, ``Chinese Telecom Firms Pose a Threat to U.S. National Security'', U.S. News & World Report (November 19, 2012). http://www.usnews.com/opinion/articles/2012/11/19/chinese-telecom-firms-pose-a-threat-to-us-national-security. \10\ Patton Adams, George Bakos, and Bryan Krekel, ``Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage,'' Report prepared for the U.S.-China Economic and Security Review Commission by Northrop Grumman Corp. (March 3, 2012). http://www.uscc.gov/RFP/2012/USCC%20Report_Chinese_Capabilities-forComputer_NetworkOperationsandCyberEspionage.pdf. --------------------------------------------------------------------------- China denies the various charges leveled against it, and has raised its own hacking allegations, in which the country claims to have been victimized. The latter claim is difficult to accept completely, especially since China appears to take its own cybersecurity efforts seriously. According to Microsoft's security blog, ``China had the lowest malware infection rate . . . of any of the 105 locations included in volume 13 of the [Microsoft] Security Intelligence Report'', which refers back to 2012.\11\ Perhaps China is as focused on self-inoculation as it is on hacking others? And perhaps this posture derives from an attempt to protect against precisely the points of vulnerabilities that China saw in others? 
Consider also the Mandiant report referenced earlier, which identifies Chinese PLA Unit 61398 as the most likely culprit behind the theft of ``hundreds of terabytes of data from at least 141 organizations across a diverse set of industries, beginning as early as 2006.'' --------------------------------------------------------------------------- \11\ Tim Rains, ``The Threat Landscape in China: A Paradox'' (March 11, 2013). http://blogs.technet.com/b/security/ --------------------------------------------------------------------------- As a domain, cyber space is made for plausible deniability. Attribution remains a challenge, because smoking keyboards can be hard to find; and in the case of China, the PLA may also outsource certain activities and operations to skilled hackers, to distance the PLA from any smoking keyboards.\12\ The attribution challenge is just one reason the Mandiant report is significant. Separate and apart from attempts to mask involvement in activity targeting the United States, there may also be powerful reasons for China to restrict itself from acting against the United States in certain ways, at least at a particular moment in time. Director of National Intelligence James Clapper testified last week that China and Russia are ``advanced'' cyber actors, but that he did not foresee ``devastating'' cyber attacks by these two actors against the United States in the near future \13\-- ``outside of a military conflict or crisis that they believe threatens their vital interests.''\14\ The vital interests caveat is important, since it is fairly easy to identify potential triggers in this category, such as Taiwan. --------------------------------------------------------------------------- \12\ Perlroth, http://www.nytimes.com/2013/01/31/technology/ chinese-hackers-infiltrate-new-york-times- computers.html?pagewanted=all&_r=0. \13\ Mark Mazetti and David E. Sanger, ``Security Leader Says U.S. 
Would Retaliate Against Cyberattacks'', New York Times (March 12, 2013). http://www.nytimes.com/2013/03/13/us/intelligence-official- warns-congress-that-cyberattacks-pose-threat-to-us.html?src=twr&_r=0. \14\ Tom Gjelten, ``Is All The Talk About Cyberwarfare Just Hype?'' NPR.org (March 13, 2013). http://www.npr.org/2013/03/15/174352914/is- all-the-talk-about-cyberwarfare-just-hype. --------------------------------------------------------------------------- The administration's public pronouncements on China have taken on a tougher tone this month, which represents a good step forward--but this is only a first step down a path that, for far too long, we have been traveling too slowly and too weakly. National Security Advisor Thomas Donilon emphasized ``the urgency and scope of this problem''--meaning ``sophisticated, targeted theft of confidential business information and proprietary technologies through cyber intrusions emanating from China on an unprecedented scale''. Donilon then called on China ``to investigate and put a stop to these activities'' as well as ``engage with us in a constructive direct dialogue to establish acceptable norms of behavior in cyberspace''.\15\ Days later, President Obama himself raised U.S. cyber concerns (of volume, scale, and scope) in a phone call with China's President, Xi Jinping.\16\ Sustained U.S. leadership and engagement, at the highest levels, will be required, moving forward. --------------------------------------------------------------------------- \15\ Donilon, supra. \16\ Steve Holland, ``Obama, China's Xi discuss cybersecurity dispute in phone call'', Reuters (March 14, 2013). http:// www.reuters.com/article/2013/03/14/us-usa-china-obama-call- idUSBRE92D11G20130314. 
---------------------------------------------------------------------------

Since the line between CNE and CNA is thin, with the distinction between the two turning largely on intent, it is crucial that there be consequences for the actor that engages in sophisticated and persistent CNE. The principle applies regardless of the perpetrator. Indeed, one could argue that the only difference between China and Russia in this regard is that China got caught. It is a numbers game, after all. And China may not even be that concerned about getting caught, since the country may have taken a conscious decision to throw as much as possible at us, in terms of human resources dedicated to CNE--in the hope that some, even if not all, of their efforts would yield fruit. Unless and until there are consequences for such behavior, China (and others) have no real reason to care if they are caught in the act of CNE. To date, there have been no significant consequences for China's massive intrusions into critical U.S. networks. By failing to call attention to their CNE campaign (much less retaliating in any way at all) earlier on, we have encouraged it. Last month's White House report announcing a new strategy to mitigate the theft of U.S. trade secrets is at least a step in the right direction.\17\

---------------------------------------------------------------------------
\17\ Executive Office of the President of the United States, ``Administration Strategy on Mitigating the Theft of U.S. Trade Secrets'' (February 2013) http://www.whitehouse.gov/sites/default/files/omb/IPEC/admin_strategy_on_mitigating_the_theft_of_u.s._trade_secrets.pdf.
---------------------------------------------------------------------------

Russia

Russia's cyber capabilities are, arguably, even more sophisticated than those of China. The Office of the U.S. National Counterintelligence Executive (NCIX) observes: ``Moscow's highly capable intelligence services are using HUMINT [human intelligence], cyber, and other operations to collect economic information and technology to support Russia's economic development and security.''\18\ Russia's extensive attacks on U.S. research and development have resulted in Russia being deemed (along with China), ``a national long-term strategic threat to the United States,'' by the NCIX.

---------------------------------------------------------------------------
\18\ NCIX Report, supra, at p. 5. http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf.
---------------------------------------------------------------------------

In 2009, the Wall Street Journal reported that cyber-spies from Russia and China had penetrated the U.S. electrical grid, leaving behind software programs. The intruders did not cause damage to U.S. infrastructure, but sought to navigate the systems and their controls. Was this reconnaissance or an act of aggression? What purpose could the mapping of critical U.S. infrastructure serve, other than intelligence preparation of the battlefield? Ambassador David Smith notes: ``Russia has integrated cyber operations into its military doctrine; though not fully successful . . . Russia's 2008 combined cyber and kinetic attack on Georgia was the first practical test of this doctrine . . . [and] we must assume that the Russian military has studied the lessons learned''.\19\ Russia was also behind the 2007 distributed denial-of-service (DDoS) attacks on Estonia (its government, banks, etc.) although Russia denies official involvement. Relying upon ``patriotic hackers'' guided by government handlers plus a little help from the Russian intelligence service, however, does not alter the reality that activity undertaken by those hackers is state-sponsored and directly implicates Russia.

---------------------------------------------------------------------------
\19\ ``How Russia Harnesses Cyberwarfare'', American Foreign Policy Council Defense Dossier (August 2012) http://www.afpc.org/files/august2012.pdf.
---------------------------------------------------------------------------

Hackers and criminals based in Russia have also made their mark. Cyber space has proven to be a gold mine for criminals, who have moved ever more deeply into the domain as opportunities to profit there continue to multiply. Russia's slice of the 2011 global cyber crime market has been pegged at $2.3 billion, and there are indications that the forces of Russian organized crime have begun to join up ``by sharing data and tools'' to increase their take.\20\ Just last week, moreover, hackers based in Russia posted what seemed to be personal financial information about the Vice President, the Director of the FBI, and a number of other current and former senior U.S. officials.\21\ Russia's history has demonstrated a toxic blend of crime, business, and politics--and there are few, if any, signs that things are changing today. Indeed, as the former ranking member of the KGB in London said recently, Moscow has as many spies in the United Kingdom now as it did in the Cold War.\22\ Similarly, former CIA officer Hank Crumpton has said: ``I would hazard to guess there are more foreign intelligence officers inside the U.S. working against U.S. interests now than even at the height of the Cold War.''\23\

---------------------------------------------------------------------------
\20\ Group IB, State and Trends of the Russian Digital Crime Market 2011, p. 6, http://group-ib.com/images/media/Group-IB_Report_2011_ENG.pdf; see also http://group-ib.com/images/media/Group-IB_Cybercrime_Inforgraph_ENG.jpg (graphics).
\21\ Ken Dilanian and Jessica Guynn, ``Obama meets with CEOs to push cyber-security legislation'', L.A. Times (March 13, 2013) http://www.latimes.com/business/la-fi-obama-hacking-20130314,0,2583428.story.
\22\ Luke Harding, ``Gordievsky: Russia has as many spies in Britain now as the USSR ever did'', The Guardian (March 11, 2013). http://www.guardian.co.uk/world/2013/mar/11/russian-spies-britain-oleg-gordievsky.
\23\ ``More spies in U.S. than ever, says ex-CIA officer.'' 60 Minutes (May 10, 2012). http://www.cbsnews.com/8301-18560_162-57431837/more-spies-in-u.s-than-ever-says-ex-cia-officer/.
---------------------------------------------------------------------------

Iran

In April 2012, as mentioned earlier, I testified before a joint hearing of this subcommittee and the Subcommittee on Counterterrorism and Intelligence, on the subject ``The Iranian Cyber Threat to the United States.''\24\ What follows is an attempt to distill the essence of that 9-page statement into just a few paragraphs here.\25\

---------------------------------------------------------------------------
\24\ http://www.gwumc.edu/hspi/policy/Iran%20Cyber%20Testimony%204.26.12%20Frank%20-Cilluffo.pdf.
\25\ For an in-depth treatment of Iran, see Gabi Siboni and Sami Kronenfeld, ``Iran and Cyberspace Warfare'' in Military and Strategic Affairs, Vol. 4, No. 3 (Dec. 2012) at 77-99. http://www.gwumc.edu/hspi/policy/INSS.pdf.
---------------------------------------------------------------------------

Iran is investing heavily to deepen and expand its cyber warfare capacity.\26\ A range of proxies for indigenous cyber capability also exist. There is an arms bazaar of cyber weapons, and our adversaries need only intent and cash to access it. Capabilities, malware, weapons, etc.--all can be bought or rented. Iran has also long relied on proxies such as Hezbollah--which now has a companion organization called Cyber Hezbollah--to strike at perceived adversaries. Elements of Iran's Revolutionary Guard Corps (IRGC) have also openly sought to pull hackers into the fold.
There is evidence that at the heart of IRGC cyber efforts one will find the Iranian political/criminal hacker group Ashiyane;\27\ and the Basij, who are paid to do cyber work on behalf of the regime, provide much of the manpower for Iran's cyber operations.\28\

---------------------------------------------------------------------------
\26\ Yaakov Katz, ``Iran Embarks on $1b. Cyber-Warfare Program,'' Jerusalem Post (December 18, 2011) http://www.jpost.com/Defense/Article.aspx?id=249864.
\27\ Iftach Ian Amit, ``Cyber [Crime/War],'' paper presented at DEFCON 18 conference (July 31, 2010).
\28\ ``The Role of the Basij in Iranian Cyber Operations'', Internet Haganah (March 24, 2011) http://internet-haganah.com/harchives/007223.html.
---------------------------------------------------------------------------

In January 2013, the Wall Street Journal reported on ``an intensifying Iranian campaign of cyber attacks [thought to have begun months earlier] against American financial institutions'' including Bank of America, PNC Financial Services Group, Sun Trust Banks Inc., and BB&T Corp.\29\ In the latest chapter in this story, six leading U.S. banks--including J.P. Morgan Chase--were targeted just last week, in ``the most disruptive'' wave of this campaign, characterized by DDoS attacks.\30\ The Izz ad-Din al-Qassam Cyber Fighters claim responsibility for all of these incidents.

