[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]
FACILITATING CYBER THREAT INFORMATION SHARING AND PARTNERING WITH THE
PRIVATE SECTOR TO PROTECT CRITICAL
INFRASTRUCTURE: AN ASSESSMENT OF DHS CAPABILITIES
=======================================================================
HEARING
before the
SUBCOMMITTEE ON CYBERSECURITY,
INFRASTRUCTURE PROTECTION,
AND SECURITY TECHNOLOGIES
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED THIRTEENTH CONGRESS
FIRST SESSION
__________
MAY 16, 2013
__________
Serial No. 113-17
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.gpo.gov/fdsys/
_____
U.S. GOVERNMENT PRINTING OFFICE
85-613 PDF WASHINGTON : 2013
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC
area (202) 512-1800 Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC
20402-0001
COMMITTEE ON HOMELAND SECURITY
Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas Bennie G. Thompson, Mississippi
Peter T. King, New York Loretta Sanchez, California
Mike Rogers, Alabama Sheila Jackson Lee, Texas
Paul C. Broun, Georgia Yvette D. Clarke, New York
Candice S. Miller, Michigan, Vice Brian Higgins, New York
Chair Cedric L. Richmond, Louisiana
Patrick Meehan, Pennsylvania William R. Keating, Massachusetts
Jeff Duncan, South Carolina Ron Barber, Arizona
Tom Marino, Pennsylvania Dondald M. Payne, Jr., New Jersey
Jason Chaffetz, Utah Beto O'Rourke, Texas
Steven M. Palazzo, Mississippi Tulsi Gabbard, Hawaii
Lou Barletta, Pennsylvania Filemon Vela, Texas
Chris Stewart, Utah Steven A. Horsford, Nevada
Richard Hudson, North Carolina Eric Swalwell, California
Steve Daines, Montana
Susan W. Brooks, Indiana
Scott Perry, Pennsylvania
Vacancy
Greg Hill, Chief of Staff
Michael Geffroy, Deputy Chief of Staff/Chief Counsel
Michael S. Twinchek, Chief Clerk
I. Lanier Avant, Minority Staff Director
------
SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY
TECHNOLOGIES
Patrick Meehan, Pennsylvania, Chairman
Mike Rogers, Alabama Yvette D. Clarke, New York
Jason Chaffetz, Utah William R. Keating, Massachusetts
Steve Daines, Montana Filemon Vela, Texas
Scott Perry, Pennsylvania Steven A. Horsford, Nevada
Vacancy Bennie G. Thompson, Mississippi
Michael T. McCaul, Texas (ex (ex officio)
officio)
Alex Manning, Subcommittee Staff Director
Dennis Terry, Subcommittee Clerk
C O N T E N T S
----------
Page
Statements
The Honorable Patrick Meehan, a Representative in Congress From
the State of Pennsylvania, and Chairman, Subcommittee on
Cybersecurity, Infrastructure Protection, and Security
Technologies................................................... 1
The Honorable Yvette D. Clarke, a Representative in Congress From
the State of New York, and Ranking Member, Subcommittee on
Cybersecurity, Infrastructure Protection, and Security
Technologies:
Oral Statement................................................. 19
Prepared Statement............................................. 4
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Ranking Member, Committee on
Homeland Security.............................................. 2
Witnesses
Ms. Roberta Stempfley, Acting Assistant Secretary, Office of
Cybersecurity and Communications, U.S. Department of Homeland
Security, Accompanied by Larry Zelvin, Director, National
Cybersecurity and Communications Integration Center, U.S.
Department of Homeland Security:
Oral Statement................................................. 5
Joint Prepared Statement....................................... 8
Mr. Charles K. Edwards, Acting Inspector General, U.S. Department
of Homeland Security:
Oral Statement................................................. 14
Prepared Statement............................................. 16
FACILITATING CYBER THREAT INFORMATION SHARING AND PARTNERING WITH THE
PRIVATE SECTOR TO PROTECT CRITICAL INFRASTRUCTURE: AN ASSESSMENT OF DHS
CAPABILITIES
----------
Thursday, May 16, 2013
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity, Infrastructure Protection,
and Security Technologies,
Washington, DC.
The subcommittee met, pursuant to call, at 9:05 a.m., in
Room 311, Cannon House Office Building, Hon. Patrick Meehan
[Chairman of the subcommittee] presiding.
Present: Representatives Meehan, Clarke, Vela, Horsford,
and Thompson.
Also present: Representative Jackson Lee.
Mr. Meehan. The Committee on Homeland Security Subcommittee
on Cybersecurity, Infrastructure Protection, and Security
Technologies will come to order. The subcommittee is meeting
today to examine the Department of Homeland Security's National
Cyber and Communications Integration Center, better known as
the NCCIC, and its capabilities to protect critical
infrastructure from cyber attack.
I would like to welcome everybody to today's hearing, which
will give Members an opportunity to examine in-depth the work
of the Department and Homeland Security's National
Cybersecurity Communications and Integration Center.
The NCCIC is one of the U.S. Government's key civilian
interfaces with the private sector for cyber-threat information
sharing, incident response, and protecting the U.S. critical
infrastructure. The NCCIC is a collaborative method for Federal
agencies, State and local governmental entities, the private
sector, all to communicate cyber-threat information, analysis,
and prevention methods in real time.
The subcommittee has been crafting a body of work that will
help establish key areas where we can improve the Department's
critical infrastructure protection from cyber attack. We have
examined the threat, particularly from nation states. We have
looked at protecting U.S. citizens from civil liberty
violations. Today we look at the threat mitigation capabilities
at the Department of Homeland Security.
The director of the National Intelligence, James Clapper,
testified before Congress this year, stating that cyber is the
No. 1 National security threat facing our country. On March 12,
Director Clapper stated, and I quote: ``We assess that highly
networked business practices and information technology are
providing opportunities for foreign intelligence and security
services, trusted insiders, hackers, and others to target and
collect sensitive United States National security and economic
data.''
In addition, the director for the National Security Agency,
General Keith Alexander, has said that cyber espionage has
caused the ``greatest transfer of wealth in history.''
Our Nation is in a new era and our security is no longer
protected by oceans and borders. Indeed, American achievement
in the 21st Century will be intricately tied to our ability to
secure our networks, primarily our critical infrastructure
networks.
While our military protects our Nation from foreign
adversaries, the security of our critical infrastructure--our
economy, our roads and bridges, domestic energy, water and
public utility systems--must be a collaborative effort between
the private sector, the local, State, and Federal Government.
We need a civilian agency to facilitate this partnership, and
that agency is the Department of Homeland Security.
Today's hearing will give us an opportunity to hear from
our expert panel regarding ways the NCCIC currently brings a
collaborative, National response to cybersecurity. Our capacity
within the Committee on Homeland Security is to provide proper
oversight to ensure that the NCCIC is functioning properly and
is capable of leading in the protection of Federal agencies in
cyberspace; it is capable of partnering with critical
infrastructure owners and operators to share information and
reduce risk; and providing the necessary intelligence elements
to assure that State and local critical infrastructure
operators are mitigating cyber threats and, I would add,
responding appropriately in the aftermath of any kind of
activity.
I am looking forward to hearing from our witnesses,
particularly in areas that will help the committee as
legislators strengthen the Department's capabilities.
We must examine ways to encourage increased participation
from owners and operators of critical infrastructure, many of
those--most of it--in the private sector. We need to ensure the
Department is successfully disseminating threat data with other
Federal agencies--in particularly, the Department of Justice
and Defense. Most importantly, we must make sure that there are
sufficient privacy protections in place to ensure that the
Department is able to anonymize data for both personally
identifiable information and stakeholder identifiable
information.
I look forward to hearing from our panel.
The Chairman now recognizes the Ranking Member of the
overall Committee on Homeland Security, Mr. Thompson.
Mr. Thompson. Thank you, Mr. Chairman. Thank you for
holding today's hearing.
I also want to thank the witnesses for testifying here
today.
Over the past few years the cybersecurity mission of the
Department of Homeland Security has undergone an unprecedented
expansion in funding and a change in organizational structure.
Today I look forward to hearing the testimony from some of the
officials responsible for implementing these expanded programs
and activities and overseeing the change in the organizational
structure and culture.
I also look forward to hearing about how these changes will
assist DHS in its efforts to become, in perception and reality,
the civilian lead for cybersecurity in the Federal sector.
Though once in doubt, it now appears that DHS is bringing
together the necessary elements to solidify its leadership
role.
In support of these efforts, last month Chairman McCaul and
I sponsored an amendment to cyber information-sharing
legislation, CISPA, that would establish a center within DHS as
the Federal hub for information sharing. I hope this amendment
sent a clear signal that any cybersecurity legislation passed
by Congress during this session should have a strong role for
DHS as a Federal leader in areas where Government and the
private sector must work together to prevent cyber attacks and
mitigate their impacts.
Today, I want to hear more about DHS's human capital
resources. It is my understanding that DHS, like all Federal
agencies, is suffering from a shortage of cyber personnel.
As DHS works to ensure its role as a Federal lead for
domestic cybersecurity, we cannot ignore our Nation's ability
to prepare for, respond to, and recover from advanced cyber
threats in a forward-looking endeavor that cannot succeed
without sufficient, qualified personnel. We cannot rely on
other countries to develop our cyber workforce.
While we cannot predict what cyber threats may occur, we
can certainly be prepared and be ready. Be prepared and be
ready is a philosophy DHS encourages the public to adopt for
natural disasters. Yes, when the oncoming disaster may be a
man-made cyber threat, the Department seems to have adopted a
``let tomorrow take care of itself'' philosophy. Surely this is
not acceptable.
DHS must adopt a preparedness philosophy in all aspects of
its work. In the world of cyber threats, a part of preparation
must be capacity-building programs that include education,
outreach, and awareness initiatives.
This year, as hundreds of millions of dollars are poured
into Einstein and continuous diagnostic programs, the
administration's budget request slashed funding for National
initiative for cybersecurity education by $4.8 million, cutting
the program by one-third. These cuts will delay efforts to
provide cyber outreach and education to 1.7 million high school
students.
We cannot continue to complain about the lack of skilled
cybersecurity professionals in the American workforce if we are
willing to allow DHS to cut the funding it uses to develop the
cyber workforce. Again, let me say: We cannot rely on other
countries to develop our cyber workforce.
Mr. Chairman, I look forward to hearing from the witnesses
and hope that we can work together to restore this funding and
ensure that DHS is properly building a defense-in-depth
strategy to protect the Nation far into the future.
I yield back.
Mr. Meehan. Let me thank the gentleman from Mississippi.
Let me also let the other Members of the committee
appreciate that opening statements may be submitted for the
record, and we are pleased today to have a distinguished panel
of witnesses before us on this very, very important topic.
[The statement of Ranking Member Clarke follows:]
Statement of Ranking Member Yvette D. Clarke
May 16, 2013
After a significant expansion of the Department of Homeland
Security's cybersecurity mission and programs, beginning in fiscal year
2012, I am glad that we are finally holding a hearing to look at these
programs in depth and to assess the progress of the Department in
carrying out that mission.
This is the subcommittee's third hearing on cybersecurity this
Congress--first, we held a hearing on the threats in cyberspace to our
critical infrastructure from state and non-state actors. Next, we
learned about how DHS protects the privacy of our citizens in
cyberspace.
And with that background in place, today we will hear from the
witnesses about whether the Department has the people, programs, and
resources in place to successfully address the significant cyber
threats to our critical infrastructure while protecting privacy. It is
high time that our subcommittee takes a closer look at these programs,
some of which did not even exist just a few years ago.
The continuous diagnostics and EINSTEIN programs, in particular,
have undergone rapid expansion, and I am pleased that the Department is
fulfilling its role as the protector of the dot-gov domain, with the
resources to match. But though these Federal network security programs
get the majority of the funding and attention, I believe the
Department's responsibilities for protecting critical infrastructure,
most of which is found in the private sector, is equally important.
For this reason, I am particularly pleased that we are joined by
Deputy Inspector General Charles Edwards, who can discuss recent work
done by the OIG to assess the progress that ICS-CERT has made to brand
itself as the Cyber 9-1-1 for critical infrastructure before, during,
and after cyber incidents.
ICS-CERT, recently incorporated as an operational arm of the NCCIC,
has done great work in mitigating cyber risks to critical
infrastructure, and I look forward to learning more about this mission
and the challenges that still remain to share information with the
private sector quickly and efficiently.
Finally, I want to register my concerns over the continuing drain
of senior cybersecurity leadership at the Department, a trend that has
gotten particularly bad in the last 6 months, with the departures of
the assistant secretary and the deputy under secretary.
We have been hearing about the difficulties DHS faces in attracting
and retaining skilled junior and mid-level cyber employees for a long
time, but what does it say about the Department's cyber organization
when it cannot retain its senior leaders, either? Rumors are
circulating about future replacements for these losses, and I am sure
DHS would like to make a splash with these appointments, getting
leaders who command respect in the information security and critical
infrastructure worlds. But most of all, DHS needs to find leaders who
believe in the mission and will stay on board as a steady hand on the
wheel during this period of immense expansion and evolution of our
cybersecurity efforts.
As part of this process, I believe DHS needs to do some soul-
searching and identify why their senior officials have been leaving,
and if changes need to be made to ensure future leaders will be more
empowered to do their job, I expect that the Department will do so. I
hope to work with the Department in this endeavor to guarantee that the
vital cybersecurity mission gets the leadership it needs.
Mr. Meehan. I have had the chance to visit the NCCIC and to
see the great work that is done there, and to listen first-hand
to the explanation of what they do, and as a result, it is a
great privilege for us today to have the people who are at the
front end of that.
