[Senate Hearing 111-667]
[From the U.S. Government Publishing Office]
S. Hrg. 111-667
CYBERSECURITY: NEXT STEPS TO PROTECT
OUR CRITICAL INFRASTRUCTURE
=======================================================================
HEARING
before the
COMMITTEE ON COMMERCE,
SCIENCE, AND TRANSPORTATION
UNITED STATES SENATE
ONE HUNDRED ELEVENTH CONGRESS
SECOND SESSION
__________
FEBRUARY 23, 2010
__________
Printed for the use of the Committee on Commerce, Science, and
Transportation
----------
U.S. GOVERNMENT PRINTING OFFICE
57-888 PDF WASHINGTON : 2010
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
ONE HUNDRED ELEVENTH CONGRESS
SECOND SESSION
JOHN D. ROCKEFELLER IV, West Virginia, Chairman
DANIEL K. INOUYE, Hawaii KAY BAILEY HUTCHISON, Texas,
JOHN F. KERRY, Massachusetts Ranking
BYRON L. DORGAN, North Dakota OLYMPIA J. SNOWE, Maine
BARBARA BOXER, California JOHN ENSIGN, Nevada
BILL NELSON, Florida JIM DeMINT, South Carolina
MARIA CANTWELL, Washington JOHN THUNE, South Dakota
FRANK R. LAUTENBERG, New Jersey ROGER F. WICKER, Mississippi
MARK PRYOR, Arkansas GEORGE S. LeMIEUX, Florida
CLAIRE McCASKILL, Missouri JOHNNY ISAKSON, Georgia
AMY KLOBUCHAR, Minnesota DAVID VITTER, Louisiana
TOM UDALL, New Mexico SAM BROWNBACK, Kansas
MARK WARNER, Virginia MIKE JOHANNS, Nebraska
MARK BEGICH, Alaska
Ellen L. Doneski, Staff Director
James Reid, Deputy Staff Director
Bruce H. Andrews, General Counsel
Ann Begeman, Acting Republican Staff Director
Brian M. Hendricks, Republican General Counsel
Nick Rossi, Republican Chief Counsel
C O N T E N T S
----------
Page
Hearing held on February 23, 2010................................ 1
Statement of Senator Rockefeller................................. 1
Statement of Senator Snowe....................................... 3
Prepared statement........................................... 5
Statement of Senator Ensign...................................... 36
Statement of Senator Pryor....................................... 38
Statement of Senator Begich...................................... 41
Statement of Senator Klobuchar................................... 43
Statement of Senator Thune....................................... 47
Witnesses
Vice Admiral Michael McConnell, USN (Retired), Executive Vice
President, National Security Business, Booz Allen Hamilton..... 7
Prepared statement........................................... 10
James A. Lewis, Director and Senior Fellow, Technology and Public
Policy Program, Center for Strategic and International Studies. 12
Prepared statement........................................... 14
Scott Borg, Director and Chief Economist, U.S. Cyber Consequences
Unit........................................................... 17
Prepared statement........................................... 19
Mary Ann Davidson, Chief Security Officer, Oracle Corporation.... 21
Prepared statement........................................... 23
James Arden ``Jamie'' Barnett, Jr., Rear Admiral, USN (Retired),
Chief, Public Safety and Homeland Security Bureau, FCC......... 27
Prepared statement........................................... 29
Appendix
Hon. Tom Udall, U.S. Senator from New Mexico, prepared statement. 55
Written questions submitted by Vice Admiral Michael McConnell to:
Hon. John D. Rockefeller IV.................................. 55
Hon. Tom Udall............................................... 55
Response to written questions submitted by Dr. James A. Lewis to:
Hon. John D. Rockefeller IV.................................. 56
Hon. Tom Udall............................................... 57
Hon. John Ensign............................................. 57
Response to written questions submitted by Hon. John D.
Rockefeller IV to Scott Borg................................... 58
Response to written questions submitted by Mary Ann Davidson to:
Hon. John D. Rockefeller IV.................................. 60
Hon. Tom Udall............................................... 62
Hon. John Ensign............................................. 72
Response to written questions submitted by Rear Admiral James
Barnett, Jr. to:
Hon. John D. Rockefeller IV.................................. 75
Hon. John Ensign............................................. 77
CYBERSECURITY: NEXT STEPS TO PROTECT OUR CRITICAL INFRASTRUCTURE
----------
TUESDAY, FEBRUARY 23, 2010
U.S. Senate,
Committee on Commerce, Science, and Transportation,
Washington, DC.
The Committee met, pursuant to notice, at 2:40 p.m. in room
SR-253, Russell Senate Office Building, Hon. John D.
Rockefeller IV, Chairman of the Committee, presiding.
OPENING STATEMENT OF HON. JOHN D. ROCKEFELLER IV,
U.S. SENATOR FROM WEST VIRGINIA
The Chairman. Welcome, all. And this hearing will come to
order. And members will be coming in.
Before I give my opening statement, I just want to make
sure that everybody knows who is testifying. And Vice Admiral
Michael McConnell, U.S. Navy, Retired, Executive Vice President
of National Security Business, Booz Allen Hamilton. He and I
have done a lot of work together, including on FISA, other
matters. Dr. James Lewis, Director and Senior Fellow,
Technology and Public Policy Program Center for Strategic and
International Studies. And Dr. Lewis is there, working on his
computer, I think. Mr. Scott Borg, Director and Chief
Economist, U.S. Cyber Consequences Unit. And Rear Admiral James
Arden Barnett, Jr., Chief, Public Safety and Homeland Security
Bureau, Federal Communications Commission. I'm really glad
about that. And Ms. Mary Ann Davidson, Chief Security Officer,
Oracle Corporation. So, you're going to have some attention
focused on you today.
This Nation--is it OK if I proceed? OK. This Nation and its
citizens depend enormously on communication technologies in so
incredibly many ways every single day. Vast network expansions
have transformed virtually every aspect of our lives:
education, healthcare, how businesses grow, don't grow,
function, and the development of an interconnected, more
democratic conversation. Our government, our economy, our very
lives rely on technology that connects millions of people
around the world in real time and all the time. And yet, these
powerful networks also carry great risks which people, for the
most part, don't understand--understandably don't understand--
but are going to have to come to understand.
In recent years, hackers have attacked numerous Federal
agencies, key media outlets, large companies across the private
sector, targeting intellectual property, stealing valuable
information vital to our national and economic security.
