[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
BOLSTERING THE GOVERNMENT'S CYBERSECURITY:
ASSESSING THE RISK OF KASPERSKY
LAB PRODUCTS TO THE FEDERAL GOVERNMENT
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON OVERSIGHT &
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
__________
October 25, 2017
__________
Serial No. 115-33
__________
Printed for the use of the Committee on Science, Space, and Technology
Available via the World Wide Web: http://science.house.gov
_________
U.S. GOVERNMENT PUBLISHING OFFICE
27-672 PDF WASHINGTON : 2018
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HON. LAMAR S. SMITH, Texas, Chair

Majority members:
FRANK D. LUCAS, Oklahoma
DANA ROHRABACHER, California
MO BROOKS, Alabama
RANDY HULTGREN, Illinois
BILL POSEY, Florida
THOMAS MASSIE, Kentucky
JIM BRIDENSTINE, Oklahoma
RANDY K. WEBER, Texas
STEPHEN KNIGHT, California
BRIAN BABIN, Texas
BARBARA COMSTOCK, Virginia
GARY PALMER, Alabama
BARRY LOUDERMILK, Georgia
RALPH LEE ABRAHAM, Louisiana
DARIN LaHOOD, Illinois
DANIEL WEBSTER, Florida
JIM BANKS, Indiana
ANDY BIGGS, Arizona
ROGER W. MARSHALL, Kansas
NEAL P. DUNN, Florida
CLAY HIGGINS, Louisiana

Minority members:
EDDIE BERNICE JOHNSON, Texas
ZOE LOFGREN, California
DANIEL LIPINSKI, Illinois
SUZANNE BONAMICI, Oregon
ALAN GRAYSON, Florida
AMI BERA, California
ELIZABETH H. ESTY, Connecticut
MARC A. VEASEY, Texas
DONALD S. BEYER, JR., Virginia
JACKY ROSEN, Nevada
JERRY MCNERNEY, California
ED PERLMUTTER, Colorado
PAUL TONKO, New York
BILL FOSTER, Illinois
MARK TAKANO, California
COLLEEN HANABUSA, Hawaii
CHARLIE CRIST, Florida

Subcommittee on Oversight
HON. DARIN LaHOOD, Illinois, Chair

Majority members:
BILL POSEY, Florida
THOMAS MASSIE, Kentucky
GARY PALMER, Alabama
ROGER W. MARSHALL, Kansas
CLAY HIGGINS, Louisiana
LAMAR S. SMITH, Texas

Minority members:
DONALD S. BEYER, Jr., Virginia, Ranking Member
JERRY MCNERNEY, California
ED PERLMUTTER, Colorado
EDDIE BERNICE JOHNSON, Texas
C O N T E N T S
October 25, 2017

Witness List
Hearing Charter

Opening Statements
Statement by Representative Lamar S. Smith, Chairman, Committee on Science, Space, and Technology, U.S. House of Representatives
    Written Statement
Statement by Representative Darin LaHood, Chairman, Subcommittee on Oversight, Committee on Science, Space, and Technology, U.S. House of Representatives
    Written Statement
Statement by Representative Donald S. Beyer, Jr., Ranking Member, Subcommittee on Oversight, Committee on Science, Space, and Technology, U.S. House of Representatives
    Written Statement
Statement by Representative Eddie Bernice Johnson, Ranking Member, Committee on Science, Space, and Technology, U.S. House of Representatives
    Written Statement

Witnesses:
Ms. Donna Dodson, Associate Director and Chief Cybersecurity Advisor, Information Technology Laboratory; and Chief Cybersecurity Advisor, National Institute of Standards and Technology
    Oral Statement
    Written Statement (Joint statement with Dr. Kent Rochford)
Mr. David Shive, Chief Information Officer, U.S. General Services Administration
    Oral Statement
    Written Statement (Joint statement with Ms. Lisa Casias)
Mr. James Norton, President, Play-Action Strategies LLC; and Adjunct Professor, Johns Hopkins University
    Oral Statement
    Written Statement
Mr. Sean Kanuck, Director of Future Conflict and Cyber Security, International Institute for Strategic Studies
    Oral Statement
    Written Statement

Discussion

Appendix I: Answers to Post-Hearing Questions
Mr. Sean Kanuck, Director of Future Conflict and Cyber Security, International Institute for Strategic Studies

Appendix II: Answers to Post-Hearing Questions
Document submitted by Representative Clay Higgins, Committee on Science, Space, and Technology, U.S. House of Representatives
Document submitted by Representative Barry Loudermilk, Committee on Science, Space, and Technology, U.S. House of Representatives
BOLSTERING THE GOVERNMENT'S CYBERSECURITY:
ASSESSING THE RISK OF KASPERSKY LAB PRODUCTS
TO THE FEDERAL GOVERNMENT
----------
Wednesday, October 25, 2017
House of Representatives,
Subcommittee on Oversight and
Committee on Science, Space, and Technology,
Washington, D.C.
The Subcommittee met, pursuant to call, at 10:06 a.m., in
Room 2318 of the Rayburn House Office Building, Hon. Darin
LaHood [Chairman of the Subcommittee] presiding.
Chairman LaHood. The Subcommittee on Oversight will come to
order.
Without objection, the Chair is authorized to declare
recesses of the Subcommittee at any time.
I want to welcome you to today's hearing titled
"Bolstering the Government's Cybersecurity: Assessing the Risk
of Kaspersky Lab Products to the Federal Government."
The subject of today's hearing involves some information
that is classified. I remind Members that their questions may
call for a response that the witnesses know to be classified.
Please be mindful of this fact. I would like to instruct the
witnesses to answer to the best of their ability, but should an
answer call for sensitive information, it may be addressed if
we vote to move into executive session at the end of the
hearing.
At this time, I'm going to yield to the Chairman of the
Full Committee, Chairman Lamar Smith, for his opening statement
at this time.
Chairman Smith. Thank you, Mr. Chairman. I appreciate your
deferring to me and yielding me time, and let me apologize to
the panelists. I have to leave immediately for a Judiciary
Committee markup where they are considering a piece of
legislation that I've introduced, so that's why I have to leave
early, but perhaps I'll be able to get back.
Cybersecurity breaches are so prevalent today that it is
hard to keep track of them. Every news cycle seems to include a
new major incident. To address the federal government's
cybersecurity weaknesses, the Committee hopes to bring H.R.
1224, the NIST Cybersecurity Framework, Assessment, and
Auditing Act of 2017, to the House Floor for a vote.
Specific to Kaspersky Lab, new revelations regarding cyber-
espionage continue to surface. This Committee has engaged in
robust oversight of Kaspersky Lab, thanks to questions raised
by Congressman Higgins during a hearing in June.
On July 27, 2017, this Committee requested all federal
departments and agencies to disclose their use of Kaspersky Lab
products. This was less than a month after the U.S. General
Services Administration banned Kaspersky Lab products from its
government-wide schedule contracts. However, we still have
questions: Why was the software approved for government use?
And was removing it from the approved GSA schedule sufficient
to protect U.S. interests?
I support this Administration's subsequent actions. The
interagency working group on cybersecurity has begun to address
the problem.
On September 13, 2017, the Department of Homeland Security
issued a government-wide order directing federal departments
and agencies to identify and remove the company's products from
use. In subsequent hearings, we will need to assess whether the
federal government's response has been sufficient.
While once considered reputable, Kaspersky Lab, its founder
and their Russian ties have created a significant risk to U.S.
security. According to several media investigations, these
connections have allowed Kaspersky Lab to be exploited not only
by the Russian government but also by criminal hackers around
the world. Mr. Kaspersky's history and recent remarks have done
little to alleviate these concerns.
As we move forward with this hearing and future hearings,
we expect to uncover all aspects of Kaspersky Lab. We are
particularly interested in what led the previous Administration
to include Kaspersky Lab products on two GSA schedules. I look
forward to the testimony of Mr. Shive, the GSA Chief
Administration and Information Officer. I am also interested in
proactive steps GSA has taken to assist other departments and
agencies in rooting out the presence of Kaspersky products on
their systems.
Also, we need to better understand the recent news related
to the breach of an NSA contractor's personal computer.
The threat Kaspersky Lab products present to the government
has now been publicly identified and confirmed by the Israeli
government. I urge anyone with knowledge of potential risks to
contact the Committee and share that information with us. We
must be vigilant in addressing this wolf in sheep's clothing.
Thank you, Mr. Chairman. I'll yield back.
[The prepared statement of Chairman Smith follows:]
Chairman LaHood. Thank you, Mr. Chairman.
At this time I recognize myself for five minutes for an
opening statement, and again I want to welcome our witnesses
here today.
Today we intend to discuss and evaluate the cybersecurity
posture of the federal government. Specifically, we will
examine the concerns that this Committee has raised about the
risks associated with using Kaspersky Lab's products on federal
information technology systems, as well as actions that the
Trump Administration has taken in response to these concerns.