---------------------------------------------------------------------------
\29\ Siobhan Gorman and Danny Yadron, ``Banks Seek U.S. Help on Iran Cyberattacks'', Wall Street Journal (January 15, 2013) http://online.wsj.com/article/SB10001424127887324734904578244302923178548.html.
\30\ Tracy Kitten, ``DDoS: 6 Banks Hit on Same Day'' (March 14, 2013) http://www.bankinfosecurity.com/ddos-6-banks-hit-on-same-day-a-5607.
---------------------------------------------------------------------------

There has also been considerable speculation about government of Iran involvement in a number of hacking incidents including against Voice of America, and Dutch firm DigiNotar which issues security certificates. Fallout from the latter case was significant, and affected a range of entities including Western intelligence and security services, Yahoo, Facebook, Twitter, and Microsoft.\31\ The DigiNotar case, moreover, reflected a new and concerning level of sophistication on the part of Iran and its capabilities. Iran and Hezbollah are also suspected in connection with the August 2012 cyber attacks on the state-owned oil company Saudi Aramco and on Qatari producer RasGas, which resulted in the compromise of approximately 30,000 computers.\32\

---------------------------------------------------------------------------
\31\ Kevin Kwang, ``Spy agencies hit by CA hack; Iran suspected,'' ZDNet Asia (September 5, 2011) http://www.zdnetasia.com/spy-agencies-hit-by-ca-hack-iran-suspected-62301930.htm. See also Bill Gertz, ``Iranians hack into VOA website,'' The Washington Times (February 21, 2011).
\32\ Adam Schreck, ``Virus origin in Gulf computer attacks questioned'', Associated Press. http://www.nbcnews.com/technology/technolog/virus-origin-gulf-computer-attacks-questioned-978717. See also Siboni and Kronenfeld, supra, at pp. 90-91.
---------------------------------------------------------------------------

On the kinetic side, from Bulgaria to Bangkok, we have seen an uptick in attacks and assassinations (attempted and actual) targeting Israeli, Jewish, U.S., and Western interests. Iranian agents and proxies (Hezbollah) have been implicated, although Iran has tried to distance itself from these incidents and denied responsibility. Also recall the recently thwarted Iranian plot to assassinate Saudi Arabia's Ambassador to the United States on U.S. soil. Based on recent activity, the Los Angeles Police Department has elevated the government of Iran and its proxies to a Tier One threat.

conclusion

Looking ahead, with the described threat spectrum in mind, the United States must strike a careful and powerful balance between offense and defense, to include a well-developed and well-articulated cyber deterrence strategy.\33\ Historically, that balance has tilted heavily toward defense.\34\ More recently, however, we have seen and heard evidence that the pendulum has shifted significantly. These indicators include General Alexander's testimony before the Senate Armed Services Committee last week (in his capacity as head of U.S. Cyber Command and director of the National Security Agency), in which he referenced and detailed a series of cyber teams attached to Cyber Command--and underscored the role of these teams in contributing to and supporting offensive capabilities.\35\ As for U.S. cyber deterrence strategy, it must reflect the best ways and means of raising the (actual and perceived) costs and risks of action, to our adversaries, so as to prevent them from taking steps that would harm U.S. interests.

---------------------------------------------------------------------------
\33\ Frank J. Cilluffo, Sharon L. Cardash, and George C. Salmoiraghi, ``A Blueprint for Cyber Deterrence: Building Stability through Strength'', in Military and Strategic Affairs, Vol. 4, No. 3 (Dec. 2012) at 3-23. http://www.gwumc.edu/hspi/policy/INSS.pdf
\34\ Frank Cilluffo and Sharon Cardash, ``Defense Cyber Strategy Avoids Tackling the Most Critical Issues'' in Nextgov.com (July 28, 2011) http://www.nextgov.com/cybersecurity/2011/07/commentary-defense-cyber-strategy-avoids-tackling-the-most-critical-issues/49494/.
\35\ Ellen Nakashima, ``Pentagon creating teams to launch cyberattacks as threat grows'', Washington Post (March 12, 2013). http://www.washingtonpost.com/world/national-security/pentagon-creating-teams-to-launch-cyberattacks-as-threat-grows/2013/03/12/35aa94da-8b3c-11e2-9838-d62f083ba93f_print.html.
---------------------------------------------------------------------------

An ``active defense'' capability, meaning the ability to immediately attribute and counter attacks, is needed to address future threats in real-time. U.S. companies cannot be expected to go it alone, unassisted, against foreign intelligence services. If a thief robs a bank, the police will not stand idly by as the robber races away with his take. Similarly, the public and private sectors must partner together to prevent major heists on-line--and when private defenses are breached, the U.S. Government must work closely with companies to ensure that there are consequences for the perpetrator(s). Active defense is a complex undertaking however, as it requires meeting the adversary closer to their territory, which in turn demands the merger of our foreign intelligence capabilities with U.S. defensive and offensive cyber capabilities (and potentially may require updating relevant authorities).\36\ At the end of the day, however, perhaps the best deterrent--irrespective of the threat/actor--is the ability to recover, reconstitute, and bounce back quickly.

---------------------------------------------------------------------------
\36\ Testimony of Frank J. Cilluffo before the Senate Committee on Homeland Security & Governmental Affairs, ``The Future of Homeland Security: Evolving and Emerging Threats'' (July 11, 2012). http://www.gwumc.edu/hspi/policy/Testimony%20-%20SHSGAC%20Hearing%20-%2011%20July%202012.pdf. See also: Testimony of Frank J. Cilluffo before the House of Representatives' Homeland Security Committee, ``The Department of Homeland Security: An Assessment of the Department and a Roadmap for its Future'' (September 2012).
---------------------------------------------------------------------------

In conclusion, the threat is clear, but it is not monolithic. It will also continue to evolve over time. We may see nation-states intertwine increasingly with proxy actors, to include skilled hackers for hire.\37\ Now is the time to examine and deconstruct the high-end threat in its many permutations and combinations, so as to devise nuanced and effective counterstrategies and tactics. Thank you again, to the subcommittee and its staff, for the opportunity to testify today. I would be pleased to try to answer any questions that you may have.

---------------------------------------------------------------------------
\37\ Frank J. Cilluffo and Joseph R. Clark, ``Thinking About Strategic Hybrid Threats: In Theory and in Practice'', PRISM 4, no. 1 (December 2012) http://www.ndu.edu/press/strategic-hybrid-threats.html.
---------------------------------------------------------------------------

Mr. Meehan. Mr. Cilluffo, thank you for that very, very sobering assessment. It is my judgment that we would be better positioned at this point in time to move over as quickly as we can, vote, and then I will ask the members of the panel to, as quickly as possible after the last vote, to return here so we can continue. Mr. Bejtlich, I would rather you have the comfort of not feeling rushed. Your testimony, the great work that you did with Mandiant, your organization, and your testimony, I think, are too important for us to rush through. So I thank the panel for your recognition. We look forward to joining you again shortly after votes. So the committee stands in recess until such time is called back to order. Thank you.

[Recess.]

Mr. Meehan. The Committee on Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies will now come back into order after our break to conduct our votes. When we were last together we enjoyed the opportunity to hear Mr. Cilluffo's testimony and we are going to continue now at this point in time to continue to listen to the testimony of our distinguished panel and I am grateful to the panel for your forbearance in working with us during those votes. So at this time, the Chairman recognizes Mr. Bejtlich for--oh I am sorry--yes, Mr. Bejtlich for your testimony. Thank you.

STATEMENT OF RICHARD BEJTLICH, CHIEF SECURITY OFFICER AND SECURITY SERVICES ARCHITECT, MANDIANT

Mr. Bejtlich. Thank you Mr. Chairman. Thank you Ranking Member Clarke and distinguished members of the panel. My name is Richard Bejtlich and I am the chief security officer of Mandiant. As chief security officer, part of my role at the company is to protect Mandiant and our customers from digital threats. Last month, Mandiant gave the world a glimpse of one of these threats. It was a Chinese military unit we identified internally as APT or Advanced Persistence Threat One. We identified that unit as being 61398, which is a term the Chinese military uses itself to assign to this unit. This unit, we found to be operating approximately 141 companies in the United--primarily in the United States and then in some other locations as well. This is only one of the two dozen or so groups that we track. Many of those are Chinese but there are several that are Russian and we have a second category of groups that we have not formally attributed, some of which we believe may be from places such as Iran. We are starting to see them for the first time. As a result of our work, we are encountering these intruders on a daily basis and as we sit here Mandiant is responding to intrusions at dozens of companies, and our software and our services are helping dozens or even hundreds more deal with advanced threats.

So you might be wondering why is it that these groups, whether they are from Russia or China or Iran, or other places, why is it that they are able to succeed in compromising targets? I would like to quickly summarize six reasons that we think that is the case.

The first reason is the attacks that were previously reserved for the Government have migrated to the private sector. In other words, what intruders used to use against highly-defended targets are now used against many targets, many of whom are just not positioned to defend themselves.

Second, these attacks are targeting people less than computers or at least conceptually, they are targeting the people. In other words, the intruders are figuring out ways to get you to execute code, visit links, take actions that will result in their computers being compromised. Many times without even the user knowing it.

Third, many of these attacks are coming from the inside and by that I mean it is common now to see attackers go after smaller companies or partner companies or other trusted entities as a way to get into the ultimate target which is another company. So the larger companies who can afford to defend themselves have become harder and harder topics, so now we are seeing the attacks migrate to the periphery and then they are working their way in.

The fourth reason that these attacks are successful is that there is an imbalance between offense and defense. A single attacker or a group of attackers can keep hundreds or even thousands of defenders busy, there is such an asymmetry there. As I have noted in the testimony to other committees we do have issues with science, technology, education, and math such that we can have trouble producing the types of engineers, developers, defenders, to protect ourselves.

The fifth reason that many of these attacks are successful is that the countries that harbor these intruders are unwilling to hold them accountable. In many cases, these attacks are government sanctioned or directly government targeted and sponsored and this was definitely the case as we saw of the Chinese military unit I mentioned.

The final reason of these six is that one of the most valuable resources we have in defending ourselves, threat intelligence is unevenly distributed in the Western world honestly. Not enough defenders have it. The Government has a lot of the information that is required but there are challenges regarding protection of sources and methods, classification, so forth to getting that information at the hands of defenders. Even when that information is available, it is not in a format that you can just put into a tool, put into your processes. There is a lot of reading an e-mail, retyping, and so forth. So at Mandiant, we try to emphasize machine languages that can exchange information with each other. We have an open standard called OpenIOC that we recommend people take a look at. You put that together and you will have a little better results.