What was it? An article I read in the paper, somebody from
DOD says, ``We're getting attacked every day, all day, 7 days a
week.'' And that's what they do. And these attacks are coming
with increasing regularity and increasing sophistication. A
major cyber attack could shut down our Nation's most critical
infrastructure: our power grid, telecommunications, financial
services; you just think of it, and they can do it--the basic
foundations on which our communities and families have been
built, in terms of all of their lives and who are trying to
have a future.
So, this hearing is a next step in examining the important
action we should be taking right now, as a government and as a
national economy, to harden our defenses and safeguard critical
infrastructure against a major cyber attack. Having said that
they're happening all the time, that would seem to be out of
order, but, you know, it needs--both need to be said.
Now, I understand it's no secret that cybersecurity is one
of my top securities; it isn't a secret, at least, to Olympia
Snowe and myself. As the former Chair of the Intelligence
Committee, and now Commerce, I know that it's both national
security and our economic security at stake. But, obviously,
I'm not alone. Many experts, business leaders, public
officials, including two of our former directors of national
intelligence, have pointed, time and time again, to
cybersecurity as this country's chief security problem.
President Obama called cyberspace a strategic national
asset. However, this very important point, critical to the
challenge we're discussing here today, unlike the other
strategic national assets, cyberspace is 85-percent owned and
controlled by private companies and individuals. That means
that no one--neither the Government nor the private sector--can
keep cyberspace secure on their own. Both must work together.
All must work together. And that is why the wonderful Senator
Snowe, from Maine, and I have introduced comprehensive
legislation--the Cybersecurity Act 2009--to modernize the
relationship between the Government and the private sector on
cybersecurity.
And I have to say that on--there's--it's such a sensitive
subject, particularly with the private sector, that I--we were
on our fourth draft, because we kept calling in the
stakeholders. They kept saying, ``Well, this is wrong, this is
wrong, this is wrong.'' And so, we would adjust, and do another
one. I mean, we did it the way legislation should be developed.
Our legislation calls for developing a cybersecurity
strategy and identifying the key roles and responsibilities of
all the players, private and public, who will respond in a time
of crisis.
I'm sure you've all heard about last week's Cyber ShockWave
exercise. I watched. The process made it enormously clear; if
we are serious about responding effectively to real cyber
emergencies, we need a very strong top-level coordination. Too
much is at stake for us to pretend that today's outdated
cybersecurity policies are up to the task of protecting our
Nation and/or our economic infrastructure.
We have heard the reassurances and seen the best efforts of
the many in the private sector working to secure their
networks. But, it's clear that even the largest, most
sophisticated companies are not immune from attack. So, we have
to do better. And that means it will take a level of
coordination and sophistication to outmatch our adversaries and
minimize, as much as possible, the threats. So, it's that
simple. We can't wait; we've got to get going on this. We've
got to get people educated on it. And it's a massive, massive
undertaking.
I want to introduce, to speak first--one, because he has to
leave at 4 o'clock and, second, because he's kind of senior
around here--Admiral Mike McConnell, who, you know, was NSA,
DNI, private sector, and we worked together very closely on
FISA and other legislation.
So, I now call upon Admiral--I'm very aware that you have
to go----
Admiral McConnell. Yes, sir.
The Chairman.--and we will work that, and make it work.
But, Senator Snowe ranks here today.
No, but I want you to make an opening statement, if you
want to.
Well, John, that's a quandary. I mean, you know, Olympia
ought to make a little bit of an opening statement. You could
take a 3-minute opening statement.
STATEMENT OF HON. OLYMPIA J. SNOWE,
U.S. SENATOR FROM MAINE
Senator Snowe. OK. Thank you, Mr. Chairman, you're so
gracious and generous.
I also want to take this opportunity to commend you for
your extraordinary leadership on this paramount issue for the
security of our Nation. And I also want to extend my sincere
appreciation to our esteemed witnesses here today who represent
a combined depth and breadth of knowledge and experience to
provide invaluable insight into the multiple facets of this
threat posed by cyberintrusion and attack and how we should
mobilize as a nation to leverage both the public and the
private sector to confront this exceptional challenge.
As Senator Rockefeller indicated, we filed a comprehensive
cybersecurity bill, just a year ago, to accomplish that. We
have since had multiple drafts. We are trying to bring new,
high-level governmental attention to developing a fully
integrated, thoroughly coordinated public private partnership,
as we see this as the only means to address our Nation's 21st-
century vulnerability to cybercrime, global cyberespionage and
cyber attacks.
As crossover members of both the Intelligence Committee and
the Commerce Committee, Senator Rockefeller and I, are keenly
aware of the gravity of these circumstances and the astonishing
dimensions of this threat. Moreover, our legislation reflects
the recommendations of the Center for Strategic and
International Studies' Blue Ribbon Report that was issued to
the President. And the bill has undergone a number of
revisions, following literally hundreds of meetings with
industry and government thought leaders on this vital subject.
We sought to carve a course for our country to embrace a
national security policy that will protect and preserve
American cyberspace, which the President has rightly deemed a
strategic national asset, because it is simply undeniable that
the interconnection and integration of global systems, the very
backbone of our functioning modern society, creates myriad
opportunities for cyber attackers to disrupt communications,
electrical power, and other indisputably essential services.
And over the past several years, let there be no mistake,
cyberexploitation activity has grown more sophisticated, more
serious, and more targeted.
According to the Director of National Intelligence, Dennis
Blair, a burgeoning array of state and non-state adversaries
are increasingly targeting the Internet, telecommunications
networks, and computers. And we're being assaulted on an
unprecedented scale by well-resourced and persistent
adversaries seeking to gain a glimpse into America's mission-
critical vulnerabilities.
In an unclassified setting just 2 weeks ago, the Director
testified that the national security of the United States, our
economic prosperity, and the daily functioning of our
government are dependent on a dynamic public and private
information infrastructure that is now severely threatened. As
the Director also noted, the recent intrusions reported by
Google that appear to have originated in China should serve as
a wake-up call to those who have not taken this problem
seriously. That's why Senator Rockefeller and I have said that
our failure to implement effective policies and procedures to
prevent unauthorized intrusions have proven extremely
consequential. And if we fail to take swift action, we risk a
cybercalamity of epic proportions, with devastating
implications for our Nation.
We've already experienced breaches to our supply chains.
