[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
CYBERSECURITY:
WHAT THE FEDERAL GOVERNMENT
CAN LEARN FROM THE PRIVATE SECTOR
=======================================================================
JOINT HEARING
BEFORE THE
SUBCOMMITTEE ON RESEARCH AND TECHNOLOGY &
SUBCOMMITTEE ON OVERSIGHT
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
FIRST SESSION
__________
January 8, 2016
__________
Serial No. 114-56
__________
Printed for the use of the Committee on Science, Space, and Technology
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://science.house.gov
________
U.S. GOVERNMENT PUBLISHING OFFICE
20-826PDF WASHINGTON : 2017
____________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
Internet: bookstore.gpo.gov. Phone: toll free (866) 512-1800; DC area (202) 512-1800
Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HON. LAMAR S. SMITH, Texas, Chair
Majority:
FRANK D. LUCAS, Oklahoma
F. JAMES SENSENBRENNER, JR., Wisconsin
DANA ROHRABACHER, California
RANDY NEUGEBAUER, Texas
MICHAEL T. McCAUL, Texas
MO BROOKS, Alabama
RANDY HULTGREN, Illinois
BILL POSEY, Florida
THOMAS MASSIE, Kentucky
JIM BRIDENSTINE, Oklahoma
RANDY K. WEBER, Texas
BILL JOHNSON, Ohio
JOHN R. MOOLENAAR, Michigan
STEPHEN KNIGHT, California
BRIAN BABIN, Texas
BRUCE WESTERMAN, Arkansas
BARBARA COMSTOCK, Virginia
GARY PALMER, Alabama
BARRY LOUDERMILK, Georgia
RALPH LEE ABRAHAM, Louisiana
DARIN LAHOOD, Illinois

Minority:
EDDIE BERNICE JOHNSON, Texas
ZOE LOFGREN, California
DANIEL LIPINSKI, Illinois
DONNA F. EDWARDS, Maryland
SUZANNE BONAMICI, Oregon
ERIC SWALWELL, California
ALAN GRAYSON, Florida
AMI BERA, California
ELIZABETH H. ESTY, Connecticut
MARC A. VEASEY, Texas
KATHERINE M. CLARK, Massachusetts
DONALD S. BEYER, JR., Virginia
ED PERLMUTTER, Colorado
PAUL TONKO, New York
MARK TAKANO, California
BILL FOSTER, Illinois
------
Subcommittee on Research and Technology
HON. BARBARA COMSTOCK, Virginia, Chair
Majority:
FRANK D. LUCAS, Oklahoma
MICHAEL T. McCAUL, Texas
RANDY HULTGREN, Illinois
JOHN R. MOOLENAAR, Michigan
BRUCE WESTERMAN, Arkansas
GARY PALMER, Alabama
RALPH LEE ABRAHAM, Louisiana
DARIN LAHOOD, Illinois
LAMAR S. SMITH, Texas

Minority:
DANIEL LIPINSKI, Illinois
ELIZABETH H. ESTY, Connecticut
KATHERINE M. CLARK, Massachusetts
PAUL TONKO, New York
SUZANNE BONAMICI, Oregon
ERIC SWALWELL, California
EDDIE BERNICE JOHNSON, Texas
------
Subcommittee on Oversight
HON. BARRY LOUDERMILK, Georgia, Chair
Majority:
F. JAMES SENSENBRENNER, JR., Wisconsin
BILL POSEY, Florida
THOMAS MASSIE, Kentucky
BILL JOHNSON, Ohio
DARIN LAHOOD, Illinois
LAMAR S. SMITH, Texas

Minority:
DON BEYER, Virginia
ALAN GRAYSON, Florida
ZOE LOFGREN, California
EDDIE BERNICE JOHNSON, Texas
C O N T E N T S
January 8, 2016
Page
Witness List..................................................... 2
Hearing Charter.................................................. 3
Opening Statements
Statement by Representative Barbara Comstock, Chairwoman,
Subcommittee on Research and Technology, Committee on Science,
Space, and Technology, U.S. House of Representatives........... 7
Written Statement............................................ 9
Statement by Representative Daniel Lipinski, Ranking Minority
Member, Subcommittee on Research and Technology, Committee on
Science, Space, and Technology, U.S. House of Representatives.. 11
Written Statement............................................ 13
Statement by Representative Barry Loudermilk, Chairman,
Subcommittee on Oversight, Committee on Science, Space, and
Technology, U.S. House of Representatives...................... 15
Written Statement............................................ 17
Statement by Representative Donald S. Beyer, Jr., Ranking
Minority Member, Subcommittee on Oversight, Committee on
Science, Space, and Technology, U.S. House of Representatives.. 19
Written Statement............................................ 20
Statement by Representative Lamar S. Smith, Chairman, Committee
on Science, Space, and Technology, U.S. House of
Representatives................................................ 22
Written Statement............................................ 24
Witnesses:
Mr. John B. Wood, Chief Executive Officer and Chairman, Telos
Corporation
Oral Statement............................................... 27
Written Statement............................................ 30
Dr. Martin Casado, Senior Vice President and General Manager,
Networking and Security Business Unit, VMware
Oral Statement............................................... 39
Written Statement............................................ 41
Mr. Ken Schneider, Vice President of Technology Strategy,
Symantec Corporation
Oral Statement............................................... 49
Written Statement............................................ 51
Mr. Larry Clinton, President and Chief Executive Officer,
Internet Security Alliance
Oral Statement............................................... 61
Written Statement............................................ 63
Discussion....................................................... 80
Appendix I: Answers to Post-Hearing Questions
Mr. John B. Wood, Chief Executive Officer and Chairman, Telos
Corporation.................................................... 106
Dr. Martin Casado, Senior Vice President and General Manager,
Networking and Security Business Unit, VMware.................. 108
Mr. Ken Schneider, Vice President of Technology Strategy,
Symantec Corporation........................................... 109
Mr. Larry Clinton, President and Chief Executive Officer,
Internet Security Alliance..................................... 110
Appendix II: Additional Material for the Record
Statement by Representative Eddie Bernice Johnson, Ranking
Member, Committee on Science, Space, and Technology, U.S. House
of Representatives............................................. 114
CYBERSECURITY:
WHAT THE FEDERAL GOVERNMENT
CAN LEARN FROM THE PRIVATE SECTOR
----------
FRIDAY, JANUARY 8, 2016
House of Representatives,
Subcommittee on Research and Technology &
Subcommittee on Oversight,
Committee on Science, Space, and Technology,
Washington, D.C.
The Subcommittees met, pursuant to call, at 9:04 a.m., in
Room 2318 of the Rayburn House Office Building, Hon. Barbara
Comstock [Chairwoman of the Subcommittee on Research and
Technology] presiding.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairwoman Comstock. The Subcommittees on Research and
Technology and Oversight will come to order.
Without objection, the Chair is authorized to declare
recesses of the Subcommittee at any time.
Good morning. Welcome to today's hearing titled
``Cybersecurity: What the Federal Government Can Learn from the
Private Sector.''
In front of you are packets containing the written
testimony, biographies, and Truth in Testimony disclosures for
today's witnesses.
I now recognize myself for five minutes for an opening
statement.
Today's hearing continues this Committee's commitment to
find solutions for one of the great challenges of the 21st
Century: cybersecurity. This is the second hearing we have held
on cybersecurity since the news over the summer that the Office
of Personnel Management was the target of two massive data
breaches, exposing the sensitive information of over 21.5
million Americans, including many of my constituents. The OPM
breach highlighted the growing challenge of preventing and
responding to cyber threats for both the public and private
sectors.
In 2014 and 2015, cyber-attacks on Target, eBay, Home
Depot, and Anthem Health Insurance were only a few of the many
publicly disclosed breaches. The data breach of Anthem alone
exposed the Social Security numbers of 80 million Americans.
The time has come for every manager and every employee in
both government and private organizations to make cybersecurity
a top priority in their daily work, and for leaders to be held
accountable for negligent failures to protect information. The
American public and shareholders are demanding it.
When criminal hackers gained access to some 40 million
Target customer credit cards, the CEO and the CIO were fired,
in the private sector. Although the OPM Director resigned in
the wake of the OPM breaches, I am still not satisfied that the
responsible parties have been held accountable for the failure
of the agency to address known security vulnerabilities.
The most recent IG audit found that OPM still has 23
systems that have not been subject to a thorough security
controls assessment. OPM does not even have a complete
inventory of servers, databases and network devices in their
system.
Just this week I met with newly appointed Senior Cyber and
Information Technology Advisor Clifton Triplett and the OMB
Senior Advisor on Cyber and National Security.
I look forward to working with my colleagues and all
federal agencies to ensure we are protecting the identities of
our employees, applicants, and their families.
The cyber criminals, hacktivists, and state-sponsored cyber
terrorists are getting more creative and bolder in their
attacks. The private sector has been at the forefront of
dealing with these threats for some time, as both the target of
many of these attacks and as the leaders in developing the
technology and workforce necessary to counter cyber threats.
Visa, which is in my district, is preparing to open a new
Cyber Fusion Center in my district just this week. This state-
of-the-art cyber facility brings together nearly 100 highly
trained security professionals into one high-tech campus, and
provides for collaboration both internally and with payments
and with partners enabling information sharing, rapid response,
et cetera. I am privileged to have a number of companies who
are very much on the forefront in this area in my district, and
we have a number of those witnesses here today, and I look
forward to hearing from our witnesses, who are all innovative
thinkers from the private sector.
I hope we can take the lessons we learn from you today, and
help apply them towards protecting our federal information
systems and the sensitive and valuable information they
contain. We clearly must work together and be able to be more
agile and adaptive to the ongoing threats that we know with the
multiplication of information in all of our systems which
is just going to exponentially increase over the coming years.
This will be a permanent employment area for all of you, I'm
sure.
[The prepared statement of Chairwoman Comstock follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairwoman Comstock. I now recognize the Ranking Member of
the Research and Technology Subcommittee, the gentleman from
Illinois, Mr. Lipinski, for his opening statement.
Mr. Lipinski. Thank you, Chairwoman Comstock and Chairman
Loudermilk, for holding this hearing. I want to thank all the
witnesses for being here today, and I look forward to hearing
your testimony.
Chairwoman Comstock had mentioned in her opening statement
the real need to make sure we do more in this area. We need to
make sure that both in the public and private sector that
people are held responsible for the hacks that do occur. We
need to make sure that we have in place what we can do here,
that Congress does what it can do to make sure that there is an
incentive both in the public and private sector to try to avoid
these hacks, this loss of information, so I'm very interested
to hear more from our witnesses on this.
I am certainly pleased that we're holding our first hearing
on cybersecurity, which is certainly an increasingly urgent
challenge for our national security and the personal security
of every American. It's important that we continue to hear from
experts in government and the private sector about the latest
developments with respect to both the risks that confront
security in cyberspace, and the technologies and policies to
combat those threats.
Our Committee plays an important role in both the
technology side and the policy side, and this is an area in
which Members have successfully collaborated across the aisle.
In December 2014, Congress enacted the Cybersecurity
Enhancement Act, a bipartisan research, education, and
standards bill that I worked on with Mr. McCaul over several
years. Over the last month, Congress enacted a cybersecurity
law to promote information sharing and strengthen coordination
between the private and public sectors. As a Committee and as
Congress, we need to continue to confront these serious cyber
threats.
Unfortunately, we continue to see an increase in major
cyber-attacks in both the public and private sectors. In a
hearing we held here in July, we heard about the significant
breach at the Office of Personnel Management, in which the
personal information of millions of current and former federal
employees and job applicants was compromised, including some of
us here. Highly sensitive security-clearance files were also
compromised, making it not just a problem for all those
individuals but a national security issue as well.
We have laws in place to address the security of federal
information systems. The Federal Information Security
Management Act, or FISMA, and subsequent amendments establish
the necessary policies and procedures for the development of
standards and protocols. NIST has an important role in this.
But it is clear that federal agencies need to do a better job
implementing NIST's standards and protocols, and that Congress
needs to give them adequate resources to do so.
The private sector is also under constant threat from
cyberattacks. In the case of large-size companies, a recent
study conducted by the Ponemon Institute found that there was a
19 percent increase in cybercrimes between 2014 and 2015. The
study also found that cybercrimes cause significant economic
damage. For 2015, cyber attacks resulted in a total average
cost of $15 million. While the threats continue to grow, many
in the private sector are increasingly taking steps to protect
their information systems and the personal information of
Americans that they gather in their routine business.
To reduce our risk and improve the security of cyberspace,
it will take the combined effort of the Federal government, the
private sector, our researchers and engineers, and the general
public. Although cyber attacks are becoming more sophisticated,
often cyber attacks are successful because of human error, such
as unknowingly opening a malicious email or allowing one's
credentials to be compromised. Part of our effort must be to
educate the public. Another part must be to better understand
human behavior in order to make new tools and technologies more
effective, such as the work being done at NIST and elsewhere to
move beyond passwords.