So what to do about it? We do recommend that the Government encourage threat intelligence sharing. We like to stress the threat intelligence does not mean information about individual Americans. It is not personally identifiable information. If you take a look at the report we released, it does not include anyone's name or phone number or credit card or that sort of thing.

Second, we encourage the notification by entities like the Federal Bureau of Investigation to tell companies that they have been compromised. This is a program that has been happening now for several years and it is very effective.

Then finally, we believe that it is important for the Government to hold the most egregious offenders of cyber espionage and other attacks accountable. If it were simply possible to turn down the level of activity slightly to internationally recognized norms or at least historical norms, the private sector in particular would have an easier time defending itself.

Thank you again for the opportunity. I look forward to answering your questions.

[The prepared statement of Mr. Bejtlich follows:]

Prepared Statement of Richard Bejtlich

March 20, 2013

Thank you, Chairman Meehan, Ranking Member Clarke, and Members of the subcommittee, for inviting me to discuss threats to our Nation's computer networks. My name is Richard Bejtlich and I am the chief security officer (CSO) at Mandiant. As CSO, part of my role is to understand the threats affecting Mandiant and our customers. I developed these skills as a military intelligence officer with the Air Force Computer Emergency Response Team and as director of the Computer Incident Response Team for General Electric, where I helped defend over 300,000 employees and more than half a million computers.

Mandiant protects the assets of the world's most respected organizations from digital intruders. In addition to responding to high-profile computer security incidents, such as the New York Times, we equip security organizations with the tools, intelligence, and expertise required to find and stop attackers who would otherwise roam freely on their networks. We serve more than 30% of the Fortune 100.

As I sit here Mandiant is responding to dozens of computer security incidents while our products protect hundreds more organizations from targeted attackers. We have investigated millions of systems, and we receive calls almost every single day from companies that have suffered a cybersecurity breach. These intrusions affect many industries, including law firms, financial services, manufacturers, retailers, the defense industrial base, telecommunications, space and satellite and imagery, cryptography and communications, government, mining, software, and many others.

It is reasonable to assume that, if an advanced attacker targets a particular company, a breach is inevitable. That surprises many people, but it is the result of the gap between our ability to defend ourselves and our adversaries' ability to circumvent those defenses.
There are at least six reasons why attackers continue to successfully exploit this gap in security: First, the sophisticated, cutting-edge attacks that were previously reserved solely for Government targets have spread to the private sector. Many American corporations, even if they are compliant with appropriate cybersecurity regulations and best practices, are not prepared for these advanced threats. Second, the attackers are targeting people, not computers. While previous generations of attacks targeted technology and exploited vulnerabilities in software, attackers now target human weaknesses. These attacks focus on individuals and leverage personal information the victim made public via social media. These personalized attacks can be difficult to detect and prevent because they exploit human vulnerabilities and trust. Third, more attacks are coming from the ``inside.'' It is common to see attackers compromise smaller companies with fewer security resources, and then ``upgrade'' their access from the trusted, smaller companies to the main target. This problem also occurs when large businesses ``acquire'' infected networks through a corporate merger or acquisition of a smaller company. The fourth reason a security gap exists involves an imbalance between offense and defense. A single attacker can generate work for hundreds, if not thousands of defenders. A lone attacker need only breach his target's defenses once to accomplish his goals, but the victim must try to prevent 100% of the attacks. This imbalance is compounded by the critical shortage of skilled security professionals here in the United States. Fifth, many advanced attackers reside in nations that not only refuse to hold attackers accountable for their actions, but also provide resources and direction to the attackers. So long as state- sponsored criminals can infiltrate American networks and steal American intellectual property without risks or repercussions, these attacks will continue unabated. 
Mandiant documented one example of this threat in our APT1 report, released on February 19, 2013. We identified the Chinese cyber espionage unit we call Advanced Persistent Threat 1. We assess APT1 to be Unit 61398, a military hacking unit inside the People's Liberation Army. Unit 61398 is one of approximately 20 groups targeting intellectual property from companies around the world that we assess as operating out of China. Unit 61398 is a single operation that has conducted a cyber espionage campaign against a broad range of victims since at least 2006. From our observations, it is one of the most prolific cyber espionage groups in terms of sheer quantity of information stolen. While it seems clear that Unit 61398 is headquartered in Shanghai, it should be stated that Mandiant tracks dozens of APT groups and not all of them originate in China. Finally, one of the most valuable resources in detecting and responding to cyber attacks--accurate and timely threat intelligence-- is often unavailable to many defenders. Even if defenders have threat intelligence, the means to share it are cumbersome and manual. The United States needs an effective framework for sharing information among commercial entities, and between corporate America and the Government. Because of these six factors, corporate America continues to be routinely compromised. However, there are steps we can take to significantly narrow the security gap and increase the costs and effort required to steal our intellectual capital. First, the Government should promote policies that encourage sharing threat intelligence between the private sector and Government, and among private-sector entities. Threat intelligence does not contain personal information of American citizens and privacy can be maintained while learning about threats. Intelligence should be published in an automated, machine- consumable, standardized manner. 
Current systems rely on exchanging emails with documents that people must read and transcribe. Mandiant's free OpenIOC standard is one example of a way to codify and exchange threat intelligence.

Second, the Government should support and expand programs whereby law enforcement agencies notify private-sector victims of compromise. Mandiant's recent 2013 M-Trends report shows that only a third of advanced intrusion victims discover breaches on their own. Two-thirds of the time, an external entity, such as the FBI, tells the victim that a foreign entity has stolen their data. External notification is a powerful tool to counter cyber thieves.

Third, the Government should encourage governments hosting or sponsoring the most egregious cyber spies to reduce their activity to internationally acceptable norms. All governments spy to some degree, but they should not target and overwhelm private-sector companies, organizations, and individuals.

Countering digital threats is challenging, but adopting these three recommendations will help reduce the security gap. I look forward to your questions. Thank you, Mr. Chairman.

Mr. Meehan. Thank you, Mr. Bejtlich. Again, I want to express at least in my position as Chairman, the appreciation for what I believe is the courageous move by Mandiant. I know that there was a great deal of consideration given both with regard to whether you ought to make public what you know and as well as, you know, in effect, sources of methods and other kinds of things that--but at the same time, it created a firm record which I think helped to establish very importantly that activity and I think it was a great effort on behalf of our efforts to secure cyber space.

I now turn to the testimony for Mr. Ilan Berman. Mr. Berman, the floor is yours.

STATEMENT OF ILAN BERMAN, VICE PRESIDENT, AMERICAN FOREIGN POLICY COUNCIL

Mr. Berman. Thank you, Mr. Chairman.
Thank you and thank you, Ranking Member Clarke and the Members of the subcommittee, for the opportunity to appear before you again today. Let me also take the opportunity to thank you as my colleague did for your leadership on the issues specifically of Iran and cyber warfare. It is a topic that sadly has not yet percolated throughout the width and breadth of the U.S. Government, but this committee has really blazed a trail in terms of rising awareness of the issue. I think it is particularly relevant to the topic today because what you have seen over the last year has been an evolution, a significant evolution, of Iran's capabilities in the exploitation of cyber space, both as a tool of internal repression and as a goal of offensive capability with regard to the asymmetric conflict that is now taking place over the Iranian regime's nuclear program.

Let me turn first to the domestic dimensions of what Iran is doing. A little over 3\1/2\ years ago, the fraudulent re-election of Mahmoud Ahmadinejad to the Iranian presidency galvanized the largest organized and sustained protest to the Iranian regime that had occurred since the 1979 Islamic Revolution. That movement, which we have begun to colloquially refer to as ``The Green Movement,'' relied extensively on the internet and on social media such as Facebook and Twitter to organize and to get its message out to the outside world. As a result, the Iranian regime also relied heavily upon the medium of the World Wide Web to both curtail and then subsequently to repress The Green Movement and opposition elements that have emerged afterwards since that time period.

Today, you are seeing an escalation in terms of what Iran is doing domestically on several different fronts. This is, sort of, a little bit of a greatest hits, if you will.
But I think it bears noting that the Iranian regime is building an ambitious project that it calls a ``second internet'' in which ordinary Iranians who access the internet will be shunted to regime-approved sites. They have also referred to this as the ``Halal Internet.'' As of October of last year there were about 10,000 computers within the Islamic Republic that were connected to this integrated, they were both private user and public user; governmental user. The ultimate goal of the regime is to force all Iranians to eventually rely on this. Now, I understand there is a lot of skepticism on that score and it may not be possible to do that, but it bears noting that the Iranian regime has set this as a goal and is pursuing that objective.

Iran is also building new on-line and software capabilities to better track and control social media outlets like Facebook. It has created a domestic homegrown alternative to YouTube, known as Mehr. It is even beginning the physical persecution and assault on Iran's netizens, on those Iranian citizens that are active in cyber space.

All of this is, I think, driven by something that is approaching that the Iranian regime fears very much, which is the fact that the Iranian regime in a couple of months will face the first presidential election in which Mahmoud Ahmadinejad will not stand for the presidency; he is term-limited. As a result, this is an election that, no matter how stage-managed the regime will make it, will be a referendum of sorts on the stewardship of the clerical regime, particularly at a time when the western community of nations is bearing down increasingly effectively on Iran with its economic pressure. It also augurs the potential for a revival of this green wave of opposition elements. As a result, you are seeing Iran invest heavily in domestic repression in anticipation of potential unrest stemming from the elections.
The second, and I think more relevant, aspect of Iran's cyber warfare activities here is what Iran has been doing externally. Iran has evolved a very significant and a maturing offensive cyber warfare capability. Iranian officials now believe cyber war to be, ``More dangerous than a physical war,'' in the words of one Iranian Revolutionary Guard official. As a result they have invested heavily, particularly at a time when their economy is constrained by Western sanctions, in the development of both domestic and international capabilities.

Iran has what it calls a ``Cyber Army,'' which is made up of official, quasi-official, and non-official elements, including hacktivists and patriotic hackers that pursue objectives that are consonant with regime objectives. They are increasingly carrying out hacking attacks on U.S. financial institutions. In August 2012 they also carried out a hacking attack on Saudi Aramco. All of this is intended by way of demonstration. What the Iranians are trying to do through these activities is to demonstrate both that they have the capability to reach out and touch the United States and its allies in the event of a conflict, and also that they are willing to do so.

So what all this means is, I think, two major things. First, that Iran is a maturing cyber threat. Iran still does not possess the capabilities that are as robust as you see coming out of China, coming out of Russia, but this is not--and I repeat--not an insurmountable problem. Iran can acquire very quickly and surreptitiously extensive cyber warfare capabilities from the grey and black markets. It can also acquire them from a strategic partner, partners like China and North Korea, where Iran is already collaborating on other strategic spheres such as ballistic missile development and nuclear development.

The second big take-away is that Iran is a qualitatively different cyber actor than the other countries that we have mentioned here today.
China and Russia are both focused primarily on cyber theft and cyber espionage. Iran is not. Iran boasts today little by way of a cyber espionage capability. Rather, what Iran is building is a cyber capability that is retaliatory in nature, and it is built largely around Iranian perceptions of the unfolding conflict that is now on-going between itself and the West over its acquisition of a nuclear capability. This makes the situation with Iran's cyber warfare capabilities particularly vulnerable--volatile because while these other countries are pursuing a degree of diplomatic normalcy with the United States, Iran is not. Iran is actually anticipating in erecting its cyber infrastructure a catastrophic breakdown of diplomatic relations with the West in which cyber will play a role in conjunction with kinetic effects in war fighting against the West.