According to the SANS Institute, there have been several
incidents involving infected memory sticks sold in U.S. retail
stores. Furthermore, the FBI has alerted the Administration
that malevolent actors have actually begun selling counterfeit
networking equipment infected with viruses to consumers.
Indeed, government agencies, as well as the private sector, are
identifying an increasing number of security incidents.
According to Verizon, more electronic records were breached
last year than the previous 4 years combined, resulting in loss
of privacy, identity theft, and financial crimes. Today,
hijacked personal computers, known as ``botnets'' are used to
send spam or viruses. And all of this is done without the
owner's knowledge.
And just this week, according to a recently released report
from NetWitness, hackers gained access to data at close to
2,500 companies and government agencies, from credit card
transactions to intellectual property over the last 18 months,
in a coordinated global attack. In fact, it was described as
one of the largest and most sophisticated attacks, in the
Washington Post this month.
Then, according to a report drafted by the chief
information security officer of In-Q-Tel, the CIA's venture
capital arm, hackers currently charge about a penny for every
thousand e-mails of spam, and only $1 for a credit card that
includes every piece of information necessary to compromise
one's credit.
I commend the President for deeming cybersecurity a top
priority and recently naming Howard Schmidt, whom Senator
Rockefeller and I met with just a few weeks ago, as the
Administration's national cybersecurity coordinator. However,
we remain concerned that this position does not possess the
institutional heft that it requires. We would prefer and
recommend, in our legislation, a Cabinet-level, Senate-
confirmed national cyberadviser that reports directly to the
President and is directly accountable to the American people.
It is imperative that the public and private-sectors
marshal our collective forces in a collaborative and
complementary manner to confront this urgent threat and reduce
the risk posed by cyberintrusion or catastrophic cyber attack.
As part of this effort, we must identify incentives for the
private sector. Limiting liability for the companies that
improve their cybersecurity posture, improving threat
information-sharing, providing a safe harbor for exchanging
vulnerability data, as well as tax credits contingent on a
company complying with certain security practices, should all
be considered.
It is equally urgent that government take proactive steps,
always mindful of privacy concerns. The Government should work
with the private sector to recognize and promote cybersecurity
performance measures and best practices and develop a robust
workforce of cybersecurity professionals, promote innovation
and excellence in products and services, and institute a
campaign, as Senator Rockefeller has indicated, to educate the
public about cybersecurity risk, using the Government's
purchasing power, as well, to raise standards through
procurement.
Ultimately, we must recognize that time is not on our side,
and it's clear that our adversaries will continue to change
their tactics as technology evolves. Congress must take action.
I look forward to hearing from our distinguished witnesses
and working closely with the Chairman and all members of this
committee and others, and throughout the Congress, in order to
accomplish this goal this year.
Thank you.
[The prepared statement of Senator Snowe follows:]
Prepared Statement of Hon. Olympia J. Snowe, U.S. Senator from Maine
Thank you, Mr. Chairman, and I would like to take this opportunity
to commend you for your extraordinary and visionary leadership on this
paramount issue for the security of our Nation.
I also want to extend my sincere appreciation to our esteemed
witnesses for joining with us today. All of you bring to bear a
combined depth and breadth of knowledge and experience to provide
invaluable insight on the multiple facets of the threat posed by cyber
intrusion and attack, and how we should mobilize as a nation to
leverage both the private and public sector to confront this
exceptional challenge.
Indeed, Senator Rockefeller and I filed a comprehensive
cybersecurity bill almost a year ago to accomplish just that. We sought
to bring new high-level governmental attention to developing a fully
integrated, thoroughly coordinated public-private partnership as that
is the only way we can address our Nation's 21st century vulnerability
to cyber crime, global cyber espionage, and cyber attacks.
As crossover members of both the Intelligence and Commerce
committees, Senator Rockefeller and I are keenly aware of the gravity
as well as the astonishing dimensions of the threat. Moreover, our
legislation reflects the recommendations of the CSIS report to
President Obama, and the bill has undergone a number of revisions
following literally hundreds of meetings with industry and government
thought-leaders on this vital subject.
Senator Rockefeller and I sought to carve a course for our country
to embrace a national security policy that will protect and preserve
American cyberspace, which the President has rightly deemed a
``strategic national asset.'' Because it is simply undeniable that the
interconnection and integration of global systems--the very backbone of
our functioning modern society--creates myriad opportunities for cyber
attackers to disrupt communications, electrical power, and other
indisputably essential services. And over the past several years, let
there be no mistake--cyber exploitation activity has grown more
sophisticated . . . more targeted . . . and more serious.
According to Director of National Intelligence Dennis Blair, a
burgeoning array of state and non-state adversaries are increasingly
targeting the Internet . . . telecommunications networks . . . and
computers . . . and we are being assaulted on an unprecedented scale by
well-resourced and persistent adversaries seeking to gain a glimpse
into America's mission-critical vulnerabilities.
In an unclassified setting just 2 weeks ago, the Director testified
that ``the national security of the United States, our economic
prosperity, and the daily functioning of our government are dependent
on a dynamic public and private information infrastructure'' that is
now ``severely threatened.'' As the Director also noted, the recent
intrusions reported by Google that appear to have originated in China
should ``serve as a wake-up call to those who have not taken this
problem seriously.''
That is why Senator Rockefeller and I have said that our failure to
implement effective policies and procedures to prevent unauthorized
intrusion has proven extremely consequential, and if we fail to take
swift action, we risk a cyber-calamity of epic proportions with
devastating implications for our Nation.
We have already experienced breaches to our supply chain. According
to the SANS (Systems Admin, Audit, Network, and Security) Institute
there have been several incidents involving infected memory sticks sold
in U.S. retail stores. Furthermore, the FBI has reportedly alerted the
administration that malevolent actors have actually begun selling
counterfeit networking equipment infected with viruses to consumers.
Indeed, government agencies as well as the private sector are
identifying an increasing number of security incidents. According to
Verizon, more electronic records were breached last year than the
previous 4 years combined, resulting in loss of privacy, identity
theft, and financial crimes. Today, hijacked personal computers known
as botnets are used to send spam or viruses. And all of this is done
without the owner's knowledge.
Just this week, according to a recently released report from
Netwitness, hackers gained access to a data at close to 2,500 companies
and government agencies, from credit-card transactions to intellectual
property, over the last 18 months in a coordinated global attack. Then,
according to a report drafted by the Chief Information Security Officer
of In-Q-Tel, the CIA's venture capital arm, hackers currently charge
about a penny for every 1000 e-mails of spam and only about $1.00 for a
credit card that includes every piece of information necessary to
compromise one's credit!