I look forward to hearing from our witnesses today about
industry cybersecurity best practices as well as opportunities
for public-private partnerships that could help address our
shared cybersecurity challenges. I'm also interested in hearing
to what extent private businesses and organizations voluntarily
implement FISMA standards developed by NIST, and how you may be
participating in or benefiting from other efforts at NIST,
including the National Cybersecurity Center of Excellence and the
Framework for Critical Infrastructure.
Thank you, and I yield back the balance of my time.
[The prepared statement of Mr. Lipinski follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairwoman Comstock. Thank you, Mr. Lipinski.
I now recognize the Chair of the Oversight Subcommittee,
the gentleman from Georgia, Mr. Loudermilk, for his opening
statement.
Mr. Loudermilk. Well, thank you, Chairwoman Comstock,
especially for continuing this important discussion on the
security of our federal information systems.
I would also like to thank our witnesses for being here
today to help us understand industry's best practices when it
comes to cybersecurity. I look forward to hearing about lessons
learned and how to apply those lessons to our federal systems
to help prevent future cyber-attacks.
It is clear that our federal systems are not adequately
protected. In fact, just this past summer, a witness from the
Government Accountability Office before this Committee stated,
``It is incumbent upon federal agencies to implement the
appropriate security controls to mitigate those risks at a
cost-effective and acceptable level, and we found out that
agencies have not consistently implemented agency-wide
information security programs to mitigate that risk
effectively.'' When I asked that same witness to grade our
federal cybersecurity, he gave it a D. A rating of D is not an
acceptable grade.
This Administration owes it to the American people to
significantly improve this deplorable standing in order to
sufficiently protect government information and thereby our
national security. This Administration also needs to explain
how it is protecting the American people's personal
information. As I stated at the hearing this summer, the breach
of data from the Office of Personnel Management is exactly why
the Oversight Subcommittee that I chair continues to look into
the collection of Americans' personal data through the website
HealthCare.gov. In fact, I am still waiting for complete
answers from the Administration to questions I posed in letters
to the Office of Science and Technology Policy and the Centers
for Medicare and Medicaid Services back in June. This
Administration has not sufficiently explained why it was ever
necessary to indefinitely store Americans' personnel--personal
data they submitted when logging into the HealthCare.gov
website, particularly those who did not end up enrolling. One
would think that President Obama would agree that such a
practice is unnecessary as he identified cybersecurity as one
of the most serious economic and national security challenges
we face as a nation, but one that we as a government or as a
country are not adequately prepared to counter. If
cybersecurity is one of the most serious challenges that this
government faces, why on earth would the government ever
consider storing all of this personal information indefinitely
in data warehouses? As the Chairman of the Oversight
Subcommittee, I will continue to ask questions and demand
answers until we are satisfied that federal departments and
agencies are making decisions in the best interest of
protecting the personal information of all Americans. The
safety and security of Americans and this Nation must be our
number one priority.
Having continuously subpar security of our federal systems
is embarrassing and must be rectified immediately. The delays
must stop. It's time to finally do something about federal
cybersecurity.
I look forward to the witnesses' testimony at today's
hearing. I hope to learn more about the various industry best
practices and lessons learned in hopes that it will shed light
on what the government could and should be doing to protect our
citizens from constantly evolving cyber threats.
Madam Chairwoman, I yield back the balance of my time.
[The prepared statement of Mr. Loudermilk follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairwoman Comstock. Thank you, Chairman Loudermilk.
And I now recognize the Ranking Member of the Subcommittee
on Oversight for his opening statement.
Mr. Beyer. Thank you, Chairwoman Comstock and Chairman
Loudermilk, for holding today's hearing. Thank you, witnesses,
for spending Friday morning with us.
As we keep relearning after each new attack, cybersecurity
is obviously a critical and daunting challenge. Today the data
we create, store, access, and often share online contains
information about almost every aspect of our lives. Our
collective digital universe is composed of banking records,
birth records, personal health files, government records, tax
filings, on and on.
Last week, I was going on realage.com to see how long I was
going to live, and now the cybersecurity attackers are going to
know my cholesterol, my weight, the name of my dog, and the
last year I had a cigarette. I took an Alzheimer's test last
night online, which results I hope don't show up in my next
campaign.
We electronically communicate with our kids' teachers about
their academic achievements. I find that none of my kids will
return my phone calls but they will text me right back. News
flash: None of this information is secure, and immediate access
to these digital connections provides tremendous advantages for
businesses and consumers. In our family business, we're highly
dependent on all the information we've gathered on our
customers, the next time Congresswoman Bonamici needs an oil
change on her Subaru, for example. It also offers abundant
nefarious opportunities for cyber criminals, foreign
governments intent on cyber espionage, and perhaps even more
dangerous actors.
Protecting against known and emerging cyber threats is an
ongoing enterprise that requires consistent vigilance and
continuing adoption. Last year's OPM attack was a huge concern
for all the federal workers that live in our districts across
the country, and there were management and procedural failures
at OPM that are now being addressed.
But nobody is immune to cyber attacks, not in the
government and not in the private sector. According to Privacy
Rights Clearinghouse, a nonprofit, nonpartisan, organization
that tracks cyberattacks, in 2015 there were 17 reported
breaches against .gov or .mil addresses that resulted in access
to 27.8 million records. The big one there obviously was OPM.
During the same time period, the private sector experienced 184
confirmed breaches that resulted in exposure of 131.5 million
records. It's a huge problem for both sides.
I believe that sharing best practices to reduce IT
vulnerabilities, educate federal workers is very important. I
really look forward to today's hearing. I'm sure there are many
lessons that we will learn from you today. I also look forward
to the equal certainty that there is much that the private
sector can learn from the government, especially the Department
of Defense and our intelligence community.
So I look forward to today's discussion, and thank you so
much for being with us.
Mr. Chair--Madam Chair, I yield back.
[The prepared statement of Mr. Beyer follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairwoman Comstock. Thank you, and I now recognize the
distinguished Chairman of the full Committee, Mr. Smith.
Chairman Smith. Thank you, Madam Chair.
Last year, more than 178 million records of Americans were
exposed in cyber-attacks. The breach of the Office of Personnel
Management alone compromised the personal information of more
than 20 million people, which included Members and staff of
this Committee.
The United States is a top target for foreign countries.
Cyber criminals and hacktivists exploit vulnerabilities in our
networks and cyber systems to obtain valuable information. The
number of cybersecurity incidents reported by federal agencies
has increased over 1,000 percent in the last eight years. In
2014, more than 67,000 cyber-attacks were reported, and many
others, of course, were not.
A number of federal agencies guard America's cybersecurity
interests. Several are under the jurisdiction of the Science
Committee. These include the National Science Foundation, the
National Institute of Standards and Technology, the Department
of Homeland Security's Science and Technology Directorate, and
the Department of Energy. All of these agencies support
critical research and development to promote cybersecurity and
set federal standards.
However, it is clear that too many federal agencies, like
OPM, fail to meet the basic standards of information security.
More must be done to ensure agencies make cybersecurity a top
priority.
Last year, audits revealed that 19 of 24 major federal
agencies failed to meet the basic cybersecurity standards
mandated by law yet the Administration has allowed deficient
systems to stay online.
What are the consequences when a federal agency fails to
meet its basic duties to protect sensitive information? What
does it say to federal employees, not to mention our
adversaries, when cabinet secretaries don't take cybersecurity
seriously and fail to follow the most basic email security
practices involving our country's classified information?
In the private sector, those who neglect their duty to keep
the information of their customers secure are usually fired. In
the federal government, it seems the only people penalized are
the millions of innocent Americans who have their personal
information exposed.
During the last Congress, the Science Committee approved
the Cybersecurity Enhancement Act, which was signed into law.
This law improves America's cybersecurity abilities and
strengthens strategic planning for federal cybersecurity
research and development. It supports NSF scholarships to
improve the quality of our cybersecurity workforce. It also
improves cybersecurity research, development, and public
outreach organized by NIST.
Last month, a similar bill, the Cybersecurity Act of 2015,
was signed into law. Very importantly, this bill encourages
private companies to voluntarily share information about
imminent cyber threats with each other as well as with the
federal government.
The Science Committee will continue its efforts to support
research and development to strengthen America's cyber
defenses. I look forward to hearing from our witnesses today
about what more we can do to support innovation and help set
national standards and guidelines that will enhance our
country's cybersecurity.
Thank you again, Madam Chair, and I yield back.
[The prepared statement of Chairman Smith follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairwoman Comstock. Thank you, Mr. Chairman.
At this time I would now like to introduce our witnesses.
John Wood is Chief Executive Officer and Chairman of the
Board for Telos Corporation, a leading technology company that
addresses cybersecurity, secure mobility, and identity
management for corporations and governments worldwide. Mr. Wood
serves on the Boards of the Northern Virginia Technology
Council, the Wolf Trap Foundation for the Performing Arts, home
of the nationally acclaimed Wolf Trap Institute for Early
Learning through the Arts and its Early STEM Arts Program. He
is also the founding chairman of the Loudoun County CEO Cabinet
and served for five years as Chairman of Loudoun County's
Economic Development Commission. Prior to joining Telos in
1992, Mr. Wood worked on Wall Street after earning his degree
in finance and computer science at Georgetown University. I
know he also is very active in STEM education throughout
Loudoun County in our district in getting young people engaged
and involving them personally, I know both with your company
and with our school system. We appreciate all you do in that
area.
Dr. Martin Casado is a VMware Fellow and Senior Vice
President and General Manager for the Networking and Security
Business Unit. Dr. Casado joined VMware in 2012 when the
company acquired Nicira, of which he was Co-Founder and Chief
Technology Officer. Dr. Casado has previously held a research
position at Lawrence Livermore National Laboratory, where he
worked on network security in the information operations
assurance center. Dr. Casado has been recognized as one of the
industry's leading innovators and has been featured as one of
Business Insider's 50 Most Powerful People in Enterprise Tech,
Forbes Next Generation Innovators, and Dr. Casado received his
master's and Ph.D. from Stanford.
Mr. Ken Schneider serves as Vice President of Technology
Strategy at Symantec, where his focus is on driving an overall
technology strategy across the company. He was previously Chief
Technology Officer of the Enterprise Security and Security and
Data Management Groups. Prior to joining Symantec, Mr.
Schneider served as CTO and VP of operations for Brightmail,
the leading anti-spam software company that was acquired by
Symantec. Before Brightmail, Mr. Schneider founded South Beach
Software, a software consulting company that developed products
for the professional video market. He also received a master of
science in mechanical engineering from University of California
Berkeley and a bachelor of science in engineering from
Swarthmore.
Mr. Clinton is the President and Chief Executive Officer of
the Internet Security Alliance, a multisector trade association
focused on cyber thought leadership, policy advocacy, and
promoting sound security practices for corporations. Mr.
Clinton has widely published on cybersecurity and is the
principal author of the Cyber Risk Handbook for corporate
boards published by the National Association of Corporate
Directors in 2014 and endorsed by the Department of Homeland
Security in 2015. The NACD also named Mr. Clinton as one of the
100 most influential individuals in the field of corporate
governance last year. Mr. Clinton is in demand internationally,
having spoken in Europe, Asia, and Latin America, and we are
glad to have him here today.
In order to allow time for your discussion, please limit
your testimony to five minutes, and then your entire written
statements, which I know are more extensive and have lots of
good information that we'll have in our public record, and
since we're on C-SPAN today, I would encourage the public to
also look at those full statements to get more information
there, and with that, I will recognize Mr. Wood for five
minutes to present his testimony.
TESTIMONY OF MR. JOHN B. WOOD,
CHIEF EXECUTIVE OFFICER AND CHAIRMAN,
TELOS CORPORATION
Mr. Wood. Thank you. I'd like to thank Chairwoman Comstock
and the other Chairs and Ranking Members for the invitation to
share some thoughts on behalf of Telos Corporation on industry
best practices for cybersecurity and risk management.
As I noted in my written testimony, Telos protects the
world's most security-conscious enterprises, providing our
customers with solutions and services for cybersecurity, secure
mobility, and identity management.
The first point I'd like to highlight is that all
enterprises, public and private, need to emphasize cyber hygiene
in their day-to-day operational practices and employee
training.
Why do I make this first point? Because the 2015 Verizon
data breach investigations report found that the overwhelming
common denominator in security incidents is people. Nearly all
of the security incidents Verizon cataloged might have been
avoided if organizations had taken basic steps to help their
employees follow simple cybersecurity precautions.
Here are five basic steps that organizations should take to
help better protect themselves from attacks. First, establish
and enforce cybersecurity policies and procedures. Second,
include effective password management practices. Third, require
regular security awareness training. Fourth, implement timely
updates and patches to manage vulnerabilities. And fifth, to
use up-to-date endpoint security solutions. These five basic
steps serve as the foundation for a strong cybersecurity
program. Every IT security professional knows them, and yet the
importance of following through with them cannot be overstated.