I will stop there. Thank you.

[The prepared statement of Mr. Berman follows:]

Prepared Statement of Ilan Berman

March 20, 2013

the iranian cyber threat, revisited

Chairman Meehan, distinguished Members of the subcommittee: Thank you for the invitation to appear before you again today. Let me begin by commending the House Homeland Security Committee for its continued leadership on the issue of Iran and cyber warfare. It is a topic that is of the utmost importance to the safety and security of the United States.

A year ago, I had the privilege of testifying before this committee regarding the Islamic Republic's cyber warfare capabilities, and the threat that they could potentially pose to the American homeland. Today, the questions that were posed at that time are more relevant than ever. The past year has seen the Iranian regime evolve significantly in its exploitation of cyber space as a tool of internal repression, with significant consequences for the country's overall political direction.
During the same period, Iran also has demonstrated a growing ability to hold Western targets at risk in cyber space, amplifying a new dimension in the asymmetric conflict that is now taking place over the Iranian regime's nuclear program.

iran versus the world wide web

A little over 3\1/2\ years ago, the fraudulent reelection of Mahmoud Ahmadinejad to the Iranian presidency galvanized the largest outpouring of opposition to the Iranian government since the 1979 Islamic Revolution. That protest wave, colloquially known as the Green Movement, made extensive use of the internet and social media in its anti-regime activities. Iranian authorities responded with a similar focus--one that has both persisted and expanded in the wake of their successful suppression of the Green Movement during the 2009/2010 time frame.

Most conspicuously, the Iranian government is moving ahead with the construction of a new national internet system. As of October 2012, some 10,000 computers--from both private users and government offices--were found to be connected to this ``halal'' or ``second'' internet, which is aimed at isolating the Iranian population from the World Wide Web.\1\ The eventual goal of the Iranian regime is to force all Iranian citizens to use this system. Iranian officials thus have announced plans to reduce internet speeds within the Islamic Republic, as well as increase costs of subscriptions to Internet Service Providers (ISPs) within the country.\2\
---------------------------------------------------------------------------
\1\ Sara Reardon, ``First Evidence for Iran's Parallel Halal Internet,'' New Scientist no. 2886, October 10, 2012, http://www.newscientist.com/article/mg21628865.700-first-evidence-for-irans-parallel-halal-internet.html.
\2\ Reporters Without Borders, ``The Enemies of Internet: Iran,'' March 12, 2013, http://surveillance.rsf.org/en/iran/.
---------------------------------------------------------------------------
Along the same lines, Iran in December 2012 launched Mehr, a home-grown alternative to YouTube that features government-approved video content designed specifically for domestic audiences.\3\ Iranian authorities also reportedly are working on new software suites designed to better control social-networking sites (a hub of activity during the 2009 protests and after).\4\
---------------------------------------------------------------------------
\3\ David Murphy, ``Iran Launches `Mehr,' Its Own YouTube-Like Video Hub,'' PCMag, December 9, 2012, http://www.pcmag.com/article2/0,2817,2413014,00.asp.
\4\ Golnaz Esfandiari, ``Iran Developing `Smart Control' Software for Social-Networking Sites,'' Radio Free Europe/Radio Liberty, January 5, 2013, http://www.rferl.org/content/iran-developing-smart-control-software-for-social-networking-sites/24816054.html.
---------------------------------------------------------------------------
The Iranian regime likewise has expanded control of domestic phone, mobile, and internet communications. In the months after the summer 2009 protests, Iranian authorities installed a sophisticated Chinese-origin surveillance system to track and monitor phone, mobile, and internet communications.\5\ They have since supplemented such tracking with methods intended to limit access to such media. Just this month, for example, Iranian authorities blocked most of the virtual private networks (VPNs) used by Iranians to circumvent the government's internet filters.\6\
---------------------------------------------------------------------------
\5\ Steve Stecklow, ``Special Report: Chinese Firm Helps Iran Spy on Citizens,'' Reuters, March 22, 2012, http://www.reuters.com/article/2012/03/22/us-iran-telecoms-idUSBRE82L0B820120322.
\6\ ``Iran Blocks Use of Tool to Get around Internet Filter,'' Reuters, March 10, 2013, http://www.reuters.com/article/2013/03/10/us-iran-internet-idUSBRE9290CV20130310.
---------------------------------------------------------------------------
The Iranian regime has stepped up its detention and intimidation of reporters and activists who utilize the world wide web as well. Its tool of choice to do so has been the Cyber Police, a dedicated division of the country's national police that was established in January 2011.\7\ Earlier this year, the European Union added the Cyber Police to its sanctions list for the unit's role in the November 2012 torture and death of blogger Sattar Beheshti while in police custody.\8\ In all, some 58 journalists and ``netizens'' are currently imprisoned by Iranian authorities, according to the journalism watchdog group Reporters Without Borders.\9\
---------------------------------------------------------------------------
\7\ University of Pennsylvania, Annenberg School of Communications, Iran Media Program, ``Internet Censorship in Iran,'' n.d., http://iranmediaresearch.org/sites/default/files/research/pdf/1363180689/1385/internet_censorship_in_iran.pdf.
\8\ ``EU Sanctions Iran Judges, Cyber Police for Rights Abuse,'' Agence France-Presse, March 12, 2013, http://www.france24.com/en/20130312-eu-sanctions-iran-judges-cyber-police-rights-abuse.
\9\ Reporters Without Borders, ``Intelligence Ministry Admits Arresting News Providers, Blames Foreign Media,'' February 20, 2013, http://en.rsf.org/iran-intelligence-ministry-admits-20-02-2013,44099.html.
---------------------------------------------------------------------------
The Iranian regime also has established a new government agency to monitor cyber space.
The Supreme Council on Cyberspace was formally inaugurated by Iranian Supreme Leader Ali Khamenei in April 2012, and serves as a coordinating body for the Islamic Republic's domestic and international cyber policies.\10\
---------------------------------------------------------------------------
\10\ University of Pennsylvania Iran Media Program, ``Internet Censorship in Iran.''
---------------------------------------------------------------------------
All of these activities have been propelled by a sense of urgency on the part of the Iranian leadership. This June, Iranians will go to the polls to elect a new president. That political contest, although sure to be stage-managed by clerical authorities, will nonetheless serve to some degree as a referendum on the Iranian regime's stewardship of the nation amid deepening Western sanctions. It could also see renewed activity by Iran's opposition forces, which have been politically sidelined in recent years. Iran consequently has made what the U.S. intelligence community terms ``cyber influence'' a major governmental focus, clamping down on internet activity ``that might contribute to political instability and regime change.''\11\
---------------------------------------------------------------------------
\11\ James R. Clapper, ``Worldwide Threat Assessment of the US Intelligence Community,'' Statement for the Record before the Senate Select Committee on Intelligence, March 12, 2013, 2, http://www.dni.gov/files/documents/Intelligence%20Reports/2013%20ATA%20SFR%20for%20SSCI%2012%20Mar%202013.pdf.
---------------------------------------------------------------------------

from defense to offense

Iran's offensive cyber capabilities likewise continue to evolve and mature. Over the past 3 years, repeated cyber attacks have targeted the Iranian nuclear program, with considerable effect.
In response, Iranian officials have focused on cyber space as a primary flashpoint in their regime's unfolding confrontation with the West. Officials in Tehran now believe cyber war to be ``more dangerous than a physical war,'' in the words of one top leader of Iran's Revolutionary Guard Corps (IRGC).\12\
---------------------------------------------------------------------------
\12\ ``Iran Sees Cyber Attacks as Greater Threat than Actual War,'' Reuters, September 25, 2012, http://www.reuters.com/article/2012/09/25/net-us-iran-military-idUSBRE88O0MY20120925.
---------------------------------------------------------------------------
As a result, the Iranian regime has made major investments in its offensive cyber capabilities. Since late 2011, the Iranian regime reportedly has invested more than $1 billion in the development of national cyber capabilities.\13\ As a result, Iranian officials now claim to possess the ``fourth largest'' cyber force in the world--a broad network of quasi-official elements, as well as regime-aligned ``hacktivists,'' who engage in cyber activities broadly consistent with the Islamic Republic's interests and views.\14\ The activities of this ``cyber army'' are believed to be overseen by the Intelligence Unit of the IRGC.\15\
---------------------------------------------------------------------------
\13\ Yaakov Katz, ``Iran Embarks on $1b. Cyber-Warfare Program,'' Jerusalem Post, December 18, 2011, http://www.jpost.com/Defense/Article.aspx?id=249864.
\14\ ``Iran Enjoys 4th Biggest Cyber Army in World,'' FARS (Tehran), February 2, 2013, http://abna.ir/data.asp?lang=3&Id=387239.
\15\ University of Pennsylvania Iran Media Program, ``Internet Censorship in Iran.''
---------------------------------------------------------------------------
Increasingly, the Iranian regime has put those capabilities to use against Western and Western-aligned targets.
Between September 2012 and January 2013, a group of hackers known as the Izz ad-Din al-Qassam Cyber Fighters carried out multiple distributed denial-of-service (DDoS) attacks against a number of U.S. financial institutions, including the Bank of America, JPMorgan Chase, and Citigroup. Due to the sophistication of the attacks, U.S. officials have linked them to the Iranian government.\16\
---------------------------------------------------------------------------
\16\ Nicole Perlroth and Quentin Hardy, ``Bank Hacking was the Work of Iranians, Officials Say,'' New York Times, January 8, 2013, http://www.nytimes.com/2013/01/09/technology/online-banking-attacks-were-work-of-iran-us-officials-say.html?pagewanted=1&_r=0.
---------------------------------------------------------------------------
A similar attack attributed to the Iranian regime took place in August 2012, when three-quarters of the computers of Saudi Arabia's Aramco state oil corporation were targeted by a virus called ``Shamoon.'' The malicious software triggered a program that replaced Aramco's corporate data with a picture of a burning American flag at a predetermined time.\17\
---------------------------------------------------------------------------
\17\ Nicole Perlroth, ``In Cyberattack on Saudi Firm, U.S. Sees Iran Firing back,'' New York Times, October 23, 2012, http://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html?pagewanted=all.
---------------------------------------------------------------------------
The Iranian regime has also begun to proliferate its cyber capabilities to its strategic partners. Iran reportedly has provided the regime of Syrian dictator Bashar al-Assad, now locked in a protracted civil war against his own people, with crucial equipment and technical assistance for carrying out internet surveillance.\18\ This, in turn, has helped the Assad regime to more effectively target and neutralize elements of the Syrian opposition.
---------------------------------------------------------------------------
\18\ Ellen Nakashima, ``Iran aids Syria in Tracking Opposition via Electronic Surveillance, U.S. Officials Say,'' Washington Post, October 9, 2012, http://articles.washingtonpost.com/2012-10-09/world/35500619_1_surveillance-software-syrians-president-bashar.
---------------------------------------------------------------------------

a maturing threat

Despite recent advances, Iran's cyber capabilities are still nascent when compared to those of China and Russia. There is broad agreement among technical experts that the cyber threat posed by the Iranian regime is more modest than that posed by either Moscow or Beijing, at least for the moment. Yet Iran's activities in, and exploitation of, cyber space should be of utmost concern to American policymakers, for several reasons.