As you all know, 85 percent of our vital infrastructure is owned
and operated by the private sector, and, according to a 2009 Verizon
report which examined data breaches at 45 major U.S. firms in 15
different industries, ``the average cost for a data breach reached an
eye-opening $6.75 million''--that's the cost to the average large
company every single day. Cyber attacks represent both a potential
national security and economic catastrophe.
I commend President Obama for deeming cybersecurity ``a top
priority'' and recently naming Howard Schmidt--whom Senator Rockefeller
and I met with a few weeks ago--as the administration's national
cybersecurity coordinator. However, we remain concerned that this
position still does not possess the institutional heft that it
requires, as the coordinator is not accountable to Congress and the
American people nor does he does report directly to the President--
significantly more can and must be done. It is imperative that public
and private sectors marshal our collective forces in a collaborative
and complementary manner to confront this urgent threat and reduce the
risk posed by cyber intrusion or a catastrophic cyber attack.
As part of this effort, we must identify incentives for the private
sector. Limiting liability for the companies that improve its
cybersecurity posture, improving threat information sharing, providing
a ``safe harbor'' for exchanging vulnerability data, as well as tax
credits contingent on a company complying with certain security
practices, should all be considered.
It is equally urgent that government takes proactive steps always
mindful though of privacy concerns. The government should work with the
private sector to recognize and promote cybersecurity performance
measures and best practices, develop a robust workforce of
cybersecurity professionals, promote innovation and excellence in
products and services, institute a campaign to educate the public about
cybersecurity risks, use the Government's purchasing power to raise
standards through procurement, and promote government and private
sector teamwork in emergency preparedness and response in the event of
a catastrophic cyber attack.
Ultimately, we must recognize that time is not on our side and it
is clear that our adversaries will continue to change their tactics as
technology evolves. Congress must take action--I look forward to
hearing from our distinguished witnesses and working closely with my
colleagues to implement a comprehensive cybersecurity strategy for our
Nation.
The Chairman. Thank you, Senator Snowe.
Admiral if you would present your testimony, please, and
then we'll go right on through.
I just want to point out that I--was it four years ago?
Five years ago?
Admiral McConnell. Three years ago, sir.
The Chairman. Three years ago----
Admiral McConnell. Yes, sir.
The Chairman.--that you took the entire Intelligence
Committee to an offsite place and spent a whole day on
cybersecurity.
Admiral McConnell. Right.
The Chairman. And you were so intense that day that I don't
think any of us were quite the same afterwards. And it was one
of those things that, you know, was a wake-up call that we
needed. You gave us amounts of information, and now we have
people on the Intelligence Committee who are following this
subject very closely.
We welcome you, sir.
STATEMENT OF VICE ADMIRAL MICHAEL McCONNELL,
USN (RETIRED), EXECUTIVE VICE PRESIDENT,
NATIONAL SECURITY BUSINESS, BOOZ ALLEN HAMILTON
Admiral McConnell. Thank you, Mr. Chairman, Senator Snowe,
members of the Committee. It's a pleasure to be here.
Let me first say I not only agree, I fully endorse and
verify everything that the two of you said in your opening
statements. Based on what I know, at a classified level, my
experience since being the Director of NSA in 1992, I've been
worrying about this issue and following it, and you're exactly
right. And thank you for your leadership as a forcing function.
Now, what I will attempt to do in some very brief comments
is put a sharper edge on it and then make some associations, on
a historical basis, about what we may need to do.
You asked me to talk to threat, actions to mitigate, and
public-private partnership. You mentioned that we're at
significant risk; let me make it sharper. If the Nation went to
war today in a cyberwar, we would lose. We would lose. We're
the most vulnerable. We're the most connected. We have the most
to lose. So, if we went to war today in a cyberwar, we would
lose.
As an intelligence officer, I'm often asked to make
predictions. I want to make three predictions for you:
The first is, we will not mitigate this risk. We'll talk
about it, we'll wave our arms, we'll have a bill, but we will
not mitigate this risk. And as a consequence of not mitigating
the risk, we're going to have a catastrophic event. In our
wonderful democracy, it usually takes a forcing function to
move us to action. And it is my belief, having followed this
from the early 1990s, it's going to take that catastrophic
event.
Now, my second prediction is, the Government's role is
going to dramatically change. It is going to be a very active
role in the future of telecommunications in this country and,
in fact, in global telecommunications.
My third prediction is, we're going to morph the Internet
from something that's referred to, generally, as ``dot-com'' to
something I would call ``dot-secure.'' It will be a new way of
communicating. Because when transactions move billions of
dollars, or when transactions route trains up and down the East
Coast or control electric power or touch our lives in the way
they do at such a significant level, the basic attributes of
security must be endorsed. And the first attribute of security
is not a scrambled text to protect a secret. The first
attribute is authentication; who's doing this transaction. If
it's a $10-billion transaction, don't you need to know for sure
who's conducting the transaction? The second attribute is data
integrity. You didn't move that decimal. The third is
nonrepudiation.
Now, the reason I pick it up that way is because, as the
Director of NSA, everybody knows the mission is to break code;
break the codes of potential adversaries, so we know their
secrets. The other mission of NSA is to make the code to
protect our secrets. And the attributes of security mostly are
in focus when you talk about nuclear weapons. So, if you're--if
you ever contemplated using nuclear weapons--heaven forbid, we
never do--authentication--order from the President--becomes the
single most important feature. Data integrity is the second
most important. Nonrepudiation is the third. So, thinking about
it that way changes one's perspective.
So, we're not going to do what we need to do. We're going
to have a catastrophic event. The Government's role is going to
change dramatically, and then we're going to go to a new
infrastructure.
Now, let me speak to the Government's role. I wanted to get
historical perspective, so I asked some of my associates to do
some research. And the astounding thing that we discovered is,
there is a technology cycle that runs about every 50 years.
Could be closer to 60, or maybe 40, but it's about every 50
years. Every time there's new technology, there's a rush to
invest, there's a frenzy, there's a period when there's a bust,
then there's strong intervention by the Government, and then it
settles out, going forward.
And the first example that I'll use is railroads. United
States has been the largest economy in the world since 1880.
Most people don't know that. We captured the Industrial
Revolution from the British. We laid rail coast-to-coast, and
our economy was off and running. What happened? The railroads
became so powerful they started to dictate to the Government.