First, Ms. Roberta Stempfley is the acting assistant
secretary of the Office of Cybersecurity and Communications,
where she plays a leading role in developing the strategic
direction of the cyber communications and security. A lot of
the problem is you have got to figure out all of these letters
in operating things, but it oversees five strategic divisions.
She has previously served as the deputy assistant secretary
for the CS&C and as the director of the National Cybersecurity
Division. Prior her to work at the CS&C, Ms. Stempfley served
as the chief information officer for the Defense Information
Systems Agency, where she was responsible for supporting the
director in decision making, strategy development, and
communication, and management of information technology
resources at that agency.
Mr. Larry Zelvin is the director of the National
Cybersecurity and Communications Integration Center, the NCCIC,
which is housed at the Department of Homeland Security. The
NCCIC is comprised of several components, including the U.S.
Computer Emergency Readiness team, the National Coordination
Center for Telecommunications, the Industrial Control Systems
Cyber Emergency Response team, and a 24/7 operations center.
Mr. Zelvin is a retired U.S. Navy captain and naval aviator
with 26 years of active service.
Mr. Charles Edwards is the deputy inspector general of the
Department of Homeland Security. Mr. Edwards is the head of the
Office of Inspector General, a role he first attained when
named acting inspector general in February 2011. Mr. Edwards
has over 20 years of experience in the Federal Government and
has held leadership positions at several agencies, including
the TSA, United States Postal Office, Inspector--the Office of
the Inspector General, and the United States Postal Service.
The witnesses' full written statements appear in the
record, and I know that Ms. Stempfley and Mr. Zelvin have
offered a joint statement.
So the Chairman now recognizes Ms. Stempfley for 5 minutes
to testify, but I do want you to make sure that you hit the
important points you have in your testimony. So thank you, Ms.
Stempfley. The Chairman now recognizes you for your testimony.
STATEMENT OF ROBERTA STEMPFLEY, ACTING ASSISTANT SECRETARY,
OFFICE OF CYBERSECURITY AND COMMUNICATIONS, U.S. DEPARTMENT OF
HOMELAND SECURITY, ACCOMPANIED BY LARRY ZELVIN, DIRECTOR,
NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER,
U.S. DEPARTMENT OF HOMELAND SECURITY
Ms. Stempfley. Thank you very much, Chairman Meehan,
Ranking Member Thompson, and distinguished Members of the
committee. I appreciate the time you have taken today and it is
certainly our pleasure to appear before you to discuss the
Department of Homeland Security's National Cybersecurity and
Communications Integration Center and its role in protecting
critical infrastructure from cyber attacks, securing our
Federal networks, and coordinating cybersecurity information
sharing with the private sector.
Before I begin, I want to thank you for your leadership,
sir--Mr. Thompson commented in his opening statement, as well--
during the recent legislation debate over the Cyber
Intelligence Sharing and Protection Act, and especially in
supporting the passing of that amendment designating DHS as the
lead civil Federal entity to receive cyber threat information.
Cybersecurity puts the confidentiality, integrity, and
availability of critical services at risk. DHS, along with its
Government and private-sector partners, work to counter these
threats while supporting a cyber ecosystem that is open,
transparent, and less vulnerable to manipulation. The NCCIC
supports this effort by providing comprehensive and robust
information sharing, incident response, technical assistance,
and analysis capabilities to and with our private sector,
Government, and international partners. While coordinating with
these partners, our goal is to ensure that privacy,
confidentiality, civil rights, and civil liberties are not
diminished by our security initiatives.
The Department's transparency and public accountability
allow us to act as a pipeline to get cyber threat information
in the hands of critical infrastructure owners and operators.
We are able to share experiences and trends with law
enforcement and intelligence communities while preventing
malicious actors from gaining access to sensitive sources and
methods.
Within DHS's National Protection and Programs Directorate,
the Office of Cybersecurity and Communications focuses on
managing the risk to communications and information technology
infrastructures and the sectors that depend on them. Our role
is to enable timely response and recovery of these
infrastructures under all circumstances.
The Department manages and facilitates cybersecurity
information-sharing efforts, analysis, and incident response
activities through the NCCIC. It is a round-the-clock
organization where Government, private-sector, and
international partners work together towards a whole-of-Nation
approach to address cybersecurity and communications issues at
the operational level.
We thank those of you who have come out for a tour and
invite those who have yet to to do so to come and see the
center in operation, with our private-sector partners shoulder-
to-shoulder with us in the capabilities.
The NCCIC has experienced over the last year a 68 percent
increase from 2011 to 2012 in incidents reported. In 2012 we
received 190,000 cyber incidents reported to the NCCIC.
Recently we have been working with the Departments of
State, Justice, Treasury, and other interagency partners as
well as our industry partners, such as the Financial Services
Information Sharing and Analysis Center, to respond to the
series of denial-of-service attacks against our financial
services industry that have occurred over the past few months.
US-CERT has worked, along with the FBI and other interagency
partners, to provide technical data, on-site assistance,
classified and unclassified briefings in order to help
financial institutions and their information technology service
providers improve their defensive capabilities.
In addition to sharing with the private-sector entities, we
have provided this information to over 120 international
partners, many of whom have contributed to the mitigation
efforts. These efforts have not only helped financial
institutions blunt the impact of these attacks, but have helped
the industry develop new strategies that DHS is sharing with
other sectors of critical infrastructure should they face
similar attacks.
The Industrial Control Systems Computer Emergency
Response--Cyber Emergency Response Team's mission is to reduce
the risk to the Nation's critical infrastructure and the
control systems that operate within it by strengthening those
control systems. We have responded to almost 200 incidents over
the last year with 89 on-site visits and 15 teams deployed
jointly with the US-CERT to assist in significant private-
sector engagements.
In March 2012, the Control Systems--the ICS-CERT identified
a campaign of cyber intrusions targeting natural gas pipeline
sector with spear phishing e-mails that dated back to December
2011. Responding quickly, we immediately began an action
campaign with the Department of Energy and other partners to
conduct classified and unclassified briefings across the
country providing warnings and mitigation. These entities have
been very--have benefitted from this rapid information sharing.
The third entity in the NCCIC is the National Coordination
Center for Telecommunications. It leads and coordinates
initiation, restoration, and reconstitution of National
security emergency preparedness telecommunication services
under all conditions.
It has recently collaborated with industry in response to
Hurricane Sandy, which enhanced wireless coverage to emergency
responders providing emergency services to the 33,400 citizens
in Long Beach, New York, the 1.4 million citizens in Nassau
County, and the 130,000 citizens in faraway Queens. Their
effort supported the recovery of communications to the U.S.
financial sector by coordinating fuel and power restoration to
key facilities in New York City, ensuring no impact to
international financial trading.
The Department's efforts to protect critical infrastructure
are enhanced by the recently-issued cybersecurity Executive
Order and Presidential Policy Directive on critical
infrastructure security and resilience. Both of these documents
improve the NCCIC's ability to execute its mission in support
of the private sector by strengthening and securing the
resilience of critical infrastructure, increasing the role of
cybersecurity and securing physical assets, and expanding the
coordination and information sharing with critical
infrastructure partners.
The Executive Order also supports DHS's strong privacy and
civil liberty goals by reinforcing those protections and their
incorporation in every aspect of our cybersecurity efforts. The
Department believes, however, that the comprehensive suite of
cybersecurity legislation is still an essential to improving
the Nation's cybersecurity and we are pleased that the
administration will continue to work with Congress to achieve
this.
Thank you so much for your support and continued attention
to this critical issue, and I look forward to your questions.
[The joint prepared statement of Ms. Stempfley and Mr.
Zelvin follows:]
Joint Prepared Statement of Roberta Stempfley and Lawrence Zelvin
May 16, 2013
introduction
Chairman Meehan, Ranking Member Clarke, and distinguished Members
of the committee, it is a pleasure to appear before you today to
discuss the Department of Homeland Security's (DHS) National
Cybersecurity and Communications Integration Center (NCCIC).
Specifically, I will discuss the NCCIC's role, responsibilities, and
future planning to protect our Nation's critical infrastructure from
cyber attacks, secure Federal networks, and coordinate private-sector
cyber-threat information sharing.
Before I begin, I would like to thank the committee for its
leadership during the recent legislative debate over the Cyber
Intelligence Sharing and Protection Act, especially in support of
passing an amendment to designate DHS as the lead civilian Federal
entity to receive cyber threat information. Cybersecurity threats put
the confidentiality, integrity, and availability of critical services
at risk. DHS, along with its Government and private-sector partners,
works to counter these threats while supporting a cyber ecosystem that
is open, transparent, and less vulnerable to manipulation. The NCCIC
supports this effort by providing comprehensive and robust information
sharing, incident response, technical assistance, and analysis
capabilities to private-sector, Government, and international partners.
current threat landscape
Cyberspace is woven into the fabric of our daily lives. According
to recent estimates, this global network of networks encompasses more
than 2 billion people with at least 12 billion computers and devices,
including global positioning systems, mobile phones, satellites, data
routers, ordinary desktop computers, and industrial control computers
that run power plants, water systems, and more. While this increased
connectivity has led to significant transformations and advances across
our country--and around the world--it also has increased the importance
and complexity of our shared risk. Our daily life, economic vitality,
and National security depend on cyberspace. A vast array of
interdependent IT networks, systems, services, and resources are
critical to communicating, traveling, powering our homes, running our
economy, and obtaining Government services. No country, industry,
community, or individual is immune to cyber risks.
The United States confronts a dangerous combination of known and
unknown vulnerabilities in cyberspace and strong and rapidly expanding
adversary capabilities. Cyber crime also has increased significantly
over the last decade. Sensitive information is routinely stolen from
private-sector and Government networks, undermining the integrity of
the data contained within these systems. The Department currently sees
malicious cyber activity from foreign nations and non-state actors
engaged in intellectual property theft and information operations,
terrorists, organized crime, and insiders. Their methods range from
distributed denial of service (DDoS) attacks and social engineering to
viruses and other malware introduced through remote access, thumb
drives, supply chain exploitation, and leveraging trusted insiders'
access.
The Department has seen motivations for attacks vary from
intellectual property theft to criminals seeking financial gain and
hackers who may seek bragging rights in the hacker community.
Industrial control systems also are targeted by a variety of malicious
actors who may have intentions to damage equipment and facilities or
steal data. Foreign actors also are targeting intellectual property
with the goal of stealing trade secrets or other sensitive corporate
data from U.S. companies in order to gain an unfair competitive
advantage in the global market.
Successful response to dynamic cyber threats requires leveraging
homeland security, law enforcement, and military authorities and
capabilities, which respectively provide for domestic preparedness,
criminal deterrence and investigation, and National defense. DHS, the
Department of Justice (DOJ), and the Department of Defense (DOD) each
play a key role in responding to cybersecurity incidents that pose a
risk to the United States. To achieve a whole-of-Government response,
DHS, DOJ, and DOD coordinate continuously to effectively respond to
specific incidents. While each agency operates within the parameters of
its authorities, the U.S. Government's response to cyber incidents of
consequence is coordinated among these three agencies such that ``a
call to one is a call to all.''
nccic's cybersecurity mission
DHS coordinates the overall Federal effort to promote the security
and resilience of the Nation's critical infrastructure by ensuring
maximum coordination and partnership with the private sector while
ensuring that privacy, confidentiality, and civil rights and civil
liberties are not diminished by its security initiatives. Accordingly,
the Department has implemented rigorous privacy and civil rights and
civil liberties standards, which apply to all of its cybersecurity
programs and initiatives. In order to protect privacy while
safeguarding and securing cyberspace, DHS institutes layered privacy
responsibilities throughout the Department, embeds fair information
practice principles into cybersecurity programs and privacy compliance
efforts, and fosters collaboration with cybersecurity partners.
Within DHS's National Protection and Programs Directorate (NPPD),
the Office of Cybersecurity and Communications (CS&C) focuses on
managing risk to the communications and information technology
infrastructures and the sectors that depend upon them, as well as
enabling timely response and recovery of these infrastructures under
all circumstances. CS&C executes its mission by supporting 24�7
information sharing, analysis, and incident response; facilitating
interoperable emergency communications; advancing technology solutions
for private and public-sector partners; providing tools and
capabilities to ensure the security of Federal civilian executive
branch networks; and engaging in strategic-level coordination for the
Department with private-sector organizations on cybersecurity and
communications issues.
To better manage and facilitate cybersecurity information-sharing
efforts, analysis, and incident response activities, the Department
established the NCCIC, a round-the-clock information sharing, analysis,
and incident response center where Government, private-sector, and
international partners all work together. The NCCIC is comprised of
four branches: The United States Computer Emergency Readiness Team (US-
CERT), the Industrial Control Systems Cyber Emergency Response Team
(ICS-CERT), the National Coordinating Center for Telecommunications
(NCC), and Operations Integration (O&I). As mutually-supporting and
integrated elements of the NCCIC, these branches provide the unique
authorities, capabilities, and partnerships needed to drive a whole-of-
Nation approach to addressing cybersecurity and communications issues
at the operational level.
US-CERT provides advanced information sharing, incident
response, and analysis expertise for malicious cyber activity
targeting private-sector and Government networks. US-CERT's
global partnerships allow it to work directly with analysts
from across multiple sectors and international borders to
develop a comprehensive picture of malicious activity and
mitigation options. US-CERT's mission focuses specifically on
computer network defense, and it is able to apply its full
resources to supporting prevention, protection, mitigation,
response, and recovery efforts.
ICS-CERT reduces risk to the Nation's critical
infrastructure by strengthening the cybersecurity of systems
that operate our Nation's critical infrastructure. It carries
out this mission by performing incident response to support
asset owners with discovery, analysis, and recovery efforts as
well as providing situational awareness through training,
alerts, and advisories to warn of cyber-based threats and
vulnerabilities affecting critical infrastructure assets. In
addition, ICS-CERT conducts assessments and technical analysis
of malware, digital media, system vulnerabilities, and emerging
exploits and partners with the control systems community to
coordinate risk management activities.