Further, these practices must be embraced in the boardroom,
and by management, so that a culture of cybersecurity is
created throughout the organization from the top down.
That being said, every organization with high-value digital
assets needs to assume it has already been breached or will be.
This leads to my second point, and that is that incident
response and remediation are just as important to organizations
as cyber defense-in-depth strategies.
Telos has developed a rigorous framework for incident
response with essential steps like preparation, containment,
eradication and recovery, which we use ourselves and implement
for our customers.
Further, it isn't realistic to expect every organization to
have the time or financial and human resources needed to
successfully defend everything. That's why management is so
critical to effective cybersecurity. Risk management involves
identifying, evaluating, and either accepting or mitigating
uncertainty in decision making.
Private and public sector organizations need to make cost-
benefit choices about which systems to defend and how to defend
them based on the likelihood of an asset being attacked, the
value of the asset being attacked, the cost of defending the
asset, and the cost of losing the asset. That approach is
reflected in the continuous diagnostic and mitigation program
established by Congress ``to provide adequate risk-based and
cost-effective cybersecurity and more efficiently allocate
cybersecurity resources.'' This continuous diagnostics and
mitigation program, or CDM program, extends continuous
monitoring into the areas of diagnostics and mitigation while
acknowledging that risk management is called for when you have
to meet nearly infinite needs with finite resources.
That's also the value of initiatives like the NIST risk
management framework and the NIST cybersecurity framework. They
put cybersecurity solutions and best practices in the context
of risk management and compliance, which brings me to my third
point. The standards in the NIST cybersecurity framework are
very good but they cannot succeed unless companies follow them.
We should be looking for ways that market forces can
incentivize companies to voluntarily take the strongest
possible actions to protect themselves, which includes
following the NIST standards and best practices.
The various critical infrastructure sectors are just that:
critical. They're so important to our national defense, our
economy, and our way of life that it's imperative government
and private sectors encourage organizations in these sectors to
use best security practices.
One promising area of incentivizing companies is tied to
the growth of the cyber insurance market. The Commerce
Department has described cyber insurance as ``an effective
market-driven way of increasing cybersecurity.'' The Treasury
Department has also suggested that the increasing demand for
cyber insurance may help drive private sector policyholders to
adopt the NIST cybersecurity framework. As insurance companies
get their arms around the cybersecurity actuarial data they
accumulate with each new breach, they'll want to have insights
into what their clients are doing to protect themselves. Are
they applying sufficient ongoing protection for their systems
and data? Are they using the NIST framework or an equivalent
standard? In fact, insurance companies may well require their
clients to adopt the NIST framework in order to demonstrate
insurability and reduce their premiums. When that happens, we
could see greater market-based pressure brought to bear that
will effectively require companies to do the same. So market
forces and the fear of legal liability may make NIST voluntary
guidelines the de facto standards for companies to demonstrate
to insurers or in court that they've exercised all due care to
protect their customers and their assets.
One additional point: Cybersecurity is just too important
to do on the cheap. Overreliance on ``lowest price technically
acceptable'' contracts can be very risky in a field that has so
little room for error.
Similarly, our fifth war-fighting domain, cyberspace, must
be appropriately funded. U.S. Cyber Command has been funded at
a level this year that represents a mere 1/1000th of the
overall DOD budget. By contrast, just four banks--JP Morgan
Chase, Bank of America, Citibank and Wells Fargo--are spending
three times the amount on cybersecurity. JP Morgan, after they
got hacked, decided to double their IT security spend from $250
million a year to $500 million a year, more than all of Cyber
Command. The financial sector is an example of the private
sector taking its cybersecurity risk management
responsibilities very seriously and devoting the resources
necessary to protect themselves.
Again, I appreciate the opportunity to share with you
Telos's perspective, and I'd be glad to answer any questions.
Thank you.
[The prepared statement of Mr. Wood follows:]
Chairwoman Comstock. Thank you.
And now we'll hear from Dr. Casado.
TESTIMONY OF DR. MARTIN CASADO,
SENIOR VICE PRESIDENT AND GENERAL MANAGER,
NETWORKING AND SECURITY BUSINESS UNIT, VMWARE
Dr. Casado. Chairwoman Comstock, Chairman Loudermilk,
Ranking Member Lipinski, Ranking Member Beyer, and other
Members of the Committee, thank you for the opportunity to
testify today. I'm super thrilled to be here.
I'm Martin Casado, Senior Vice President and General
Manager of Networking and Security at VMWare. VMWare is the
fourth largest software company in the world with 2014 revenues
of over $6 billion and over 18,000 employees.
The nature of security breach at the Office of Personnel
Management was not particularly unique. Hackers were able to
penetrate perimeter networks' security systems and gain access
to OPM and Department of Interior systems where they were free
to access and steal sensitive data over a period of several
months. Hackers typically use this attack methodology because
traditional perimeter-centric security systems are structurally
designed to be doors to the network. These doors allow
authorized users access to network systems and prevent
unauthorized users from entering a network or data center.
However, perimeter security is a single point of entry that
must be breached or circumvented in order to enter the data
center network. Once the intruder has passed the perimeter,
there's no simple means to stop malicious activity from moving
throughout the data center. In many cases, the response from
companies, agencies, and network security vendors is to add
more security technology to the perimeter, which ignores the
structural issue, creating basically a Maginot line.
VMWare submits three salient points for consideration. One:
Every recent agency breach has had one thing in common: the
attacker, once inside the perimeter security, was able to move
freely around the agency's network. Two: Perimeter-centric
cyber security policies, mandates, and techniques are
necessary, but insufficient and ineffective in protecting U.S.
government cyber assets alone. Three: These cyber-attacks will
continue, but we can greatly increase our ability to mitigate
them and limit the damage and severity of the attacks when they
do.
So in today's legacy networks, there are a lot of
perimeter-centric technologies that are designed to stop an
attacker from getting inside a network. Clearly, this approach
is not sufficient to combat today's cyber-attacks. Perimeter-
centric security solutions are analogous to a locked door that
can only be accessed with a key. The primary function of the
door is to deny initial unauthorized entry by anyone who does
not have a key. However, once the door is forced open or
breached, the unauthorized actor is free to move throughout
unabated.
In order to effectively prevent an attacker from moving
freely around the network, agencies must compartmentalize their
existing network perimeter security by adding zero trust or
micro-segmented network environments within the data center. A
zero trust environment prevents unauthorized lateral movement
within the data center by establishing automated governance
rules that manage the movement of users and data between
business systems or applications within the data center
network. When a user or system breaks the rules, the potential
threat incident is compartmentalized and security staff can
take any appropriate remediation actions. To build on the
analogy above, compartmentalization is equivalent to securing
each interior room with locks, limiting the intruder's ability
to move around freely within the house significantly. This
mitigates the magnitude of a perimeter security breach, or
break-in. These new approaches are already the gold standard in
commercial industry and need to become the gold standard across
the federal government.
VMWare has seen many government agencies conclude that the
most effective means of mitigating the potential for a breach
is to build a new network or data center called a
``greenfield'' environment with enhanced security protocols.
Agencies reach this conclusion because existing data centers,
or ``brownfield'' environments, are assumed to be compromised
and unsalvageable. This is a legitimate strategy. However, it
fails to address the persistent security threat to existing
cyber infrastructure.
There are two main issues with this approach. Existing
networks or data centers continue to operate while the new
environment is being provisioned, which leaves sensitive data
vulnerable to continuing attack. It can take months or years to
stand up a new greenfield environment. As we've seen, this is
what happened with the attack at OPM. They were building a new,
enhanced network but the attack occurred on the existing
system. Without clear cyber security guidelines mandating new
software based security strategies that go beyond perimeter-
centric security, the new environments are subject to attack as
soon as they become operational.
In an era of constrained resources and imminent threat,
this approach is insufficient and untimely. Agencies have the
ability today to upgrade the security posture of their existing
cyber infrastructure and add zero trust software defined
solutions that are inherently more cost-effective than new,
expensive hardware-based solutions. By deploying these
technologies within our nation's existing networks and data
centers, agencies can avoid billions of dollars of additional
investment in new greenfield infrastructure when the compelling
driver for a greenfield investment is strictly security
related.
Thank you very much for the opportunity to testify today,
and I look forward to answering the Committee's questions.
[The prepared statement of Dr. Casado follows:]
Chairwoman Comstock. Thank you.
And now we will hear from Mr. Schneider.
TESTIMONY OF MR. KEN SCHNEIDER,
VICE PRESIDENT OF TECHNOLOGY STRATEGY,
SYMANTEC CORPORATION
Mr. Schneider. Chairwoman Comstock, Chairman Loudermilk, Chairman Smith,
Ranking Members Lipinski and Beyer, thank you for the
opportunity to testify today.
The focus of today's hearing is right on point:
Cybersecurity is a shared responsibility, and the public and
private sectors must work together closely to counter ever-
evolving threats.
Many of the recent headlines about cyber-attacks have
focused on data breaches, both in government and across the
spectrum of industries, but cyber-attacks do much more than
that, and the incidents we see today range from basic
confidence schemes to massive denial-of-service attacks to
sophisticated and potentially destructive intrusions into
critical infrastructure systems. The attackers run the gamut
and include highly organized criminal enterprises, disgruntled
employees, individual cyber criminals, so-called hacktivists,
and state-sponsored groups. Attack methods vary, and the only
constant is that the techniques are always evolving and
improving. For instance, spearphishing, or customized targeted
emails containing malware or malicious links, is still one of
the common forms of attack. Social media is also an
increasingly popular attack vector as people tend to trust
links and postings that appear to come from a friend's social
media feed.
We've also seen the rapid growth of targeted web-based
attacks known as ``watering hole attacks'' and trojanized
updates where malware is cloaked in legitimate software
updates. For example, last year, legitimate software developers
were tricked into using compromised software to publish their
apps. These apps were then pushed into Apple's App Store and
downloaded by unsuspecting consumers.
Further, the attack surface continues to expand as both the
private and public sectors move to the cloud, and the internet
of things and the billions of new devices coming online will
bring with them a new generation of security challenges. For
example, CCS Insight predicted the sale of 84 million wearables
in 2015. Each of those 84 million users is transmitting
sensitive data into cloud platforms that must be secure.
Preventing these attacks requires layered security and an
integrated attack. At Symantec, we refer to this as our
unified security strategy. The National Institute of
Standards and Technology's framework for improving critical
infrastructure security reflects this holistic approach and its
core five functions serve as a useful outline for discussing a
unified approach to security.
First is identify. Simply put, you can't protect what you
can't see, but the task goes beyond just identifying hardware
and software and includes a risk-based approach to ensure that
the most critical assets are identified and protected.
Next is protect, and it starts with people. An organization
needs to ensure that its workforce practices good cyber hygiene
and is alert for the latest scams and schemes. But of course,
technology is important too. Modern endpoint security examines
numerous characteristics of files to discover unknown or
emerging threats that might otherwise be missed. It's critical
to monitor the overall operation of a system to look for
unusual, unexpected, or anomalous activity that could signal an
infection. Information protection is equally important. This
requires a data loss prevention system that indexes, tracks,
and controls the access to and movement of data across an
organization.
The third function is detect. An organization needs to know
what is going on inside of its systems as well as who is trying
to access what and how they are trying to do so. Monitor
security analytics platforms and just a whole volume of machine
and user data and use advanced behavioral and reputational
analytics to know whether a series of anomalies is an indicator
of malicious activity. By doing so, these systems are able to
detect threats that bypass other protections.
Fourth is respond. Good planning is the foundation of an
effective cybersecurity strategy. If and when an incident
occurs, an organization must have a well-defined and practiced
playbook to be able to respond quickly and effectively.
Interviewing potential vendors and assigning roles and
responsibility is not a good use of time while an organization
is hemorrhaging sensitive data.
The last function is recover. This is twofold: getting the
impacted systems back up and running, and improving security
based on the lessons learned from the incident. Effective and
efficient recovery requires preparation and planning. For
example, poor preparation could leave an organization with
incomplete or corrupted backups. But perhaps the most important
part of fixing identified flaws in both systems and processes
is to learn from the incident.
Cooperation is key to improving cybersecurity, and Symantec
participates in numerous industry consortia and public-private
partnerships to combat cyber crime. These include the National
Cyber Forensics and Training Alliance, the FBI, Europol, Interpol,
NATO, and Ameripol. We've also been involved in several
operations to take down criminal networks including several
high-profile botnets such as the financial fraud botnet
Gameover Zeus, the ransomware network Cryptolocker, and the
Ramnit botnet.
The only path to improving security for the Nation is
through partnership and shared expertise, and the government
can learn from the private sector's experience incorporating
cutting-edge security tools into their security programs.
We appreciate the Committee's interest in learning from
Symantec's expertise and best practices, and I'll be happy to
take any questions. Thank you.
[The prepared statement of Mr. Schneider follows:]
Chairwoman Comstock. Thank you.
And now we'll hear from Mr. Clinton.