So, what was the result? Antitrust legislation; break it up.
The Government's role changed very dramatically.
You can extend that argument to automobiles. Same argument.
When I was a child, 60,000 people a year died on the highway;
the population of the Nation was 150 million. Today, it's
30,000; our population is 300 million. What changed? The
Government's role significantly changed. Interstate highways,
for safety, guardrails, seatbelts, flashers, all the things
that industry was forced to do because it affected so many
people. So, in my view, the Internet--global communications,
moving money at the speed of light from Tokyo to New York, or
from New York to Singapore--billions of dollars--the
transportation systems of the world, the electric power grid of
the world--that is so significant that the Government's role is
going to change very dramatically. And I would predict we will
have a different Internet at some point in time.
Now, what are the things we have to do? International
agreements with partners and with competitors. Because it's in
the interest of China, as an example, to have a Net that's
secure, for which there's authentication, for which there's
data integrity, for which there's nonrepudiation features built
in. You can achieve that with mathematical certainty. It's a
simple function of applying the right kind of tools and
techniques and encryption. I would argue it's not in China's
self-interest to destabilize the U.S. money--money supply.
Now, what I really worry about today is, not a nation-
state. If we had a war with a nation-state, we would engage in
ground combat, maritime combat, air combat, space combat, and
cyberspace combat. That's not likely in our future. But, what
is likely in our future is a group that's not deterred, who
wishes to destroy the system, who has the technical
capability--because the cost of entry is pretty low--has the
technical capability to attack something. And I'll use the
money supply as an example.
I majored in Economics 101, way back as an undergraduate,
and I was astounded to learn there's no gold backing up all
those dollars. We left that standard in the 1930s. And then I
was astounded to learn that they're not even dollar bills
printed; there's--only about 6 percent of the value of the
country is actually in dollar bills. So, where's the value?
It's an accounting entry. And I believe the right kind of
talent could attack the global money supply.
As an example, our gross domestic product, on a yearly
basis, is 14 trillion--just over 14 trillion. Two banks in New
York move 7 trillion a day. So, if an extremist group with the
right kind of tools could scramble that data, they could
destroy confidence in global banking. New York is the banking
center of the world.
So, that's the risk. Will we be required to experience that
catastrophic event before we move to action?
I'll finish with just an example. Nuclear weapons are easy
to imagine, because there's the mushroom cloud and the
shockwave. When nuclear weapons happened, this Nation took
action to put the government in charge. There was a joint
committee of Congress to oversee it and fund it, and the law
said only the government could own things that were nuclear.
Now, that's mitigated over time. That committee was determined
to be unconstitutional, and we created the Department of
Energy, and it has gone on. We've got commercial nuclear energy
and so on. So, we learned over time to adjust to that.
If you take telecommunications and the Internet, it's
almost entirely in the private sector, and it's going in the
other direction. But, it has become so important and so
potentially significant, in my view, it rivals nuclear weapons,
in terms of potential damage to the country.
So, the government was hands-off to start. And if you look
at the evolution of the 50-year cycles, whether it was building
canals or textile machinery or railroads or automobiles, that
cycle repeated, where the government had a greater role when it
affected more people. And we're reaching that point now. So,
either we have a forcing function through a catastrophic event
or, hopefully, your bill will be law and we can have the
forcing function to deal with this in the way we must deal with
it. We must develop a deterrence policy, and we're probably
going to have to figure out how we engage in preemption, where
those that wish us harm cannot be deterred.
Mr. Chairman, that's my warm-up. I look forward to your
questions. Thank you very much.
[The prepared statement of Admiral McConnell follows:]
Prepared Statement of Vice Admiral Michael Mcconnell, USN (Retired),
Executive Vice President, National Security Business, Booz Allen
Hamilton
Introduction
Mr. Chairman, members of the Committee, thank you for the
opportunity to speak to the Committee on Commerce, Science, and
Transportation today.
First, I want to open with a simple statement:
If we were in a cyberwar today, the United States would lose.
This is not because we do not have talented people or cutting edge
technology; it is because we are simply the most dependent and the most
vulnerable. It is also because we have not made the national commitment
to understanding and securing cyberspace. While we are making progress:
the President's cyberspace policy review completed last May,
the appointment of the Cybersecurity Coordinator in
December, and
recent investments in the Comprehensive National
Cybersecurity Initiative (CNCI) are moves in the right
direction but
these moves are not enough.
The Federal Government will spend more each year on missile defense
than it does on Cybersecurity, despite the fact that we are attacked
thousands of times each day in cyberspace and we are vulnerable to
attacks of strategic significance, i.e., attacks that could destroy the
global financial system and compromise the future and prosperity of our
Nation. Securing cyberspace will require a more robust commitment in
terms of leadership, policies, legislation, and resources than has been
evident in the past.
Seizing Opportunity . . .
The cyber revolution has transformed our economy, enriched our
society, and enhanced our national security. The Information and
Communications Technology (ICT) sector contributes over $1 trillion to
our economy each year; ``smart'' electric grids promise to transform
our energy system; intelligent transportation systems are altering the
way we move and the way we manage commerce; electronic medical records
and telemedicine promise to reduce costs while improving quality. The
global financial sector relies on information technology to process and
clear transactions on the order trillions of dollars each day. To put
that in perspective, while the U.S. total GDP was just over $14T last
year, two banks in New York move over $7T per day in transactions.
Meanwhile, major investments in broadband--by both the government
and private sector--empowers small businesses and our citizens; digital
classrooms are changing the way our children are educated; and ``open
government'' initiatives make government data more accessible and
useable for business and individuals alike. Our military and security
services have benefited as well. The Department of Defense has
aggressively adopted network-centric operations, linking sensors,
commanders and operators in near-real time and providing the U.S. a
decisive advantage in the battlespace. The intelligence community and
homeland security have benefited from cyber technologies by improving
collaboration and information sharing across formerly impenetrable
organizational divides. In short, the microprocessor and Internet have
been as transformative as the steam engine and railroads in the 19th
century and as impactful as the internal combustion engine and
interstate highway system in the 20th century.
. . . Managing Risk
The reach and impact of cyberspace will accelerate over the next 10
years, as another billion users in China, India, Brazil, Russia,
Indonesia and Middle East gain access to the Internet. As a
consequence, cyberspace will be much more diverse, distributed, and
complex. As cyberspace becomes more critical to the day-to-day
functioning of business, society and government, the potential damage
from cyber attacks, system failures and data breaches will be more
severe.