NCC leads and coordinates the initiation, restoration, and
reconstitution of the National Security/Emergency Preparedness
(NS/EP) telecommunications services or facilities during any
human-caused or natural event where physical communications
infrastructure is damaged or vulnerable. NCC leverages
partnerships across Government, industry, and international
partners to gain situational awareness and determine priorities
for protection and response. NCC's presence in the NCCIC allows
DHS to synchronize operational processes supporting both the
physical and the virtual components of our Nation's information
and communications technology infrastructure.
O&I applies planning, coordination, and integration
capabilities to synchronize analysis, information sharing, and
incident response efforts, ensuring effective synchronization
across the NCCIC.
strategic goals
The NCCIC works to proactively analyze cybersecurity and
communications threats and vulnerabilities and coordinate their
findings with partners to manage risks to critical systems; create
shared situational awareness among public-sector, private-sector, and
international partners by collaboratively developing and sharing timely
and actionable cybersecurity and communications information; and
rapidly respond to routine and significant cybersecurity and
communications incidents and events to mitigate harmful activity,
manage crisis situations, support recovery efforts, and assure NS/EP.
To accomplish its strategic goals, NCCIC relies on the voluntary
coordination, collaboration, capabilities, and resources of its
partners. The center works closely with those Federal agencies most
responsible for securing the Government's cyber and communications
systems, including the Departments of Treasury and Energy. The NCCIC
also actively engages with the appropriate private-sector entities,
information-sharing and analysis centers, State, local, Tribal, and
territorial governments, and international partners. As integral parts
of the cyberspace and communications community, these groups work
together to protect the portions of critical information technology
that they interact with, operate, manage, or own. These groups of
stakeholders represent natural communities of practice providing the
foundation for effective information sharing and response.
Threat Analysis
NCCIC collaborates with private-sector, Government, and
international partners to identify, research, and verify suspicious,
malicious, or potentially harmful cybersecurity and communications
activity, events, or incidents. For example, US-CERT operates NCCIC's
Advanced Malware Analysis Center, which receives malware samples and
other potentially malicious files from around the world. The Advanced
Malware Analysis Center analyzes those files, shares that analysis
broadly to alert partners to malicious activity, and provides them with
actionable indicators and recommendations to improve their ability to
protect themselves.
By understanding the nature of attacks, vulnerabilities, and risks,
NCCIC is able to determine possible impacts, set priorities, and
proactively develop and share effective mitigation strategies. NCCIC
strives to anticipate potentially harmful activity and provide
actionable alert and warning information to partners before they are
impacted. NCCIC's analysis efforts, whether focused on a new piece of
malware or a tropical storm with the potential to damage critical
communications systems, contribute directly to its information sharing,
response, and protection and prevention capabilities.
Situational Awareness
The success of the NCCIC's mission is heavily reliant on its
ability to establish shared situational awareness of potentially
harmful activity, events, or incidents across multiple constituencies
to improve the ability of diverse and distributed partners to protect
themselves. To do this, NCCIC integrates analysis and data received
through its own analysis, intelligence community and law enforcement
reporting, and data shared by private-sector and international partners
into a comprehensive series of actionable information products, which
are shared with partners in easy-to-digest machine-readable formats.
Multidirectional sharing of alerts, warnings, analysis products,
and mitigation recommendations among Federal, State, local, Tribal, and
territorial governments, private sector, including information sharing
and analysis centers, and international partners is a key element of
NCCIC's cyber and communications protection and prevention framework.
The NCCIC continuously works with a broad range of partners to explore
and innovate new ways to enhance information sharing and move closer to
network speed communications.
Rapid Response
The NCCIC applies the collective capabilities of its partners and
constituents to identify, prioritize, and escalate confirmed
cybersecurity incidents in order to minimize impacts to critical
information infrastructure. To ensure a 24�7 capability, NCCIC
maintains cross-functional incident response teams, which draw from the
capabilities of NCCIC's branches, along with expertise from elsewhere
in DHS such as the United States Secret Service (USSS) and Immigration
and Customs Enforcement (ICE). Working under a voluntary request for
technical assistance, these incident response teams analyze malware,
review network logs, and assess security posture to identify possible
malicious activity, its impacts, as well as mitigation and recovery
options.
Recognizing the possibility of a cyber incident with physical
impacts or a physical incident with cyber implications, NCCIC works
increasingly closely with NPPD's National Infrastructure Coordinating
Center (NICC). This collaboration, directed by Presidential Policy
Directive 21 (PPD-21), helps to ensure strong synchronization between
DHS's infrastructure protection efforts in both the cyber and physical
realms. In addition, the NCCIC assists in the initiation, coordination,
restoration, and reconstitution of the NS/EP telecommunications
services or facilities under all conditions, crises, or emergencies
including executing Emergency Support Function 2--Communications
responsibilities under the National Response Framework.
These efforts provide a whole-of-Nation approach to incident
response, efficiently and effectively leveraging capabilities from
across DHS's partner base while implementing key policies.
protecting critical infrastructure
Protecting critical infrastructure against growing and evolving
cyber threats requires a layered approach. DHS actively collaborates
with public and private-sector partners every day to improve the
security and resilience of critical infrastructure while responding to
and mitigating the impacts of attempted disruptions to the Nation's
critical cyber and communications networks and to reduce adverse
impacts on critical network systems.
DHS coordinates the National protection, prevention, mitigation,
and recovery from cyber incidents and works regularly with business
owners and operators to take steps to strengthen their facilities and
communities, and through collaboration between the NCCIC and the NICC,
integrates efforts across the physical and cyber domains. The
Department also conducts on-site risk assessments of critical
infrastructure and shares risk and threat information with State,
local, and private-sector partners. NCCIC enhances situational
awareness among stakeholders, including those at the State and local
level, as well as industrial control system owners and operators, by
providing critical cyber threat, vulnerability, and mitigation data.
These efforts provide unique value to private-sector partners by
integrating data from companies and industries that might not normally
communicate.
In 2011, DHS launched the Cyber Information Sharing and
Collaboration Program (CISCP), which is specifically designed to
elevate the cyber awareness of all critical infrastructure sectors
through close and timely cyber threat information sharing and direct
analytical exchange. Through the CISCP, participating private-sector
partners are able to share data directly with Government. When
requested, these datasets are covered by the Protected Critical
Infrastructure Information (PCII) program, which protects the name of
the company that shared the information from disclosure through Freedom
of Information Act requests, regulatory processes, civil litigation,
and other sunshine law requirements. Submitted datasets are analyzed in
the context of other data received from across sectors, and based on
this analysis regular analytical products are shared back out with
partners. CISCP has signed 40 Cooperative Research and Development
Agreements (CRADAs), and is in the process of finalizing agreements
with 66 additional entities to formalize a streamlined information-
sharing process. Since December 2011, CISCP has released over 900
products containing approximately 18,000 cyber threat indicators, which
are based on information the Department has gleaned from participant
submissions, open-source research, and from sensitive Government
information.
NCCIC has also benefited from close collaboration with the USSS and
ICE, which have complementary jurisdiction over the investigation of
computer crime violations that they exercise to protect the Nation's
leaders and critical infrastructure and strategically target
transnational organized criminals who are exploiting the financial
system through cybercrimes. By working closely together, NCCIC and its
law enforcement partners are able to leverage each organization's
expertise and unique authorities to more effectively and efficiently
execute DHS's cybersecurity mission.
responding to cyber threats
As the civilian Department at the intersection of public-private
information sharing, DHS is a focal point for coordinating
cybersecurity information sharing with the private sector, the
Department engages with owners and operators, based on their requests
for technical assistance, by providing on-site analysis, mitigation
support, and assessment assistance. The Department has repeatedly
demonstrated its ability to expeditiously support private-sector
partners with cyber intrusion mitigation and incident response.
Initiating technical assistance with any private company to provide
analysis and mitigation advice is a sensitive endeavor that requires
trust and strict confidentiality. DHS's efforts focus on civilian
computer network defense and protection rather than law enforcement,
military, or intelligence functions in order to mitigate threats to the
networks and reduce future risks.
Since 2009, the NCCIC has responded to nearly half-a-million
incident reports and released more than 26,000 actionable cybersecurity
alerts to the Department's public- and private-sector partners. An
integral player within the NCCIC, the US-CERT also provides response
support and defense against cyber attacks for Federal civilian agency
networks as well as private-sector partners upon request. In 2012, US-
CERT processed approximately 190,000 cyber incidents involving Federal
agencies, critical infrastructure, and the Department's industry
partners. This represents a 68 percent increase from 2011. In addition,
US-CERT issued over 7,455 actionable cyber-alerts in 2012 that were
used by private sector and Government agencies to protect their
systems, and had over 6,400 partners subscribe to the US-CERT portal to
engage in information sharing and receive cyber-threat warning
information.
The Department's ICS-CERT also responded to 177 incidents last year
while completing 89 site assistance visits and deploying 15 teams with
US-CERT to respond to significant private-sector cyber incidents, which
includes analyzing data and sharing results, developing mitigation
recommendations, and providing alerts and warning to potential future
victims. DHS also empowers owners and operators through a cyber self-
evaluation tool, the Cyber Security Evaluation Tool (CSET�), which was
used by over 1,000 companies last year. In addition, DHS provides in-
person and on-line training sessions that focus on network security.
The NCCIC, and its Federal partners, works with the private sector
and international partners in preventing intellectual property theft
with a whole-of-Government approach. For example, the United States
Secret Service--which brings together over 6,000 partners from across
sectors through its 29 domestic Electronic Crimes Task Forces (ECTFs)--
investigates cyber crimes within its jurisdiction, and the United
States Coast Guard contains a component of U.S. Cyber Command and U.S.
Strategic Command for the conduct of military missions. In each case,
DHS focuses not only on responding to the incident at hand, but also on
identifying trends, warning potential victims, and proactively engaging
with partners. DHS, in collaboration with FBI and other partners,
released a series of Joint Indicator Bulletins, containing cyber-threat
indicators to help private-sector partners take action to stop this
activity and protect them from theft of intellectual property, trade
secrets, and sensitive business information.
Most recently, and in close collaboration with interagency partners
as well as industry partners like the Financial Services Information
Sharing and Analysis Center, DHS has been engaged with private-sector
and international partners during the series of DDoS incidents over the
past few months. DHS has provided technical data and assistance,
including identifying hundreds of thousands of DDoS-related IP
addresses and supporting contextual information in order to help
financial institutions and their information technology security
service providers improve their defensive capabilities. In addition to
sharing with these private-sector entities, DHS has provided this
information to over 120 international partners, many of whom have
contributed to our mitigation efforts. DHS, along with the FBI and
other interagency partners, has also deployed on-site technical
assistance to provide in-person support, and has conducted numerous
classified briefings on the nature of the threat and mitigation
strategies to hundreds of financial-sector IT security specialists.
These efforts have helped to increase the U.S. Government's sharing and
coordination efforts internally and with private-sector partners.
Additionally, the mitigation strategies provided have not only helped
financial institutions significantly blunt the impact of these attacks,
but they have also helped the industry develop new strategies of their
own that DHS hopes to share with other sectors of critical
infrastructure to help mitigate similar attacks.
NCCIC's NCC played a vital role in response to Hurricane Sandy
recovery efforts. The NCC, as the coordinator for Emergency Support
Function No. 2 under the National Response Framework, provided a wide
range of communications support in partnership with industry to support
responders, citizens, and industry response and recovery. NCC worked to
improve first-responder actions by assisting in radio network
infrastructure restoration such as microwave connectivity supporting
local fire department dispatch and coordination. They also coordinated
aid to citizens through more than 170 instances of emergency
provisioning of communications installations supporting response
organizations such as the American Red Cross, Army Corps of Engineers,
Social Security Administration, and the Federal Emergency Management
Agency. Collaborating with industry, NCC enhanced wireless coverage to
first responders who provide emergency services to approximately 33,400
citizens in Long Beach, New York; 1,400,000 citizens in Nassau County
and 130,000 citizens in Far Rockaway, Queens. Their efforts also
supported the recovery of communications to the U.S. financial sector
by coordinating fuel and power restoration to a key facility in New
York City, ensuring no impact to international financial trading.
Finally, in March 2012, DHS identified a campaign of cyber
intrusions targeting natural gas pipeline sector companies with spear-
phishing e-mails that dated back to December 2011. The attacks were
highly-targeted, tightly-focused, and well-crafted. Stolen information
could provide an attacker with sensitive knowledge about industrial
control systems, including information that could allow for
unauthorized operation of the systems. While there is no evidence that
anyone has tried to subvert the operation of these industrial control
systems, the intent of the attacker remains unknown. DHS immediately
began an action campaign to alert the oil and natural gas pipeline
sector community of the threat and offered to provide assistance.
Industry partners have been responsive to these threats, and in May and
June 2012, DHS deployed on-site assistance to two of the organizations
targeted in this campaign: An energy company that operates a gas
pipeline in the United States and a manufacturing company who
specializes in producing materials specific to pipeline construction.
DHS also partnered with the Department of Energy and others to conduct
briefings across the country. Over 500 private-sector individuals
attended the classified briefings and hundreds more received
unclassified briefings providing warnings and mitigation strategies.
recent executive actions
As today's physical and cyber infrastructures become increasingly
linked, critical infrastructure and emergency response functions grow
ever more inseparable from the information technology systems that
support them. The Government's role in this effort is to share
information and encourage enhanced security and resilience, while
identifying and addressing gaps not filled by the marketplace. These
policies work in conjunction with Executive Order 13618 of July 6,
2012, Assignment of National Security and Emergency Preparedness
Communications Functions, which improves how the Executive branch
handles NS/EP Communications and ties cyber into emergency response
communications.