As part of today's hearing, we will hear from government
and private sector cybersecurity experts about the potential
risks that Kaspersky Lab products and services pose to agency
IT systems. In doing so, we hope to find effective and
efficient ways to improve agency practices related to the
design, acquisition, development, modernization, use and
performance of federal IT resources.
Kaspersky Lab is based in Moscow, Russia, and was founded
in 1997 by Eugene Kaspersky. The company is one of the world's
largest providers of cybersecurity software and services,
including both consumer and enterprise solutions. As early as
2015, reports began to surface alleging that Mr. Kaspersky
maintained close ties to Russian spies. Not only for Mr.
Kaspersky--not only was Mr. Kaspersky educated at a KGB-
sponsored university, he also wrote code for the Soviet
military.
In May of this year, the concerns surrounding Kaspersky Lab
were brought to public light during a Senate Intelligence
Committee hearing, where several intelligence community
officials unanimously affirmed they would be uncomfortable
using Kaspersky Lab's software and services. In June of this
year, during this Committee's hearing on the WannaCry
ransomware outbreak, our witnesses expressed similar concerns.
The matter reached a tipping point in July, when the
General Services Administration, the GSA, announced the removal
of Kaspersky Lab products from its preapproved government
contracts schedules.
On July 27, the Committee commenced its investigation of
the matter, with Chairman Smith probing 22 federal departments
and agencies on their use of Kaspersky Lab products and
services. Last month, the Trump Administration took another
step toward addressing the concerns surrounding Kaspersky when
the Department of Homeland Security issued Binding Operational
Directive 17-01, ordering all federal departments and agencies
to remove Kaspersky Lab software from their systems within 90
days.
Mr. Kaspersky has been highly critical of the U.S.
throughout this entire process, frequently arguing that no
public evidence existed to support the concerns raised about
his company. Earlier this month, however, several prominent
American news organizations published startling revelations
that confirmed this Committee's gravest concerns: the Russian
government has wielded Kaspersky's software as a tool for
cyber-espionage. This Administration has been proactively
remedying the Kaspersky situation, and we must continue to take
steps to ensure that we do not repeat past mistakes.
To that end, I look forward to hearing from our expert
witnesses about how Kaspersky became approved for use on
federal systems, the policies and procedures that can be
implemented to bolster the federal government's cybersecurity
risk-management processes, and the actions that must be taken
to ensure that federal systems remain secure against nefarious
cyber actors.
Thank you.
[The prepared statement of Chairman LaHood follows:]
Chairman LaHood. At this time I now recognize the Ranking
Member, the gentleman from Virginia, for his opening statement.
Mr. Beyer. Thank you, Chairman LaHood, and thank all of you
for being with us.
Security concerns related to the Kaspersky Lab products and
reported ties between Eugene Kaspersky, his company, and
Russian intelligence services have been brewing within the U.S.
intelligence community for years. This is deeply troubling
given that Kaspersky Lab, whose main product is antivirus
software, has offices in 32 countries, approximately 270,000
corporate clients, and its software is used by approximately
400 million people worldwide. And, until just recently, the
U.S. Government also used KL software.
The founder of Kaspersky Lab, Eugene Kaspersky, is a
software engineer educated at a KGB cryptography institute who
also worked for the Russian intelligence services before
starting his software company in 1997. He's been described as
the Bill Gates of Russia. Despite his background and the
concerns of the U.S. intelligence community, the company has
vigorously argued that it has no ties to any government.
Concerns about connections between Kaspersky Lab and
Russian intelligence services have become more pronounced over
the last year. In April, the Senate Intelligence Committee
asked the Director of National Intelligence and the U.S.
Attorney General to look into Kaspersky employees' potential
ties with Russian intelligence. In May, six U.S. intelligence
agency directors, including the Directors of the CIA and NSA,
told the Intelligence Committee that they would not be
comfortable using Kaspersky products on their networks. In
June, it was reported that FBI agents had interviewed U.S.-
based employees of Kaspersky Lab, and in July, Bloomberg
Businessweek published a story referencing internal company
emails that showed a close working relationship between
Kaspersky Lab and Russian intelligence.
Finally, earlier this month, the New York Times reported
that Israeli intelligence were able to determine that Russian
government hackers have been using the company's software to
search for the code names of U.S. intelligence programs.
Specifically, the Israelis discovered that a contractor to the
National Security Agency had his data compromised over two
years ago by these Russian hackers after he improperly took
classified documents home and stored them on his home computer.
Kaspersky's antivirus software had been installed on the
contractor's home computer, and KL Lab has repeatedly denied
any affiliation with the Russian hacking, but just today, the
company admitted in a blog post that it had collected the NSA
files through routine malware data collection.
All of this has led to legitimate security concerns about
the use of Kaspersky Lab software. I am glad that the U.S.
Government has realized this. In July, as our Chairman has
said, the General Services Administration removed Kaspersky Lab
from its list of approved federal vendors, and, last month, the
Department of Homeland Security issued a Binding Operational
Directive banning federal agencies from using any product or
service offered by KL, giving federal agencies until mid-
December to implement that directive.
But cybersecurity is no longer simply about defending our
data from theft. It's also about defending our democracy from
disinformation campaigns that combine cyber assaults with
influence operations. Since the 2016 election, it has been
well-established that Russia has spread falsehoods and
disinformation, seeking to sow divisions between us and
confusion among us. This is not, and should not be, a partisan
issue. Together we should be striving to defend our democracy
against those who seek to damage it.
Mr. Chairman, I hope we can have a future hearing where we
hear from social scientists, researchers, and technical experts
about the tools and technologies we can employ to help identify
these evolving threats beyond traditional cybersecurity and
defend against them.
I look forward to hearing from all our witnesses today and
especially Sean Kanuck, who happens to be one of my
constituents, an expert on these topics. He was appointed the
first National Intelligence Officer for Cyber Issues in 2011
and served in that position at the National Security Council
until 2016. Prior to that he spent ten years at the CIA in
their Information Operations Center. Today he joins us as the
Director of Future Conflict and Cyber Security at the
International Institute for Strategic Studies. So Sean,
welcome, and I look forward to all of your testimony.
Mr. Chairman, I yield back.
[The prepared statement of Mr. Beyer follows:]
Chairman LaHood. Thank you, Mr. Beyer.
At this time I now recognize the Ranking Member of the Full
Committee, Ms. Johnson, for her opening statement.
Ms. Johnson. Thank you very much, Mr. Chairman.
Kaspersky Lab is one of the world's largest cybersecurity
companies, and makes a popular antivirus program used by 400
million users worldwide. But recent concerns by the U.S.
intelligence community about close connections between
Kaspersky Lab, its founder Eugene Kaspersky, and the Russian
intelligence services have led to much greater scrutiny of its
activities.
This hearing is premised on examining what threat that
Kaspersky software poses to the federal government. However,
the federal government has already preemptively addressed that
threat.
Last month, the Department of Homeland Security issued a
directive that required all federal agencies to identify any of
their networks using Kaspersky Lab software, and gave those
agencies a 90-day deadline to initiate a plan to remove the
Kaspersky Lab software from those computer systems. DHS decided
that the security risk of having a Russian company embedded on
federal computer networks was simply not worth it. I have
confidence in the ability of the federal government agencies to
eliminate the Kaspersky Lab products from their respective
computer systems.
I am less confident, though, in our collective ability to
identify and guard against cyber warfare actions from Russian
state actors. Russian hackers have infiltrated some of our
nation's nuclear power plants, private email accounts, and
state election databases. Russia, according to a publicly
available Intelligence Community assessment, conducted an
influence campaign in 2016 to undermine public faith in the
U.S. democratic process and to harm the campaign chances of
Hillary Clinton winning the Presidency.
The intelligence assessment should be a wake-up call for
all of us. We should expect attempts by foreign actors to
affect future elections using computer hacking, social media,
and other means, as was done in 2016.
Mr. Chairman, prior to the 2016 election, this Committee
held a hearing to review guidelines for protecting voting and
election systems including voter registration databases and
voter machines. I believe a follow-up hearing would be
appropriate to discuss protecting these same systems, in light
of last year's events, as well as examining the sophisticated
influence operations conducted by Russian intelligence services
to disrupt our democratic processes and damage our democracy.
With the knowledge of Russian cyber warfare actions in 2016, we
can have a more robust discussion on the measures hostile
actors have been using against America's voting infrastructure,
and we can discuss measures that need to be taken to bolster
the security of our elections.
Mr. Chairman, I hope that you seriously consider holding a
2016 election security postmortem with a focus on what the
Science Committee can do to help protect the vote going
forward.
I thank you, and yield back the balance of my time.
[The prepared statement of Ms. Johnson follows:]
Chairman LaHood. Thank you, Ms. Johnson.