In the early stages of cyberspace, the threat largely originated
from ``hackers'' who wanted to their test skills and demonstrate their
technical prowess. Criminal elements followed, resulting in attacks
against financial institutions, credit card accounts, ATMs for personal
gain. More sophisticated actors emerged as state-based intelligence and
security organizations developed robust exploitation and attack
capabilities as part of a larger national security strategy.
Recently, ``hactivists''--non-state actors mobilized in support of
a particular issue or motivated by patriotic reasons--have entered the
fray. Generally speaking, we know and understand these threats--their
capabilities and intentions.
However, of particular concern is the rise of non-state actors who
are motivated not by greed or a cause, but by those with a different
world view who wish to destroy the information infrastructure which
powers much of the modern world--the electric grid, the global
financial system, the electronic health care records, the
transportation networks.
Of increasing concern is that the sophistication of cyber attack
tools continues to increase at cyber speed, while the barriers to entry
continues to fall as attack tools proliferate in chat rooms, homepages,
and websites. The challenges we face are significant and will only
grow; our response must equally bold and decisive.
Recommendations for Cybersecurity
Despite the complex and seemingly unprecedented nature of the
challenge, there are some immediate actions we can take to secure
cyberspace and the future of our Nation.
Cyber Policy--The U.S. needs a long-term cyberspace strategy that
spells our specific goals and objectives and clarifies roles and
responsibilities across the Federal Government. This should be preceded
by a cyber equivalent to President's Eisenhower's ``Project Solarium''
in the early 1950s in developing the Nation's nuclear deterrence
policy. Today, we need a full and open discourse with a diverse group--
business, civil society, and government--on the challenges we face in
cyberspace. This dialogue should result in a strategic framework that
will guide our investments and shape our policies, both domestically
and internationally.
We need a national strategy for cyber that matches our national
strategy that guided us during the cold war, when the Soviet Union and
nuclear weapons posed an existential threat to the United States and
its allies. Cyber has become so important to the lives of our citizens
and the functioning of our economy that gone are the days when Silicon
Valley could say ``hands off' to a Government role. To offer historical
perspective on how the Government's role has increased in every case as
emerging technologies effect the Nation and greater numbers of our
citizens, I am attaching to this statement a review conducted by my
colleagues and I entitled ``The Road to Cyberpower.''
Cyber Operations--The Cybersecurity challenge to the Nation today
mirrors our response to counter terrorism after 9/11--a host of Federal
and state and local agencies, each with their own authorities,
missions, operations centers and information systems. The risk is that
we fail to learn the lessons around counterterrorism information
sharing and operations and create more silos by individual agencies,
potentially creating an atmosphere of bureaucratic rivalry and
duplicative investments. To that end, the U.S. should establish a
National Cybersecurity Center, modeled on the interagency National
Counter Terrorism Center (NCTC), that integrates elements of DoD's
proposed Cyber Command, DHS's National Cybersecurity and Communications
Integration Center (NCCIC), FBI's cyber operations, state and local
government, and the private sector. This center should operate at the
highest levels of classification for all members and serve as the hub
of information sharing and integration, situational awareness and
analysis, coordination and collaboration. Only sharing information
across all sectors will we be able to provide incident response across
all domains of cyberspace--.gov, .mil, and .com.
Such a center would utilize the legal authorities of each agency
while protecting privacy and civil liberties with appropriate oversight
by the Attorney General and the Congress. The center also could serve
as the information sharing and collaboration hub with our allies and
other Cybersecurity organizations, providing a single conduit for
outside entities.
Cyber Technology--The U.S. risks being left behind in Cybersecurity
technology. Currently, multiple organizations within the government and
private sector are focused on developing new technologies to protect
our networks, computer systems, data and applications. However, most of
the efforts are fragmented and sub-scale. The U.S. should approach this
challenge as we successfully addressed to the challenge to our
semiconductor industry in the 1980s through a public-private
partnership focused on Cybersecurity technologies.
The U.S. should establish a Cybersecurity Collaborative Consortia,
modeled after SEMATECH, a public-private partnership that supports
basic research and development and develops foundational technologies
and techniques of common concern--identity and access management,
secure networks, intrusion detection, dynamic defense, etc. Such an
organization should work closely with the National Institute of
Standards and Technology (NISI) and with the National Security Agency
(NSA) to define standards for Cybersecurity that could be used for
government, business, and individuals in both the public and private
sectors because there are no effective boundaries in cyberspace.
Cyber Human Capital--The U.S. needs a Cyber Education and Training
Initiative (akin to the National Defense Education Act of 1958 after
the launch of Sputnik) to build our national human capital base in
math, science and technology, electrical engineering, computer science,
and cybersecurity. Recent initiatives by Congress in programs like the
Federal Cybersecurity Scholarship for Service and the Information
Assurance Scholarship Program are a start, but need to be more
aggressively funded to build the expertise we need in cyberspace. As a
country, our vulnerabilities will only grow without a highly trained
workforce than can respond to the daunting cyber challenges and
opportunities of the 21st century.
Cyber Management--Current spending and oversight on Cyber is spread
among multiple accounts and dispersed over multiple committees in
Congress. It is difficult to understand the current level of investment
in cyber and evaluate the effectiveness of our investments given this
complexity and lack of transparency. OMB, working with Congress, should
identify Cybersecurity investments, develop performance criteria
aligned against a national cyber strategy, address the gaps and
eliminate duplicative or conflicting efforts, and improve
accountability for results. We can not spend our way out of this
challenge, prioritization, accountability, management and oversight are
key.
Summary
Cyber technologies offer unprecedented opportunities for the
nation; however, they also present significant risks to our
infrastructure, our financial systems, and our way of life. We
prevailed in the Cold War through strong leadership, clear policies,
strong alliances, and close integration of all elements of national
power--economic, military, and diplomatic--supported by a bi-partisan,
national consensus around containment and deterrence. We must do the
same with Cybersecurity.
The Chairman. Thank you, Admiral.
Dr. Lewis.
STATEMENT OF JAMES A. LEWIS, DIRECTOR AND SENIOR
FELLOW, TECHNOLOGY AND PUBLIC POLICY PROGRAM,
CENTER FOR STRATEGIC AND INTERNATIONAL STUDIES
Dr. Lewis. Thank you, Mr. Chairman, and I'd like to thank
the Committee for the opportunity to testify.