In February 2013, President Obama issued EO 13636, as well as PPD-
21 on Critical Infrastructure Security and Resilience, which will work
to strengthen the security and resilience of critical infrastructure
through an updated and overarching National framework that acknowledges
the increased role of cybersecurity in securing physical assets, and
will improve NCCIC's ability to execute its mission in support of the
private sector. The President's actions mark an important milestone in
the Department's on-going efforts to coordinate the National response
to significant cyber incidents while enhancing the efficiency and
effectiveness of our work to strengthen the security and resilience of
critical infrastructure, and these policies will further enable NCCIC's
mission. EO 13636 supports more efficient sharing of cyber-threat
information with the private sector and directs the National Institute
of Standards and Technology to develop a Cybersecurity Framework to
identify and implement better security practices among critical
infrastructure sectors. EO 13636 directs DHS to establish a voluntary
program to promote the adoption of the Cybersecurity Framework in
conjunction with Sector-Specific Agencies and to work with industry to
assist companies in implementing the framework.
EO 13636 also expands the DHS Enhanced Cybersecurity Services (ECS)
program, key aspects of which are operated by the NCCIC. ECS is a
voluntary information-sharing program that assists critical
infrastructure owners and operators to improve protection of their
systems from unauthorized access, exploitation, or data exfiltration.
DHS works with cybersecurity organizations from across the USG to gain
access to a broad range of cyber-threat information. ECS consists of
the operational processes and security oversight required to share
sensitive and classified cyber-threat information with qualified
Commercial Service Providers (CSPs) that will enable them to better
protect their customers who are critical infrastructure entities. CSPs
can deliver approved services to validated critical infrastructure
entities through commercial relationships. The ECS program is not
involved in establishing commercial relationships between CSPs and CI
entities. ECS augments, but does not replace, entities' existing
cybersecurity capabilities. The ECS information-sharing process
protects Critical Infrastructure (CI) entities against cyber threats
that could otherwise harm their systems. ECS program participation is
voluntary and designed to protect Government intelligence, corporate
information security, and the privacy of participants, while enhancing
the security of critical infrastructure. Validated CI entities from all
16 CI sectors are eligible to participate in the ECS program and
receive ECS services from an eligible CSP.
In addition, the Presidential Policy Directive directs the
Executive branch to strengthen our capability to understand and
efficiently share information about how well critical infrastructure
systems are functioning and the consequences of potential failures. It
calls for a comprehensive research and development plan for critical
infrastructure to guide the Government's effort to enhance market-based
innovation. The strategic imperatives in PPD-21 also direct the NCCIC
and the NICC to ``function in an integrated manner and serve as focal
points for critical infrastructure partners to obtain situational
awareness and integrated, actionable information to protect the
physical and cyber aspects of critical infrastructure.'' As such, NPPD
is enhancing the existing coordination of its two critical
infrastructure operations centers, the NCCIC and the NICC.
continuing need for legislation
We continue to believe that carefully-crafted information-sharing
provisions, as part of a comprehensive suite of cybersecurity
legislation, are essential to improve the Nation's cybersecurity to an
acceptable level, and we will continue to work with Congress to achieve
this.
The administration's legislative priorities for the 113th Congress
build upon the President's 2011 Cybersecurity Legislative Proposal and
take into account 2 years of public and Congressional discourse about
how best to improve the Nation's cybersecurity. Congress should enact
legislation to incorporate privacy, confidentiality, and civil
liberties safeguards into all aspects of cybersecurity; strengthen our
critical infrastructure's cybersecurity by further increasing
information sharing and promoting the establishment and adoption of
standards for critical infrastructure; give law enforcement additional
tools to fight crime in the digital age; and create a National Data
Breach Reporting requirement.
conclusion
Set within an environment characterized by a dangerous combination
of known and unknown vulnerabilities, rapidly-evolving adversary
capabilities, and a lack of comprehensive threat and vulnerability
awareness, the cybersecurity mission is truly a National one requiring
broad collaboration. DHS is committed to creating a safe, secure, and
resilient cyber environment while promoting cybersecurity knowledge and
innovation and protecting privacy, confidentiality, civil rights, and
civil liberties in collaboration with its public, private, and
international partners. Thank you for your continued support and
attention to the critical issue of cybersecurity and I look forward to
your questions.
Mr. Meehan. [Off mike.]
One of us thinks we have to get technology as my button to
work.
Thank you, Ms. Stempfley, for your testimony. As I
identified at the outset, Mr. Zelvin joins in that testimony on
behalf of the Department of Homeland Security.
So now the Chairman recognizes Mr. Edwards, Inspector
General's Office of DHS, for your testimony.
STATEMENT OF CHARLES K. EDWARDS, ACTING INSPECTOR GENERAL, U.S.
DEPARTMENT OF HOMELAND SECURITY
Mr. Edwards. Good morning, Chairman Meehan, Ranking Member
Clarke, Ranking Member Thompson, and Members of the
subcommittee. Thank you for the opportunity to discuss DHS
efforts to secure the Nation's industrial control systems. The
majority of information that I will provide is contained in our
February 2013 report, ``DHS Can Make Improvements to Secure
Industrial Control Systems.''
Industrial control systems, or ICS, are systems that manage
and monitor the Nation's critical infrastructure and key
resources, or CIKR. ICS are increasingly under attack by a
variety of malicious sources, ranking from hackers looking for
attention and reputation to sophisticated nation states intent
on damaging equipment and facilities, disgruntled employees, or
competitors.
Successful attacks on ICS can give malicious users direct
control of operational systems, creating the potential for
large-scale power outages or man-made environmental disasters
and can cause physical damage, loss of life, and other
cascading effects.
DHS has strengthened the security of ICS by addressing the
need to share critical cybersecurity information, analysis
vulnerabilities, verify emerging threats, and disseminate
mitigation strategies. DHS has taken a number of actions to
improve ICS security and foster better partnership within
Federal and private sectors.
For example, DHS has established the ICS-CERT Incident
Response Team, also known as the fly-away team, to support the
public and private sectors through on-site and remote incident
response services on a variety of cyber threats. DHS has
improved the quality of its alerts and bulletins by including
actionable information regarding vulnerabilities and
recommended mitigations and best practices for securing ICS.
Finally, the Department has strengthened its outreach efforts
with the ICS community, including vendors, owners, operators,
and academic community and other Federal agencies.
Although DHS has made improvements, more needs to be done
to reduce the cybersecurity risks for the Nation's ICS. Many of
the private-sector partners we interviewed use portals such as
the Homeland Security Information Network, or HSIN, to retrieve
advisories, vulnerability information, and best practices.
There are 55 communities of interest on the HSIC Critical
Sectors portal intended to facilitate communication and
collaboration among all CIKR sectors and the Federal
Government.
However, DHS does not have a consolidated summary overview
page on the HSIN Critical Sectors portal that highlights new
information and activities to ensure that ICS cybersecurity
information is shared effectively. As a result, the content of
each of the CIKR sectors must be searched individually for
pertinent and updated information. These searches can be time-
consuming for the stakeholders.
In addition, all the sector-specific agencies senior
officials that we interviewed expressed a need to be notified
in advance when ICS-CERT is performing on-site or remote
technical assistant assessments with private companies within
their sectors. For example, these officials suggested that ICS-
CERT publish a heads-up or a quick anonymous informational
alert regarding an on-going investigative or pending event,
sectors and devices affected, and whether a potential fix
exists. Such notification would be helpful and would allow them
to react more accordingly if other companies call them with
questions.
Overall, officials acknowledge that DHS had improved the
quality of alerts and bulletins that address various cyber
topics. However, they expressed concern regarding the
timeliness of ICS-CERT's information sharing and
communications. ICS-CERT management acknowledged that sector-
specific agencies, councils, and private sectors concerning
regarding the sharing of active incidents and threats, such as
identified cyber intrusions and spear phishing e-mails.
However, proprietary information and on-going law
enforcement investigations sometimes limit the amount of
information ICS-CERT can disseminate. The report included two
recommendations and NPPD concurred with both.
Mr. Chairman, this concludes my prepared remarks, and I
would be happy to answer any questions that you or the Members
may have.
Thank you.
[The prepared statement of Mr. Edwards follows:]
Prepared Statement of Charles K. Edwards
May 16, 2013
Good morning Chairman Meehan, Ranking Member Clarke, and Members of
the subcommittee: Thank you for the opportunity to discuss DHS' efforts
to secure the Nation's industrial control systems. The majority of
information that I will provide today is contained in our February 2013
report, DHS Can Make Improvements to Secure Industrial Control Systems
(OIG-13-39).
Industrial control systems (ICS) are systems that include
supervisory control and data acquisition, process control, and
distributed control that manage and monitor the Nation's critical
infrastructure and key resources (CIKR).\1\ ICS are an integral part of
our Nation, and help facilitate operations in vital sectors. Beginning
in 1990, companies began connecting their operational ICS with
enterprise systems that are connected to the internet. This allowed
access to new and more efficient methods of communication, as well as
more robust data, and gain quicker time to market and interoperability.
However, security for ICS was inherently weak because it allowed remote
control of processes and exposed ICS to cybersecurity risks that could
be exploited over the internet. As a result, ICS are increasingly under
attack by a variety of malicious sources. These attacks range from
hackers looking for attention and notoriety to sophisticated nation-
states intent on damaging equipment and facilities, disgruntled
employees, competitors, and even personnel who inadvertently bring
malware into the workplace by inserting an infected flash drive into a
computer. A recent survey revealed that a majority of the companies in
the energy sector had experienced cyber attacks, and about 55 percent
of these attacks targeted ICS. These attacks involved large-scale
denial-of-service and network infiltrations. Successful attacks on ICS
can give malicious users direct control of operational systems,
creating the potential for large-scale power outages or man-made
environmental disasters and cause physical damage, loss of life, and
other cascading effects that could disrupt services.
---------------------------------------------------------------------------
\1\ There are 18 CIKR sectors: Agriculture and Food, Banking and
Finance, Chemical, Commercial Facilities, Communications, Critical
Manufacturing, Dams, Defense Industrial Base, Emergency Services,
Energy, Government Facilities, Healthcare and Public Health,
Information Technology, National Monuments and Icons, Nuclear Reactors,
Material and Waste, Postal and Shipping, Transportation Systems, and
Water.
---------------------------------------------------------------------------
Some recent cyber attacks have included the following:
In February 2011, the media reported that hackers had stolen
proprietary information worth millions of dollars from the
networks of six energy companies in the United States and
Europe.
In December 2011, a sophisticated threat actor targeted the
oil and natural gas subsector. Affected asset owners across the
sector voluntarily worked with DHS during the investigation.
Throughout 2011, there were reports of spear-phishing via
email in the energy sector; no negative impacts occurred to the
companies' control processes and operations.
In March 2012, an alert was issued regarding phone-based
social engineering attempts at two or more power distribution
companies. The callers attempted to direct the company
personnel to take action to correct a problem that would have
allowed the attacker to gain access to their ICS.
In April 2012, media reported that a Canadian ICS
manufacturing company inadvertently planted a backdoor login
account in its own operating systems, which contain switches
and servers used in mission-critical communications networks
that operate power grids and railway and traffic control
systems. This account could have allowed attackers to access
the devices via the internet.
The Industrial Control Systems--Cyber Emergency Response Team's
(ICS-CERT) operational capabilities focus on the private-sector CIKR
ICS and networks, which is essential to the Department's mission to
protect the Nation's critical infrastructure, particularly against
emerging cyber threats. Additionally, ICS-CERT uses the Request Tracker
Ticketing System to capture analytical and status information regarding
vulnerabilities and incidents. The ticketing system maintains the
incident response team's remote technical assistance and on-site
assessment status and reports. Tickets are color-coded based on age.
The ticketing system notifies the assigned personnel when the status of
a ticket is changed or further action is needed. Additionally, ICS-CERT
coordinates control systems-related security incidents and information
sharing with Federal, State, and local agencies and organizations, as
well as private-sector constituents, including vendors, owners, and
operators of ICS.
ICS-CERT exchanges information with stakeholders via the Homeland
Security Information Network (HSIN)--Critical Sector. The Office of the
Chief Information Officer (OCIO) develops and maintains HSIN and serves
as data governance steward for HSIN policy documents, including the
HSIN Model Charter and HSIN Terms of Service. Although OCIO is the data
steward, the office is not responsible for maintaining the content that
users and communities of interest post to any element of HSIN.\2\ Each
community of interest sponsor is responsible for maintaining and
sharing the content within the community of interest and through the
community of interest shared space.\3\ The administration and
governance of the communities of interest, including creation of
individual sites within the community, is at the discretion of their
sponsors. OCIO works in cooperation with each community of interest to
enforce the rules in the charter and terms of services. OCIO conducts
regular reviews of communities of interest to validate and justify its
purpose, objectives, and operational need. National Protection and
Programs Directorate (NPPD) sponsors and manages the critical sector
communities of interest.
---------------------------------------------------------------------------
\2\ HSIN communities of interest are separate environments wherein
users involved in the same subject matter area or industry may post and
view potentially relevant news and information and use collaborative
tools.
\3\ The HSIN shared space allows authorized stakeholders and
content contributors to publish finished products and relevant
documents that: (1) Have appropriate markings providing sharing
permissions at the document level, and (2) are targeted to an
authorized audience based on their credentials and related community of
interest and system-wide rules for sharing.