The first is opportunity. The capabilities ``gap'' that currently exists in Iran's ability to carry out sustained and significant cyber attacks against U.S. infrastructure could close rapidly. This is because all of the resources that the Islamic Republic requires, whether human or technological, can be acquired quickly and comparatively cheaply from gray and black market sources. Additionally, recent years have seen the Iranian regime receive significant inputs to its strategic programs from abroad, most prominently from China and North Korea. This assistance is known to have furthered Iran's nuclear and ballistic missile capabilities, perhaps significantly so. Given this history, there is every reason to conclude that cooperation between Iran and its strategic partners is on-going in the cyber domain as well.

The second is intent. Over the past 2 years, no fewer than five distinct cyber assaults have targeted the Iranian regime's nuclear effort. (At least one, moreover, has been determined to be domestic in origin, suggesting the Iranian regime faces an internal cyber threat as well.)
As a result, Iranian officials have come to believe--with considerable justification--that conflict with the West has already begun. The cyber attacks that Iran has carried out in recent months provide a strong indicator that the Iranian regime is both willing and able to retaliate in kind.

Finally, it is worth noting that Iran represents a qualitatively different cyber actor from either Russia or China. While both the PRC and the Russian Federation actively engage in cyber espionage against the United States, each has repeatedly avoided mounting a cyber attack so disruptive that it precipitates a breakdown of diplomatic relations with Washington. Iran, by contrast, could well countenance exactly such a course of action in the not-too-distant future. In his most recent testimony to the Senate Select Committee on Intelligence, Director of National Intelligence James Clapper noted that ``Iran prefers to avoid direct confrontation with the United States because regime preservation is its top priority.''\19\ This, however, has the potential to change rapidly in the event of a further deterioration of the current, tense standoff between the international community and Iran over its nuclear program. Iranian officials have made clear that they see cyber space as a distinct warfighting medium in their unfolding confrontation with the West.
---------------------------------------------------------------------------
\19\ Clapper, Statement for the Record, 5.
---------------------------------------------------------------------------
Government officials increasingly recognize this fact. A draft National Intelligence Estimate now circulating within the U.S. Government reportedly identifies Iran as one country which would benefit substantially from having the capability to target and disable sectors of the U.S.
economy.\20\ What is not yet visible, however, is a comprehensive approach to understand, address and mitigate Iran's ability to hold American interests and infrastructure at risk via cyber space.
---------------------------------------------------------------------------
\20\ Nicole Perlroth, David E. Sanger and Michael S. Schmidt, ``As Hacking against U.S. Rises, Experts Try to Pin Down Motive,'' New York Times, March 4, 2013, http://mobile.nytimes.com/2013/03/04/us/us-weighs-risks-and-motives-of-hacking-by-china-or-iran.xml;jsessionid=8304B2493AF15262FDA4F217DDF0CAFE?f=19.
---------------------------------------------------------------------------

cyber space and the iranian bomb

Back in October, then-Secretary of Defense Leon Panetta warned publicly that the United States could soon face a mass disruption event of catastrophic proportions, a ``cyber Pearl Harbor'' of sorts. ``An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches,'' cautioned the Defense secretary. ``They could derail passenger trains, or even more dangerous, derail trains loaded with lethal chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.''\21\
---------------------------------------------------------------------------
\21\ Elisabeth Bumiller and Thom Shanker, ``Panetta Warns of Dire Threat of Cyberattack on U.S.,'' New York Times, October 11, 2012, http://www.nytimes.com/2012/10/12/world/panetta-warns-of-dire-threat-of-cyberattack.html?pagewanted=all&_r=0.
---------------------------------------------------------------------------
Such a scenario is plausible, although the U.S. intelligence community currently judges its likelihood to be ``remote,'' at least in the near term.\22\ However, geopolitical events could dramatically alter this assessment, and incentivize threat actors in cyber space to target both American interests and infrastructure.
---------------------------------------------------------------------------
\22\ Clapper, Statement for the Record, 5.
---------------------------------------------------------------------------
In this regard, no scenario is more urgent or potentially dangerous than the unfolding crisis over Iran's nuclear program. Despite a massive expansion of Western economic pressure over the past year, the Iranian regime still shows no signs of slowing its drive toward atomic capability. To the contrary, Iranian officials have taken a defiant stance, laying out the need for an ``economy of resistance'' with which they will be able to weather economic pressure from the United States and Europe until such time as they cross the nuclear Rubicon.\23\ As such, the near future could see a further escalation of the crisis, perhaps including the use of force against Iran by one or more nations.
---------------------------------------------------------------------------
\23\ ``Iran Leader Calls for `Economy of Resistance,' '' Agence France-Presse, August 23, 2012, http://news.yahoo.com/iran-leader-calls-economy-resistance-134523014.html.
---------------------------------------------------------------------------
Should that happen, cyber war with Iran could become a distinct possibility. So, too, could Iranian targeting of American forces, interests, and infrastructure, with potentially devastating effects on the security of the U.S. homeland.

Mr. Meehan. Well, on that note, Mr. Berman--and I am sure we will follow up on that testimony. Now the panel will hear from our last distinguished panelist; Mr. Libicki, the floor is yours.

STATEMENT OF MARTIN C. LIBICKI, SENIOR MANAGEMENT SCIENTIST, RAND CORPORATION

Mr. Libicki. Thank you and good afternoon Chairman Meehan, Ranking Member Clarke, and other distinguished Members of the subcommittee. Thank you for the opportunity to testify today on cyber threats and protecting American critical infrastructure.
On September 11, 2001, 3,000 people died, and the physical damage was upwards of $200 billion. On September 12, the country responded. The next dozen years saw 6,000 dead, tens of thousands injured, and costs well over a trillion dollars. If cyber is similar, one might conclude that even though an attack on the United States may be damaging, the cycle of response and counter-response may be far more consequential. The issue of how the United States should manage crisis and escalation in cyber space is addressed in the recently-published Rand Report of that name. I now want to take the opportunity to summarize seven salient points in that document.

The first point is to understand that the answer to the question you all have been here asked, is this cyber attack an act of war, is not a conclusion, it is a decision. Cyber wars are wars of choice. A country struck from cyber space has the opportunity to ask, what would be the most cost-effective way to minimize future suffering, and depending on the circumstances it might be war, alternatively it might not be.

Second is to take the time to think things through. Computers may work in nanoseconds, but the target of any response is not the computer, in large part because even if a computer is taken out a substitute may be close at hand. The true target of a response is those who command the cyber warriors, that is, people. But people do not work in nanoseconds. Persuasion and dissuasion of people work at roughly the same speed whether or not these people command cyber war or any other form of war.

Third is to understand what is at stake, which is to say, what the United States hopes to gain by making the attackers cease their efforts. This goes for both responding to cyber attack and to responding to what might be deemed intolerable levels of cyber espionage.
The fourth is to not take possession of a crisis unnecessarily, or at least if you are going to do so, do so on your own terms, which is to say, don't back yourself into a corner where you always have to respond whether doing so is wise or not.

Fifth is, in responding, craft a narrative that helps take the crisis where you want to take it. In some cases in fact, the narrative might have to allow the attacker to cease its attacks without losing face by doing so.

Sixth is to figure out what norms of conduct in cyber space, if any, work best for the United States. It may be encouraging that last week both the United States and China agreed to carry out high-level talks on cyber norms, but there are a lot of questions to work through. As an example, where does one draw the many lines among cyber war, cyber sabotage, cyber crime, cyber espionage, and violations of international trade law?

The seventh is to manage cyber escalation wisely. That means remembering that the other side will probably react to what you yourself do, yet in cyber space, using tit-for-tat measures to modulate the other side's escalation can be a very uncertain and crude tool.

Of course, one of the best ways of avoiding a 9/12 in cyber space is to avoid a 9/11 if you can. In that regard, I would like to toss out a few ideas. These are born of the notion that while there are many sources of cyber insecurity we wouldn't be worried about a catastrophic cyber attack or much of the advanced persistent system threat for that matter were it not for malware. Malware itself does not happen without systematic weaknesses in software architectures and implementations. In a world that spends $60 billion a year on security for instance, a much, much smaller total of that is spent eradicating vulnerabilities in widely-used software programs. Allocating Federal money from buildings to finding and thereby reducing the vulnerabilities in these programs, may be money well spent.
The same logic, unfortunately, does not hold for machine control software such as SCADA systems. Such software was designed for a relatively benign environment, not the internet. Vulnerabilities in such software are so common that they will take a long time to fix completely. In the meantime, leaving such systems connected to the rest of the internet may not necessarily be a particularly good idea. Isolation will reduce the odds of a catastrophic attack more than probably anything else will.

Finally we need to rethink information sharing. There is nothing wrong, say, with two chemical companies sharing information with one another on cyber attacks, but we really need to hear not from the companies themselves but from the security firms that work for them, because they are the folks who actually understand what happens to the companies when they get attacked. The folks that they need to hear from are again not so much the companies themselves, although that is a good thing, but those who build software for such companies.

Well, thank you very much. I am happy to answer any questions you might have.

[The prepared statement of Mr. Libicki follows:]

Prepared Statement of Martin C. Libicki \1\
---------------------------------------------------------------------------
\1\ The opinions and conclusions expressed in this testimony are the author's alone and should not be interpreted as representing those of RAND or any of the sponsors of its research. This product is part of the RAND Corporation testimony series. RAND testimonies record testimony presented by RAND associates to Federal, State, or local legislative committees; Government-appointed commissions and panels; and private review and oversight bodies. The RAND Corporation is a nonprofit research organization providing objective analysis and effective solutions that address the challenges facing the public and private sectors around the world.
RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.
---------------------------------------------------------------------------

March 20, 2013

Managing September 12 in Cyberspace \2\
---------------------------------------------------------------------------
\2\ This testimony is available for free download at http://www.rand.org/pubs/testimonies/CT383.html.
---------------------------------------------------------------------------

On September 11, 2001, terrorists attacked the United States. Three thousand people died and the physical damage was upwards of two hundred billion dollars. On September 12, the country responded. The United States strengthened its homeland security. We went to war twice. Over the next dozen years, the United States lost six thousand in combat. Ten to twenty thousand were seriously injured. Total additional expenditures exceeded a trillion dollars. I point this out not to criticize the policies that followed--but to indicate that even though an attack on the United States may be damaging, the cycle of response and counter-response may be far more consequential.

Accordingly, even though a cyber-9/11 may be costly, it would be shortsighted to evaluate the threat in terms of immediate damage without considering how the United States would manage such a crisis in order to yield an outcome that works best for the American people. That is, we are right to be worried about a ``9/11 in cyber space,'' but we also ought to worry about what a ``9/12 in cyber space'' would look like. Indeed, one of the best reasons for working hard to avoid a 9/11 in cyber space is to avoid having to deal with a 9/12 in cyber space. That noted, because a cyber 9/11 (or what looks like a 9/11) might happen, it is worthwhile to think about what we do the day after.
The issue of how the United States should manage crisis and escalation in cyber space is addressed in the recently-published RAND document of that name.\3\ I now want to take the opportunity to touch on some of the salient points in that document, as well as follow-on thoughts.
---------------------------------------------------------------------------
\3\ Martin Libicki, Crisis and Escalation in Cyberspace, Santa Monica CA (RAND), MG-1215-AF.
---------------------------------------------------------------------------

The first point is to understand that the answer to the question--is this cyber attack an act of war?--is not a conclusion, but a decision. In physical combat, such a question may be meaningful: If your neighbor's tanks are in your backyard heading for the capital, then war is on. But such a question is usually the wrong one to ask about cyber war. True, cyber war can disrupt life even on a mass scale. Cyber warfare can enhance conventional military power. But, it cannot be used to occupy another nation's capital. It cannot force regime change. No one has yet died from it. And, Stuxnet notwithstanding, breaking things with ones and zeroes requires very particular circumstances.