And I want to congratulate you on the Cybersecurity Act of
2010. This is a very important bill, and if it was passed, it
would make an immense improvement to our national security and
our economic well-being. The bill provides a broad rethinking
of our approach to cybersecurity and the role of government.
And a lot of what I'm going to say is going to sound a lot like
Admiral McConnell, which may be good, or not.
The people who pioneered cyberspace--the people who
originally designed it--they wanted governments to have a
limited role. They expected the Internet would be a self-
governing global commons. And they argued there were no borders
in cyberspace and that technology moved too fast for government
to intervene and that the old rules of business and national
security didn't apply. None of this was right.
People thought we would get a peaceful global commons.
Instead, we've got the Wild West. The Internet was not designed
to be secure. The rules and contracts put in place when it was
commercialized were not written with security in mind. The
result is a very Hobbesian environment; cyberspace is not safe.
So, the issue for me is, How do you bring law to the Wild
West? How to move from a do-it-yourself homebrew approach to
cybersecurity, and how to secure the digital global
infrastructure we now depend on. Legislation like the
Cybersecurity Act can play a crucial role in bringing needed
change.
You will hear--I think you've already heard--a litany of
criticism. You will be told the bill is not perfect. But, I
note that the Constitution says our goal is ``more perfect,''
not perfection. This bill would make cybersecurity more
perfect.
People will say that we cannot measure or certify
cybersecurity. This might explain why we're in such a mess.
But, I think we're now at the point where we're beginning to
collect data that shows what works; and if we can determine
what works, we can teach it and we can certify people to it.
Many will say that we should let the market fix
cybersecurity. I'm familiar with this one because I, myself,
wrote it in 1996, and I'm still waiting. The government needs
to give the market a kick.
There's a desire to say that the President should not have
authorities, during a crisis, to respond to the kind of cyber
attack that Admiral McConnell was talking about. I call this
the Hurricane Katrina approach to cybersecurity. There will be
complaints that cybersecurity will get in the way of
innovation. But, to build on the car metaphor, requiring safer
cars did not kill innovation in the automobile industry, or we
would still all be driving 1956 DeSotos.
Some claim the private sector can do a better job defending
networks than government. This is like saying we can rely on
the airlines to defend our airspace against enemy fighters.
Private companies will never be a match for foreign
intelligence service or foreign militaries.
But, moving to the policies we need for cybersecurity will
not be easy. In the past, when a new technology has come along
and reshaped business and warfare in society, it has taken the
United States decades to develop the rules it needed; the laws,
the judicial precedents, and the regulations that would
safeguard society.
The difference now is that we don't have decades to do
this. We're under attack every day, as you said. We're losing,
every day, vital secrets. We're at tremendous risk. If we had a
war, we would lose. So, we can't wait. You know, when it was
steam engines or automobiles or telephones, we could take 20 or
30 or 40 years to come up with the rules we needed. But, we
don't have that luxury now, right? Prompt action is necessary.
The prospects for growth and improvement in cyberspace
remain great, but to obtain these benefits, we need to close
the frontier, end the pioneer approach, say the Wild West is
over, and bring the rule of law to cyberspace. We need a new
framework for cybersecurity, and this bill helps provide it.
The work of this committee has really helped force the
debate in this issue, and so I really applaud you for it.
People have had to think hard about real serious issues. And I
hope, with that, that we see passage of the bill sometime this
year.
Thanks again for letting me testify, and I'll be happy to
take your questions.
[The prepared statement of Dr. Lewis follows:]
Prepared Statement of James A. Lewis, Director and Senior Fellow,
Technology and Public Policy Program, Center for Strategic and
International Studies
I would like to thank the Committee for this opportunity to testify
and I would like to congratulate it for its comprehensive
``Cybersecurity Act of 2009.''
This bill is important because it is a broad step to rethinking our
approach to the Internet, to cyberspace, and to the role of government.
The pioneers of cyberspace wanted governments to have a very
limited role. They expected a self-governing global commons to emerge,
and argued that there were no borders, that technology moved to fast,
that old rules of business and security did not apply. They expected a
global commons; instead they got the wild west. The Internet was not
designed to be secure; the rules and contracts put in place when it was
commercialized were not written with security in mind. The result is
Hobbesian, that is to say nasty and brutish, if not short. So the issue
for the Nation is how to bring law to the Wild West, how to move from a
do-it-yourself homebrew approach to cybersecurity, and how to secure a
global digital infrastructure upon which we now depend. Legislation
like the Cybersecurity Act 0f 2010 can play a crucial role.
Cybersecurity has become an important issue over the last decade as
the Internet changed to become a significant global infrastructure. The
U.S. in particular has woven computer networks into so many of its
economic activities that we are as reliant on the Internet as we are on
any other critical infrastructure. Networked activities can be cheaper
and more efficient, so companies large and small have migrated to the
Internet because it can provide competitive advantage. Our national
defense relies heavily upon networks. Networks reinforced existing
trends in military the realization that intangible factors--greater
knowledge, faster decisionmaking increased certainty--would increase
effectiveness of our military force.
That technologies designed in the early 1970s have worked so well
and have so cleanly scaled to support more than a billion users is an
amazing triumph, but anyone with malicious intent can easily exploit
these networks. The Internet was not designed to be a global
infrastructure upon which hundreds of millions of people would depend.
It was never designed to be secure. The early architects and thinkers
of cyberspace in the first flush of commercialization downplayed the
role of government. The vision was that cyberspace would be a global
commons led and shaped by private action, where a self-organizing
community could invent and create. This ideology of a self-organizing
global commons has shaped Internet policy and cybersecurity, but we
must now recognize that this pioneer approach is now inadequate.
There are two reasons for this inadequacy. First, private efforts
to secure networks will be always be overwhelmed by professional
military and criminal action. The private sector does not have the
capability to defeat an advanced opponent like the SRV or the PLA,
organizations that invest hundreds of millions of dollars and employ
thousands of people to defeat any defense. We do not expect airlines to
defend our airspace against enemy fighter planes and we should not
expect private companies to defend cyberspace against foreign
governments.
Second, absent government intervention, security may be
unachievable. Two ideas borrowed from economics help explain this--
public goods and market failure. Public goods are those that benefit
all of society but whose returns are difficult for any individual to
capture. Basic research is one public good that the market would not
adequately supply if government did not create incentives.
Cybersecurity is another such public good where market forces are
inadequate.