---------------------------------------------------------------------------
dhs' progress in improving the security of industrial control systems
We reported that Department needed to improve the security of ICS
and information sharing to enhance program effectiveness. DHS has
strengthened the security of ICS by addressing the need to share
critical cybersecurity information, analyze vulnerabilities, verify
emerging threats, and disseminate mitigation strategies. For example,
DHS has taken the following actions to improve ICS security and foster
better partnerships between the Federal and private sectors:
Establishing ICS-CERT Incident Response Team, also known as
the fly-away teams, to support the public and private sectors
through on-site and remote incident response services on a
variety of cyber threats, ranging from general malicious code
infections to advanced persistent threat intrusions.
Additionally, in March 2012, NPPD released the Cyber Security
Evaluation Tool Version 4.1. The updated tool assists users in
identifying devices connected to their networks, as well as
external connections, by creating a diagram of their systems.
Operating a malware lab that provides testing capabilities
to analyze vulnerabilities and malware threats to control
system environments. The team verifies vulnerabilities for
researchers and vendors, performs impact analysis, and provides
patch validation and testing prior to deployment to the asset-
owner community.
Improving the quality of its alerts and bulletins by
including actionable information regarding vulnerabilities and
recommended mitigations and best practices for securing ICS.
Providing products to the ICS community on a daily, weekly,
monthly, quarterly, and as-needed basis, through email,
website, and portal postings. These products help ICS-CERT to
improve the situational awareness of ICS and provide status
updates of its working groups, articles of interest, and
upcoming events and training.
Implementing a virtual private network solution to allow
NPPD program officials to access program applications and
systems (e.g., the ICS-CERT ticketing system) located at the
Idaho National Laboratory (INL).\4\
---------------------------------------------------------------------------
\4\ A virtual private network is a technology for using the
internet or another intermediate network to connect computers to
isolated remote computer networks that would otherwise be inaccessible.
Users can access resources on remote networks, such as files, printers,
databases, or internal websites.
---------------------------------------------------------------------------
Assisting in developing various roadmaps for the cross-
sector, dams, nuclear, water, and transportation. The road maps
provide vision and framework for mitigating cybersecurity risk
to the wide variety of systems critical to each sector's
operations.
Finally, the Department has strengthened its outreach efforts with
the ICS community, including vendors, owners/operators, academia, and
other Federal agencies. These efforts include participating in the
periodic meetings with the Cross-Sector Cyber Security Working Group;
Government Coordinating Council and Sector Coordinating Council; and
various sector-specific groups.
major challenges
Despite these actions, NPPD still faces challenges in reducing the
cybersecurity risks for the Nation's ICS. Further, NPPD can improve its
efforts to protect and secure control systems that are essential to the
Nation's security and economy. Specifically, ICS-CERT needs to
consolidate its information-sharing and communication efforts with
Sector-Specific Agencies and the private sector to ensure that these
stakeholders are provided with potential ICS threats and
vulnerabilities to mitigate security threats timely. In addition, DHS
needs to improve communications with Sector-Specific Agencies and the
private sector by providing advanced notification of ICS-CERT's remote
technical and on-site incident assessments.
Consolidation of Multiple Information-Sharing Communities of Interest
Many of the private-sector partners we interviewed (e.g., owners/
operators, regulators, and working groups) use the HSIN, ICS-CERT, and
United States Computer Emergency Readiness Team (US-CERT) portals to
retrieve advisories, vulnerability information, and best practices.
There are 55 communities of interest on the HSIN-Critical Sectors
intended to facilitate communication and collaboration among all CIKR
sectors and the Federal Government. However, DHS does not have a
consolidated summary overview page on HSIN-Critical Sectors that
highlights new information and activities to ensure that ICS
cybersecurity information is shared effectively. As a result, the
content for each of the CIKR sectors and must be searched individually
for pertinent and updated information. For example, the Dams, Emergency
Management, and Electricity and Oil and Natural Gas subsector
communities of interest, which are used by companies that belong to
multiple sectors, have to be searched individually and may contain non-
cybersecurity information, such as physical security, emergency
response, and planning. These searches can be time-consuming for the
stakeholders.
Additionally, each community of interest is arranged differently,
making it more cumbersome for the users to retrieve useful information.
For example, some HSIN users told us that the various communities of
interest contain duplicate information. As a result, some Sector-
Specific Agencies want to build additional portals for their
stakeholders to streamline the information DHS provides.
ICS-CERT officials acknowledged that existing communities of
interest could confuse owners/operators. To eliminate duplicate
information from the communities of interest, ICS-CERT created a
subcommittee to address stakeholder concerns regarding the communities
of interest. ICS-CERT officials said that ICS-CERT only contributed
content to the communities of interest and does not have the
responsibility for site set up. However, NPPD plans to hold discussions
with OCIO to determine whether these communities of interest could be
consolidated to better serve stakeholder needs.
We recommended that the Under Secretary, NPPD collaborate with OCIO
to streamline the HSIN portal to ensure that ICS cyber information is
shared effectively.
Advance Notification of Remote Technical and On-site Assessments
All the Sector-Specific Agencies senior officials that we
interviewed expressed a need to be notified in advance when ICS-CERT is
performing on-site or remote technical assistance assessments with
private companies within their sectors. For example, these officials
suggested that ICS-CERT publish a ``heads-up'' or ``quick anonymous''
informational alert regarding an on-going investigative/pending event,
sectors and devices affected, and whether a potential fix exists. The
Sector-Specific Agency officials told us that such notifications would
be helpful and would allow them to react more appropriately if other
companies call them with questions. For example, according to Nuclear
Sector-Specific Agency officials, the Department's Domestic Nuclear
Detection Office sends an email alert to State authorities and its
offices regarding upcoming site visits.
DHS does not communicate timely the results of its remote technical
and on-site assessments to the public. We interviewed officials from
three Sector-Specific Agencies, six Government and private-sector
councils, and 23 private companies from the dams, energy, and nuclear
sectors to evaluate whether ICS-CERT shared sufficient information and
communicated effectively. Overall, these officials acknowledged that
DHS had improved the quality of alerts and bulletins that addressed
various cyber topics. However, they expressed concerns regarding the
timeliness of ICS-CERT's information sharing and communications. As a
result, the stakeholders are concerned that a great deal of time might
elapse until stakeholders were made aware of the same or similar
incident that could affect their systems.
Additionally, both Sector-Specific Agencies and private-sector
officials said that an advance notification would be helpful to
increase dialogue with ICS-CERT on an event or threat that has not been
made public. The private-sector officials suggested that advance
notification can allow them to assist ICS-CERT in developing solutions
and mitigating strategies as well as determining whether an incident is
isolated or systemic.
ICS-CERT management acknowledged the Sector-Specific Agencies',
councils', and private sector's concerns regarding the sharing of
active incidents and threats, such as identified cyber intrusions and
spear-phishing emails. Additionally, ICS-CERT management told us that
the private sector perceives that ICS-CERT has more useful information
available than it is willing to share. However, ICS-CERT management
said that proprietary information and on-going law enforcement
investigations limit the amount of information ICS-CERT can
disseminate. For example, there were instances in which the Federal
Bureau of Investigation was engaged in an on-going investigation and
had withheld sensitive law enforcement information. Additionally, the
protected critical infrastructure information between DHS and the
private-sector owner prohibits ICS-CERT from sharing vulnerability and
malware assessment information.
We recommended that the Under Secretary, NPPD promote collaboration
with Sector-Specific Agencies and private-sector owners/operators by
communicating preliminary technical and on-site assessment results to
address and mitigate potential security threats on ICS.
Mr. Chairman, this concludes my prepared statement. I appreciate
your time and attention and welcome any questions from you or Members
of the subcommittee.
Mr. Meehan. Thank you, Mr. Edwards, for your testimony.
Before we go to the opportunity for my colleagues to
present their questions to you, I am pleased to be joined by
the Ranking Member of our committee, the gentlelady from New
York, and I recognize her now for opening comments that she may
have?
Ms. Clarke. Thank you very much, Mr. Chairman, and thank
you to the Ranking Member and my colleagues.
Mr. Chairman, I want to thank you once again for holding
this morning's hearing. After significant expansion of the
Department of Homeland Security's cybersecurity mission and
programs beginning in fiscal year 2012, I am glad that this
morning we have had the opportunity to examine these programs
and are now able to assess the progress of the Department in
carrying out the mission.
As you are aware, this is the subcommittee's third hearing
on cybersecurity in this Congress. First we held a hearing on
the threats in cyberspace through our critical infrastructure
from state and non-state actors. Next we learned about the
DHS--how DHS protects the privacy of our citizens in
cyberspace. With the background in place, today we have heard
from the witnesses about the Department and has the--about
whether the Department has people, programs, and resources in
place to successfully address the significant cyber threats to
our critical infrastructure while protecting privacy.
It is high time that our subcommittee take a closer look at
these programs, some of which did not even exist just a few
years ago. The continuous diagnostics and Einstein programs in
particular have undergone rapid expansion, and I am pleased
that the Department is fulfilling its role as the protector of
the dot-gov domain with the resources to match.
But though these Federal network security programs get the
majority of the funding and attention, I believe the
Department's responsibilities for protecting critical
infrastructure, most of which is found in the private sector,
is equally important. For this reason, I am particularly
pleased that we have been joined this morning by Deputy
Inspector Charles Edwards and that he has discussed the recent
work done by the OIG to assess the progress that ICS-CERT has
made to brand itself as the cyber 9-1-1 for critical
infrastructure before, during, and after cyber incidents.
ICS-CERT, recently incorporated as an operational arm of
the NCCIC, has done great work in mitigating cyber risks to
critical infrastructure and it was important that we learned
more about this mission and the challenges that still remain to
share information with the private sector quickly and
efficiently.
Finally, I want to register my concerns about the
continuing drain of senior cybersecurity leadership at the
Department, a trend that has gotten particularly bad in the
last 6 months, with the departures of the assistant secretary
and the deputy under secretary. We have been hearing about the
difficulties DHS faces in attracting and retaining skilled
junior and mid-level cyber employees for a long time, but
this--but what does it say about the Department's cyber
organization when it cannot retain its senior leaders as well?
Rumors are circulating about the future replacements of
these losses, and I am sure DHS would like to make a splash
with these appointments, getting leaders who command respect in
information security and critical infrastructure worlds. But
most of all, DHS needs to find leaders who believe in the
mission, that will stay on-board as a steady hand on the wheel
during this period of immense expansion and evolution of our
cybersecurity efforts.
As part of this process, I believe DHS needs to do some
soul searching and identify with why their senior officials
have been leaving. If changes need to be made to ensure future
leaders will be more empowered to do their job, I expect that
the Department will do so. I hope to work with the Department
in this endeavor to guarantee that vital cybersecurity mission
gets the leadership it needs.
Once again, I would like to thank all of you for testifying
before us this morning.
I yield back the balance of my time.
Mr. Meehan. I thank the Ranking Member for her opening
comments.
We are grateful, again, for your presence here today, of
this distinguished panel.
So I now recognize myself for 5 minutes of questioning.
Let me begin by sharing an observation that I believe we in
Congress, and in fact, across the Governmental sector, aren't
doing a good enough job of really alerting the citizens in
general about the true nature and scope of the threat that we
face. We often respond in the aftermath of an incident and
spend time analyzing what we could have done better.
I believe the work that you are doing is not only vital to
the security of our Nation, but you have done some tremendous
things in the form of anticipating and sharing and
communicating.
So please, if I can just ask Mr. Zelvin and Ms. Stempfley,
quickly, what is your assessment of the true nature of the
threat that we face today in the world of cybersecurity?
Ms. Stempfley.
Ms. Stempfley. I had to figure the button out, too.
Thank you very much for the opportunity to answer that
question. As we have all recognized, cyber pervades almost
every facet of our life--we do banking on-line, we do--I renew
my driver's license on-line, our workplace has gone entirely
on-line--and a recognition of that important part that the
cyber landscape plays in this is certainly not something I
think is widely known. So I agree with your point.
We in the Department have been very focused on sharing
actionable information, those threat indicators that can be put
out there, whether it from a criminal source, whether it come
from a hacktivist source, whether it comes from an intelligence
source--putting that in the hands of the people who can do the
most with it. I know Mr. Zelvin will give you very specific
indications of that as he goes through his response to this
question.
But we have to pair that with raising the overall
understanding of the population of the role that cyber plays,
and so some of the other programs that are outside the
technology programs that the Office of Cybersecurity and
Communication has in things like the ``Stop, Think, Connect''
campaign and other broad awareness campaigns will raise that--
serves to raise that awareness so that consumers can understand
what the impact is to them and will live up to some of their
obligations, as well.
Mr. Meehan. Mr. Zelvin, it is consumers, and Ms. Stempfley
focused to some extent on the impact on the everyday American,
but it is much broader than that, is it not, with respect to
the very infrastructure that we have in this Nation, including
our grids and other things of that nature?
Mr. Zelvin. It is, Mr. Chairman. When I look at the
challenge I look at the threats, I look at the victims, and I
look at the mitigation capabilities. So as you look at the
threats, it is as Ms. Stempfley said, it can affect the
individuals.
But there is also nation states. There are also criminal
actors. There are nefarious actors and there are just people
who want to see if they can do it for the sake of doing it.
When you look at the victims, you have companies that are
worth billions of dollars internationally. You have victims
such as my aunt, who called me on a weekend and said, ``Why is
DHS locking my computer and want $400 to unlock it?'' She was a
victim of something called ransomware. Some virus got on and
she couldn't unlock it.
So the victims are very sophisticated or they are an
elderly woman who doesn't understand why her computer isn't
working.
As you look at the mitigation capabilities, they are also
varied. Some companies have magnificent capabilities, and
probably we need the Government to provide information and a
warning of what is happening and some suggestions on what to
do, and then they are off and running and can deal with the
challenges.
Other places, they have no capability. They are not sure
what to do. They are very confused by the threat and they know
it is a problem, but they are not really sure what to do.