At this time let me introduce our witnesses here today. Our
first witness today is Ms. Donna Dodson, Associate Director and
Chief Cybersecurity Advisor of the Information Technology
Laboratory, and Chief Cybersecurity Advisor at the National
Institute of Standards and Technology (NIST). Ms. Dodson began
her career at NIST in 1987 as a Computer Science Researcher. In
2010, she was promoted to Computer Security Division Chief for
NIST. She holds a master's degree in computer science from
Virginia Tech. Welcome.
Our second witness is Mr. David Shive, Chief Information
Officer at the U.S. General Services Administration. Prior to
being named CIO, Mr. Shive was the Director of the Office of
Enterprise Infrastructure at the GSA. He received his
bachelor's degree in physics from California State University
in Fresno, his master's degree in research meteorology from the
University of Maryland in College Park, and his postgraduate
management certificate from the Carnegie Mellon Graduate School
of Industrial Management.
Our third witness is Mr. James Norton. He is the founder
and President of Play-Action Strategies LLC, and an Adjunct
Professor at Johns Hopkins University. Mr. Norton previously
served as Vice President of Strategy and Communications for the
Mission Systems Division at General Dynamics. He holds a
Bachelor of Science and a master's in business administration
from Salve Regina University.
Our last witness today is Mr. Sean Kanuck, Director of
Future Conflict and Cyber Security at the International
Institute for Strategic Studies. He previously served as the
National Intelligence Officer for Cyber Issues from 2011 to
2016. Mr. Kanuck holds a Bachelor of Arts and law degree from
Harvard University, a master's of science from the London
School of Economics, and an LLM from the University of Oslo.
Thank you all for being here. I will now recognize Ms.
Dodson for five minutes to present her testimony.
TESTIMONY OF DONNA DODSON
Ms. Dodson. Chairman LaHood, Ranking Member Beyer, and
members of the Subcommittee, I am Donna Dodson, Chief
Cybersecurity Advisor for the National Institute of Standards
and Technology, known as NIST. Thank you for the opportunity to
appear before you today to discuss NIST's role in cybersecurity
highlighting the Cybersecurity Framework, referred to as the
Framework, and the NIST cybersecurity portfolio.
As a non-regulatory agency, NIST leverages its deep
technical expertise as well as its power of convener of
stakeholders to develop and improve solutions to a wide range
of technical and policy cybersecurity challenges. NIST's role
in cybersecurity as codified in law is to research, develop,
and deploy information security standards and technology to
protect the federal government's non-national security
information systems against threats to confidentiality,
integrity, and availability, and to facilitate and support the
development of voluntary industry-led cybersecurity standards
and best practices for critical infrastructure.
In addition to providing resources that organizations of
all sizes can use to manage cybersecurity risk, NIST also
provides resources to help organizations recover quickly from
cybersecurity attacks with confidence that the recovered data
is accurate, complete, and free of malware and that the
recovered system is trustworthy and capable.
I will highlight five of NIST's critical cybersecurity
programs which are the Cybersecurity Framework, supply-chain
risk management, cryptography, the National Vulnerability
Database, and the National Software Reference Library.
The first resource, the NIST Cybersecurity Framework, or
Framework, was created in collaboration with industry, academia
and other government agencies. The Framework consists of
voluntary standards, guidelines and practices to promote the
protection of critical infrastructure and to manage
cybersecurity risks. While originally designed to help protect
critical infrastructure, numerous businesses use the Framework
to manage their cybersecurity risk. Since publishing the
Framework, NIST has released additional guidelines to help
small businesses manage their cybersecurity risk. Under
Executive Order 13800, every federal agency or department will
need to manage their cybersecurity risk by using the Framework
and then provide a risk management report to OMB and DHS. In
response to the EO, NIST released the Cybersecurity Framework
Implementation Guidance for Federal Agencies to help federal
agencies use the Framework in conjunction with an extensive set
of NIST cybersecurity risk management standards, guidelines,
and controls to manage their cybersecurity risk.
The Cybersecurity Framework also provides guidance for the
second critical area, which is the security of the supply
chain. Because of outsourcing, organizations must ensure the
integrity, security, and resilience of their supply chain. To
assist in this, NIST established the Supply Chain Risk
Management program to identify and evaluate effective
technologies, tools, techniques, practices, and standards that
help secure an organization's supply chain.
Another critical area is cryptography. NIST began its work
in cryptography in 1972. Today, NIST cryptographers research,
analyze and standardize cryptographic technology. Although
these standards apply to federal information systems, many
private-sector organizations voluntarily rely on them to
protect sensitive personal and business information. NIST also
runs a program that validates the test results of vendors'
cryptographic modules to the NIST standard. In this program,
NIST confirms that a company's underlying cryptography works
but is not validating the vendor or the company.
Two final critical components are the National
Vulnerability Database and the National Software Reference
Library. NIST maintains the repository for all known and
publicly reported IT vulnerabilities called the National
Vulnerability Database, or NVD. The vulnerabilities in the NVD
are weaknesses in coding found in software and hardware that if
exploited can impact the integrity of information systems. The
National Software Reference Library, or NSRL, is another tool
that, along with DHS and other federal, state, and local
enforcement agencies, is supported by NIST. The NSRL is like
a fingerprint database for computer files that promotes
efficient and effective use of computer technology.
The programs that I have mentioned here are only a portion
of NIST's cybersecurity portfolio. NIST's work to provide and
improve technical and policy solutions to an ever-growing set
of cybersecurity challenges continues to grow.
Thank you for the opportunity to testify today. I am happy
to answer any questions you may have.
[The prepared statement of Ms. Dodson follows:]
Chairman LaHood. Thank you, Ms. Dodson.
I now recognize Mr. Shive for five minutes to present his
testimony.
TESTIMONY OF DAVID SHIVE
Mr. Shive. Thank you, and good morning, Chairman LaHood,
Ranking Member Beyer, and members of the Subcommittee. My name
is David Shive, and I'm the Chief Information Officer at the
U.S. General Services Administration. I welcome the opportunity
to share my organization's experiences related to the
cybersecurity posture of GSA and the federal government.
The mission of GSA is to deliver the best value in real
estate, acquisition, and technology services to government and
the American people. In support of that, one of my
organization's key goals in supporting GSA's mission is to
deliver technology that provides both a secure environment for
doing business while also ensuring that both IT and business
continue to run efficiently.
The Federal Information Security Management Act provides a
comprehensive framework which helps federal CIOs and federal
Chief Information Security Officers manage overall information
technology security risks across federal data and assets. The
FISMA framework supports the rigorous IT security program
implemented at GSA by the CISO under the auspices of the CIO's
authority. Our security program assures the risks to GSA's IT
systems are assessed and proper security controls implemented
to mitigate those risks down to an acceptable level. It also
ensures periodic evaluation and testing of the effectiveness of
IT security controls, including management, operational, and
technical controls.
Furthermore, GSA has a robust incident handling and
response program that strongly aligns with the NIST
Cybersecurity Framework. Due to the effectiveness of that
program, GSA received a rating level of 4, which is managed and
measurable under "response" on the latest FISMA report from
our Office of the Inspector General (OIG).
In accordance with FISMA, GSA adheres to all of NIST's
Federal Information Processing Standards and Special
Publications in implementing GSA's IT security program. In
addition, GSA completes a risk-based security assessment in
accordance with NIST guidance and issues a signed Authority to
Operate by the authorizing official with concurrence by the
CISO before any new system goes into production. This is
accomplished by prioritizing the implementation of security
controls and focusing on those that have the biggest impact on
securing the system and data such as securing--ensuring secure
configurations and patching of vulnerabilities, access
controls, and auditing and monitoring. GSA is in the process of
implementing Executive Order 13800. GSA has adopted the
framework for Improving Critical Infrastructure Cybersecurity
developed by NIST and has required--as required by the
Executive Order. GSA has provided a risk management report, as
well as an action plan to implement the Framework, to the
Secretary of Homeland Security and the Director of the Office
of Management and Budget. GSA continues to explore leading edge
technologies in order to stop the latest and most sophisticated
attacks from our adversaries. This includes next generation
antivirus solutions that use machine learning and artificial
intelligence, as well as advanced detection of malware that is
embedded in email attachments and links. Both of these
technologies will greatly protect the end user, which is one of
the primary vectors for exploiting federal government systems.
One of GSA's core missions is to assist in procuring goods
and services that can be made available to federal agencies.
GSA's Federal Acquisition Service (FAS) offers a continuum of
voluntary government-wide innovative solutions and services in
a number of areas. Federal agencies spend approximately $23
billion annually to acquire IT products and services through
FAS. This represents only 42 percent of the federal
government's $55 billion in total IT spend. Significantly, a
product's placement on a GSA schedule or contract vehicle only
certifies that the vendor meets the necessary regulatory
requirements for the product to be sold to the federal
government. It does not make any value or technical judgment
about the nature of the product.