TESTIMONY OF MR. LARRY CLINTON,
PRESIDENT AND CHIEF EXECUTIVE OFFICER,
INTERNET SECURITY ALLIANCE
Mr. Clinton. Thank you, Madam Chair and Members of the
Committee. It's an honor to be here. I appreciate the
opportunity.
I'd like to focus on five areas I think where the federal
government can learn from the private sector. First, government
needs to invest much more in cybersecurity. Private-sector
spending on cybersecurity has nearly doubled in the last
several years to $120 billion annually. The federal non-defense
spending on cybersecurity this year will be between $6 and $7
billion. Private-sector spending on cybersecurity will increase
24 percent next year. Federal government spending is increasing
about 11 percent. I know of two banks who have a combined
cybersecurity budget of $1.25 billion for next year. DHS's
entire budget for cybersecurity next year is about $900
million, 75 percent of what two banks are spending by
themselves. Cyber crime costs our nation a half trillion
dollars a year, yet we are successfully prosecuting maybe one
percent of cyber criminals. We simply need to spend more on
cybersecurity.
Two, government needs to act with greater urgency. It took
Congress six years to pass a modest information-sharing bill.
In 2009, major trade associations presented Congress and the
Administration detailed recommendations on cybersecurity. In
2011, the House GOP task force report on cybersecurity embraced
these recommendations, as did President Obama's Executive
Order, but four years after the House task force report, we
still have not seen any substantial work on the top
recommendation in that report or the Executive Orders. For
example, the GAO task force report and the Executive Order and
the national infrastructure protection plan all call for the
creation of a menu of incentives to promote the adoption of
cybersecurity yet aside from the information-sharing bill, the
President has not proposed, Congress has not introduced a
single incentive strategy bill. Last month GAO reported that 12
of 15 sector-specific agencies had not identified incentives to
promote cybersecurity even though that's called for in the
national infrastructure protection plan. The President's
Executive Order called for the NIST cybersecurity framework to
be both cost-effective and prioritized. Three years later,
there has been no objective measurement of the framework's
effect on improving security, adoption or its cost-
effectiveness.
Three: The government needs to educate top leadership as
the private sector is doing. In 2014, ISA and AIG created a
handbook on cybersecurity for corporate boards, which was
published by the National Association of Corporate Directors
and is the heart of the training program that they are
launching. PriceWaterhouseCoopers recently validated the
success of this approach. They said boards appear to be
listening to the NACD guidance. This year we saw a double-digit
increase in board participation in cybersecurity leading to a
24 percent boost in security spending. Other notable outcomes
include the identification of key risks, fostering an
organizational culture of security, and better alignment of
security with overall risk management and business goals.
We believe, Madam Chair, that the government needs a
similar program to educate the government equivalents of
corporate boards: Members of Congress, members of the Cabinet,
agency Secretaries. Most senior government officials are not
sophisticated with their understanding of cybersecurity. If
they are educated as we're educating the private sector, we
think we could have more effective policy.
Four: The government needs to reorganize for the digital
age. Over the past several years, the private sector has moved
away from the IT department as the central focus of
cybersecurity and is evolving a more integrated enterprise-wide
risk management approach. Unfortunately, the federal government
is still caught up in legacy structure and turf wars that are
impeding our efforts. A Bank of America/Merrill Lynch study
found in 2015 that the U.S. government is still in the process
of determining who will have jurisdiction in cyberspace.
Departments, agencies, and commands are all battling for
jurisdiction and funding. The result is a fragmented system and
muddled political agendas that are hindering the development of
a secure system.
And finally, five: Government needs to become more
sophisticated in managing their own cybersecurity programs. A
2015 study compared federal civilian agencies with the private
sector, and found that the federal agencies ranked dead last in
terms of understanding cybersecurity, fixing software problems,
and failed to comply with industry standards 75 percent of the
time. The reason the government does so badly, according to
GAO, is that they simply evaluate by a predetermined checklist.
The private sector, on the other hand, uses a risk management
approach wherein we anticipate what the future attacks are
going to be based on our risk posture and then forward looking
attempt to adopt standards and practices.
We believe that the government needs to follow the private
sector's lead. They need to become more educated, more
sophisticated, and more innovative and act with greater
urgency and commitment with respect to cybersecurity.
I appreciate the opportunity to speak to you today. Thank
you.
[The prepared statement of Mr. Clinton follows:]
Chairwoman Comstock. I thank the witnesses for their
testimony, and we now will move to questioning. I will
recognize myself for the first five minutes.
Thank you all so much for your expertise and your passion
about this important issue. I remember back in 2014, I was able
to sit down with Mr. Wood, and we spent a pretty long afternoon
identifying a lot of the problems, and I'm sorry to say that
everything you said came true and all the problems you
identified were dead-on, but I appreciate that you're here to
help us address that.
I was at the consumer technology conference earlier this
week, and so we're seeing a lot of the new things that are in
practice, and certainly the concept of ``innovate or die'' is
very much a reality here.
So I was wondering, because I think you've all addressed a
little bit, but how do existing government contracting
provisions impact the ability for the public sector to be agile
and to be able to do what you do in the private sector? I know
this is a little bit out of our jurisdiction in terms of
government contracting but sort of identifying the problem and
how we can address it. You know, we have the standards, we have
the practices. We know we need to be more risk management-based
instead of just a checklist. How can we all get those type of
policies in the government that are as agile as what you're
dealing with in the private sector? Do you want to start, John?
Mr. Wood. One suggestion I would have is that I think it
would be very helpful for the government to move more towards a
best-value approach to government contracting versus lowest
price, technically acceptable approach. The same individuals
that we put on assignment with the government often we will
receive a much higher rate for those individuals when we're
working commercially because commercial companies tend to value
the kind of capabilities that our security professionals have,
and when I say ``much higher,'' often it's, you know, 200 to
300 percent higher, and I think at the end of the day, that's a
really big issue that the government needs to at least address,
because otherwise you tend to get what you pay for.
Chairwoman Comstock. Yes, Mr. Clinton?
Mr. Clinton. I agree completely with Mr. Wood, and I think
this speaks to part of the education issue that I was speaking
to. We need to have a better understanding of the breadth of
cybersecurity. What you're talking about, Madam Chairman, is
frankly not an IT problem; it is an economic problem. That's
what cybersecurity is. It is not an IT problem, it is an
economic problem, and we need to find a way to move away from,
as Mr. Wood said, lowest cost items, particularly in the
federal space. We have examples where federal agencies are
buying equipment off eBay from nonsecure suppliers because it's
lower in cost, and while we appreciate the tension and the need
for economy in these times, we have to understand that there is
a direct tradeoff between economy and security, and we're just
going to have to come to grips with that, and we haven't. I
think if we could educate the federal leadership in the way
we're educating corporate boards--where, by the way, we had
exactly the same problem a few years ago--we might be able to
get a better appreciation of the interplay between the
economics of cybersecurity and the technology of cybersecurity.
The real problem that you're speaking to, in my opinion,
mostly comes in the smaller business elements of cybersecurity.
If you're going to deal with, for example, the major defense
contractors, frankly, you compensate them perfectly well and
they have pretty good cybersecurity, but because of the
procurement system, they are required essentially to farm out a
lot of the procurement to smaller firms across the country in
Congressional districts and those smaller firms do not have the
economies of scale to meet the cybersecurity standards that the
primes have. We have to find a way to provide incentives for
those smaller companies to come up to grade because it is not
economic from their business point of view in order to do that.
Now, we think that there are a number of suggestions that we've
made and I referred to in my oral statement and in the trade
association paper that can talk about how we can better
incentivize the smaller companies so that we can get them up
closer to where the majors are, and if we can do that, we can
achieve our goal, which is a cybersecure system as opposed to
cybersecure entities.
Chairwoman Comstock. Mr. Schneider?
Mr. Schneider. I think another thing--this isn't directly a
contract issue--is to use the tools that they've already
purchased. I think one thing we see a lot in both the private
sector and in the public sector is the acquisition of
technologies that then aren't even configured properly and used
properly. So a lot of the investment that happens both within
private organizations as well as the public organizations is to
take the technology purchases and make sure that you have the
right human capital and the right best practices to deploy
those properly. I mean, the most cost-effective thing you can
do is use the money that you've already spent more wisely, so I
think that's one key that we see as well.
Chairwoman Comstock. Okay. Thank you.
Dr. Casado?
Dr. Casado. Just kind of quickly more on a positive note,
I'm kind of a personal success story of this, so when I
graduated with my Ph.D., I was thinking about being a
professor, and instead I started working in the intelligence
community, who decided to fund a startup that we were doing,
and they were great to work with early on, and kind of to
Congressman Beyer's point, I do think that there's a lot that
we can learn from the government, and that turned into kind of
one of the largest tech acquisitions in the private sector ever
and a huge security initiative. So I think, you know, more
working with the startup ecosystem--I mean, I'm a Silicon
Valley guy--but more working with the startup ecosystem,
funding that, allowing us access to the way that you think
about the security technology I think will hugely help
innovation.
Chairwoman Comstock. Thank you, and I want to particularly
note the--I think, Mr. Wood, you call it the fifth war fighting
command is cyber here. I'm running out of my time, but if we
can get--and Mr. Clinton, the numbers and the comparison
between private sector and the public sector and what we're
spending and sort of the quality, I think that's a very helpful
contrast and understanding. This is part of our defense system,
and certainly as we've seen social media being used in the
terrorism area and all those. So I appreciate you putting real
emphasis on that. Thank you.
And I'll now recognize Mr. Lipinski.
Mr. Lipinski. Thank you. There are so many things to talk
about here, and I just got set off in another direction by what
Dr. Casado had just said, so first I'll say it's good to see a
Stanford and Berkeley guys be able to sit next to each other.
I'm a Stanford guy.
So I'm going to ask Dr. Casado, you had just mentioned
there should be more done by the government to engage Silicon
Valley entrepreneurs. What more could the federal government be
doing right now in this area?
Dr. Casado. I'm actually very positive about the actions
that the government has taken over the last few years. I mean,
I've worked with In-Q-Tel, I've worked directly with government
agencies, and I think continuing to fund efforts that engage
directly with startups, understanding that they're risky
propositions and understanding that there's a high level of
risk, I think is very beneficial. Again, I mean, all of the
work that I've done in the last eight years has been based on
my experience personally in the government and then funding
from the government and it's turned into a major industry
initiative, and so I would just encourage you to continue a lot
of the work that you're doing, and----
Mr. Lipinski. Is there anything that's not being done now
that you think should be done on the federal government side of
engagement?
Dr. Casado. Well, I think--I mean I think--I think it--the
problem is, you're great at funding on the early stage, and
then I think when things get a little bit bigger, it's harder
for the startups to engage with the government because you get
into these difficult procurement processes that are kind of
owned by a number of people. So I would say normally what
happens is, you do a great job kind of getting these guys
incubating and then they find out that we can't really actually
sell to the government because it's too hard and it's too
sticky, so we go ahead and sell it to the private sector.
So one thing that you could really help out with is not
only get these guys incubated and starting and providing them
the initial funding but actually give them inroads into selling
to the government, being an actual vendor to the government and
helping that out. That was my--so originally we tried to
actually engage the government, and it wasn't until eight years
later that we could actually do it in a viable way, and now
we're doing it in a way that we're very excited about, but
actually having hand-holding of the procurement process early
on would have been hugely helpful.
Mr. Lipinski. Thank you.
Anyone else on this subject before we move on? Mr.
Schneider?
Mr. Schneider. Yeah, we're starting to see a lot more
engagement in Silicon Valley from various elements of the
government. One example is the DHS has obviously been very
active over the last couple of years. There's a new DOD project
called DIUx where they've now established in Moffett Field
right across from Silicon Valley trying in much the way that
In-Q-Tel's been able to invest in startups to bring some of
their technology needs to the Valley, so I think we're seeing a
lot more engagement over the last year.
Mr. Lipinski. Anyone else? Mr. Wood?
Mr. Wood. Thank you, sir. I'm honored to sit on the
Commonwealth of Virginia's Cybersecurity Commission as well,
and one of the things that I've been encouraging the
Commonwealth of Virginia to do is to encourage much closer
relationships between the university ecosystem and the business
ecosystem, and to really promote research. I think that will
help propel a lot of the startup activity that the gentlemen to
my left are both talking about. Whether it's in Silicon Valley
or Research Triangle or in the State of Virginia, at the end of
the day we need far more research than we currently have, and
the reason is because when I talked about earlier the dollars,
the difference between spent in the federal government and the
commercial side, it's very simple. We have a real scarcity of
resources in terms of cybersecurity professionals, and so we
need more tools being able to deal with the complex environment
that's going on out there and those tools, i.e. automation, are
the way forward, I think, in order to help deal with that
scarcity of personnel resources. There are other things we can
do as well, but I think that research would really help us a
lot from a cybersecurity perspective, really as a nation.
Mr. Lipinski. And very quickly, and continuing with Mr.