In many cases they buy products from the commercial
sector--anti-virus vendors--and hope that can be the solution.
But it many cases it won't as they are stealing personal
identifiable information, potentially financial information.
Mr. Meehan. Would you jump off of that point, because I
think it gets to the heart of what is so important about the
work you do in the NCCIC, and particularly the fact that we
have a moldable--or we have a broad range of capabilities, as
you identified, very sophisticated capacities that not only
rival but probably work in concert with the capacities--the
highest level of capacities that we have in the Government
sector, and I am talking about the banking sector, in some ways
the communication sector and others.
In other places we have systems that are dramatically
behind, and I am talking about things like water systems or
other kinds of municipal authorities, but all of which today
are tied to the internet, and therefore, the operating systems
are capable of being influenced and attacked.
At some point, Mr. Edwards, you have done work into looking
at that.
But, Mr. Zelvin, explain the important role that the NCCIC
plays in being more or less a junction that is able to tie
together the capacity to take the best of what we have and
allow it to be available to support those industries which are
lagging dramatically behind.
Mr. Zelvin. Mr. Chairman, as I look at the--you know, you
mentioned what is it going to take for people to understand
this cyber challenge? I will tell you, there is a variety of
experiences, and those who have been attacked the most are
obviously the most aware and the most prepared, and that, I
think are the financial services sector and the communications
sector and the information technology sector. These are the
folks that are living and breathing attacks on a daily basis
and they are becoming more sophisticated by the day.
There are other sectors, as you mentioned, that haven't had
these attacks. So what we do in the NCCIC is we look across the
16 critical infrastructures and we try and raise the water to
keep all the boats at the same level, if you will.
So we highlight across the sectors. That is, what is
happening in one sector today could be happening in another
sector tomorrow. So we want to increase the awareness.
We are also sharing those mitigation strategies. In some
cases--in many cases--these are things that companies can do
themselves, so we just want to reinforce. There is a friction
within the critical infrastructure because in many cases--I
apologize--the information technology and the security folks,
they are not part of the profit, so--and there is money that
needs to be brought into this solution.
So what we try to do is we tell those that are in the
leadership position to really listen to these security
professionals and really deal with these cyber practices
because they can affect your core businesses.
I would also like to mention that we also work with State,
local, and Tribal, territorial governments. We work with
international partners. There are over 200 countries that we
deal with almost on a weekly basis.
So it is the critical infrastructure, it is our State,
local, Tribal, territorial, it is our Federal Department's
agencies, international, and as I said, the individuals. But
the cyber threat is literally global in nature and we are
trying to make sure we have awareness and help with the
prevention mitigation across the board.
Mr. Meehan. Well, my time is expired but I look forward to
following up on some of that with the second line of questions.
Now the Chairman recognizes the ranking lady from--the
gentlelady from New York, the Ranking Member, Ms. Clarke?
Ms. Clarke. Thank you, Mr. Chairman.
Ms. Stempfley, I wanted to delve into Einstein 3. DHS has
requested large funding increases to build out Einstein 3,
which will help prevent intrusions into civilian Federal
networks. While I am supportive of this program, I am concerned
about the progress of such a large initiative and want to make
sure it is carried out properly to ensure that our Federal
networks are secured and to keep the cost to the taxpayers
down.
A recent report by GCN Magazine raised concerns that
Einstein may be over budget and behind in implementation. For
the record, can you give the subcommittee an update on
Einstein, particularly Einstein 3? What is the schedule for
deploying it at all departments and agencies, and do you expect
there to be cost and time frame overruns?
Ms. Stempfley. Thank you, ma'am.
Einstein 3 is a part of a comprehensive set of capabilities
for perimeter protection known as the National Cybersecurity
Protection System. Just about a year ago we transitioned
Einstein 3 from being a consolidated, Government-provided
hardware and data capability--classified capability to be
deployed at the internet service providers--to one that takes
advantage of the innovation that the internet service providers
can provide into this environment, so that classified
Government information and countermeasures can be deployed in
an environment where the ISPs, who are most knowledgeable of
their own infrastructure and of the ability to transmit
traffic, can absorb that and innovate with the Government in
this environment.
We are pleased to have notified Congress, I believe 5 weeks
ago, of the award of the first of those contracts with
CenturyLink, the first internet service provider, and we are in
process of transitioning Federal departments onto that
capability.
An important piece of information here is that we
transition Federal departments who are using that service
provider. So we are not asking departments to move from
whichever internet service provider provides their connection;
we are employing this protection measure in place within that
mechanism.
So we are targeting those departments who are--whose
service provider is CenturyLink. We are continuing to actively
engage with the other four internet service providers for
contract award in those instances, and that has been
negotiation that is on-going. So we are very happy about that.
We are still on target to reach our final operational
capability in the end of 2015. This transition that we made a
year ago actually moved our final operational capability from
2018 back to 2015, so we saw that as a very beneficial
capability for us to employ this protection across the entire
Federal enterprise.
Ms. Clarke. Fabulous. With that efficiency in time is there
an efficiency in cost, as well?
Ms. Stempfley. As it turned out in the analysis, the cost
was identical between the two transitions within a small
margin. It did not actually save us money but it also did not
cost additional money over the life-cycle cost of the program.
Ms. Clarke. Very well. Thank you for that update.
Mr. Edwards, you released a report just yesterday detailing
serious information security deficiencies at CBP. Is this--a
little point of departure but I think it is critical when we
look at our vulnerabilities.
Some of the--what you outlined in your report is that there
are some poor practices, including computers that were not
locked or not password protected, a failure to require that
employees sign in--or sign nondisclosure agreements for
sensitive systems they received access to. Making matters
worse, many of these issues had been previously identified by
the OIG. Your recommendations based on these findings were
directed to the CBP chief information officer and the DHS chief
information officer but there is no role for the Office of
Cybersecurity Communications within NPPD to play to help the
rest of the Department improve their cyber practices.
Could you give us a little more of a sense of what your
observations and what this level of vulnerability can mean to
the overall cyber environment that we find ourselves in?
Mr. Edwards. Thank you, ma'am.
The report that I released yesterday was in reference to
the CBP I.T. management letter. Part of the financial statement
audit--we use KPMG to do our financial statement audits, and
part of that, we also do the I.T. part of it, we look at the
FISCAM functions. There are five controls that we look at. We
look at security management, access controls, integration
management, segregation of duties, and contingency planning.
So as we go through not only CBP but various different
components, we identified I.T. control weaknesses. Even though
CBP has fixed some of those weaknesses in the previous year
that we identified, there are still additional controls and
weaknesses that we have found that they need to address.
So as, you know, part of the password protection and people
being able to get into the systems, we have found not only in
CBP but other parts of--even when we did within one of the
components within NPPD we found almost a similar situation, so
it is prominent throughout the Department.
So I think sending a guidance to the entire Department on
best practices and, you know, one would think instead of having
a password as ``newuser1'' one would change it as soon as they
are able to log in, and then maintain that, as well. Not, you
know, quite often you find people, you know, writing the
username and password and leaving it under the keyboard and
other places where people can find it.
So the--part of the review, what we did was we looked to,
as the help desk we call up the component that we are doing the
audit on and say, ``I am from the help desk. Can you give me
your username and password?'' and without hesitation people
tend to just give that up.
Ms. Clarke. Mr. Chairman, I know that my time is lapsed
here. I just wanted to add that, you know, we can put all of
the new technologies we want in place but if cyber hygiene has
not become a practice, the vulnerabilities remain perilous to
us.
So I want to thank you for your report.
I yield back the balance--yield back to you, Mr. Chairman.
Mr. Meehan. I thank the gentlelady, and I share that same
observation.
We are hearing--I know it is something you are talking
about across the sector and we have heard testimony that more
than 80 percent of our vulnerabilities could be addressed with
better cyber hygiene. I think that is something--again, we talk
about this process of educating America and the role that they
can play with us. There is more sophisticated things and that
is what you are dealing with, but we need the Nation to join us
in battling the threat by doing better cyber hygiene.
Ms. Clarke. We start with our own agencies, right?
Mr. Meehan. We start with our own agencies, that is right,
by setting the example.
I am very grateful for that testimony, and now the Chairman
recognizes the gentleman from Texas, Mr. Vela, for any
questions he may have.
Mr. Vela. Yes. Yes. On the issue of workforce, can you
begin by explaining to us how your different divisions
interact?
Ms. Stempfley. Thank you, sir.
In the Office of Cybersecurity and Communication we have
five divisions, and those divisions span responsibility from
National security emergency preparedness communications--that
is the Office of Emergency Communications; the Office of
Stakeholder Engagement and Critical Infrastructure Resilience,
which is principally responsible for our outreach efforts, for
our engagement with critical infrastructure to raise their
understanding at a macro level, which is obviously supportive
of the operational role that the NCCIC plays; as well as our
Network Security Deployment Division, which is responsible
primarily for the building and deployment of the--and operation
of the National Cybersecurity Protection System; and finally,
our Federal Network Resilience Division, which is focused on
the dot-gov protections. That is both in terms of direct
interaction with Federal departments and agencies and the
building of the capability that you discussed earlier, the
continuous diagnostics and mitigation capability, which is
focused on the cyber hygiene for the Federal enterprise.
Those five divisions operate together under the Office of
Cybersecurity and Communications. You can see the mutually
supportive role that they pay.
For example, the communications infrastructure is moving to
being I.P.-based. With an I.P.-based communications
infrastructure you bring with it particular risks and
opportunities. The technology awareness mechanisms of that are
shared, then with the Stakeholder Engagement Organization and
the threat information provided from the NCCIC is then
disseminated and distributed.
That data all support the requirements that go into the
National Security--excuse me, the Network Security Deployment
Division, and the Federal--and we want the Federal Government
to be the best example of the right things to do within the
Federal Network Resilience Organization. We realigned this
structure last November, so not quite a year ago. It has been a
very beneficial activity for the Office of Cybersecurity and
Communication.
Within the Department, the deputy secretary chairs a panel
that ensures that we are--excuse me--coordinating across the
Department. There is both operational engagement on the NCCIC
floor from our Department colleagues for Secret Service, from
Coast Guard, and others. We have policy conversations across
the Department to ensure that we are sharing. We have a strong
partnership with the CIO so that those FISMA requirements that
we--the operational requirements that we publish in partnership
with OMB are coordinated with and shared with the CIO
organization to understand what that might mean to a large
department that is informing back to us.
Mr. Vela. The Ranking Member mentioned--or referenced a
problem with retention of workforce, and are you seeing that in
each of those five divisions, or--can you explain that?
Ms. Stempfley. Absolutely. It is a competitive landscape
for cybersecurity professionals. We are actively recruiting.
If you look at the growth in terms of civilians that we
have had in the Office of Cybersecurity and Communications in
the 3 years I have been here, we have been actively engaged in
this recruiting process. Mr. Zelvin shared earlier today with
me a fact that, you know, for each announcement that we put out
there we get candidates applying in numbers close to 100.
The issues that we have in this competitive landscape are
that the Department of Homeland Security's authorities for
meeting the hiring needs are not commensurate with the other
Federal departments' authorities, and so both in terms of pay
and retention capabilities, we are competing against our own
colleagues in the Federal Government and continue to compete
against our colleagues in the broad commercial landscape, as
well.
We have a phenomenal mission and we keep people in part
based on the mission responsibilities that we have. We do not
have an exorbitant attrition rate at the operational level,
certainly. People leave; they leave on, you know, based on
their family and life desires. We don't see this, you know,
exceptional attrition rate.
But we do see that strong competition.
Mr. Vela. So are you saying that you can't pay people
enough, essentially?
Ms. Stempfley. That is part of the issues, yes, sir.
Mr. Vela. I noticed that your title is you are an acting
assistant secretary. At the levels of leadership are there many
spots that have not been permanently filled?
Ms. Stempfley. Within the Office of Cybersecurity and
Communication the acting assistant secretary is the only
leadership position that has not been filled--or the assistant
secretary. I have full-time career leadership. I am permanently
the deputy assistant secretary so I am the full-time careerist
in that position. At each of the division director level I have
full-time fill in, you know, all of those as career positions.
Mr. Meehan. I thank the gentleman for yielding back.
We now recognize the gentleman from Nevada, Mr. Horsford,
for his questions.
Mr. Horsford. Thank you, Mr. Chairman.
Appreciate very much this panel. You know, we have been
meeting, as one of the new Members on this committee, a lot of
the people in the private sector, and I want to commend the
Center on its collaboration with a number of key private-sector
entities and sectors.
My question pertains to this collaboration with the private
sector.
You mentioned in your testimony the work with the over
6,400 private-sector firms that work with the Center, and
inevitably some of those have to be competitors, of course. So
can you discuss the protocols and measures that you all have in
place to ensure that one company's sensitive data does not pass
on to another, particularly to a competitor, and what
procedures are in place should such an incident occur?
Mr. Zelvin. Yes. Thank you, Congressman.
Last year alone, as Ms. Stempfley said, we had 190,000
incidents reported and we put out almost 8,000 reports. This
year we are going to exceed that just in--by May about 68
percent.
So when we get information there is a variety of ways a
business can report. They can tell us that it is okay to say it
is their company, and that is not an often occasion; they can
ask us to anonymize, and we have this thing called traffic
light protocol, and it is literally just an agreement between
friends that we will not share. When I first saw it I was
somewhat skeptical but it actually works, and we have a variety
of ways of quantifying using a stop light protocol--red,
yellow, green, so on and so forth, and it is actually an
effective means.
We have statutory capabilities under PII, Protected
Infrastructure Information--I think I have the acronym right.
But there is a statutory basis that we can anonymize
information, and let's say, you know, you work for a financial
sector. I will just refer to you as ``financial sector seven,''
or ``FIN7,'' or ``FIN8.'' What is important is not the identity
of the company but the ability to port across cross-sector what
is happening and, more importantly, what do you do about it.