A cyber attack, in and of itself, does not demand an immediate response to safeguard National security. Instead, a country struck from cyber space has the opportunity to ask: What would be its most cost-effective way to minimize such future suffering? If war fits the bill (and other nations understand as much), the victim of a cyber attack could declare that it was an act of war and then go forth and fight. Perhaps making war can persuade the attacker to stop. Yet, war also risks further disruption, great cost, as well as possible destruction and death--especially if matters escalate beyond cyber space.
Or a country may look at policies that reduce the pain without so much risk--such as by fixing or forgoing software or network connections whose vulnerabilities permitted cyber attacks in the first place.

Second is to take the time to think things through. Computers may work in nanoseconds, but the target of any response is not the computer--in large part because even if a computer is taken out a substitute can be close at hand. The true target of a response is those who command cyber warriors--that is, people. But, people do not work in nanoseconds. Persuasion and dissuasion of people work at roughly the same speed whether or not these people command cyber war or any other form of war.

A corollary error is to assume that a confrontation in cyber space is inherently unstable--thereby necessitating being a quicker draw than the other guy. It is precisely because, unlike with nuclear war, a nation's cyber war capabilities cannot be disarmed by a first strike, that there's not the same need to get the jump on the other guy, just as there is not the same need to match his offense with your offense, when it's your defense that dictates how much damage you are likely to receive.

Third is to understand what is at stake--which is to say, what you hope to gain by making the attackers cease their efforts. This goes for both responding to cyber attack and responding to what might be deemed intolerable levels of cyber espionage. With cyber attack, what you are trying to prevent is not the initial attack, but the next attack--the effects of which might be larger than the initial attack but may also be smaller. (This is particularly true if the initial attack teaches the immediate victims that, say, making industrial controls accessible to the internet may not have been the smartest idea.) As for espionage, we really have no handle on how to evaluate the damage that takes place to the country when other countries see what we don't want them to see.
Fourth is not to take possession of the crisis unnecessarily--or at least do so only on your own terms. That is, do not back yourself into a corner where you always have to respond, whether doing so is wise or not.

It is common, these days, to emphasize the cost and consequences of a cyber attack as a National calamity; last week the Director of National Intelligence proclaimed it as the primary short-term threat to the Nation. Making such arguments tends to compel the United States to respond vigorously should any such cyber attack occur, or even merely when the possible precursors to a potential cyber attack have been identified. Having created a demand among the public to do something, the government is then committed to doing something even when doing little or nothing is called for. In some cases, it may be wiser to point out that the victim had a feckless cyber security posture. In other cases, downplaying the damage may be called for. The more emphasis on the pain from a cyber attack, the greater the temptation to others to induce such pain--either to put fear into this country or goad it into a reaction that rebounds to their benefit. Conversely, fostering the impression that a great country can bear the pain of cyber attacks, keep calm, and carry on reduces such temptation.

Correspondingly, despite good arguments in favor of drawing red lines for deterrence purposes--``if you do this, I will surely do that''--the cost of being credible is that if deterrence fails, such a declaration tends to constrain one into carrying out retaliation. To do nothing or nothing much, at that point, tends to hollow all deterrent postures, and not just in cyber space. Given the inevitable ambiguities associated with the consequences and causes associated with cyber attacks, inflexibility may also demand a response well before the facts are clear. There are careful trade-offs that have to be made.
Fifth is to craft a narrative that facilitates taking the crisis where you want to take it. Narratives are, essentially, political morality plays, in which the United States has to select a role that puts it in a good light while retaining basic consistency between the facts of the matter, as well as with its previous narratives. Part of crafting a narrative requires finding the right role: Does the United States want to portray itself as a victim of cyber attack? As the righteous enforcer of international norms? As the superpower that demands respect? Narratives also have to find a role for the attacker, and the definition of such a role may, in some cases, have to encourage and accommodate the attacker's graceful and face-saving retreat from belligerence. After all, the odds that an attack in cyber space arises from miscalculation, inadvertence, espionage with unintended consequences, or the actions of a rogue actor are nontrivial.

Sixth is to figure out what norms of conduct in cyber space, if any, work best for the United States. Last week both the United States and China agreed to carry out high-level talks on cyber norms. Although nearly 4 years of Track II negotiations with the Chinese (in which I participated) have yielded meager results, there are still some grounds for optimism. But, first we have to address some salient questions. To what extent can the Laws of Armed Conflict apply in a domain where the patterns of collateral damage are poorly understood, where the distinction between civil and military is difficult to discern, where it's getting harder and harder to know where your information sits, and where the transparency required for neutrality simply does not exist? Where does one draw the many lines among cyber war, cyber crime, cyber espionage, and violations of international trade rule? Is it in the U.S. interest to make unconstrained espionage a casus belli?
How well should states be able to monitor (let alone enforce) compliance before it can assure itself that the norms are worth having?

Seventh is to manage cyber escalation wisely. This not only means remembering that the other side will react to what you do, but also understanding what a crude tool counter-escalation may be for influencing the other side. Consider that with Stuxnet, it took many tries to get the desired effect. The Iranians may not have known they were under attack until they read about it in the New York Times. It is also unclear whether we would have had much damage assessment had the centrifuge plant not been under independent inspection.

To further illustrate what the fog of cyber war may mean to escalation control, assume a defender wants to place in an opponent's mind the thought that if he escalates the defender will counter-escalate proportionally. But in cyber space what the attacker does, what he thinks he did, and what the defender thinks he did may all be different. The defender can only react to what he thinks the attacker did. That is because the defender's systems are usually different than the attacker's. Equivalence between perception of the attack and the intended response may be inexact. Then there's the similar difference between the defender's response and the attacker's perception of what was done in return. After all this, the attacker may think the retaliation was proportional, understated, or went overboard in crossing counter-escalation red lines--red lines that were not originally crossed by himself. The effect is akin to playing tennis on a rock-strewn court.

In sum, while I believe it is certainly a worthwhile effort to prevent a future 9/11 in cyber space--and understanding the nature of the threat is an important component of that effort--similar levels of care and thought need to be given to how to manage a potential 9/12 in cyber space.
If not, we may find, as with the historical 9/11, that the consequences of the reaction and counter-reaction are more serious than the consequences of the original action itself.

Mr. Meehan. Well, thank you, Mr. Libicki. Thank you for, all of the panel, for your opening statements. You have touched on collectively a number of critical areas for us in terms of framing the nature of the threat and commentary and more specific fashions as to where we see this thing going. I am grateful today to have the presence of the Chairman of the full Committee on Homeland Security and without objection I will go out of order and allow the Chairman to make some opening comments or if he has a few observations or questions for the panel, I would allow that to be entertained as well.

Mr. McCaul. Well, I thank the Chairman for your generosity, and thank you to the witnesses for being here today. This is an issue of growing concern by the day. Today we just saw North Korea attack South Korea in a denial-of-service attack in an attempt to shut down its government. We have the representative from Mandiant here who reported recently that the Chinese military has hacked into our Federal Government to steal our military secrets. I think for me most disturbingly is what has happened not just with China, Russia, but as you Mitch and Mr. Berman, with Iran. I think the fear has always been that you know Russia is good at espionage and crime, so is China; they steal things, but it is the countries that disrupt and bring things down that is probably the thing that keeps us up at night the most. So I want to ask this question because the Iranian attack was particularly interesting in the sense that the attack against Aramco in the Persian Gulf was a very destructive attack that knocked out 20,000, 30,000 hard drives bringing them down in energy sector.
The attack against our financial institutions in the United States on the other hand was a very disruptive denial-of-service attack crashing servers but not destroying. But the point remains that Iran has this capability to destroy. I asked the question, why the difference in attacks, and the answer was, well they are red-lining us. They are testing us. They want to know how far they can go with this before we actually ultimately respond. So my question, I guess I will start with Mr. Berman, anybody else on the panel is: At what point do we respond? At what point do these attacks--and we have debated what constitutes an act of warfare, but at what point do these attacks truly constitute an act of warfare to be met with an in-kind response?

Mr. Berman. Well, thank you, sir, and I appreciate you asking such an easy question to get this ball rolling. This is actually, I think, the $64,000 question. It is not a question that can be answered by myself or by anybody here on this panel. It is a decision made by the National Command Authority with regard to framing a deterrence posture in cyber space and then also carrying out retaliatory attacks if it chooses to do so; if it perceives that a red line has been crossed. I would point out that you outlined very nicely sort of the Iranian motivation and the Iranian way of thinking about what it is doing; these cyber attacks that it has carried out against U.S. financial institutions. By the way, not only U.S. financial institutions, before it attacked Bank of America and JPMorgan Chase, it took aim at Israel's central bank, at Bank Hapoalim. So these are all demonstration attacks to a greater or lesser extent, to demonstrate that it has the ability to reach out and touch the United States and its coalition partners if the conflict over its nuclear program goes south in some substantial way.
Iran is also doing something, which I think is more tangible and is of greater concern, which is the outlining how it would act definitively in the event of a breakdown in relations and coalition warfare against Iran over its nuclear program. The attack on Saudi Aramco can be seen as a signaling mechanism by which Iran is telegraphing to the international community that it plans to target C4I capabilities in the event of overt warfare with regard to Iran. This is--I think it is important to note that the Iranians are thinking about cyber warfare operationally in that context. Whether or not we choose to respond to these attacks is an entirely different question and it is one that stems from how we define the threat, and whether or not we actually do, as Mr. Libicki said, do draw definitive red lines that forces us to retaliate.

Mr. Cilluffo. Mr. Chairman, to build on that point, and I agree very much with what Ilan has just expressed. But, I mean, one way to think about some of these cyber threats, especially--and I am reminded of how we used to discuss state-sponsored terrorism in the 1980s and 1990s. You have state-sponsored, state-sanctioned, and state-directed. What makes cyber so complex is the plausible deniability factor, obviously. Just like Iran has turned to its proxies to engage in kinetic attacks, obviously they will also look to proxies if they build-out the capacity to do so in the cyber domain. One thing that is worth noting, though, is whether it is IRGC or whether it is Quds Force, they are also home to one of the most sophisticated hacker underground communities that has been around for quite some time, noted as Ashiana. Some of these capabilities where they may provide what we would call in the military ``commanders intent,'' they are not necessarily even sure who is calling the shots where and when. There might be a good news story on the U.S. side.
Maybe it was more difficult to get to some of our energy companies the way they were able to do so vis-a-vis Saudi Aramco. That said, if the balloon goes up, I am more concerned that they turn to their proxies in a kinetic kind of way where cyber becomes--it enhances the lethality. It is a force-multiplier effect. That is why I put it in the chart, why I put it at the blinking high-red in my prepared remarks. That is something that we shouldn't discount. U.S. interests overseas have long been lightning rods for terrorist activity. I think you would see a lot of similar sort of activity in the region. So, they are very good at electronic warfare. They have been doing this for a long time. So, here cyber is just another instrumentality to achieve those sorts of objectives and something we need to take seriously.