Wood, I want to thank you for your work in STEM education and
thank you for bringing up how important it is that the human
behavior is critical in preventing so much of this, and I think
you said nearly all of these attacks could have been avoided
with better behavior, and I think that brings up the
importance, as I always talk about here, in understanding human
behavior and funding social science research into things like
this.
But the last thing I wanted to ask you is, you talked about
insurance, and I'm very interested in how do we incentivize the
private sector. Is this something that you think should be
required or do you just think that this will develop over time?
Do you see a need for the government to require insurance for
these--against these types of attacks?
Mr. Wood. Sir, I personally don't think there's a need for
the government to require it because I think the lawyers will--
at the end of the day will help corporations and other
organizations understand the legal liability associated with
not taking the appropriate actions.
Mr. Lipinski. Have companies really suffered that much who
have been--who've had these data breaches?
Mr. Wood. Oh, I definitely think they're beginning to. I'm
seeing more and more boardroom kind of calls being made to our
company than ever before. I think the very public retail
breaches that have occurred are now heading into not just the
CEO's office but right into the boardrooms. So I also believe
that the critical infrastructure industries that we have out
there that are already regulated feel the pressure associated
with doing something, and that's why I think that the insurance
companies are doing what they are in terms of really trying to
promote cyber insurance. Their feeling is that if they can--if
the corporations can provide evidence that they are doing
what's appropriate from a risk management point of view, that
that will result in two things. One is lower premiums to the
corporation who is looking to get the insurance, and then
secondly, a better legal defense to the extent that they are
sued.
Mr. Lipinski. Thank you. I yield back.
Chairwoman Comstock. Mr. Clinton wanted to----
Mr. Clinton. If I could just very quickly, Mr. Lipinski,
first of all, we're big fans of insurance so we've been
promoting cyber insurance for over a decade, but I don't think
that a requirement is appropriate, and----
Mr. Lipinski. If you've been promoting it for over a decade
and it doesn't seem like it's that widespread, is it?
Mr. Clinton. No, and that's because of systemic problems
within the insurance market, the lack of actuarial data, and in
particular, the enormous risk that the insurance companies
realize that if they insure and there is a major catastrophe,
they're on the line for everything.
We faced the same problem in terms of insurance in the last
century with crop insurance and flood insurance, and there are
systemic ways that we can work with the federal government in
order to address that problem, and I'd be happy to go into
those in some detail, but I wanted to get to the specifics of
the requirement piece.
I think one of the things the federal government could do
is require insurance, cyber insurance, for your information
systems in the same way that you require physical insurance
when you build buildings and everything else, and I think if
the government did that, it would be a market leader in that
regard.
The other thing I just want to point out, and this bears, I
think, a little more conversation because I think this is a
widespread misnomer, of the reality when you look at the data
of the economic impacts of the high-profile breaches is not
what you think. If you go back and look 6 months after the Sony
attack, their stock price was up 30 percent. If you go back and
look at six months after Target, the stock price was up about
26 percent. If you look at most of the high-profile breaches,
you find that there's an initial reduction and then there's a
bounce back, and I can explain why that is, because the smart
guys on Wall Street say ooh, nice distribution system, I like
the price point of their products, and ooh, the price is down,
buy opportunity. So the natural things that we assume are going
to happen really are not happening when we look at the data,
but Mr. Wood is exactly right about the fact that corporate
boards are spending much more attention on this, but I think
that has to do more with the threat to their intellectual
property which is being vacuumed out and is a tremendous
economic risk.
Mr. Lipinski. So they're not concerned about the consumers
and the people who are using their business, they're----
Mr. Clinton. Well, no, they're----
Mr. Lipinski. --concerned about their own----
Mr. Clinton. Yeah, so----
Mr. Lipinski. That's a suggestion there, that----
Chairwoman Comstock. We're going to have to move on to our
next question.
Mr. Clinton. I will get back to that but----
Chairwoman Comstock. And please do submit----
Mr. Lipinski. Okay.
Chairwoman Comstock. And I'd appreciate you submitting some
more information on the insurance area. I think that would be
very interesting.
Mr. Clinton. Sure.
Chairwoman Comstock. And I now recognize Mr. Loudermilk for
his five minutes.
Mr. Loudermilk. Thank you, Madam Chair.
And after spending 30 years in the IT industry myself, I
can equate to a lot of what you're saying, especially the cyber
insurance. Big supporter of cyber insurance simply because of
the standards that the insurance companies put upon these
businesses, and I sold my business a year ago, was greatly
relieved when I sold the business because while cybersecurity
was on my mind 24 hours a day owning this small company and
managing it, it was not on the minds of my customers.
Mr. Clinton mentioned eBay. We had many instances where we
put a secure network into place, a network of a small
government managing power distribution systems, and we engineer
it, we put the products in, some of the products that some of
you represent everything from spam filters, firewalls,
gateways, content managers, bandwidth managers, and then we
would find out that they would go and buy parts for these off
of eBay that would come from somewhere overseas, and we don't
know the firmware that's on it, and I understand that what's on
their mind, especially when you're dealing with small
businesses, is bottom line. Doctors are being doctors, lawyers
are being lawyers, they are doing what they're doing. We're
supposed to take care of that. But when we go forward and we
say this is what we need to do to upgrade and say we don't want
to do that right now, do we have to do it? Well, your network
will still function but you're at a high amount of risk. Well,
that usually doesn't change their mindset. So having those sets
of standards I think is important.
Another thing that was brought up is this risk-based
management. That's what we live by. We used to emphasize to our
employees, there's two types of computer users: those that have
been hacked and those that don't know that they've been hacked.
Another part of risk management is, we emphasize to our
customers, don't keep what you don't need. If you don't need
the data, you don't have it, you don't have to secure it.
And that really brings an issue that I have great concern
about here in federal government here and that's with the MIDAS
system, which according to news reports is storing information
on Americans who access the HealthCare.gov website, not just
those who got their health insurance, but those who even
shopped it, and it's storing personal identifiable information
of Americans without their knowledge in a data warehouse.
And for Mr. Wood, considering what's happened to the
federal government, the recent expansive data breaches, does it
concern you that the federal government will be holding
information on citizens without their knowledge, even for
citizens who did not get their healthcare coverage through this
system? Am I justified in my concern over the risk of storing
this data, especially data that is not needed.
Mr. Wood. So you're raising both a privacy perspective as
well as a cybersecurity, you know, issue. You know, at the risk
of being a Monday morning quarterback, you know, which is what
I would be doing if I were to reflect on the OPM situation, the
very unfortunate OPM situation because like all of you, I also
received my letter that gave me the good news. I think that in
retrospect, had OPM been using, you know, two-factor
authentication, had they been using encryption at rest, had
they had log files, we would've had a much different situation
than perhaps we ended up having with OPM.
So as it relates to the HealthCare.gov situation, I don't
know how they're storing the data to be able to reflect to you
about what is appropriate, but I think generally speaking, most
people are a little nervous because those of us that are in the
know worry that there just isn't enough resources being applied
from a financial perspective to the IT security issue, and it's
not just at the federal level, it's at the state level too.
Commercial corporations, on the other hand, I see around
the world are taking the appropriate steps. You know, I gave
the example early on in my testimony about JP Morgan Chase. You
know, when they were hacked, they were spending at that time
about $250 million. After the customer PII got out, they went
to the board. The board looked at it and determined that they
had to increase substantially their spend to do a couple
things. One was to actually buttress what they were doing from
an IT security perspective, but the other thing to do was
to raise the confidence of their customers. So at the end of
the day, I would argue that while their shareholder price has
gone up over time, they absolutely--and every corporation cares
about their customer data. Thank you, sir.
Mr. Loudermilk. And I'd like to ask Mr. Clinton to respond
to the same question, but also Mr. Wood, part of mitigating
your risk is not keeping data that you don't need. Would you
agree that that is a good practice, if you don't need data to
not store it?
Mr. Wood. Yes, sir.
Mr. Loudermilk. Okay. Thank you.
Mr. Clinton? Microphone.
Mr. Clinton. I'll say it again: that's absolutely right,
sir. Thank you.
Mr. Loudermilk. Okay. Thank you.
Chairwoman Comstock. Thank you.
And now I'll recognize Mr. Beyer.
Mr. Beyer. Thank you, Madam Chairman--Chairwoman.
Dr. Casado, I was fascinated by your testimony, especially
the--I'm quoting you a little bit: Once the intruders pass the
perimeter security, there's no simple means to stop malicious
activity from propagating throughout the data center. This
whole notion of unauthorized lateral movement and your call for
zero trust micro-segmented network environments, interior rooms
with locks, is this recognition built into NIST's cybersecurity
framework, moving from just the perimeter security to the
internal stuff?
Dr. Casado. Yes. So we're actually working with NIST now
but I don't believe it's currently codified within NIST, so I
think that making it part of a standard would be greatly
beneficial.
Mr. Beyer. It sounds like an essential part of the
cybersecurity framework, it should be?
Dr. Casado. Yeah, I think this is rapidly becoming a best
practice within industry and the private sector, and actually
in some areas of management as well. I think putting it as part
of a standard would be very beneficial.
Mr. Beyer. Closely related to that, Mr. Schneider, you
said, and I quote again, ``We are well past the days when a
password, even a complex one, will be much more than a speed
bump for a sophisticated attacker, and multifactor
authentication, combining something you know like a password
with something you don't know like a text message is essential
for any system to be secure.'' Is this part of the cybersecurity
framework that NIST developed?
Mr. Schneider. I think it's very similar in that it's a
best practice that's not codified directly into the framework
but it's something that in the ability to protect your
information is becoming an industry best practice. The example
I would give in the discussion about in the future there
probably should not even be passwords as a core element of how
we access information because it's so eminently hackable, and
we really feel like a future with rich, multifactor levels of
authentication is the right approach, and you can imagine
yourself. You go back to your office afterwards, you sit down
to check your email. If you're using a mobile device that
tracks your location, there's already two or three factors of
authentication that say I'm supposed to be in my office, I'm in
my office, I'm accessing email, my device says I'm there, you
may then ask for a PIN or additional kind of level of
authentication but it's really having those kinds of dynamic
authentication we see in the future and not static passwords
that have been such a broken part of security today.
Mr. Beyer. So both of these are evolutions to CSF, which
leads me to Mr. Wood. You wrote very eloquently on page 4 of
your testimony that ``most businesses would prefer the
government impose the fewest possible requirements on them.''
We hear that every day in the House. But how many breaches will
it take before it's recognized that allowing the private
sector, especially critical infrastructure companies, to choose
the path of least resistance creates an opportunity that might
put our citizens' personal information at risk, put our
critical infrastructure at risk and put our national economy at
risk. NIST standards, the CSF, is purely voluntary. When do
businesses come together to recognize that this really needs to
be the mandated standard across the country?
Mr. Wood. So earlier we were talking about insurance, and
the insurance industry and why hasn't it adopted more cyber
insurance more quickly. The simple reason is because there was
no standard, there was no agreed upon standard until not that
long ago, and so I think that ultimately I look at the NIST
cybersecurity framework as a baseline, and what these gentlemen
are talking about are in fact good points, and they are
additive to the baseline, if you will, but if we can all get to
an agreement about what the baseline is and we all adhere to a
baseline, at least we know that the other person I'm dealing
with is going to be able to evidence for me that I can do
business with them because they're taking the appropriate
steps.
Mr. Beyer. It just seems to me--thank you very much--that
we look at so many things that affect us and we have mandated
it, and the regulations have to be cost-effective, but we did
airbags in cars and 5-mile-an-hour bumpers and seatbelts, you
know, healthcare in terms of the FDA. This may be, if it really
is this huge threat to our national security and to our
personal security, that we think about mandatory standards
rather than voluntary, rather than relying on the threat of a
lawyer's lawsuit and insurance to somehow cover this. Mr.
Clinton?
Mr. Clinton. With respect, sir, I would push back the
opposite direction. I would point out that in my testimony I
pointed to the fact that the federal government, which
basically does operate in the model that you're talking about
with FISMA standards that they must comply with, et cetera, and
when we evaluate them independently versus the private sector,
the federal government comes out dead last. The reason is, is
that this is not airbags, this is not consumer product safety
where there's some magic standard that we just come up to the
standard and we are set. The problem is not that the technology
is below standard. The problem is that the technology is under
attack. That's a very, very different problem. We need to be
forward looking. If we talked about mandating standards a
couple of years ago, we'd probably be talking about mandating
firewalls and things like that that we now see as basically
obsolete, and all of our companies would be spending a lot of
money complying with these outdated standards. So we need a
different model. The digital age is much more forward looking.
That's why the Obama Administration and the House Republican
Task Force and the private sector all agree that what we need
is a forward-looking, incentive-based model and we need to get
industries to understand that it is in their best interest to
be continually advancing security. They can't be looking
backward; they have to be looking forward.