So we have folks on the floor at the NCCIC, so we have NSA,
we have FBI, we have Secret Service, we have Cybercom. We also
have all the information sharing and analysis centers of the
financial services, communications, information technology, and
also folks from individual companies that have full access to
the floor even when we are at Top Secret or above
classification. They have full access to all our computer
systems, both the highly classified all the way down to below.
So as you have these folks on board we are very cognizant
of the competitor aspect, so we have abilities to put a label
that anonymizes it that is either done through agreement or
through statutory. In the agreement, why do--you know, why
wouldn't we share? Well No. 1, I don't really need the
information; the second thing is I don't want to betray your
trust because if I do you will never talk to me again.
So, you know, we are very cognizant of it and we are very
successful at it, as well.
Mr. Horsford. So my other part of my question is, it seems
like some sectors are better at this than others, so how
concentrated are certain sectors in working with the centers
and do you see gaps? If so, what can we as Congress do to help
facilitate bringing the sectors who aren't doing their part,
you know, into the resources that you all have available?
Mr. Zelvin. Yes, sir. Who has really focused on meeting the
challenges really depends on their experience, as I mentioned,
in cybersecurity and the attacks. There are certain sectors
that have had a large number of attacks; there are others that
haven't yet. It is all of our challenge to go out to them and
say, ``Hey, this is really what others are facing, these are
the things that you could be facing, and these----''
Mr. Horsford. If I could be more specific----
Mr. Zelvin. Sir.
Mr. Horsford. So these people come into my office every day
and my job is to, you know, encourage them to participate. You
all have great capacity among Federal agencies, but as I have
heard it, as the Chairman and the Ranking Member have educated
us, the vulnerability is on the private-sector side and the
private sector isn't always doing its part, and there are key
sectors that seem to be completely kind of disengaged. So what
do you need from us as Congress specifically to get those
sectors to be more involved?
Mr. Zelvin. In my view it is the continued dialogue and the
continued conversation that we are having. I think, as I look--
you know, as I have briefed senior leaders, as I have briefed
staff, you know, people generally understand there is a problem
but they don't understand what to do about it, and when you
talk about the problem they don't really--they know there is
something wrong but they really have trouble quantifying what
is it.
The other thing I will tell you--and I say this often--the
lexicon in cyber is not English, so if I say ``phishing,'' if I
say ``D-DOS,'' if I say ``Trojan''--when I say ``phishing''
most people go to a lake someplace and think about, you know,
maybe catching a fish but that is not when I am speaking of.
I have often said also is that if I told you there was a
Category 4 hurricane that hit the Gulf Coast you would go,
``Oh, that is bad.'' Category 1? It is bad, but 4 is worse.
If I told you there was an 8.0 earthquake on the West Coast
you would automatically go, ``That is incredibly bad.'' 1.0?
Most Californians probably wouldn't do anything.
What is that in cyber? How do we get that imagery? How do
we get the awareness across to the public of, ``Boy, this is
something that is bad but we could probably be okay,'' or,
``This is catastrophic and we need you to do these measures
such as leave, you know, other precautions.''
So we are still working that and I am hopeful, but we are
not there yet.
Mr. Horsford. Thank you, Mr. Chairman.
Mr. Meehan. I thank the gentleman. I certainly, you know,
one of the aspects are the ISACs and other things that can be
present, and I think the gentleman's questioning was right on
target about those that are engaged and those we have to do a
better job of attracting.
It is important to appreciate the vital role that you play
and the interplay among our Governmental agencies at the outset
before we get down to dealing with the various private-sector
industries that are part of it, so I want to ask you to go for
a moment off of this important observations, and it comes from
General Alexander, who is the head of the NSA, and I use it in
his words, and he says, ``I see the Department of Homeland
Security as the entry point for working with industry,'' and
there is great reasons for it: Transparency, having everybody
doing exactly the right thing together to work as a team.
The FBI, NSA, Cyber Command--the FBI would lead law
enforcement and the attributions; NSA will work with foreign
intelligence; Cyber Command are defending the Nation. But they
have a civilian agency, by his own testimony, at the core of
the ability for us to have a communications infrastructure that
works across the Governmental sectors first and then
simultaneously work effectively in real time with our civilian
sectors.
So please give me your observations with regards to
somebody as significant as General Alexander looking at DHS as
the center point for the engagement of our approach to
cybersecurity.
Mr. Zelvin. Thank you, Mr. Chairman.
I agree with the general's assessment so much so I joined
the Department. DHS is purely that civilian entity, and when
folks come to us they know--and there is important other roles
in Government, but within DHS we are really about that
protection, prevention, mitigation, response, and recovery. We
really do want to help understand the problem not only
technically but through the tactics, techniques, and
procedures, and then work through those mitigations, and then
share that information, as I said, with the partners I have
mentioned--State, local, critical infrastructure,
international, other Federal departments and agencies.
So when folks come to us--and it has been interesting. A
number of private-sector partners have come to us because they
see us as that place in Government where they can have a
discussion where it is purely technical, there is not concerns
potentially of being asked a lot more questions that will lead
to other things and it is important for Government to do.
As you look at vulnerabilities in cyberspace, there are
things that have the potential for malicious activity but
haven't quite matured to that point yet, and I look at things
like have happened to a number of companies in that we discover
a vulnerability that if somebody did something it could be
catastrophic, but they haven't done it yet. Those are really
the areas that we want to get ahead of.
We don't always want to be responding. We don't always want
to be catching up to our adversaries. We want to get ahead of
those.
For companies it can be often uncomfortable to say, ``We
discovered a problem,'' and they don't want to be attributed--
they don't want their competitors to say, ``See, look. They are
having yet another problem.'' So they come to us and we have
the ability to provide the anonymity, work through the
technical solutions, and then get it across the Nation and
across the world so people can understand the threat and
mitigate it without the fear of additional questions about who
did it and where did they do it and how.
Mr. Meehan. Effectively, you are a civilian agency so it
removes some of the concern that legitimately people have
outside that we are having private sector share either back and
forth with our more sophisticated Governmental agencies like
the NSA or FBI.
Mr. Zelvin. That is correct, sir. It is absolutely a
civilian organization and I don't have the challenges that some
of my partners do in that I am not being pushed for things like
attribution; I am not being pushed for bringing prosecution.
There are other important entities that do that; that is not my
role. My role is just to understand the problem and come up
with the solutions.
Mr. Meehan. Let me jump into one other piece, because we
have done a good job of identifying the important role we place
vis-a-vis the other Governmental--critical Governmental
agencies, and of course, that extends down through the entire
Governmental structure. But at the same time, we have
relationships with the private sector.
Now, those looking from the outside can get lost in forest,
but there has been a lot of thought into how we are organized
and I am impressed by it. Explain quickly: We have 16 different
sectors--17 different sectors in which industries are
organized, and they have their own sector communication
coordinating councils in which they themselves look at the
unique nature of threats, such as something that may go
uniquely to banks, the denial of services as an example.
Within those coordinating councils some--and this goes to
Mr. Horsford's line of questioning--some have created what we
call the ISAACs, these information sector analysis coordinating
teams--very sophisticated for their--and they are housed with
you. But my recollection is we have only got about four that
are in there. They are some of the best, but we have got a lot
of agencies or private-sector entities that may be lagging.
Can you give me your observations with regard to how it is
that, you know, we are effectively organized in that way but
what we can do to begin to attract the collaboration of all of
the other entities?
Mr. Zelvin. Yes, Mr. Chairman.
We deal with all of the critical infrastructures. We are
working across the board. But I will tell you, as I look across
the financial services sector, and specifically the Financial
Services Information Sharing and Analysis Center, the FS-ISAC,
they have done an absolutely extraordinary job helping us work
through the recent distributed denial of services hacks that
have been going against the financial institutions.
So the Financial Services ISAC has not only been able to
coordinate with Government, but also among itself. They provide
extraordinary information not only with each other but also
with Government. Some of the best information I get from the
distributed denial-of-services comes from the private sector,
and it is not only the sharing with us but also sharing within
each other.
The Communications ISAC, the Information Technology ISAC
have similar experiences. I will also tell you, the Multi-State
ISAC, so the sharing between all the States and the possessions
and the territories--that information mechanism is very
effective.
There are others that we need to build up to that capacity,
but I would tell you, I don't see that as a negative; I see it
as a positive. We have learned a lot since these distributed
denial-of-services attacks, and also the malware attacks that
have affected Saudis and also in Qatar.
This has changed the dynamic in cybersecurity just in the
last few months. So ideas that were really well-thought-out
earlier are really being developed and we need to catch back up
with the others as we stay focused on the financial services
sector, the comms, and----
Mr. Meehan. You mean you are learning things with financial
services that could apply to other sectors.
Mr. Zelvin. That is exactly right, sir. I often tell folks
that we need to share this across because the financial
services sector needs power, they need water, they need
transportation, they need health. They say, ``Why would we
share with you? Why would you tell DHS?'' Well, because we have
the ability that is unique in that we can share with these
other sectors and we can make them aware of the challenges and
we can share the mitigations, so why would you rebuild that
capacity when it already exists?
Mr. Meehan. Well, thank you.
My time is expired and I now recognize the gentlelady from
New York for her follow-up questions.
Ms. Clarke. Let me thank you, Mr. Chairman, and acknowledge
that we have been joined by our colleague on the Homeland
Security Committee, the gentlelady from Texas, Ms. Jackson Lee,
and ask for unanimous consent that she be authorized to sit and
question the witnesses at today's hearing.
Mr. Meehan. Pleased to do so. Unanimous consent, the
gentlelady will be recognized in order, and I thank her for
coming today.
Ms. Clarke. Thank you very much, Mr. Chairman.
I want to question each of you, just get your perspective
on the dichotomy between the Enhanced Cybersecurity Services
and Einstein. I support the expansion of the Enhanced
Cybersecurity Services program to make sure that our critical
infrastructure companies can benefit from U.S. Government
intelligence on cyber threats. However, in the privacy impact
assessment the Department states that Federal agencies as well
as critical infrastructure may use ECS while the Einstein
intrusion prevention capabilities are still being built out.
My question is: Doesn't it seem a bit backwards or
redundant, and how is it that you could build a cutting-edge
cybersecurity program and have it available to the private
sector before the Government itself adopts it? What is it about
ECS that will make it available much more quickly than Einstein
3?
Ms. Stempfley. Thank you, ma'am.
The Enhanced Cybersecurity Services is, as you point out, a
cutting-edge capability in that it is the first time we have
been able to provide effectively classified and sensitive
countermeasures and indicators to commercial entities through a
trusted cybersecurity provider, I think is very important. So
we are very excited about this opportunity and engagement in
both growing the number of service providers and the market
that it generates with critical infrastructure partners.
It provides, as you point out, in the privacy impact
assessment, protection against--with two countermeasures:
Domain name service and e-mail protection. Those are not in the
traffic flow kinds of protection, which is the requirement for
Einstein 3, and so there is a fairly important distinction
there.
While we will work to enhance the Enhanced Cybersecurity
Services, enabling it to keep up with the threat environment
and to provide new countermeasures into that capability, we are
certainly in progress in that environment. We will reach that
in a much more rapid manner in the Einstein 3 capability
because its baseline requirement is to provide that in a real-
time capability inflow.
That is a very technical way of describing--a technical way
of describing it, the difference being inflow means you are
actually affecting through the pipe as it is going on; out of
line effectively means it gets stored, processed, and then
forwarded on.
Mr. Zelvin. Ma'am, I will tell you, there is some--I have a
truly exciting job, and one of the really exciting parts is as
you look at that dot-gov domain and the security awareness that
I have, it is unlike any of others--so you have the dot-com,
the dot-gov, and the dot-mil.
So right now on the dot-gov I have extraordinary awareness
of the traffic that is going on and we are watching that in
almost a real-time basis in my center at the NCCIC. I have met
with the Defense Department and we are building an awareness of
the dot-mil similar to what we have on the dot-gov. So between
the two of us we will have really strong awareness of what is
going on.
The dot-com will remain a challenge, but DHS has that dot-
gov responsibility. We are able to watch it, as I said, on a
near real-time basis, and as we get these new enhancements,
what we are able to do now is just to be able to see there is
malicious activity and warn. What we will able to be doing here
shortly is just not warn but actually mitigate and investigate
and analyze.
Because right now it is sort of like you know there is
something bad in the mail but you let it get to the mailbox.
Well, now we are going to be able to stop that and do
appropriate measures to make sure that that bad delivery isn't
made.
Mr. Edwards. I will just agree with both Larry and Bobbie
on this.
Ms. Clarke. Very well.
So is it anticipated that at some point the ECS will be
phased out or become obsolete, or is there a unique capability
within that instrument that is compatible or can partner with
Einstein 3?
Ms. Stempfley. Certainly. The ECS is intended to be a
program for that information sharing and protection for the
critical infrastructure. It has very, very limited report back
to Government, obviously. Only, ``Did that indicator work? Is
that a valuable piece of information for protection measures?''
We would anticipate that to continue and that we would
employ more countermeasures as we go through the legal,
privacy, and other considerations for employment of those
countermeasures in the unique situation of critical
infrastructure.
E3, and E3 Accelerated in particular, and its wide set of
capabilities for the Federal enterprise we anticipate existing,
as well. The specific countermeasures and which one would come
forward into the Government space or the critical
infrastructure space is really based on the very different
legal models that are appropriate for us in that space.
Mr. Meehan. I thank the Ranking Members.
The Chairman now recognizes the gentlelady, Ms. Jackson
Lee, for any questions she may have.
Ms. Jackson Lee. Let me thank, first of all, the Chairman
and the Ranking Member for holding the hearing and your
courtesies of allowing me to come and to ask questions for
something that I think is crucial for the entire Homeland
Security Committee.