With respect to Kaspersky Lab products, they were available
from three resale vendors on GSA schedules contracts. On July
11 of this year, GSA directed the three resellers to remove all
Kaspersky Lab manufactured products from their catalogs within
30 days. All three resellers complied. As of today, GSA does
not offer any Kaspersky Lab manufactured products through our
GSA schedule contracts.
GSA took a proactive stance and completed comprehensive
scanning of all IT assets for the presence of Kaspersky
products in June of 2017. GSA confirmed that there was no
installation of such products in our on-premise and cloud-based
systems, and reported this to DHS in accordance with Binding
Operational Directive 17-01 on October 4. In addition, GSA's
FedRAMP PMO is coordinating this activity for the government-
wide cloud service providers that are covered by its ATOs.
Again, I thank the Subcommittee for its oversight and for
allowing me the opportunity to contribute to this important
topic. At this time, I'm happy to take any questions that you
might have.
[The prepared statement of Mr. Shive follows:]
Chairman LaHood. Thank you, Mr. Shive.
At this time I recognize Mr. Norton for five minutes to
present his testimony.
TESTIMONY OF JAMES NORTON
Mr. Norton. Thank you. Chairman LaHood, Ranking Member
Beyer, and members of the Subcommittee, thank you very much for
inviting me to testify before you today. My name is James
Norton, and I am the founder and President of Play-Action
Strategies, a homeland security and cybersecurity consulting
firm here in Washington, DC. I'm also a member of the faculty
at Johns Hopkins University.
Previously, I served in multiple positions at the
Department of Homeland Security under President George W. Bush
including as Deputy Assistant Secretary for Legislative Affairs.
I was a member of the Department's first team tasked with
confronting the nascent cybersecurity threat.
Cyber threats pose a real and immediate danger to our
federal government and the American people it represents. In
2016, the federal government experienced 30,899 cyber incidents
that led to the compromise of information or system
functionality according to the Office of Management and Budget.
DHS's role in protecting government networks is
foundational, because the Department cannot be well positioned
to assist the private sector and serve as a model of best
practices for state and local governments until it has its own
federal networks or federal systems secure. In order to meet
today's challenges, DHS must update its systems and technology
and strengthen the organization in support of its cybersecurity
functions. Together these issues have led to the use of
potentially problematic software that is the subject of today's
hearing.
To help DHS meaningfully address these challenges, I offer
the following recommendations: provide CIOs and other officials
across federal agencies with the resources necessary to invest
in high-quality, reliable cybersecurity tools; require the
development of a trusted vendor list that provides guidance on
approved cybersecurity vendors with a secure supply chain that
agencies can have confidence in; work with OMB and the White
House to prevent redundancy across the federal government so
that competing cyber organizations do not arise in other
federal agencies.
I thank the Committee for holding this important hearing,
and I look forward to your questions.
[The prepared statement of Mr. Norton follows:]
Chairman LaHood. Thank you, Mr. Norton.
At this time I recognize Mr. Kanuck for five minutes to
present his testimony.
TESTIMONY OF SEAN KANUCK
Mr. Kanuck. Good morning. Thank you, Chairman LaHood,
Ranking Member Beyer, and Distinguished Members of Congress.
It's my pleasure to be here today, and being a strategic threat
analyst, I'm going to speak directly to the risks theoretically
posed by Kaspersky Lab and Russian cyber operations.
First, I think we need to understand the very nature of the
technologies that Kaspersky products offer. They are complete
network monitoring solutions that can see all activity on their
clients' networks, and they have remote administration
capabilities. In these ways, they are not dissimilar from many
other IT security vendors' products, but what is important to
note here is that discussions about surreptitious backdoors in
these kind of products is actually a fairly moot point because
the very nature of these products and services is to have a
wide-open front door. Clients pay for that 24/7 monitoring of
their entire network.
Now, what is interesting, that ends up an aggregate
providing Kaspersky Lab and other similar vendors incredible
optic and visibility into global internet activity including
malicious software, espionage activities, and other things. In
essence, it becomes a private global cyber intelligence
network, and as we've seen from the recent media reports this
month, that kind of capability is incredibly desired by
government intelligence actors. If we believe the media reports
in the public sector, then at least two foreign government
agencies have exploited Kaspersky's network, and in my mind,
that makes the question of ``is there a risk through Kaspersky
products'' to become nearly tautological because allegedly it's
already happened twice.
Furthermore, I do not personally feel it is necessary to
prove a willful complicity or collaboration by Kaspersky
employees or the company with the Russian government or any
other to show that there is a potential risk. That added
factor, if it were true, would of course be a
counterintelligence concern and a further cause for prohibiting
such software or products. But the mere fact alone that foreign
intelligence agencies have sought access through this implies
there is a risk.
So what I think we need to do is actually focus on that
foreign intelligence threat and let's take a moment to discuss
Russian cyber posture. I can't do it any justice better than
Director of National Intelligence Dan Coats did in his
worldwide threat assessment presentation in May where he
identified Russia as a primary cyber threat actor of the United
States with a continued interest in exploiting our networks not
only for espionage but for influence operations, and that
testimony further noted that even disruptive actions have been
undertaken by Russia against targets outside the United States.
So when we combine that willful interest in adversarial context
with the telecommunications surveillance and monitoring laws of
Russia and the access potentially posed by Kaspersky Lab
products, you have a potent combination.
Even without complicity, it is theoretically possible that
all Kaspersky Lab corporate communications transiting nodes in
Russia could possibly be monitored by the domestic security
service under their telecom surveillance laws. Therefore, if
you are trying to examine the full scope of this threat, a
simple review of Kaspersky's products themselves or the source
code would not be enough. You have to understand the commands
that remote administrators or unauthorized third parties may be
issuing to those client networks through that access point, and
you must understand traffic routing of the global internet and
how Kaspersky communications move between its regional offices
and different counterparts.
Moving to a strategic risk management perspective, I offer
that resilience is the key to better security, and my
witnesses--my fellow witnesses have already spoken to that to
some degree, and I believe that internal review of one's own
enterprise assets and who might be trying to compromise them is
essential.
I'll conclude by offering a couple thoughts on the
prohibition of Kaspersky Lab software in U.S. government
networks. I do believe there's a risk posed, and my assessment
is primarily based on historical arguments of what has already
happened as well as the access that I've described and the
foreign threat actors. I am also aware that U.S. government
actions against specific named foreign companies may likely
result in similar backlashes against U.S. corporate entities.
That's not a security risk assessment, it's a political
realism.
My last comment will be that I would encourage the U.S.
government to assess all IT products from all vendors
regardless of national origin because if we're trying to
protect sensitive information, we should be fully cognizant
that foreign intelligence actors will be willing to exploit any
IT vendor that we're using, even if it's not of their own
national origin.
Thank you very much.
[The prepared statement of Mr. Kanuck follows:]
Chairman LaHood. Thank you, Mr. Kanuck, for your opening
statement, and thank all the witnesses for your opening
statement. We will begin the questioning part of the hearing
today, and with that, the Chair recognizes himself for five
minutes.
I'd like to start. After months of denying any improper
activity, and Kaspersky has claimed that any allegation they're
involved with cyber espionage or involved with the Russian
government, they claim that's false allegations, and today
there's an article by Reuters that came out this morning on the
cusp of this hearing titled, ``Kaspersky says it obtained
suspected NSA hacking code from U.S. computer,'' and that
article goes on to say, and Kaspersky Lab admits ``that its
security software had taken source code for a secret American
hacking tool from a personal computer in the United States.''
And in fact, in this article, the company admits that it
exfiltrated the code earlier than previously reported and that
Kaspersky gained access in 2014, and I think that's troubling
on a lot of levels.
Let me just start off with you, Mr. Norton. Should the
federal government have known about this incident?
Mr. Norton. Thank you for the question. You know, I think
that we need to take into effect that there's kind of the
military side of federal networks, the military networks, and
then there's the civilian side of networks, and I think, you
know, what we're seeing today is that it's been years of really
underfunded networks where we haven't really had the capability
or the staffing or the opportunity to really take a look, an
internal look at, you know, what is on the network outside of
kind of these kind of clean-up that's going on right now in
terms of removing what's on there. So I think that, you know,
we need to take into effect that we haven't really taken this
issue seriously. The Executive Branch is just now looking at
this in the last couple of years and so I think that it's
obviously a big miss and there's been a lot of success in terms
of foreign adversaries being able to infiltrate not only the
DOD, DHS and other networks as well as civilian networks, and
so I think that it's definitely an issue that it's important
that it's being covered in this hearing and that it is
something that we need to know going forward. However, you
know, I think we just haven't had the capability in place over
the last couple of years to even know what's there, and I think
that's part of the trouble.
Chairman LaHood. And Mr. Norton, what are the consequences
of this revelation?