We can do this, by the way, but it is a completely
different mindset, and I think we need to understand that in
the digital age, the old model just isn't going to work for
this modern problem that includes nation-states attacking
private companies. There's no minimum standard that's going to
protect them. We need a different model, and we think we can
develop that, but it is going to be different.
Chairwoman Comstock. Okay. Now I recognize Chairman Smith.
Chairman Smith. Thank you, Madam Chair.
Mr. Wood, let me direct a couple of questions to you, but
let me describe this scenario first, and then ask you to
comment on this particular situation. Let's say a senior
government official at an Executive Branch department
approached your company to set up a private email account and
server for conducting both official and personal business.
These emails could include sensitive or classified information
about national security. In addition, all emails would be
stored on a server located in their private residence.
Cyber-attacks and attempted intrusions would be obvious threats,
among other security risks. The material being transmitted on
the private email account could be a matter of national
security.
So two questions. Could this scenario unnecessarily expose
classified information to being attacked?
Mr. Wood. Yes.
Chairman Smith. Do you want to elaborate, or that's pretty
clear?
Second question is this: How would your company respond to
such a request?
Mr. Wood. We wouldn't do it.
Chairman Smith. Does any other witness want to comment on
the scenario? And if----
Mr. Wood. Well, for the simple reason that you're exposing
classified data in the open, and at the end of the day,
that's--that would not be prudent and would also be illegal.
Chairman Smith. And why illegal?
Mr. Wood. Because the government requirement is that all
official information be used through official means, meaning
through government networks.
Chairman Smith. Okay. Thank you, Mr. Wood. I don't have any
other questions, and yield back, Madam Chair.
Chairwoman Comstock. Thank you, and I now recognize Mr.
Tonko.
Mr. Tonko. Thank you, Madam Chair.
All of this hearing isn't focused on research. I know that
Mr. Wood had addressed research as a component for growth in
this region, in this area.
As you know, the government plays an important role in
supporting cutting-edge research on all aspects of
cybersecurity from prevention to detection to recovery. And
through agencies such as the National Science Foundation, the
National Institute of Standards and Technology, and the
Department of Homeland Security, we fund everything from basic
research to testbeds for emerging technologies. And all these
federal investments in cybersecurity R&D are coordinated under
the longstanding networking and information technology R&D
programs.
So while Mr. Wood did raise the issue of research, are
there recommendations that you, Mr. Wood, or any of our
individuals who are testifying, any recommendations that you
would have about federal agencies and how to set research
priorities and what major research gaps might exist out there
so that we can better partner in a more effective manner with
research opportunity? Mr. Wood?
Mr. Wood. Sir, thank you for your question. I agree. I
think the national labs are doing a tremendous amount of work
around all kinds of initiatives that regrettably many don't see
the light of day ultimately. I think more can be done to, A,
make industry aware of what the national labs are up to, and
then B, provide a mechanism for industry to license some of
those very critical research and development initiatives that
really may have one specific customer but ultimately could have
an entire industry that it could help serve. I think that would
do a couple things. One, it would provide potentially an income
stream back to the labs and therefore the government, and the
other thing it would do is provide, if you will, more
innovation without having to spend a whole lot more dollars.
Thank you, sir.
Mr. Tonko. Thank you.
Anyone else? Mr. Schneider.
Mr. Schneider. One area that we're very invested in right
now is on helping kind of the people part of the equation. I
mean, technology will continue to be an important element of
any security approach and automation underneath, but clearly
it's the people on top that we have to make sure are adequately
trained, and one of the areas we've been highly invested in
over the last couple years is simulation platforms to help us
all understand what cyber breaches look like, what cyber
incidents look like and be able to respond to those. So many
companies today, for example, they send out fake phishing
emails to their employees and see whether they respond or not,
and if they report it to their security organizations. That's
one simple example. There's also simulation platforms that take
real-world breaches and model those and allow security
professionals to interact with those. So that's an area that's
been, I think, on the DOD side, you know, things like cyber
range initiatives, very mature for a number of years. This is
really now coming into the private sector and civilian agencies
and a scenario that Symantec has invested heavily in, and I
think there's a lot of potential for cooperation with some of
the labs.
Mr. Tonko. Thank you.
Mr. Clinton?
Mr. Clinton. Mr. Tonko, perhaps a slightly different level
of abstraction. I think we would strongly support the notion of
the government doing some research on the cost-effectiveness of
the NIST framework. We are big fans of the NIST framework. In
fact, we like to think it was our idea. At ISA, we published
material on this a number of years ago. The Executive Order
says it's supposed to be prioritized and cost-effective and
voluntary. We believe that if properly tested, we would be able
to determine various elements of the framework, and the
framework is enormous and applies in different ways to
different companies and sectors, but I think if we did cost-
effectiveness studies, we could demonstrate what elements of
that framework are most effective to varying sizes and sectors
of industry, and once you can demonstrate that the framework is
cost-effective, you don't need mandates for it. Companies will
do what it is cost-effective. But when you go to a boardroom,
you know, you can't just say hey, this is a great idea and
Congress passed it. They're going to say where are the numbers,
you know, show me that it's cost-effective, and if we did that
kind of research, which is pretty easy and pretty inexpensive,
I think we could get a lot of bang for the buck in terms of
doing what I think we all want, which is for industry to adopt
these things on a forward-looking voluntary basis.
Mr. Tonko. Thank you, and Dr. Casado, please?
Dr. Casado. Yes. I think for the last 15 years, I've had a
lot of experience getting kind of research grants from the
government. I was a research scientist in the National Lab. You
guys, you know--DHS paid for my Ph.D. program. I was a DHS
fellow and started my company. I've done a number of research
grants while I was at the Ph.D., and the biggest difference in
my experience between very useful funds and not very useful
funds is the number of constraints that are on them, so more
flexibility in applying funds to our direct research agenda led
to better research. So I think the more agenda that goes prior
to the funding, the harder it is for us to basically fit it
within our broader research agenda, and so I do think that it's
great to fund certain areas. I don't think it's so great to
overconstrain the problems that are being looked at.
Mr. Tonko. Thank you very much, and with that, I yield
back, Madam Chair.
Chairwoman Comstock. Thank you, and I now recognize Mr.
LaHood.
Mr. LaHood. Thank you, Chairwoman Comstock, and I thank the
witnesses for being here today and for your testimony.
Question: When we talk about cybersecurity and these
breaches whether in the private sector or in the government,
and whether we describe them as hackers or something more
sophisticated, every time this is done either in the private
sector or to a government agency or entity, would you describe
that as criminal behavior? Is that a violation of a state or
federal statute in some respect?
Mr. Schneider. I think one of the challenges of
cybersecurity is it's a global phenomenon, and many of the
attackers are not in the United States and they're not in a
particular state in the United States, but the assets that
they're protecting may be. So I think the legal kind of
considerations can be pretty complicated.
The other thing is, as more and more infrastructure moves
to cloud platforms, which are also deployed globally, even
where those assets are becomes more of a challenge. So I think
in general, the answer is yes, but there's a lot of complexity
to the global nature of cybersecurity.
Mr. LaHood. And I guess as a follow-up to that then, you
know, if we look at, you know, traditionally when there's
criminal behavior that is engaged in, eventually there's
somebody held accountable or responsible. There's a
prosecution, there's a legal process that happens. I guess the
question to you is, are you aware of a successful prosecution
where somebody's held accountable, where there's a deterrent
effect? It seems like there's no penalty, there's no pain,
there's no consequences to anybody that engages in this
activity. Yeah, Mr. Clinton?
Mr. Clinton. Yeah, Congressman, I think you've put your
finger on what I would think is one of the number one problems
in this space. I would answer that it absolutely should be
criminal, in many instances is criminal, but as Mr. Schneider
points out, it's not in certain places so we need to be doing
two things. We need to be dramatically increasing our law
enforcement capability. As I said in my testimony, we are
successfully prosecuting maybe one percent of cyber criminals.
There's no deterrent really on the criminal side or no viable
deterrent. So we need to be dramatically helping our law
enforcement guys who are doing a great job but they are
underresourced dramatically, and then we also need to be
working aggressively with our international community to create
an appropriate legal structure in the digital age. We don't
have it. We are operating in an analog world with cyber-attacks
and it simply is unsustainable. We need to be doing both of
those things.
Mr. LaHood. And I guess, is there anybody that's leading
the way on that, Mr. Clinton, out there either, internationally
or here domestically? I mean, where are we at with that
process?
Mr. Clinton. We are not doing nearly enough. I mean, there
are people who will give a speech here and there, and again,
I'm not going to point fingers at law enforcement. I think
they're doing everything they can. They're underresourced. I
think we need leadership from the Congress to demonstrate that
this is a priority and we are going to fund it much more
aggressively.
Mr. LaHood. Thank you.
Yeah, Mr. Wood?
Mr. Wood. Thank you for your question, sir. The issue is
that from a law enforcement perspective is first of all, as Mr.
Clinton pointed out, it requires, you know, global cooperation
but then the standards of prosecution also have to be the same.
So in other words, a standard of prosecution here at the
federal level might actually be different than at the
Commonwealth level, which might actually be different than in
Paris. So I think there needs to be some agreement as to what
the standards are for prosecution as well.
Mr. LaHood. Yeah, but why are we waiting around for that?
It would seem that this is ongoing, there should be some
standards set to do that instead and it doesn't sound like
there's a framework in place to even address that.
Mr. Wood. We did an analysis in the Commonwealth on just
that point. You know, it was a really great analysis which I'd
be more than happy to provide to you from the Commonwealth of
Virginia. I don't know why. All I can say is that the standards
even within the states are different for prosecution.
Mr. LaHood. And can you point to me in the Commonwealth of
Virginia where there's been a successful prosecution or that
deterrence has been put in place in Virginia?
Mr. Wood. We just changed the laws within the last six
months, and I'd have to refer to my colleagues in law
enforcement to let you know.
Mr. LaHood. Okay. Thank you. I yield back.
Mr. Wood. Thank you, sir.
Mr. Schneider. Actually, one point if I can.
Mr. LaHood. Go ahead.
Mr. Schneider. There are a number of great examples where
there's been cooperation between the private sector and law
enforcement to do takedowns. I could give you a number of them.
I mean, Gameover Zeus is a recent one where Zeus has been a
financial fraud botnet that's been around, very successful for
a number of years. It was put out by a private-public
partnership. The next version of that came online. Symantec and
a number of private companies as well as FBI and Europol
brought down that botnet. And this is the botnet that actually
was really propagating things like CryptoLocker, which maybe
you heard about, where it takes people's machines and encrypts
all the information and extorts you to get that information
back. So there's some very kind of successful examples, but I
think to your point, a much more consistent global approach is
needed.
Mr. LaHood. And in your case--I appreciate you mentioning
that--was there actual individuals held accountable? They're in
prison right now?
Mr. Schneider. Yeah, there's a particular individual in
Eastern Europe that has been prosecuted and convicted.
Mr. LaHood. And are they in the United States in prison?
Mr. Schneider. No. It's in Europe.
Mr. LaHood. Thank you.
Chairwoman Comstock. Thank you, and I now recognize Ms.
Bonamici.
Ms. Bonamici. Thank you very much, Madam Chair, and thank
you for holding this hearing. It's such an important issue, and
certainly one where there's a lot of room for bipartisan
cooperation. I think Mr. Clinton identified the challenge of
setting policy in this area because the technology always
changes so much faster than policy changes, so that being said,
I really look forward to working with all my colleagues and
continuing to raise awareness about this important issue, and
also come up with policy that not only addresses the issue but
prevents it.
I was recently out in Oregon visiting ID Experts, which is
an Oregon business that specializes in healthcare, health data
breaches. This is not just a federal issue, as some of my
colleagues might have suggested. I mean, look at the Anthem
Blue Cross. We're talking about millions of people here. And
most people think--when they think about identity theft, think
about the financial consequences, but with medical identity, if
someone gets a procedure or prescription or something and that
is entered into the individual's electronic health records,
there are health risks involved in that as well as financial
risks, and it's no surprise that the majority of people don't
carefully review their explanation of benefits statements just
like a lot of people don't carefully review their financial
statements, their credit card statements that might alert them
to something.
I want to follow up on something Mr. Lipinski started this
conversation about the psychological aspects and ask you, Mr.
Schneider, in your testimony you say this is--put a picture in
my mind here like the lion in the wild who stalks a watering
hole for unsuspecting prey, cyber criminals lie in wait on
legitimate websites that they previously compromised and used
to infect visitors. Most of these attacks rely on social
engineering, simply put, trying to trick people into doing
something that they would never do if fully cognizant of their
actions. For this reason, we often say that the most successful
attacks are as much psychology as they are technology. So now
I'm going to have this lion--this vision of a lion waiting and
maybe that'll help stop me from clicking on things that I
shouldn't click on.
But Mr. Schneider, could you talk a little bit about
whether do we need to fund more behavioral or social science
research? Do we need to do a better job educating people about
those risks and how to identify them? How do we get in--are we
adequately addressing that psychological aspect? Because when
we talk about the risk, and I think Mr. Casado, you--Dr.