Mr. McCaul. Let me just say thank you to the panel. I also want to again thank the Chairman and Ranking Member for your generosity in letting me sit here and ask questions. Also, the work you have done on this issue--I appreciate it and I look forward to the point where we end up marking up legislation on this committee. Thank you.

Mr. Meehan. Thank you, Mr. Chairman. We are grateful for your support for the important work of this committee and look forward to working with you. As you can see, the testimony from this distinguished panel I think is helping to put in context the importance of what we are doing. That is a big part of what we are trying to approach today. Because I--Mr. Cilluffo, I thank you, as I recognize myself for 5 minutes of questioning. For your setting the table in the sense of us trying to put our arms around this, it is easy to get lost not only in the broad scope of the threat, but the failure to distinguish among different parts of the threat. You were articulate in explaining that there are various levels that actually get us to the places where we may be able to do a lot. Mr.
Bejtlich and others discussed cyber high--we can do the deal with big parts of it that we probably are principally interested in this issue of state-sponsored activity. That even within the realm of state-sponsored activity, the question becomes: What becomes the kind of motivating factor that is tied with the capability that then becomes the creator of an intentional act? Now, we have seen actions as recently as this week that have been tied back, at least according to published reports, to Iran--once again, more sophisticated attacks against our banking system. I would be interested in your interpretation of those attacks, what you think they are, and how realistic they may be as whether they are precursors to something which is simply probing, or part of a pattern of activity that may indicate future vulnerability for the United States.

Mr. Cilluffo. Mr. Chairman, thank you for that question. I think you do ask one of the most difficult questions. Because what I tried to do is parse out the computer network exploit from computer network attack. The one issue that is sort of in between both is the cyber equivalent of intelligence preparation on the battlefield. So, the fact is, is our critical infrastructure, the domain of this subcommittee and the committee generally speaking, are all identifiable and they have been probed and they have been mapped. At the end of the day, they have not necessarily been, at least with the actors we are most concerned about, looked at from a computer network attack perspective, but the fact that they have probed these systems, what other motive could they possibly have? They are not stealing secrets here. It is not espionage. It is to be able to come up with a potential battle plan in the future. Big concern. When you see the Iran clickety-clack of the keyboard behind that, then we have got some real significant lines, maybe not in the sand, but in the silicon that have clearly been crossed.
Again, I think that Iran is going to look at it through a kinetic lens most directly. In terms of these DDOS attacks, the distributive denial-of-service attacks, they are becoming more powerful. You can rent a botnet for very little that can cause major disruption. That is not the same as destruction, but it can get to the point where companies that live and breathe on just-in-time inventories, that live and breathe on the ability to connect with their customers immediately, it has a huge impact. I just came back from Estonia, where I brought a bunch of my students that are part of an executive MBA program there, and they don't have bank tellers anymore. It is all computerized.

Mr. Meehan. So, this capacity, as we have identified it, we focused on Iran most recently, but we have also spoken about North Korea and the capacity to be able to go out into the marketplace and therefore even enhance their capability by participating with other kinds of nation-state actors or others who have the ability to generate this. Mr. Berman, you used a----

Mr. Cilluffo. I am actually more concerned about North Korea in some ways.

Mr. Meehan. North Korea.

Mr. Cilluffo. It is about survival of the regime, wild cards, and traditionally crime tries to penetrate the state. In North Korea, it is the inverse. The state is penetrating organized crime and they are engaged in all----

Mr. Meehan. Mr. Berman, you spoke a great deal about that. You used the word ``retaliatory'' as being a precursor to some activities, and we see what happened this week in South Korea. So, explain to me how you interpret those in the context of whether they are retaliatory actions, and then most--the greatest concern is the added word ``volatility.'' Do they in combination create what you--this panel had testified before when we were asking questions about the willingness of the Quds Force to carry out an act of terrorism on United States soil. Then months later, we saw it. So, I respect your vision.
What do you see happening now?

Mr. Berman. Well, thank you, sir. I appreciate the kind words. I agree with my colleague. I think what we are looking at here is a mismatch between capability and intent. The Iranians are not nearly as sophisticated and persistent as the Chinese and even the Russians. But what you have is a set of actors--and I say ``set'' because what we are talking about here is not just Iran, but also North Korea--that is hyper-politicized in the sense that both are engaging in active diplomatic warfare with the international community over their respective nuclear programs, over sanctions, over some deviant behavior, that may force them--or may cause them to lash out in ways that we would not predict. One of the saving graces of our China cyber problem and our Russia cyber problem is that while we may not be comfortable with the scope, we in general understand the direction. That is missing in our calculation with regard to Iran and increasingly with regard to North Korea. The shared geopolitical driver here is that both regimes are under growing international stress as a result of their rogue behavior. But it is also the type of international stress--economic, diplomatic, financial--that is forcing them to lash out in unpredictable ways. As a result, as Frank said, the cyber component of this behavior becomes very, very germane because if Iran seeks to retaliate and it is a perceived retaliation, because Iran already, if you look at the way it has written in speeches, the way it has spoken--its officials have spoken, they see themselves already at war with the West on some level. They see cyber as an adjunct to all the other things that they are doing in order to respond.

Mr. Meehan. I look forward to following up, but at this point my time has expired. So I turn it to the Ranking Member, Ms. Clarke, for her questions.

Ms. Clarke. Thank you very much, Mr. Chairman. I would like to start with Dr. Libicki.
I am a bit concerned about how we classify the activities that are taking place. You know, this is a homeland security committee, and I want to just ask you, I understand that a lot of your work deals with questions of state-on-state cyber conflict and international issues. That is the domain of foreign-oriented departments, such as State and Defense. But I also appreciate your testimony on needing to be careful in our messaging of the cyber threat, and not calling everything cyber war. I, for one, believe that the vast majority of malicious cyber activity is directed against consumers in the private sector, and it is not appropriate for the military to play a role--the lead role in protecting against this type of activity. The threats are, indeed, great, but that doesn't mean it requires a military response. Do you agree, or do you have any thoughts on the right way to talk about cyber threats without doing it in a way that over-militarizes our response?

Mr. Libicki. Well, if you are going to respond with the military, I suppose your most important question is: Is it to your advantage to get into a war? If the answer is no, then you may think of other ways of responding. In many ways, however--and I mentioned--you mention narrative, if the United States goes around saying how vulnerable it is to cyber attack and how much it is afraid of cyber attack, then it sets up a situation in the minds of others that the United States is particularly sensitive if it gets attacked through this method. If we, however, adopt a posture, insofar as we can, that in fact these things happen to computers all the time, that computers can be occasionally volatile, but things happen to them, and that we are really talking about levels of annoyance, to a certain extent you can remove some of the disincentive for others to attack the United States, because the impact on what we do will not be very great.

Ms. Clarke.
So, let me dig a little bit deeper, because what we are trying to get a sense of is, you know, we have a domestic responsibility to private citizens whose identity may be stolen, the sort of garden-variety types of malicious cyber activity. We are trying to make a distinction here, because this whole hearing we have been talking about really an international connection. For the average American, it is like, you know, I just don't want my medical information sold in Russia, or, you know, I don't want my identity to be--how do we make that distinction and then how do we sort of create a flexible infrastructure that enables us to be sensitive enough to know where certain forces enter versus others?

Mr. Libicki. Well, pretty much everything we are talking about, at least at the U.S. level, is considered a crime. Sometimes we can get our hands on these folks, sometimes we can't. Some of my colleagues pointed out because we don't have the cooperation of the Government. To a large extent, therefore, that means in these areas defense becomes a lot more important than it would other places. I think there is a great deal that the United States can do, that the United States Government can do to beef up defenses. I think there is a lot of good work being done by DHS. I think there are ways they can carry out more activities. I had mentioned reducing the vulnerabilities in a lot of software. I think a certain amount of progress is being made, but by no means fast enough. I think we can encourage a great deal of resilience. Standards of resilience may, at least, give you some guidelines as to what constitutes resilience in the first place. We have by no means exhausted the list of things we can do at the domestic level to reduce the level of threat to where, in fact, at a foreign policy level we can start ignoring it.

Ms. Clarke. Let me ask Mr. Bejtlich, it seems that most consumers and corporations still look to anti-virus software as state-of-the-art.
Recently, however, it seems that the market has been clamoring for new approaches, particularly focusing on resilience and mitigation strategies when companies are inevitably hacked. Over the years, have you noticed a real shift in companies' level of awareness of the cybersecurity threats to their business, and have companies been realizing that traditional anti-virus approaches just won't cut it and are they now looking for more sophisticated approaches to mitigating their risk?

Mr. Bejtlich. The best-performing companies that Mandiant interacts with have generally gone through a traumatic experience, where they have had a large intrusion, and they have realized that all of the approaches that they have adopted were not sufficient to stop the intruder, and they tend to adopt more of a fast-and-accurate detection model, followed by response and containment. You still need anti-virus. You still need these other technologies that will deal with a certain group of threats, but you have to realize there will be that gap a sophisticated or determined intruder will get through, and then you need to find them quickly and deal with them. So, while I will say that is becoming more accepted at the top tier, at the small- or medium-business level, they don't have the resources, the awareness. It is truly a big problem at those other levels.

Mr. Meehan. Thank you, Ranking Member Clarke. The Chairman will now recognize Mr. Perry for his questions, if he has them.