Mr. Norton. Well, I think what you're seeing today is the
government essentially scrambling to fix this. I think the fact
that Homeland Security Secretary had this public announcement
of removing the software is really alarming in the sense that,
you know, for it to raise to that level, for the Secretary to
put out an immediate edict across the federal government, I
think that is certainly troubling and that's something that it
says that we're not where we need to be and we have a long way
to go to get there in terms of securing our networks.
Chairman LaHood. And does it surprise you that Kaspersky
has denied this all the way through until today?
Mr. Norton. You know, I don't have access to all the
intelligence. You know, I think that the issue is not only, you
know, Kaspersky but I think other, you know, possible intruders
that are, you know, on the network that are there. So I think
this is absolutely a global issue. I think that, you know, for
DHS and other intelligence communities to probably share more
would be a good thing so the general public has a sense of what
this means and how it is impacting our networks, so I think
it's important for them to tell us a little bit more so we know
what's going on.
Chairman LaHood. Ms. Dodson, same question for you in terms
of should the federal government have known about this incident
and what are the consequences of this revelation?
Ms. Dodson. So from the NIST perspective, security controls
that we provide through our guidelines and special publications
provide guidance on how to set up security for networks and be
able to take a look at those. But a second critical issue
relates to supply chain, and that is the ability to understand
your suppliers, the kinds of products and services that you
have and that you're using in your systems. NIST has been
working with the federal government and with industry to
develop supply chain guidelines as part of the Framework for
Improving Critical Infrastructure that can be used to give
organizations a much better understanding of those suppliers so
that they can have the trust and confidence that they need when
they put these products and services on their networks.
Chairman LaHood. As a follow-up on that, can you--what
confidence can you give us that the NSA, their ability to stay
ahead of our adversaries on this issue?
Ms. Dodson. I can't speak for another organization such
as----
Chairman LaHood. Do you have an opinion on that?
Ms. Dodson. The federal government as a whole is taking the
threat issues very seriously across government and working with
industry to set up information-sharing systems so that as
threat issues come up we can act and respond quickly. We are
all taking this kind of issue very, very seriously.
Chairman LaHood. Thank you.
I now yield to Mr. Beyer for his questions.
Mr. Beyer. Thank you, Mr. Chairman, very much.
Mr. Norton, thank you for bringing up the LPTA issue. I
will just quote you quickly: ``Many CIOs are forced to abide by
the lowest price technically acceptable, LPTA standard, which
often means they don't end up with the best products.'' I couldn't
agree more, and we have a bipartisan bill, Mark Meadows and I,
which has been reported out of the Oversight and Government
Reform Committee unanimously. So if you can help us get it on
the House Floor, we can get it passed unanimously and send it
over to the Senate and not tie the hands of our purchasing
agents on lowest price rather than encouraging them to get the
best value.
Mr. Kanuck, Ms. Dodson talked about the voluntary risk-
based, flexible, repeatable and cost-effective approach of the
NIST Framework. So that's for the federal government. At what
point do we ever consider making it mandatory across the U.S.
business community or mandatory for subcontractors of the
federal government? When do we elevate it to just beyond where
we are?
Mr. Kanuck. Currently, that is not the approach under law
and regulation. Private-sector entities are left to their own
corporate policies and hiring cybersecurity elements to assist
them. As far as taking legislative or regulatory actions to
mandate certain activities, that may be forthcoming in the
future but I cannot speculate on that. What the NIST Framework
does is, it provides a baseline for a lot of the private sector
to emulate what the government is doing and is required as Ms.
Dodson said. I think that is universally viewed as a positive.
And the challenge remains, is the U.S. government going to
force actions on the private sector, and there are pros and
cons to that.
Mr. Beyer. One of the things we may think about is, do we
begin with government contractors?
Mr. Kanuck. That is actually a very interesting point to
start, and clearly in the defense industrial base that is done
through the procurement power of requiring certain aspects of
cybersecurity to be utilized or followed by entities that are
contracting with the U.S. government, and there's been success
with that model. So that may be a model to be extended beyond
just the defense contracting community. I think that would be a
wise option.
Mr. Beyer. Mr. Kanuck, you probably know what's been called
the Gerasimov Doctrine, so I'll take a moment to explain to
others who may not have read it.
In 2013, General Valery Gerasimov, Russia's Chief of the
General Staff, or head of its military, published an article
titled ``The Value of Science is in the Foresight'' in a weekly
Russian trade paper in which he let out--laid out his theory of
modern warfare. He blends tactics developed by the Soviets with
strategic military thinking about total war, which looks much
more like the hacking of an enemy's society than attacking it
head on. He wrote, ``The very rules of war have changed. The
role of non-military means of achieving political and strategic
goals have grown. In many cases, they have exceeded the power
of the force of weapons and their effectiveness. All of this is
supplemented by military means of a concealed character.''
So Mr. Kanuck, do you believe that we're seeing the
Gerasimov Doctrine in practice during this last election cycle,
and what are they trying to achieve by engaging these
aggressive assaults on our democracy?
Mr. Kanuck. Well, I think you're not only seeing it in the
form of influence operations in recent democratic elections in
the United States and/or France, I think you've also seen it
conjoined with military operations in Crimea or Ukraine as
well. The Russian Federation, as I alluded to in my written
comments and my opening statement, is very active in the area
of information operations beyond the simple layer of cyber or
critical infrastructure issues that we tend to think about.
They actually used the word ``information confrontation'' when
discussing this issue, and that is a wholesale part of their
strategic paradigm. You can read it in the open translations of
their strategic doctrine from 2000 onwards, and as you
articulated it, I would wholeheartedly concur that you are
seeing that assault on the intellectual and media space of
societies through cyber means. What they have found is the
perfect tool set, whether it's social media, remote hacking, et
cetera, to achieve their philosophical objective through that
stated doctrine.
Mr. Beyer. Thank you. Quick question. You wrote that all
similar companies, the antivirus, could be unwittingly
exploited by third parties. How at risk are Norton and McAfee
of this, you know----
Mr. Kanuck. I am not----
Mr. Beyer. --especially when you talk about they create the
open front door.
Mr. Kanuck. So I'm not prepared to talk critically about
other companies besides Kaspersky today. I will say, though,
that a proper review of the features of a lot of these security
softwares would allow you to do a proper assessment, and quite
frankly, in my experience, foreign intelligence actors and
criminals alike, once they find out who has access to the
network they seek access will attempt to derive ways to exploit
that path in, and it's a matter of intent and resources. I do
not believe there is any network or any product that is
perfectly secure. It's all a risk management issue.
Chairman LaHood. Thank you, Mr. Beyer.
I now yield to Mr. Higgins for his questions.
Mr. Higgins. Thank you, Mr. Chairman. I ask unanimous
consent to enter a letter from Mr. Troy Newman, a cybersecurity
professional with whom I consulted, to the record.
Chairman LaHood. Without objection.
[The information appears in Appendix II]
Mr. Higgins. Thank you, Mr. Chairman.
Ms. Dodson, how long have you been a cybersecurity advisor
for the United States government?
Ms. Dodson. I have worked at NIST since 1987, and I've been
the Chief Cybersecurity Advisor for about four years.
Mr. Higgins. So you were in place in 2012?
Ms. Dodson. Yes.
Mr. Higgins. You mentioned in one of your responses that
the U.S. government is taking cybersecurity and the realm of
cyberattack very seriously. Were we taking it very seriously in
2012 when the State Department contracted with Kaspersky?
Ms. Dodson. The federal government has been working on
issues related to supply chain for about seven years, and we
continue to work on our guidelines there as the complexity of
our systems continue to grow. There are challenges in
understanding all that we have in our networks but it's
necessary to do that, and our work with the Framework to
improve critical infrastructure cybersecurity provided some
opportunities to think about supply chain, to think about
resiliency in our networks so that we can understand cyber
threat and respond quickly to those.
Mr. Higgins. So in your opinion, the United States
government was taking cybersecurity very seriously in 2012?
Ms. Dodson. I think NIST has been taking cybersecurity
seriously----
Mr. Higgins. Very well.
Ms. Dodson. --for a very long time.
Mr. Higgins. Mr. Chairman, Kaspersky product has over 400
million users nationwide. It's widely known Kaspersky's ties to
the FSB. That's the Federal Security Service, the Russian
Federation. FSB is the main successor to the Soviet Union's
former KGB. Kaspersky headquarters is headquartered in Moscow
in the former KGB headquarter buildings in Lubyanka Square, and
yet in 2012, the United States State Department contracted with
Kaspersky. I read from Mr. Newman's letter that I entered into
the official record earlier. Many security software users
believe that security software is akin to a shield, that this
shield wards off would-be attackers. The reality is that
security software is more similar to an inoculation, as Mr.
Kanuck pointed out earlier. Security software resides deep
inside the computers and infrastructure within the very most
sensitive and secure areas. In order to install any effective
security software, we must first expose the system, making all
information vulnerable. The security software has full access
to all input and output operations. Security software is fully
embedded in such a way that it has complete access to total--to
the entire system.