Casado, you brought this issue up as well that we have to do
more to prevent that. So Dr. Casado or Mr. Schneider, could you
address that, please?
Mr. Schneider. Yeah. I think ultimately social engineering
is always going to be part of the security equation because we
as human beings are fallible. So I think systems have to be put
in place to enable us to do a better job of helping to secure
our own information as well as, you know, our company, our
agency's information, and I mean, I think some of the examples
I would give you, though, are in the training area that we
talked about, helping all of us to think more about security,
be more thoughtful about security. But secondarily, it's the
kind of security architecture underneath that makes it much,
much harder for the attackers to get the information that we
care the most about. So all the world's information is not
created equal. As you identified, medical health records are
much more important to us or financial records are much more
important to us than the lunch menu that we're going to look at
today. So it's taken a much more, I think, granular approach to
information protection, identifying the sensitive information
that we care the most about and put more security investment
around those kinds of assets than kind of the generic assets
that are out there.
Ms. Bonamici. Dr. Casado, what's your thought on that?
Dr. Casado. Yeah. So I'm 39 years old, and when I was 37, I
got an email from my sister on my birthday and it was like, you
know, dear brother, I'm so happy you're my brother, and there's
a picture of us when we were kids that's really sweet, and
then, you know, it was nice to see you last week. There was a
picture of us more recently, and happy birthday, and there's a
little link and so forth, and I was like--the first thing I
thought, this is so sweet, you know, like my sister has never
remembered my birthday before, and I thought you know what? My
sister's never remembered my birthday before so I looked at the
mail headers. It had come from Russia. Now, listen, I've got a
technical background and I've got a sister that doesn't
remember my birthday, and if either of these weren't----
Ms. Bonamici. It's now on record.
Dr. Casado. And if either of these weren't true, I'd have
clicked on that link and I would have infected my computer, and
I think this tells me fundamentally that it's very important to
train users and it's very important to do passwords but a
determined attacker will find a way in. I mean, they got these
pictures off of Facebook. It wasn't that hard to do. That was
probably two hours of work to send me that email, and if I was
anybody else, I would have clicked on that link. And so I think
that's why I----
Ms. Bonamici. Can you just both real quickly--I'm almost
out of time but I also serve on the Education and Workforce
Committee. Where--what are we going to do in terms of educating
the next generation and the workforce to make sure that we are
getting a step ahead?
Dr. Casado. Well, I think there's two approaches. I think
core education around security perimeters--I think actually Mr.
Wood was very, very clear, and I think that these best
practices are important. The second thing is, there are
technical implements we need to put in place assuming a breach
will happen, because it will happen. I mean, it's just a
determined adversary will get in. Therefore, we need to
implement a zero trust-type model.
Mr. Schneider. And I think the other point is, there's a
huge gap of security professionals in this country today, so
creating the educational programs to enable returning veterans
and high school and college students to choose careers in
cybersecurity is something that's very important as well.
Ms. Bonamici. Thank you. My time is expired. I yield back.
Thank you, Madam Chair.
Chairwoman Comstock. Thank you, and I now recognize Mr.
Palmer, and actually, Dr. Casado, we'll have to work on that
birthday if you want to let your sister know right now what the
day is.
Mr. Palmer. Thank you, Madam Chairwoman. I'm happy to
report for the record that my sister does remember my birthday
but my brothers do not.
On that same line, though, Dr. Casado, you can have the
best technology in the world, you can have great training, but
if employees are negligent in their use of it, you're still
exposing yourself, and I bring this up in the context of an
article that was in the Wall Street Journal back June--actually
it was June 9th, and it relates to the fact that the
Immigration and Customs Enforcement Agency had sent a memo to
their employees in 2011 because they had seen an uptick in
cyber-attacks related to employees using the federal server to
access their personal websites or their personal email.
Unfortunately, the labor union filed a grievance and prevented
them from doing that, and that's apparently where one of the
breaches occurred later last year. And my question is, and this
would be both for corporations and for the federal government,
does it make sense to prevent employees either in the private
sector or in the government sector from using their company
servers or the federal servers to access personal information--
their personal servers, their personal websites, their emails?
Dr. Casado. Just very quickly, I mean, it seems to me IT
goes through these phases where it kind of collapses and
expands. We had mainframes, and they went to a whole bunch of
computers and then they collapsed recently, and now they're
expanding again. You've got mobile, iPhones, clouds, all of
this other stuff. I think it's unrealistic from a day-to-day
perspective, from an innovation perspective to assume people at
work aren't accessing outside information and people outside
aren't accessing work information. Every time I travel, I am
constantly connected no matter where I go, whether it's
vacation or not, and so I think we need to assume that this
information is going to be accessed no matter where they are or
what capacity that we're running under.
Mr. Palmer. Mr. Clinton?
Mr. Clinton. Mr. Palmer, I agree with Dr. Casado's
comments, particularly with respect to millennials. You know,
if you adopt that kind of workforce policy, you're probably not
going to be having much of a workforce left to deal with. But I
do think that there are things that we can do and we are doing
and some in the private sector.
So one of the things we're trying to do is move out of this
IT-centric notion of cybersecurity, and for example, involve
the human resources departments in this, and what we're
advocating and we're seeing some success with is that we are
integrating good cybersecurity policy into the employee
evaluation system so that, you know, if you have downloaded
things you shouldn't be downloading, you know, you are less
likely to get that step-up increase or that bonus at the end of
the year. We've got to make this part of the overall process.
And there are other things that we can do and we are seeing
adapted in the private sector such as having separate rooms
with separate equipment so that people can, you know, access
their personal information or their data without using the
corporate system.
And so I think if we are a little bit more inventive about
this and use that more incentive model, we're probably going to
have more success.
Mr. Palmer. I think that's a great point because you can
have a public access, a separate environment where people could
do that but they have to use it because, for instance, if you'd
been a federal employee, Dr. Casado, and you had opened that
email from your sister through the federal mainframe, would
that have potentially infected----
Dr. Casado. So I've worked in a SCIF. I had four computers
that would measure like how far apart they were, so I'm very,
very comfortable in these like high secure environments. I just
think if you want to be competitive from a business perspective
against other companies, you have to assume that your employees
are going to be fully connected at all times.
Mr. Palmer. But can you not create a separate environment?
Dr. Casado. I don't think you can do this without having an
operational overhead. I really don't. I think you will limit
the ability for the business to function.
Mr. Palmer. Mr. Wood, you wanted to comment?
Mr. Wood. Yes, sir. I would just want to follow up on what
Dr. Casado said. So as the use of the internet increases and as
the ``internet of things'' becomes more prolific, everything
has an IP address, so where do you draw the line? At some level
I would almost prefer that people use my infrastructure because
I know what we do from a security perspective. I don't know
what they do from a security perspective. And so to the extent
that, you know, you make the argument that there should be some
separation, I think there are very good arguments on both
sides. I'd rather have them in my infrastructure because I know
what we do. Thank you, sir.
Mr. Schneider. I think the approach that makes a huge
amount of sense when you think about all this connectivity is
to really understand and protect the information and the
identities of the folks that are trying to access it, and
that's really what we've seen in security over the last, you
know, five-plus years is this move toward not just protecting
systems and networks but truly understanding the information
and the most sensitive information and putting the right kinds
of protection around that.
Mr. Palmer. My time's expired but I do want to thank the
witnesses for the clarity of your answers. This has been an
excellent hearing.
Thank you, Madam Chairwoman, and I yield back.
Chairwoman Comstock. Thank you, and I now recognize Mr.
Swalwell.
Mr. Swalwell. Thank you, Madam Chairwoman, and I want to
first thank each of the panelists for their service and for
talking about this important issue, and Mr. Casado, I want to
highlight that you graduated from Stanford University in the
Bay Area and also that you began your career at Lawrence
Livermore National Laboratory, which is in my Congressional
district, and so I'm honored to represent the folks there as
well as Sandia National Laboratory, and many of them are
working on this issue.
And Mr. Casado, your solution for cybersecurity is to wall
off certain segments of one's network in order to prevent cyber
intruders who have penetrated outer defenses from gaining
access to particularly sensitive information. You argue that
such new approaches are already the gold standard for
commercial industry and need to become the gold standard across
the federal government. How much time and resources would it
take for the federal government to do this, and are the costs
worth the benefits?
Dr. Casado. That's a great question. So the technology and
adoption has evolved enough that we know how to do this without
disruption basically so early on it was kind of like well, you
know, it's an extremely secure environment and extremely
sensitive environment and, you know, we can kind of go and
retrofit things and now we've got mostly software-based
solutions that you can put in, you can do non-disruptively.
Cost-benefits from a business perspective makes sense, so much
so that, you know, this adoption is one of the fastest growing
sectors of the enterprise software space. So I think it's not
only practical but we have enough experience over the last
couple of years to see adoption. So yeah, I think that actually
this stuff is absolutely worth retrofitting.
Mr. Swalwell. Great. And just for all of the witnesses,
following up on Mr. LaHood's question earlier, as a former
prosecutor I too am quite frustrated that it seems that
individuals are able to attack networks and individuals with
relative little punishment, and I understand the challenges if
these attacks are originating in Russia, Ukraine or from state
actors, but for non-state actors, I'm just wondering, what
could we do internationally to maybe have an accord or an
agreement where we could make sure that we bring people to
justice?
I remember I asked a high-ranking cybersecurity official at
one of our laboratories, naively, I guess, you know, well, are
we going after these individuals, and this person kind of
laughed, not being rude but just saying we're not going after
them, we're just trying to defend against what they're doing,
and I agree with Mr. LaHood that until people start, you know,
paying a stiff price, I don't know if this is going to change.
And I know as a prosecutor, putting together a case like this
is very, very difficult, just the chain of evidence and, you
know, proving whose fingertips were touching the keys to carry
out an attack can be difficult, but what more can we do
internationally? Yes, Mr. Wood?
Mr. Wood. Thank you for your question, sir. So right
after--I'll answer your question over a period of time. Right
after September 11th, I was sitting in a meeting with a large
number of information security professionals from within the
intelligence community, and the question was posed in the
auditorium where there are about 250 people, when are we going
to start sharing information, and the answer came back from one
senior person, in 50 years, and the other--another answer came
back from another person, not in my lifetime. And it was very,
you know, disappointing to say the least.
Now, you roll forward 15 years and you look at where the
intelligence community at least in my opinion is today, it's
not like that at all. Today I see the intelligence community
sharing information in a way like they've never shared it
before from DNI on down, and I think what's happened is, as
more and more breaches are occurring and as more and more of
this culture of trust is occurring, there's a willingness to
work together that didn't happen before. I sit, as I mentioned
earlier, on the Cybersecurity Commission in the Commonwealth of
Virginia, and we work very closely with DHS and FBI and the
state police, and they work very closely with Interpol and
others, and I can say that there is a spirit of cooperation
that I haven't seen in a long time. What is lacking, however,
is the resources and the funding associated with actually
prosecuting, number one, and then number two, having a common
level of standards of what's prosecutorial and what's not.
Mr. Swalwell. Great. Thank you, Mr. Wood. Thank you all for
your service on this issue, and I yield back.
Chairwoman Comstock. Thank you, and I now recognize Mr.
Westerman.
Mr. Westerman. Thank you, Madam Chair, and I would also
like to commend the panel today for your very informative
testimony and also for the zeal that you have in working in
cybersecurity, and I believe it's, you know, potentially the
war of the future that we're fighting here in cybersecurity,
and I'm from Arkansas, and just for personal reasons, Mr.
Clinton, do you have any Arkansas ties just out of curiosity?
Okay. And I've been listening to the testimony and the answers
to the questions. I've got a 20-year-old college student, and I
had a fascinating conversation over Christmas, and you guys
were talking about how millennials are always connected, and he
was telling me that that's a huge consideration where you take
a job now, what the connectivity's feed is, you know, and that
wasn't something we considered when I was getting out of
college but it played a big key in where they would go to work
and where they would eventually live. So I know we're in this
connected world now.
To follow up on Mr. Swalwell's question, he was talking
about being on offense and the prosecution, but from the
technology side, is it all defensive or are there proactive
ways to combat hackers before they make their attack?
Mr. Schneider. I mean, I think there's a set of approaches
that are not defensive and are much more proactive that are in
place today and will continue to expand. So one example is
around things like honey pots, so if the bad guys are attacking
you and you give them a place that looks like a legitimate part
of your infrastructure that they go to and spend all of their
time and energy attacking, you protect your real assets and
you're able to study what they're doing at the same time.
There's also things like shock absorbers where the harder an
attacker hits you with traffic, the more you slow them down and
do things like tar pitting. So there's a whole set I think of
defensive and more proactive defensive measures that aren't
offensive, don't go directly after the attackers that are in
place today and are actually very successful within the
enterprise.