Let me start out--and I am going to just offer for you to
answer the questions who can answer it, and I will then ask the
particular person if no one jumps in. The CERT teams that we
have--this is enormously important, this whole idea of
communication, the whole idea of reacting to the cyber threat--
with respect to the CERT systems, do we have the capacity to
have a particularly defined CERT for each of the industries? I
think of oil and gas; I think of the health-care industry,
which is massive.
That is my first question: Do we--are they defined so
specifically that they focus on the needs of a particular
industry?
Madam Secretary.
Ms. Stempfley. Ma'am, if I may take a----
Ms. Jackson Lee. Yes. Thank you.
Ms. Stempfley [continuing]. A first crack at your question,
the technologies that are in use across these industries are
very similar, and because of that the organization of our cyber
emergency response teams or computer emergency readiness teams
are oriented to be useful to all of the sectors, versus a
particular emergency readiness team focused on any one sector.
So you see the information technology infrastructure largely
covered by the US-CERT, then the operational technology control
systems community operated by the Industrial Control Systems
CERT.
So the infrastructures in the oil and natural gas, or in
transportation, or in those mechanisms are largely produced by
the same companies and in the same environment. This has proven
to be one of the most effective and efficient organization
models.
Ms. Jackson Lee. Let me follow it with two questions, and
maybe I will have time to make a comment. Thank you for that.
We all understand that finding a problem in computer
security or cybersecurity is like finding a needle in a
haystack, and so have we developed the sophistication to be
able to target where the problem is, to target where there is
activity?
My other question is on the Einstein 3 I notice that there
is certainly a need for skilled individuals, and my question
is: Do we as the Government have the capacity to bring people
in laterally? It speaks to my issue of the STEM and
diversifying. STEM education is great but it starts at
kindergarten. If we need people right now, do we have the
ability to cross-train them in the Government, which adds to
the diversity and the skills that we need?
I will--those are the two questions I will pose.
Mr. Zelvin. Congresswoman, if I can maybe finish your first
question and get to the second and----
Ms. Jackson Lee. Yes.
Mr. Zelvin [continuing]. Ask Ms. Stempfley to do the third.
So on the first question on the specific CERTs for each of the
sectors, I will tell you that when we operate in a sector we do
it in intimate partnership with the sector-specific agency and
the sector-specific coordination councils. So if there is an
energy problem we are with the Department of Energy; if it is
oil and natural gas, Department of TSA; Finance; Treasury; so
on and so forth. We are fully partnered.
So we bring the technical skills, the ability to understand
the virtual and I.T. environment. They bring the experience and
wealth of knowledge within----
Ms. Jackson Lee. Do we have the capacity to target if there
is activity that is in essence piercing our cyber framework
involving our proprietary information? If somebody is attacking
our system, you have that capacity?
Mr. Zelvin. We have the--some capacity. We do not have
absolute capacity.
Ms. Jackson Lee. What would you need to get absolute
capacity?
Mr. Zelvin. Extraordinary intelligence and information. So,
you know, in many cases there is vulnerability. So there was a
mistake made and then found, and so there are things you do to
correct that mistake.
There are attacks. There are people who are purposely
trying to do something you do not wish them to do. In many
cases and not all--in many cases you are there reacting to the
challenge and then building that technical mitigation to
prevent.
However, there are times they are are going to be--you
know, we have to be good every time; they have to be good just
some of the time. So I would never say that we are ever going
to get to that place where we will be able to protect
everything, but we have a great deal of information but it
doesn't mean that we don't have vulnerabilities.
I would ask Ms. Stempfley to follow up.
Ms. Stempfley. We want to certainly thank Members of this
committee and others for supporting the resource request that
the Department has had over a number of years. You have seen
the build-out of the capabilities in the National Cybersecurity
and Communications Integration Center, which has been directly
to your capacity question. We operate every day in that center,
sharing information as a part of it.
There is a responsibility the private sector has for
adoption of best practices and adoption of cybersecurity
principles, and we continue to work with them for further
movement in that area.
Your final question was on hiring and, in particular, is
there--if I understood your question correctly----
Ms. Jackson Lee. Cross-training.
Ms. Stempfley. Right. So is there an ability for lateral
hiring, I believe is what you said. One of the things that I
think is universally recognized is that, given the importance
of cybersecurity and the need for cybersecurity professionals
in this area, we--all of the Federal enterprise and our
commercial partners are engaged in trying to build the
capabilities to ensure we have that.
The Secretary chartered, through the Homeland Security
Advisory Council, a cyber skills study that looked at the
Department itself. The Department also has important
responsibilities under the National Initiative for
Cybersecurity Education, which continue to engage raising that
lateral mechanism, that cross-skills.
We certainly have to focus not only on, as you point out,
STEM starting young--I am raising several kids who I am trying
to direct into the technical workforce, as well--but to ensure
that we have the capacity at a lateral level.
We do this cross-training support in the Office of
Cybersecurity and Communications. When we have an incident the
NCCIC can call on individuals from across the SNC, can call on
individuals from across the Department. One of the findings out
of the Cyber Skills Task Force was the creation of a cyber
surge capacity within the Federal Government and the Department
specifically, to address your question.
Ms. Jackson Lee. I would like to follow up with you.
I thank the Chairman and Ranking Member for their
courtesies. Thank you very much.
Mr. Meehan. I thank the gentlelady for her attendance here
and for her questions.
I just have one--a couple of closing questions based on
your testimony here today.
Mr. Edwards, you identified something which goes to the
reality that while we are dealing with a lot of these issues
and the need for collaboration across sectors in the Government
and, simultaneously, with the private sector, one thing you
focused on that is the reality of this threat is speed. It is
happening in real time and there is a need for us to be
responsive in real time.
Now, you have looked critically at the challenges that we
face, so the first issue is, as you stated, sometimes
information has gotten to our partners in the private sector
but we have got to do a better job of organizing it so it
allows them to get to the heart of what they need to know. The
second thing is that we have got to try to find ways to be able
to coordinate with our partners more in the sense of: ``Hey, we
are seeing something in your systems and we are going onto
it.''
So how do we both maximize our ability to get the
information that people need to know across sectors, not just
in sectors? Then how do you tell people--when you are not even
sure what you are looking yourself, where do you find the right
balance of telling somebody you might be looking at something
in their systems versus creating an alarm that may not be
realized because you don't know what you have yet?
Mr. Edwards. Thank you, sir.
The Department has done a good job in advancing
cybersecurity. One of the recommendations that we made was when
you are passing out this information through--whether it is
HISN, and now they are going to move to HISN-3--is to--for the
entities to be able to share that information, you know, and
also not to drill down to get to a particular question they are
trying to answer. So I think HISN-3 is going to help towards
that.
But also the communication part of it. You know, there is
excellent collaboration between the private sectors and the
public sectors.
But among the folks that we interviewed, quite often we
found is a lot of this is also based on relationships, and the
Department has senior leadership positions where people from
the private sector pick up the phone and establish a
relationship to somebody by name and now that person has moved
on, they don't know who to contact. So rather than establishing
relationship based on individuals, it needs to be based on
processes and procedures, and I think the Department is moving
towards that.
But also, there is--private sector does a really good job
in handling best practices. Larry's team, you know, by the
reorganization and putting ICS and US-CERT and ISAC and C3O-I,
all of them at one level is moving toward that. But you also
find information and trend analysis that the CERT team is going
to help towards that.
Mr. Meehan. Well, I thank you.
Let me just ask Mr. Zelvin and Ms. Stempfley, how about the
private-sector companies themselves sharing information with
the Government? What kinds of challenges do we have in that
area?
Mr. Zelvin. Thank you, Mr. Chairman.
The biggest challenge, I will tell you, is a lack of
clarity, of understanding what information can be shared. So it
is quite often that we will meet with private sector entities
and we are--we believe we have the ability to share information
but there is anxiety. There is absolute determination not to
violate law, regulatory guidance.
Mr. Meehan. Is this information coming from you to them or
from them to you?
Mr. Zelvin. From them to me, sir. There is also, you know,
lack of clarity as to what I can share with them but, you know,
as we have looked across Government I have been given the
thumbs-up from leadership and also those who look at what we
are sharing in--across Government and says, ``No, this is
appropriate and this is okay.''
But that lack of clarity of what information can be shared
is--still exists and there is anxiety, so----
Mr. Meehan. What is the anxiety related to? Things like
liability protection or otherwise?
Mr. Zelvin. It is, sir. The ability to, as I said, that
they are not breaking law, that they are not breaking
regulatory compliance. They are just not sure so they err on
the side of caution.
As you mentioned, Mr. Chairman, speed is of the essence, so
as the folks review all this data it is taking up precious
time. We have, in our--many of our products and what we are
starting to receive from the private sector and just recently
this week an international partner is machine-readable
information. That is wonderful because it is starting to take
the humans out of the information exchange between us. What
would be even better someday would be that machine-to-machine
real-time information sharing.
But I will tell you, the technical challenge is not, in my
opinion, as great as the policy challenge. We first have to
define what is it that we are sharing, and then we can design
the machines to share it.
Mr. Meehan. Well, with the tremendous scope of information,
ultimately it is going to have to get to machine-to-machine
because of the computing capacity that could go through
something in hundredths of a second that would take days for
humans to be able to analyze.
Mr. Zelvin. Mr. Chairman, I agree. Right now there is a
great deal of time spent preparing the information, sending the
information, understanding the information, and then making the
information actionable. We need to compress that loop of
decision-making as small as we can get. I don't know if we will
ever get to zero but we sure as heck can do a lot better than
we are now.
Mr. Meehan. Okay.
Ms. Stempfley.
Ms. Stempfley. Sir, one of the important things that the
I.G. recognized and Mr. Zelvin spoke to is that this
information sharing is in part based on trust, and you have to
have a sense that the information will be used in the best
interest of all parties as we go forward. That trust used to be
person-to-person. We have moved it from person-to-person to
organization-to-organization and we will continue to do so.
One of the important ways that we are moving forward in
this model is to communicate with our private-sector partners
in ways that are most beneficial to them, which means that we
have to be able and willing to ingest that information in the
method that is most appropriate from our private-sector
partner, and we must be able to produce our indicators, our
alerts in methods that are appropriate without a--with a
recognition that it may not be identical. We talk about the
financial sector and the financial sector ISAC being one of our
mature ISACs, and there being other sectors who are not at that
level yet.
So providing a piece of information to a high, capable
organization may prove for it to be not as useful to an
organization that isn't ready to ingest that. So we have had a
real focus, not only in the NCCIC but across the entire Office
of Cybersecurity and Communications, to release this
information in a multitude of platforms and in a multitude of
formats. So this machine-consumable output is formatted in a
way that can be consumed by these different entities.
This two-way dialogue helps to build that trust, which is a
part of what we have to overcome is that sort of initial
distrust that comes in any relationship.
Mr. Meehan. Well, I thank you for the good work that each
of you is doing, and on behalf of all of your entities, for not
only creating the framework for this sharing of communication
but by virtue of the collaboration that you are doing,
enhancing that trust and enhancing our ability to protect our
home front from the serious threat. We opened this hearing with
discussing the very real concern about cybersecurity here in
the Nation.
Is there any closing thought that you--any of you have
before we close the record this morning?
Ms. Stempfley. If I may, I want to thank you again for this
hearing. I think it is--the topic is one of absolute import for
us as a Nation and we are grateful for your attention and your
time here.
I hope that you heard the commitment the Department has to
this important mission and to ensure that we account for those
mechanisms that are so vital: That inextricable tie between
privacy, civil rights and civil liberties, and cybersecurity;
the need for adoption of security principles across our
critical infrastructure partners for information sharing.
We talked about some of the important needs for hiring
authorities for some of the programs that I know you are
supportive of in Einstein. Our law enforcement colleagues in
the Department continue to seek tools they need to fight crimes
in the digital age, and that National breach reporting
requirements that I know you are discussing.
So thank you so much for your time and attention on this
matter, as well.
Mr. Meehan. Thank you.
Mr. Zelvin. Mr. Chairman and Ranking Member, I would just
also like to thank you for having us today. Really appreciate
the opportunity to talk to you.
You, your colleagues, your staff, and their colleagues are
welcome at the NCCIC any time. We would welcome the opportunity
to show you what the great men and women within the NCCIC,
within CC&C and DHS are doing.
I served 26 years in uniform in the Defense Department and
I will tell you, the people that I work with at DHS every day
are as good as fine as anyone I served with in uniform. Their
passion and their patriotism are just as high as those I served
with in uniform.
I would also like to say that our partnership with our
closest colleagues, both in the FBI and NSA, is critical. So it
is truly a unity-of-effort approach, and that integration
continues to grow and we look forward to the opportunity of
having it grow not only within Government but also private
sector and international.
So thank you.
Mr. Meehan. Thank you.
Mr. Edwards.
Mr. Edwards. Well, we live in a virtual world so, you know,
DHS has matured and it is improving and it is moving in the
right direction, but much work still needs to be done. The
threat is not only going to be coming from nation states, but
from hackers, but also the threat within. We have to be mindful
of that.
I hope I can come back and issue a report and say the
Department has done perfectly everything right and there are no
findings and no recommendations. That is what I hope I can do,
but still there is much work to be done.
Thank you.
Mr. Meehan. Well, we would all love to be able to do that,
but that is the important responsibility we have on oversight
and we thank you for the good work that you are all doing to
try to aspire to that standard.
So I thank all of you for your testimony. The Members of
the committee may have additional questions, and if they do we
will ask you to respond in writing in the appropriate time.
So without objection, the subcommittee stands adjourned.
Thank you.
[Whereupon, at 10:32 a.m., the subcommittee was adjourned.]