Mr. Shive, you're familiar with the end-user license
agreement for security?
Mr. Shive. Yes, I am.
Mr. Higgins. That's the part that most Americans when we
purchase a cybersecurity product, it appears on the screen and
it's a lot of language that we don't read, we just click ``I
agree.'' Is that correct?
Mr. Shive. Yes.
Mr. Higgins. The end-user license agreement for Kaspersky
systems is governed by the laws of the United States or by the
laws of the Russian Federation?
Mr. Shive. If they're doing business in the United States,
it would be governed by the United States.
Mr. Higgins. The end-user license agreement for Kaspersky
products, Mr. Chairman, according to my research, are governed
by the laws of the Russian Federation. We have certainly begun
recently taking cybersecurity very seriously, but I find it
alarming that although it was rather well known within the
cybersecurity realm that Kaspersky was--you know, posed a
particular risk--we continued to do business with them until
very recently.
Let me just ask quickly, Mr. Shive. Are U.S. government
employees restricted from using Kaspersky products, devices, on
their own at this time?
Mr. Shive. I can't speak for the entire government. TSA
employees are not restricted.
Mr. Higgins. Are Kaspersky products still allowed to be
purchased by U.S. government agencies outside or separate from
the GSA contract process?
Mr. Shive. Not if they're going to comply with the Binding
Operational Directive that DHS published.
Mr. Higgins. And my colleague asked earlier, are U.S.
government contractors restricted from using Kaspersky
products?
Mr. Shive. Yes, they are as a result of the Binding
Operational Directive.
Mr. Higgins. Mr. Chairman, my time has expired. I thank you
for your cooperation.
Chairman LaHood. Thank you, Mr. Higgins.
I now yield to Ms. Johnson for her questions.
Ms. Johnson. Thank you very much.
Mr. Kanuck, the Russians appear to have a very good
understanding of ways that they can attempt to influence
America's views on certain issues or disrupt democratic
institutions. Social scientists are now working with
journalists and technologists and others to help understand
these techniques and to identify them in order to forewarn the
public about the covert efforts that intentionally generate
disinformation and fake news for political purpose. Do you
believe a robust understanding of social science and investment
in the area of research can be applied to helping to thwart
these sort of disinformation influence campaigns in the future?
Mr. Kanuck. Absolutely. I think we would want a triumvirate
of government initiative efforts to protect systems. I think we
would want the corporations whose social media or other
platforms are being exploited to join the effort to preserve
the integrity of their own corporate interests and networks.
And then finally, broader public awareness and education to
appreciate the risk and to take measures to secure their own
systems would all be beneficial.
Ms. Johnson. Are there technologies we might be able to
invest in to get a better grasp on this?
Mr. Kanuck. Certainly. There are a number of different
innovative proposals, some being offered in the social-media
community, others in the block chain technology. I believe this
Committee even had discussions of quantum computing and quantum
cryptography recently. So there are a number of different
innovative technologies which may offer some additional
security solutions in the future, and I do hope that both
government and private-sector initiatives pursue them because
as of right now, it is incredibly difficult to detect and/or
prevent the kind of influence operations which you were
referring to.
Ms. Johnson. Thank you very much.
I yield back Mr. Chairman.
Chairman LaHood. Thank you, Ms. Johnson.
At this time I'll yield to Mr. Posey--no, he's not there.
We'll go to Mr. Marshall, Dr. Marshall of Kansas.
Mr. Marshall. Thank you, Mr. Chairman.
I think I'll start with Ms. Shive. Mr. Shive, is there a
problem with the Kaspersky software now? Is there really a
problem with it?
Mr. Shive. So the GSA position for Kaspersky is, there was
a problem with them being entered onto GSA schedules the way
that they were entered onto GSA schedules, hence them being
removed. GSA doesn't run Kaspersky products so we haven't done
deep and rich analysis into the capabilities or technologies
associated with that.
Mr. Marshall. Was or is the Kaspersky Lab a threat to
national security?
Mr. Shive. I'm not in a position to answer that. Our
partners at DHS felt there was something significant enough to
bar use of Kaspersky in the----
Mr. Marshall. When do you think they first would have
thought or been concerned, approximately?
Mr. Shive. Who is ``they''?
Mr. Marshall. DHS is who you mentioned.
Mr. Shive. Right.
Mr. Marshall. Or GSA, either one.
Mr. Shive. So GSA became aware that there was some
discussion about the risk associated with Kaspersky at the end
of last year, and then as news came out, we did a couple of
evaluations on the GSA internal enterprise. When we found that
we weren't running Kaspersky internally, we did no further deep
and rich analysis of the technology embedded within Kaspersky.
DHS can speak to when they became aware of----
Mr. Marshall. Mr. Kanuck, our friends in Israel obviously
go back to 2014, it looks like, with a concern about that. Is
that accurate that the Israel government maybe alerted us in
2014 that there was a problem?
Mr. Kanuck. Given the unclassified nature of this hearing,
I'm going to have to simply refer to the recent media
discussions that I saw in the New York Times, Washington Post,
and Guardian and others that took it back to 2015.
Mr. Marshall. Okay. Mr. Norton, when the government
identifies a problem in this aspect, whose responsibility is it
to fix something like this? Is it particular to the people that
are running the software or this is a bigger problem, maybe
more of a national-security problem? Whose responsibility is it
to fix the problem?
Mr. Norton. That's absolutely a national-security issue. I
think that, you know, on paper it's the Department of Homeland
Security's challenge for the civilian side of the networks to
fix this problem and to alert their other federal partners. I
think that DHS has been challenged essentially since day one to
kind of work their way around the bureaucracy that we have.
Mr. Marshall. It looks like to me this probably has been
going on for two or three years. Frankly, I'm embarrassed. I've
helped run a hospital as well as part of a bank. I've seen
us take on all these IT problems over the past decade.
Absolutely convinced that if Thursday morning this is presented
to me and we weren't solving the problem by Friday that people
would have been fired and lost their job over it, and this
looks like to me it took three years when we knew there was a
problem, a potential problem. Even if it was just a potential
problem, if it's a national-security issue, we should have been
fixing it yesterday, not tomorrow. Am I--what's wrong with my
expectations, Mr. Norton?
Mr. Norton. I think your expectations are absolutely fair
and they're right on, and I think that the government has----
Mr. Marshall. Mr. Kanuck, are my expectations unrealistic?
Mr. Kanuck. I think the desire to remediate things as soon
as possible is very well placed. I'm also aware that the speed
of changes in government can occasionally be slow.
Mr. Marshall. Okay. You know, I think of this concept of
the fox and the henhouse. Again, I go back to my experience
working with a hospital and bank. If we would have vendors
applying to do our IT and to protect our stuff, and if I would
have brought to the board people with connections to the
Russian government, A, they would have probably fired me, and
B, they would have fired the IT person who even let them in the
door. I mean, did this pass the sniff test, Mr. Kanuck? Would
they pass the sniff test today to get this type of contract?
Mr. Kanuck. If it's meant to protect the information of a
sensitive national security type, I would think that it would
not pass the sniff test because of the foreign penetrations and
foreign influence that we have previously discussed here.
Mr. Marshall. Mr. Shive, in today's environment, would they
pass--the smell test is a better term. I've been corrected by
my colleagues across the aisle. We called it sniff in Kansas.
Maybe it's smell other----
Mr. Shive. Again, because we don't run that particular
software, I can't say specifically, and we don't base those
evaluations on press reports. What I can say is that every
agency CIO has a responsibility and obligation to vet any
software or technology or process that runs in that
organization, and that if Kaspersky or any similar tool was
going to be entered into service in that agency, it would be
put through a battery of tests to evaluate whether or not it
was suitable for that environment.
Mr. Marshall. Mr. Chairman, may I have 30 more seconds?
Chairman LaHood. I'll yield you 30 more seconds.
Mr. Marshall. You know, it feels like with all these IT
issues that we have, people are trying to rob the bank, and as
long as they don't get--as long as they don't rob the bank, we
don't prosecute them. What do we do when people are just trying
to rob the bank? So all these attacks on us, people are trying
to rob the bank. They're trying to rob us of information?
What's the solution to trying to--I mean, my gosh, I can't
believe this goes on this much. They're robbing--they're trying
to rob the bank, they don't accomplish it, so it seems like
nothing happens to them. Does anybody have a solution, a short
solution? Mr. Kanuck, you raised your hand.
Mr. Kanuck. Where we lack the ability to have cooperative
international law enforcement or forensic capabilities to
identify and prosecute those individuals, we are left with
recourse to improving our own networks' resiliency.
Mr. Marshall. Thank you. I yield back.
Chairman LaHood. Thank you, Dr. Marshall.
I now yield to Mr. McNerney.
Mr. McNerney. I thank the Chairman. I thank the witnesses.