Mr. Clinton. Congressman, if I may, I think that's of
course true, and there are some others, and I think I want to
build off this point into having a better understanding of the
multifaceted nature of the cyber problem. So for example, you
know, one of the technological mechanisms that we use in the
private sector is we understand that the bad guys are going to
probably get in, you know, a determined attacker will peruse
your system, but actually we have more control over the bad
guys when they're inside the network than when they're outside
the network, and if you are dealing with a cyber crime
situation, you're basically dealing with theft, which means
they have to get in the network, they have to find the data and
they have to get back out. So if we block the outbound traffic
rather than trying to block the inbound traffic, we can
actually solve the cyber breach problem. They get to have a
good look at our data but they don't get to use it at all, and
from a criminal perspective, that's a problem. But if you're
looking at this from a national security perspective, the
attacker may be interested in disruption or destruction. They
don't have to get back outside their network. They don't care
about getting outside your network. So we need to understand
that we're dealing with multiple different cyber problems, some
of which are national security, defense critical
infrastructure, making sure the grid doesn't go down, et
cetera, and we need a different strategy with regard to that
than we may need for the strictly criminal or theft problem,
and when we have a more sophisticated policy in this regard, I
think we're going to be able to make more progress.
Mr. Westerman. And also just to briefly follow up on a
question that Ms. Bonamici was talking about as far as
developing new workers for the cybersecurity workforce. Are
your companies seeing a workforce shortage? Do you foresee a
lot of growth for the future in that? Mr. Wood?
Mr. Wood. We do see an enormous shortfall of cybersecurity
professionals. In the State of Virginia alone, the state
government has announced that we've got about 17,000 unfilled
cybersecurity professional positions just in the Commonwealth
of Virginia.
Sir, if I might go back to your other question if you don't
mind about offensive?
Mr. Westerman. All right.
Mr. Wood. It's a question that's very much near and dear to
my heart. You know, if someone were to come in my house
uninvited and either hurt my children or my wife or take my
stuff, I have the right to defend myself, but if someone were
to come into my corporate house and virtually take my stuff,
whether it be intellectual property or customer data or
whatever it might be or financial information, whatever it
might be, we need the ability to defend ourselves, particularly
if our cyber command is not going to fund itself in a way that
gives us the comfort the same way that we have the comfort, I
think, as a nation from a standpoint of air, land, sea and
space. Thank you, sir.
Mr. Westerman. And Madam Chair, I'm out of time but I would
like to plug our Congressional app challenge and encourage all
Members to promote that in their district because it does help
develop a new workforce for cybersecurity and a lot of other
areas.
Chairwoman Comstock. Thank you, Mr. Westerman, and I will
also join you in plugging that. I know it's on our website and
our Facebook page, and I think the date is January 15th when
things are due, right?
Mr. Westerman. Unless you extend it.
Chairwoman Comstock. Now I recognize Mr. Abraham.
Mr. Abraham. Thank you, Madam Chairman, for having this
great hearing, and I want to thank the witnesses for giving
direct answers to direct questions. That's refreshing and
somewhat of a novel idea in a Committee hearing, so kudos to
you guys for answering straight up. We appreciate that.
Some of you have espoused the value of sharing
cybersecurity information whether it be a cyber threat tread or
a cyber crime with certainly other companies or government
officials. This last cybersecurity bill that we passed last
month, did that help or hurt in this area?
Mr. Clinton. Sir, I think that that was a good bill. We
endorsed the bill. We support the bill completely. The most
important thing, however, is that that is not the cybersecurity
bill. That's a very useful tool to have in the toolbox. It can
help, but it is nowhere near sufficient.
Mr. Abraham. So we need to do more is what you're saying?
Mr. Clinton. Absolutely we need to do a great deal more.
Mr. Abraham. And just give me your top three
recommendations. What would be your bullet points for the new
legislation?
Mr. Clinton. For new legislation, we would like to see the
incentive program that has been endorsed both by the President
and by the House Republican Task Force put in place. That would
include things like stimulating the cyber insurance market that
we've talked about earlier today. It would include providing
some benefits for smaller businesses who don't have the
economies of scale in order to get in here. It would
include streamlining regulations so that we had an opportunity
to reward entities that were doing a good job with
cybersecurity in the way we do in other sectors of the economy.
A lot of the incentives we talk about and I refer to in my
testimony are things that we are already doing in aviation,
ground transport, agriculture, even environment. We simply
haven't applied these incentive programs to the cybersecurity
issue and so I think if we did that, we could do more.
And then the third thing would be, I think we need to have
a much better, a more creative and innovative workforce
development program. We've talked here about the fact that
we're always connected now and we all know this, but the
slogan that DHS uses for their workforce education program is
Stop, Think, Connect, which is directly out of the dial-up age.
No millennial stops and thinks before they connect. It just
makes no sense. We need to be leveraging ESPN and reaching to
the millions of young people who are interested in gaming and
popularize that and use that as a bridge to get them interested
in cybersecurity. We need to be much more aggressive, much more
inventive in this space, and by the way, they are doing these
things in other countries. We need to be taking a page from
that.
And then the final thing that I'll mention is, we would
like to see--I'm not kidding. We need an education program for
senior government officials like we're doing for corporate
boards who are just like you guys: really busy, lots of things
that they have to do, demands on their time. We found when we
actually educated them about cybersecurity, we got better
policy, we got more investment, we got better risk management.
We need to be doing that on the government side just like we're
doing that on the private-sector side.
Mr. Abraham. Very enlightening. Any you guys want to
comment anything else?
Mr. Schneider. If you think about, you know, threat
information, vulnerability information, I mean, for many, many
years in the cybersecurity industry we've been sharing those
kinds of information, and some of the keys are being able to
take it and aggregate it and anonymize it and share it in a
safe way because we're taking information that is, you know,
specific to a particular industry or a set of customers and
trying to gain the security knowledge but not, you know, not
put any of that information at risk. So it's something that's
been happening for many, many years in the security industry
and I think it's an important element but not, of course, the
final answer.
Mr. Abraham. Thank you, Madam Chairman. I yield back.
Chairwoman Comstock. Okay. And I will now recognize Mr.
Hultgren for his five minutes.
Mr. Hultgren. Thank you so much, Chairwoman. Thank you all
for being here. I know a lot of things have already been asked
and answered, but as we say around here, not everyone has asked
that same question yet, so my turn.
Now, I'm going to try and focus on a couple different
things, but thank you. I do think this is so important and I do
think the American people, our constituents, are waking up and
feeling some of that fear, and wanting to know the right thing
to do. So we always want to hear from you of how we can be
informing our own constituents of wise decisions along with
ourselves, our families and our staff to protect important
information. So much of our society, so much of our financial
systems is based on consumer confidence, and if there's a
feeling that this isn't safe or whatever it is, I think we're
going to lose the benefits that much of this technology has, so
we want to do this well.
I do want to talk briefly or ask you your thoughts. We've
talked a little bit about what government can do better,
learning from the private sector, and certainly the private
sector is ahead of us in so many areas. We've also heard--I
really appreciate it, Mr. Clinton, your response that, you
know, for us to say that this is like an airbag problem, it
isn't. It's completely different and, you know, so for us to be
prescriptive of saying you have to do this, we always pick the
wrong technologies always too late. So instead it's really this
framework, I think, of a way of thinking of how to solve this
problem, but a question I would have is really with impediments
that government is putting up to your business or other
businesses from new innovation. What would you say may be the
greatest impediment that you feel from government from your
business innovating or doing what you already do best? Is there
something that has been a hurdle that you've had to overcome,
Dr. Casado?
Dr. Casado. So this is going to be an indirect answer to
your question, but actually working with the government on the
procurement side, something that's very difficult is when there
isn't flexibility in budgeting, which I think it's actually
difficult for the agencies and the departments to adopt new
technology because the working capital that they have doesn't
allow them to move as quickly as possible, and so from a purely
financial side, more flexibility in their budgeting I think
will help them and certainly help us be able to introduce new
technologies into the government.
Mr. Hultgren. Mr. Clinton?
Mr. Clinton. I would offer two things, Congressman. First
of all, we need to really rid our government partners from the
``blame the victim'' attitude that they have, particularly at
some of the independent agencies. I'm thinking of the FTC and
the SEC, for example. As we have articulated here, and I think
is fairly common knowledge up in Congress, it's been said the
determined attacker is going to get in. The fact that you are
subject to a breach is not evidence of malfeasance or
nonfeasance. Now, there may be instances where you are
malfeasant or nonfeasant, and we should investigate those, but
breach per se is not one of them, and so we need to move beyond
that particular notion.
The second thing that I would say is that the government
really needs to get its act together with respect to
cybersecurity. Cybersecurity--you're right, sir.
Cybersecurity's real hot now so every entity in the government,
every state, every locality, they're coming up with their own
cybersecurity programs, and a lot of times these things differ
just a little bit and so when you try to do these things,
you're forced to meet with multiple different compliance
regimes trying to do essentially the same thing. Now, we're in
favor of the NIST framework and using that, et cetera, but
let's have one and let's make sure we're all working in the
same direction, because as we've also pointed out, we do not
have adequate resources in this space, and frankly, one of the
big problems that my companies tell us is that they're spending
all their time on compliance, which means they don't have time
to spend on security. I have one company that told me a story
about how they were following a legitimate best practice
quarterly testing, you know, testing your system every quarter
to make sure, you know, you've not been invaded, and they had
to go from quarterly pen testing to annual pen testing because
all their security were too busy doing compliance. That's a 75
percent reduction in a key cybersecurity best practice due to
overregulation coming from different elements. We need to
streamline that process, have a good process, but have one
process that is cost-effective.
Mr. Hultgren. Yeah. That's great. Go ahead. I think if you
both can speak on this, and then I'll be finished because I
think this is very important.
Mr. Schneider. The one point that I would make and kind of
double-click on again is education. I mean, there's a huge and
growing gap in the number of cybersecurity professionals
available, and Symantec's been doing a lot of work with local
universities, but it's not just universities, you know, it's
primary education, it's getting the boys and girls that are in
high school today and actually really focusing on girls as well
to think about careers in cybersecurity and the skill sets that
goes with that.
Mr. Hultgren. Mr. Wood?
Mr. Wood. Sir, I would just echo a comment but just follow
on top of it. So yes, the determined hacker can get in today,
there's no question, but as to the Verizon breach report
focuses on, you know, 94 percent roughly of those hacks
could've been avoided, and then you get the hacker has to focus
on the six percent or the eight percent, which is a lot harder
to get in then because we have the tools, we have the
standards, we have the approach.
The second point I make is the NIST framework is indeed
something that I think we can all sort of get behind, and I
think it's something that at least it's a baseline.
And then the third thing I would say and the last thing I'd
say is that look, compliance and mission are not mutually
exclusive. You can make compliance work but it has to be
automated and it has to be invisible to the guy that owns the
mission so it doesn't inhibit their ability to get their
mission done.
Mr. Hultgren. That's a good point.
Mr. Wood. Thank you.
Mr. Hultgren. Thank you, all. I'm over time. Thank you,
Chairwoman, and again, thank you all for being here.
Chairwoman Comstock. Thank you, and I thank the witnesses
for their very valuable testimony today and the Members for
their questions. I've gotten a lot of sort of assignments for
today and new issues and areas that we need to explore further.
So I would like to invite you all to keep an open dialog with
us and don't wait for us to call. Please provide us with any
additional information that you think or as you see issues
going on. This is going to be, as you all said, an
exponentially growing problem. You know, we do have a cyber war
that is being waged against us and we--it's a little bit like
post 9/11 when they're at war with us but we weren't at war
with them. And now we definitely have bad actors on all kinds
of fronts from individuals to nation-states who are, you know,
waging a cyber war on us, and we need to respond in kind and
have that be reflected in our budget but also our
responsiveness and how we plan and the 94 percent that we can
get covered if we get the right systems into place will then
allow us to spend our time on those six percent that we can't
prevent because I think we all agree here and we all understand
that no matter what we do, this exponentially increasing
information world, we are going to have breaches because it's a
little bit like I was talking earlier about when somebody
before the hearing when I was out in Las Vegas, they said it's
like asking never to get sick. You know, in the world that
we're going to be dealing with, there will be breaches, but
what systems do we have in place to identify them, and if it's
only six percent that we have to deal with, then our creative
resources and all that we need to do can be very quickly
identified there and then move on to solve these bigger
problems.
So I thank you for the challenges that you've put before
us, and the record will remain open for two weeks for
additional comments and any questions from the Members so if
there are questions that we didn't get an opportunity or people
who aren't here, and I thank the witnesses very much. You're
excused here and the hearing is adjourned.
[Whereupon, at 11:05 a.m., the Subcommittees were
adjourned.]
Appendix I
----------
Answers to Post-Hearing Questions
Responses by Mr. John B. Wood
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Responses by Dr. Martin Casado
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Responses by Mr. Ken Schneider
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Responses by Mr. Larry Clinton
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Appendix II
----------
Additional Material for the Record
Statement submitted by Committee Ranking Member
Eddie Bernice Johnson
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]