Mr. Perry. Thank you, Mr. Chairman. Thank you, gentlemen. It is a fascinating topic, and I am hopeful it is one that we can find some bipartisan cooperation on, although I think it is vexing every single one of us in the room how we work on that. With that, I would like to just get right to a whole host of questions. Regarding supply-chain cyber-threats, is that something that is legitimate? Should we be concerned?
What countries would export such things so that users or purchasers would know, look, there is a potential danger in buying from X company, if that is appropriate to ask that kind of question. Anybody?
Mr. Cilluffo. First crack at this. I think your colleagues at the House Permanent Select Committee on Intelligence, Mr. Rogers and Mr. Ruppersberger, did a fantastic service in identifying some of the potential concerns vis-a-vis Huawei and ZTE in particular. But I think it raises a bigger set of questions. We need to start baking security requirements into the design of our systems. Start with our weapons platforms and systems, and then we have got to start looking at critical infrastructure. To me, that is partially a Federal acquisition reform issue. We actually need to prioritize contracting acquisition opportunities for those that are baking security requirements. Yes, that is a big concern. I don't care how much security you have up here, if it is built on quicksand, who cares?
Mr. Perry. So, with that, I mean, and with the Ranking Member's questions, I wonder, how much--first of all, is this information available to normal purchasers and users? Are products to thwart the threats that we are discussing commercially available on a wide scale right now?
Mr. Bejtlich. There is an emerging industry of companies, like Mandiant, who recognize that threats will get through, and you have to find them quickly and deal with it. However, there is still a large industry built around the legacy systems. To piggyback on Frank's comments, we have seen, through our own intrusion response, as the primary target gets harder, you move farther out into the ecosystem, and eventually you will get to the point where the ecosystem is hard enough that you have to start with the hardware, and then you work your way back in. So maybe that is why very hard targets, like the military, they have come to realize this is the No. 1 problem they have. It is not the No. 1 problem in the private sector, but as the private sector gets its act together, you are gonna see the threat migrate to those supply chain problems.
Mr. Perry. As a--I have spent over 30 years in the military, so I am really familiar with the IPB process and some other things that were discussed here, and I think that is kind of where most of us head. But I think in terms of selling this, for lack of a better phrase, to the public about the need for this and then how we address it, I think we are gonna have to discuss what is in it for them, and I think that it is hard to get your brain wrapped around that. So with that, let's say I have a firm that, like just about any other district, that makes some very critical components, whether it is defense or manufacturing, that they compete globally, who do they report it to? Like, what is the first phone call they make if they suspect? Where do people go?
Mr. Bejtlich. I would encourage anyone who believes that you are on the shopping list for an advanced threat, such as China or Russia, to have a relationship with your local FBI office. They will tell you whether or not the technology you produce or the business you are in is of interest to a foreign power. They will help you from that point forward. However, cyber still remains the one area where if there is a dead body on the ground, there is no police you call who will run to you and do the forensics and all that. For the most part, it is still a private-sector response. That is changing a little bit. I mean, in critical infrastructure, you can call the ICS-CERT and they will send a team. There is more of that going on. But my company was created 9 years ago because there was no one to call. So we are the ones that go out, and we answer the call on these intrusions.
Mr. Cilluffo. Mr. Perry, could I----
Mr. Perry. Absolutely. Please do.
Mr. Cilluffo [continuing]. Very briefly. This is a little philosophical way to think about it.
At the end of the day, we need to get to the 80 percent solution, which is not going to stop the APT threats. It is not gonna stop Russia. It is not going to stop China. Russia, by the way, is more in the HUMINT business, and they have integrated cyber to be part of the human intelligence business. That is why I would say from a tradecraft standpoint, they are actually higher than China, even. But the one thing I would suggest is you get to that 80 percent solution so you can free up the limited resources that Uncle Sam has to focus on the real bad actors. Right now, they can't delineate between the kid in his mother's basement or the foreign intelligence service threat. We have got to get to the point where we can free up resources, limited as they are, to focus them on the higher end. That--you can't expect a company to defend themselves against the SVR. It is just--they are in the business of business. So we have got to build the business case. Any legislation should be comprehensive, but it should also incorporate incentives. It should also incorporate liability exemption. We do need to have--we don't want this to be a cigarette wrapped in asbestos, forgive the pun, but we really do need to build up our security capabilities, focus the limited resources on the high-end threat spectrum, and the private sector can handle the rest. But right now, there is an unfair playing field. They are defending against Chinese intelligence services. That is just not fair.
Mr. Perry. Thank you.
Mr. Meehan. Thank you, Mr. Perry. Now, we have not only been called to vote, but the time has expired on our vote. But we are trying to--Mr. Vela has participated with us, and I am very grateful for his presence. Mr. Vela, do you have a question for the panel that you would like to----
Mr. Vela. Yes. I will make them quick.
My question is: Given the significant energy production that we have in States like Texas, Pennsylvania, and the Dakotas, what is the real-life cyber threat to the energy sector in those places?
Mr. Bejtlich. So, Mandiant has responded to intrusions affecting the energy sector. We have not seen the intruders getting into the industrial control systems, but they have been in the corporate networks, and they have taken design documents, plans, other intellectual property. This has also been well-documented in the open press, in places like the Christian Science Monitor and elsewhere. So there is a real threat from espionage into the energy sector in the United States.
Mr. Vela. So it is not just a matter of threat to the energy trading. It goes more to the intellectual property and the things that those companies work with.
Mr. Bejtlich. Yes, sir.
Mr. Meehan. Let me thank this very, very distinguished panel. Once again, we have been called to votes, and I think rather than inconvenience you a second time, we are delighted and thankful that you have taken the time. I point all of those who are interested in this issue not just to the testimony you have given and the written testimony, but to the voluminous work each of you has done and the way you have helped us to frame this issue. I am hopeful that we can continue to work with you in this year ahead as we not only frame the issue, but work towards legislation to help us address the issues. I would like to ask unanimous consent that a statement from Mr. Dean Picciotti, president of Lexington Technology, a Philadelphia-based cybersecurity consulting firm, be included in the record. Without objection, so ordered.
[The information follows:]
Statement of Dean Picciotti, President, Lexington Technology Auditing
March 20, 2013
Lexington Technology appreciates the opportunity to submit testimony for this important subcommittee hearing on protecting the Nation's critical infrastructure.
It is important to explain the risks we face and how new legislation can strengthen our ability to protect this critical element of our country's civilian infrastructure. We need uniform minimum standards for cybersecurity defense and disaster recovery.
About Lexington Technology
Founded in 2011 by long-time industry leaders, Lexington is a Philadelphia-based cybersecurity consulting firm that provides advice and services to mass transit systems, State court systems, school districts, and other government and quasi-government agencies. The firm's efforts are focused mainly on the systems relied upon for our region's data security. We spend most of our workdays in the cybersecurity ``trenches.'' It is from this view point that we offer this testimony.
What's at Stake?
The Earth is crisscrossed by networks of wires, cables, waves, pulses, and signals. The computer systems that operate this world are all around us, yet just under the surface. Driven to design simplicity and ease of use into most systems, developers have learned to cleverly disguise the fact that you are even using a computer. But computers are, in every imaginable size, supporting every conceivable application--and it is all connected.
    Smartphones, laptops, mobiles, desktops
    ATMs, store barcode scanners, credit card swipe machines
    Telephone systems, television systems
    High-rise elevator and HVAC system controls
    Ordering systems, payment systems, money-moving systems
    Factory production systems, assembly lines
    Food processing and packaging systems
    City water systems, sewage systems, rail lines, traffic signals
    Electric and gas utility processing/production and distribution
As the world becomes increasingly interconnected and reliant on computers to run everything from our coffeemakers, rail roads, elevators, court systems, and nuclear plants, cyber space has become the fifth domain of warfare, after land, sea, air, and space. It is important to keep in mind however, that the threats are not only from foreign shores but also from within our borders. Destabilizing a nation's cyber-infrastructure is not an exact science. The results are not necessarily foreseeable or controllable. However, forcing a nation-state into chaos without an identifiable adversary is a perfect tool for the asymmetric attacks of terrorists. There is little lead time. There is little chatter. Assembling the devices necessary rarely requires embargoed or highly-regulated materials.
A Flawed Convergence Strategy and Aging Infrastructure
Two decades ago, in an attempt to save money in the growing software-based process control and automation industry, companies began to explore the logistics, implications, and benefits of converging the pathways that control desktops, servers, and industrial equipment. Many malicious attacks take advantage of the inherent flaws in this convergence strategy. One of the flaws in convergence is the introduction of USB Memory Sticks (the same ones you may have on your keychain) to the factory floor. Industrial equipment rarely has USB ports, but because of convergence these devices, which now share networks with office-grade equipment, are integrated (knowingly or unknowingly) with desktop computers.
As a result of this convergence, power plants, pipeline networks, refineries, mass transit, high-rise HVAC, elevator systems, water and sewage plants, grain elevators, communications networks and other large-scale System Control and Data Acquisition (SCADA) applications are susceptible not only to internet-delivered attacks but also to USB stick-borne viruses, even when the network is completely isolated from the internet. Imagine these systems infiltrated by malware, crashing, rendered useless, at least temporarily. The data grid fails. The power grid fails. The communication grid fails. The transportation grid fails. Imagine the potential for panic--financial and otherwise--in the face of these cascading network failures. Our infrastructure presents a dangerous combination of known and unknown vulnerabilities in the cyber domain, strong and rapidly expanding adversary capabilities, and limited threat and vulnerability awareness. While we are more network-dependent than ever before, improved interconnectivity has drastically increased the threat of unauthorized entities taking control of, or damaging, our infrastructure. No longer is the threat limited to physical attacks or embedded personnel. Successful and attempted attacks may be initiated with complete anonymity from anywhere in the world. Our daily life, economic vitality, and National security rely upon our information technology infrastructure. As our complex economy demands more and more connectivity each year, we are simultaneously increasing the potential attack surface. The operation of our economy depends on a vast array of interconnected communications and power sources that, at present, stand vulnerable to attack.
Recent Attacks
In January 2008 a 14-year-old boy derailed 4 trains in Poland using a modified television remote control.
During the summer of 2011 several law enforcement agencies had their private emails leaked by Lulzsec, a small group of hackers that exploited weak SQL and PHP implementations on websites. This allowed them to deface websites and obtain username and password lists of authorized users. With that information, Lulzsec exploited the fact that many users use the same username and password combination on multiple sites, disrupting our economy and reducing productivity. In 2012 a 24-year-old man gave a presentation at the DEF CON conference entitled ``How to Hack All the Transport Networks of a Country''. His presentation showed how a test to see whether free rides could be obtained allowed him to attach to internal processes, gain client data including financial information, and then how he was able to gain access to the System Control and Data Acquisition systems operating the entire transit system. He believes that the same, or similar, vulnerabilities exist in every transit system network in the world. Cyber incidents have increased dramatically since 2010; reports of nation-state, individual, and group attacks on infrastructure are occurring with regular frequency. In 2011, the DHS U.S. Computer Emergency Readiness Team (US-CERT) received more than 100,000 incident reports, and released more than 5,000 actionable cybersecurity alerts and information products. Preliminary reports have that number increasing dramatically in 2012 and beyond. The aftermath of Hurricane Sandy presented us with a brief glimpse of the dangers and hardship of a major transit system being shut down by a known natural occurrence. Imagine the devastation both in human lives, economic loss, and confidence should a coordinated attack bring down multiple transit systems or cause transit vehicles to be used as weapons of destruction.
Recognizing the serious nature of this challenge, President Obama has made cybersecurity an administration priority and he reaffirmed the importance of securing our critical information systems by signing the Executive Order on Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive (PPD) on Critical Infrastructure Security and Resilience on February 12, 2013. We need a concerted effort and substantial funding on the part of our Federal Government to create uniform minimum standards to protect, secure, and constantly monitor critical information and control systems. We also need uniform minimum standards for disaster recovery in the event of a successful attack. Organization and continued funding of these efforts has to be a top priority if we are to keep these systems operating safely.
Minimum Standards
In order for the organizations that operate our critical infrastructure to be able to protect cyber systems from attack we need legislation that standardizes the minimum expectations for reasonable cybersecurity defenses and disaster recovery preparation. We need to make sure our critical infrastructure operators understand the expectations and have the information, tools, knowledge, and rights to continually update and harden systems against an ever-evolving threat. We cannot depend solely on Government agencies to be able to detect attacks and then drop in and take over unfamiliar systems with the speed and knowledge necessary to circumvent or recover from an attack. That can only be accomplished by the individuals that work with those disparate and complex systems every day. The United States Government should work with non-Federal critical infrastructure organizations to provide the necessary resources to meet the highest standards and best practices available today and as set by the National Institute of Standards and Technology and the Pentagon as they're published and modified in the future.
In conclusion, our critical infrastructure, our economy, and even our lives depend upon secure information technology systems and industrial control systems. The number and frequency of attacks are increasing and significant changes are needed now to protect our transportation systems to prevent a future disaster that could cripple our economy and/or result in large numbers of casualties.
Mr. Meehan. I want to thank the witnesses for their valuable testimony and Members for their questions. The Members of the committee may have additional questions for the witnesses, and I will ask you to respond to those in writing if they are submitted within 10 days. We will hold the record open. Without objection, the subcommittee stands adjourned. Thank you.
[Whereupon, at 4:01 p.m., the subcommittee was adjourned.]