It's certainly an important subject and I want to pursue a
little bit.
Mr. Norton, in your written testimony, you mentioned that
budget cuts across the federal government are affecting--are
forcing federal officials to use the lowest price technically
available standards. What aspects of security might be
compromised as a result of that lowering of standards?
Mr. Norton. Well, I think that, you know, sequestration,
which was put in place seven or eight years ago, right now what
we're seeing is the impacts of sequestration where we've
essentially conditioned government executives, CIOs, other
managers to really look for that LPTA product and they might
not necessarily look for the best type of software that's
available, maybe something that's customized, something that
might fit the particular need of an agency, and also we're
seeing where they're not turning on the software to fully
capability and that they maybe use part of an acquisition and
maybe not all of it and so I think all that goes to not having
enough resources and being kind of constrained to the
sequestration that's essentially still in place and kind of
hovering----
Mr. McNerney. Are there specific examples you could submit
to the Committee of this phenomenon you're describing?
Mr. Norton. I think that broadly I would say, you know,
program to program from, you know, federal agencies, you know,
like at DHS where they have, you know, component agencies like
Customs and Border Protection or other places where, you know,
you've got components that are purchased that might not
necessarily have a cyber component, you know, put inside of it.
I think if you think about the commercial attack back in
October of last year where essentially the internet was slowed
down because they were attacking a piece of the internet from a
small company in, you know, New Hampshire. You find these
little parts that can be exploited and slow down the internet
overall, and you think of that broadly in terms of other
products that maybe are purchased day to day at, you know, Best
Buy, for example, that don't necessarily have cyber built into
it goes to that lowest price technically acceptable.
Mr. McNerney. Thank you.
Mr. Shive, are commercial antivirus computer security
software products made by other companies also potentially
vulnerable to the same sorts of exploitation as in the case of
Kaspersky?
Mr. Shive. Because of the persistent nature of the threat,
all softwares are vulnerable, and that's why CIOs have the
obligation to assess those softwares before they enter them
into service in each of their agencies.
Mr. McNerney. Do you have any recommendations for federal--
to protect federal systems?
Mr. Shive. Increased investment in cybersecurity is a very
good idea.
Mr. McNerney. Ms. Dodson, has NIST made available any
guidelines or best practices concerning security of voting
infrastructure?
Ms. Dodson. NIST has developed guidelines for voting
infrastructures that relate to cybersecurity and in particular
looking at risk-management processes that can be put in place
for the different phases of voting systems and voting use.
Mr. McNerney. Should NIST be doing more in this arena?
Ms. Dodson. NIST is continuing to work with the voting
community as well as the Department of Homeland Security as
they are also looking at security and voting systems, so we are
continuing our efforts there.
Mr. McNerney. Okay. What limitations do you face?
Ms. Dodson. I'm sorry. What kind of limitation do we face
in----
Mr. McNerney. Right.
Ms. Dodson. So NIST continues to look at a number of
different aspects of voting and work with that community. We
are looking at security. We are looking at the interoperability
and the usability, so many different aspects of voting systems
to support the United States and to support the different
states as they're developing and implementing their solutions.
Mr. McNerney. Thank you. Mr. Shive, what would you
recommend small businesses do to strengthen their cybersecurity
networks and practices?
Mr. Shive. For small businesses, employ the best practices
that exist for large business and government in their
cybersecurity practices, make an emphasis and focus on
cybersecurity from the ground up at the beginning of creation
of their product, tools, process or service rather than as a
bolt on at the end.
Mr. McNerney. But a lot of these small businesses don't
have the resources to have an IT person to take care of those
issues.
Mr. Shive. And then they'll suffer the same fate that every
other corporation that makes that fundamental mistake does and
they'll go out of business.
Mr. McNerney. Thank you. Mr. Chairman, I yield back.
Chairman LaHood. Thank you, Mr. McNerney.
I now yield to the gentleman from South Carolina, Mr.
Norman.
Mr. Norman. Thank you, Mr. Chairman.
Mr. Shive, when we talk about getting on the GSA's
preapproved contract list, who's got the final approval? Is it
a person, is it a group? Who would make the final call on that?
Mr. Shive. The Federal Acquisition Service in GSA, which is
made up of contracting officers, lawyers, and business
professionals who interact with the vendor community and create
a framework for their entrance into the schedules.
Mr. Norman. How many people is that?
Mr. Shive. I can get back to you with the number. I think
it's around 6,000 people.
Mr. Norman. Okay. Now, was Congressman Higgins right when
he mentioned the fine print of being under the--and I forget
which agency he mentioned but being under the, I guess the
legal guidelines of Soviet Union rather than the United States?
Is that right?
Mr. Shive. So thank you for asking that clarifying
question. So every company has a EULA as a part of their
business practice. The federal government, the U.S. federal
government is not obligated under that EULA to enter service.
There's a negotiation that takes place that includes on the
government side lawyers and contracting officers that assess
the EULA relative to the regulation and policy of the federal
government. If there's a disconnect there, then the vendor
can't do business with government.
Mr. Norman. Okay. So going forward, would that be--would
any changes be made on that?
Mr. Shive. No. I think it's a good process to have
government lawyers and contracting officers scanning that test
for corporations and making sure that it complies with federal
regulation and law.
Mr. Norman. Okay. And Mr. Shive, in your testimony you note
that three resellers included Kaspersky's products without
taking appropriate steps to modify the contracts. Is that
right?
Mr. Shive. That's right.
Mr. Norman. Did these three resellers comply with the GSA's
request to remove Kaspersky products from the list?
Mr. Shive. Yes, they did so immediately.
Mr. Norman. After the fact?
Mr. Shive. Yes.
Mr. Norman. Okay. Did the GSA evaluate whether these three
resellers needed to be sanctioned for including the products?
Mr. Shive. I'm not aware of the sanctioning process, of any
sanctioning process.
Mr. Norman. Do you think there need to be sanctions, at
least go down--to go down that path to have consequences?
Because it looks like just from what I'm hearing has really
been the--there's no consequences on this.
Mr. Shive. Right. So I'm actually not saying that there
were or were not consequences. I just don't know if there was.
We can circle back to you and get you that information.
Mr. Norman. Like Congressman Marshall mentioned, you know,
the consequences in the private sector, the consequences in
just about everything in the political arena, and it looks like
there ought to be consequences with this. It's pretty serious
from what I'm hearing today.
Mr. Shive. Understood. We're happy to circle back with you
and let you know what the consequences were, if there were in
fact any.
Mr. Norman. Thanks so much.
I yield back, Mr. Chairman.
Chairman LaHood. Thank you, Mr. Norman.
I now will yield to Mr. Perlmutter from Colorado.
Mr. Perlmutter. I thank the Chair, and just an inquiry of
the Chair. Was Mr. Kaspersky invited to testify or somebody
from his organization?
Chairman LaHood. Not to today's hearing. I know that we
plan to have a few more hearings on this, and we'll entertain
that as we move along.
Mr. Perlmutter. All right. Thank you.
And Mr. Norton, it's good to see you. We've had two records
today. You have had the shortest opening statement, and the
Ranking Member had the shortest questioning along with Mr.
Norman today that we've had I think on this Committee of all
time, so thank you all.
You know, over time the computers I've had, I've had
McAfee, I've had Kaspersky, and I've had--and Mr. Norton, I
don't think it's your company but I've had Norton antivirus
too.
Mr. Norton. It is not my company.
Mr. Perlmutter. I think this is a very important hearing
we're having today. Mr. Higgins talked about the KGB
potentially having access into governmental records, talked
about--I think Dr. Marshall talked about the fox in the
henhouse and robbing the bank or attempting to rob the bank,
and words like ``trusted'' and ``complicit'' and ``willful''
and ``adversarial'' and ``espionage'' and ``intelligence risk''
and ``national security'' have been bandied about today. What--
I'll start with you, Mr. Kanuck. What is it that we're worried
about here?
Mr. Kanuck. I believe we're particularly worried about the
ability for unauthorized users to access systems and either
steal confidential information or disrupt the availability of----
Mr. Perlmutter. But a particular unauthorized user, who is
that? What is that?
Mr. Kanuck. Well, from my role as a Strategic Threat
Analyst, I would say there are numerous of them in the
international space. The one we seem to be focusing on today is
the Russian threat actor and that has theoretically, according
to open-source reporting, exploited Kaspersky products to that
end.
Mr. Perlmutter. Mr. Norton, are you familiar with Guccifer
2.0?
Mr. Norton. Yes.
Mr. Perlmutter. What is that?
Mr. Norton. Well, essentially it's hacktivism, if you will,
in terms of, you know, hacking into, finding information, you
know, getting into a system and then pulling information out. I
think your assessment in terms of what exactly we're talking
about here is a great point. I think there are multiple
threats. Whether they're here domestically or they're
international, I think the government is woefully behind in
terms of preparation in terms of what we've done now and what
we need to do, you know, going forward. I think that we seem to
be having, you know, these type of discussions every 6 to 12
months with these massive hacks that are occurring, and I think
that, you know, it's time to really kind of move on and figure
out what is the next step, whether it's massive research and
development funding for the government to hire these, you know,
more experts, bring people in to government. I think that
we've, you know, kind of assigned this opportunity to CIOs and
other people within the government that have had traditional
roles and now they seem to be the cybersecurity experts, and I
think they obviously do a great job for us but I also think
they need more help and more services and more, you know,
support.
Mr. Perlmutter. And the Congress has got to be in the lead
hopefully of providing those resources, which I think you now
mentioned and Mr. Kanuck mentioned.
So let me move to NIST and to the GSA for just a second and
then I've got a political statement I want to make. I think one
of the places where we can harden systems especially for small
business is through small business taking advantage of the NIST
Framework and that the GSA in its protocols demand that small
business have access, you know, taking advantage of those NIST
protocols or Framework, just if the two of you would comment
real quickly.
Ms. Dodson. NIST has developed some guidance specifically
for small businesses around the Framework to make that publicly
available, and we've worked with the Small Business
Administration, with our manufacturing Extension Partnership
and others to make sure these guidelines are available and that
small businesses can find out about them.
Mr. Perlmutter. But for you, they're guidelines. For GSA,
they could demand something like that as part of the purchase.
Mr. Shive. And that's exactly right. Increasingly we find
that business both big and small is increasingly availing
themselves of NIST policy, guide work and frameworks because
it's good IT and cybersecurity practice. As a CIO who purchases
softwares and technologies increasingly I'm asking my vendor
partners to conform to those standards as well.
Mr. Perlmutter. If I could have just a few more seconds,
Mr. Chairman----
Chairman LaHood. Absolutely.
Mr. Perlmutter. --for my political statement?
Chairman LaHood. It depends on what it is but----
Mr. Perlmutter. Well, you're not going to like it but I
mean, I think this is a very important subject but obviously,
you know, when we have at the White House an investigation
between connections between the White House and many of its
people with the guy who was the former head of the KGB,
Vladimir Putin, then we've got a lot of ground to cover,
whether it's within the cybersecurity or as to, you know, just
basic old personal relationships and not have too many front
doors to Russia because I think that is jeopardizing our
national security, and with that, I yield back.
Chairman LaHood. Thank you, Mr. Perlmutter.
At this time I'll yield to Mr. Loudermilk of Georgia.
Mr. Loudermilk. Thank you, Mr. Chairman, and thank all of
you for being here today.
Spending 20 years in the IT industry, actually 30 if you
include my time in the intelligence community when I was in the
military, there are so many aspects of this issue that are so
disturbing that I can't even get my hands around all of it, and
some of it outside of this hearing such as an intelligence
analyst taking classified material home. I mean, that was a
felony when I was in the intelligence community. And then
somebody who is in that arena having pirated software, I mean,
anybody who works in this arena at all, you know that if it's
pirated software, it's dirty. It's likely dirty in some way. So
anyhow, that's outside the scope of this. This happened in a
previous Administration and hopefully we're cleaning up some of
the looseness that we've had in the intelligence community, but
I'm reading an article from Associated Press which, Mr.
Chairman, I'd like to introduce into the record.
Chairman LaHood. Without objection.
[The information appears in Appendix II]
Mr. Loudermilk. This thing reads like a Clancy novel, the
Israelis spying on the Russians who are spying on us, and they
alert us to the fact that the Russians are gaining information
that are being captured through this software.
Mr. Norton, in your experience, if a cybersecurity company
comes across, whether intentional or unintentional, comes
across classified information, I would think, through my
experience, that it not only legally but professionally you
should alert the agency of which it came from that--or at least
the proper officials that you have come across this
information. Am I wrong in that? Is that something that you
would assess if somebody just happened to come across this
information they would alert?
Mr. Norton. I think in the last couple of years that there
has been an effort in terms of sharing information amongst DHS
and other, you know, companies across the cyber realm, if you
will, in terms of moving information back and forth certainly
could be better but I think the process has started and I think
as you're seeing professionals kind of cross into the private
sector and back into government and back and forth, it's
getting a little bit better, but absolutely, it's something
that we need to continue to get our arms around and do a better
job.
Mr. Loudermilk. I mean, if in your business you come across
a piece of classified information that was not within your
realm of need to know, you would report to someone?
Mr. Norton. Of course.
Mr. Loudermilk. Okay. In this article from Associated
Press, you know, they reported that Israel notified us that
Russia was gaining classified information using the software.
Eugene Kaspersky spoke--in this article, he stated that they
did collect NSA materials clearly marked classified in 2014,
which were spirited to Moscow for analysis, and then deleted at
his direction. When asked if Kaspersky alerted the NSA that his
software discovered classified materials, he claimed that he
didn't want to see it in the news. If he is asked why he didn't
report it, he didn't want to see in the news that I tried to
contact the NSA to report the case, definitely I didn't want to
see it in the news. Is that plausible that he would not report
that they, you know, came across by unintentional means that
they came across classified information? Is it plausible that
he would have not reported it just because he didn't want to
see it in the news? Yes, Mr. Norton. I'm sorry.
Mr. Norton. I guess the answer is, sir, I don't know what's
going inside his head or what his thought process was. It's
hard for me to assess why he made that decision or didn't make
that decision.
Mr. Loudermilk. To me, from a legal aspect, maybe laws have
changed since I was in the intelligence community but I would
have a legal responsibility at that point to notify the
authorities look, our software came across this information,
you may need to go look at this employee. I also have issue
with them just reading the documents they come across as well.
Mr. Kanuck, do you think this is a plausible response by
Mr. Kaspersky?
Mr. Kanuck. My first observation would be that Mr.
Kaspersky may not be subject to a secrecy agreement of any kind
that would have the legal contractual binding nature that
yourself previously and myself have had before that would have
obligated us to report that information had we stumbled across
it. Secondly, I guess I am personally a little surprised that
knowing the scrutiny that his firm is under that he might not
have taken an opportunity to return it to the U.S. government
and try to get in our good favor.
Mr. Loudermilk. Maybe redeem himself, you know, to show
goodwill.
Let me ask you, why would he not inform the NSA? I mean----
Mr. Kanuck. Possibly because he felt there was no legal
obligation for him to, and in his personal decision thought it
was not in the best interest of his company, which again is a
Russian company.
Mr. Loudermilk. Mr. Norton, is it plausible that maybe the
suspicions that the Israelis have, that we have is that they're
purposely mining for information? Is that plausible?
Mr. Norton. I think that, you know, with the digital age
having really grown in the last 15 years that online
intelligence gathering is the normal. I think that we as, you
know, society need to continue to come to grips with the fact
that mining online data and the fact that you can target
individuals is the new normal and that we all need to be aware
of this, and I think that whether it's the Russians or other
adversaries, nation-states, individuals, absolutely our
networks are a target every day, every second, and we need to
be really aware of that.
Mr. Loudermilk. Why would he send it to Moscow? Is that not
suspect that he sent the documents to Moscow, then asked for
them to be deleted, Mr. Norton?
Mr. Norton. I think--again, I don't know what really
occurred or didn't occur. It seems like that would be something
that we would need to really kind of take a look at, and
hopefully our intelligence services is on that and they can
give us----
Mr. Loudermilk. Mr. Kanuck, would you--would you find it
suspect that he sends them to Moscow after seeing that they're
classified NSA documents determines to not notify the NSA but
then sends them to Moscow and then says I'm going to have them
deleted? I mean, that's pretty suspect to me.
Mr. Kanuck. So again, I'm not personally knowledgeable of
whether he himself was the one who did the discovering and the
forwarding. I would, as I said in my opening statement,
encourage the analysis of traffic flows within the Kaspersky
global communications network. That may have been standard
operating procedure or it may have been an ad hoc decision. I
can't speak to that because I don't work for that company.
Mr. Loudermilk. All right. Well, thank you, Mr. Chairman. I
yield back the time I have exceeded.
Chairman LaHood. Well, thank you, Mr. Loudermilk, for your
insightful questions there.
That concludes our questions here today. I want to thank
the witnesses for your valuable testimony here today. I think
this Committee as part of our oversight mission will continue
to investigate leads and evidence as it relates to this matter.
Secondly, I think we've just touched the surface as it relates
to Kaspersky and their alleged complicity and involvement with
cyber espionage, and this Committee will continue to work on
that. We anticipate more hearings and more testimony to come.
So with that, this hearing is concluded, and we thank you.
[Whereupon, at 11:31 a.m., the Subcommittee was adjourned.]
Appendix I
----------
Answers to Post-Hearing Questions
Responses by Mr. Sean Kanuck
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Appendix II
----------
Additional Material for the Record
Letter submitted by Representative Clay Higgins
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Document submitted by Representative Barry Loudermilk
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]