We talk about cyber attack and cyber war when we really should be
saying cyber espionage and cybercrime. Espionage and crime are not acts
of war. They are, however, daily occurrences on the Internet, with the
U.S. being the chief victim, and they have become a major source of
harm to national security. The greatest damage to the U.S. comes from
espionage, including economic espionage. We have lost more as a nation
to espionage than at any time since the 1940s. The damage is usually
not visible, but of course, the whole purpose of espionage is not to be
detected.
This is not cyberwar, Russia, China, and cybercriminals of all
types have no interest in disrupting Wall Street, the Internet, or the
American economy. There is too much to steal, so why would anyone close
off this gold mine. As with any good espionage exploit or mafia racket,
the perpetrators want stability, a low profile, and smooth operations
going so they can continue to reap the benefits.
There is a potential for cyber attack, but it is so far constrained
by political and technological barriers. Terrorists likely do not yet
have the advanced cyber capabilities needed to launch crippling
strikes. The alternative, that they have these capabilities but have
chosen for some reason not to use them, is ridiculous. There are
nations that could launch a crippling strike, but they are likely to do
son only as part of a larger armed conflict with the United States.
These nations do not love jihadis any more than we do, so they are
unlikely in the near future to transfer advanced cyber capabilities to
terrorists. Presumably, in the case of Russia and China their cyber
criminal proxies are also instructed not to take jihadi clients
(although there is one incident where it is alleged that Russian
hackers served as mercenaries for Hezbollah, against Israel). Should
any of these conditions change--the technological constraints that
limit terrorists and the political constraints that limit states and
advanced cyber criminals - the U.S. is in no position to defend itself
against cyber attack.
Short of armed conflict (over Taiwan or Georgia), China or Russia
are unlikely to use cyber strikes against the U.S. The political risk
is too high--it would be like sending a bomber or a missile against a
power plant, and the U.S. response would be vigorous. Our opponents,
however, have reportedly conducted reconnaissance missions against
critical infrastructure--the electrical grid, for example--to allow
them to strike if necessary in the event of conflict. Cyber attack is
cheaper and faster than a missile or plane, there is some chance that
the attacker can deny responsibility (because of the weak
authentication on the Internet). Right now, our opponents have the
advantage but it is within our capabilities to change this.
Getting this change requires a new approach. Many of the solutions
to the problem of cybersecurity our Nation has tried are well past
their sell-by date. Public-private partnerships, information sharing,
government-lead-by-example, self-regulation, and market-based solutions
are remedies we have try for more than a decade without success. These
policies overestimate incentives for private action and misalign
government and private sector responsibilities.
Like other new technologies in the past--airplanes, cars, steam
engines--the appeal and the benefits are so great that we have rushed
to adopt the Internet despite serious safety problems. These problems
are amplified by the global connectivity of the new infrastructure, as
the speed of Internet connections means that geographical distance
provides little in the way of protection. For those earlier
technologies, safety came about through innovation driven by government
mandates, and by agreements among nations. The same process of
development is necessary to secure cyberspace. The Cybersecurity Act of
2009 could play a vital role in this improvement.
This will not be an easy task. The United States does not like to
deal with market failure. This has been true since the earliest days of
the republic. Steam engines, although notoriously unsafe, had to wait
forty years until a series of savage accidents costing hundreds of live
led Congress to impose safety regulations. Automobile safety rules took
more than half a century and initially faced strong opposition from
manufacturers. The initial air safety regulations appeared only twenty-
three years after the first flight. There is the recurring hope that
``intellect and practical science,'' to quote a 19th Century
Congressional report explaining why regulation was unnecessary for
steamboats put it, will lead to improvement via some automatic and
self-correcting market process and without government intervention.
Just as cars were not built to be safe until government pressure
changed auto manufacturers' behavior, cyberspace will not be secure
until government forces improvement. Twelve years of reliance on
voluntary efforts and self-regulation have put us in an untenable
situation. Some may argue that a move away from the market or a greater
emphasis on security or a larger role for government will damage
innovation in cyberspace. This argument is in part a reflection of
competition among various bureaucracies, advanced to protect turf, but
is also reflects a misunderstanding of the nature of innovation. There
are grounds to be concerned about the ability of the U.S. to innovate
when compared to other nations, but the real obstacles are a weak
education system, poorly designed tax policies, damaging immigration
rules, and mis-investment that makes it hard to develop new
technologies and competitors. Removing these obstacles would be
politically difficult and face strong opposition. It is easier to
insist instead that keeping the Internet open and anonymous or bringing
broadband to undeserving areas will somehow generate growth. Greater
security is more likely to increase innovation, by reducing the loss of
intellectual property and by increasing demand for more valuable
Internet services.
Another reason put forward for not taking action is the supposedly
borderless nature of cyberspace. The pioneers of cyberspace wanted
their new creation to be a global commons, a shared space that no one
owns. The designers of the Internet built the network to reflect their
values, which were non-hierarchical and to a degree, anti-authoritarian
and anti-government. One of the original cyberspace theorists was also
a songwriter for the Grateful Dead, and it was he who issued the famous
Declaration of Independence of cyberspace, saying there was no room or
need for governments. Cyberspace would be a global commons where a
self-organizing community could invent and create.
This is an ill-conceived notion that continues to distort our
thinking. Cyberspace is an artificial construct produced by machines.
Those machines are all owned by individuals or organizations and all
exist in some physical location that is subject to the sovereign
control of some nation.
Cyberspace is like the public space in a shopping mall, a ``pseudo
commons'' or a condominium.
In some instances, of course, such as the Internet Engineering Task
Force or the Open Source Software Movement, this vision of an open,
nonhierarchical community has worked exceptionally well. But to use a
historical analogy, many of the pioneers of the Internet expected
Woodstock and the ``Summer of Love,'' instead they got Altamont and the
Hells Angels. The combination of unplanned global access, porous
technologies, and weak governance makes this newly critical
infrastructure exceptionally vulnerable. As our reliance as a nation
increases, so does our vulnerability to remote exploitation and perhaps
attack.
Cyberspace is not a global commons. It is a shared global
infrastructure. There is rarely a moment when a collection of bits
moving from one computer to another is not actually on a network that
someone owns and that is physically located in a sovereign state. The
exceptions might be undersea cables or satellite transmissions, but the
action still takes place on an owned facility were the owner is subject
to some country and its laws. At best, this could is a ``pseudo
commons.'' It looks like a commons but actually is not, as someone owns
the resources in question and that someone is subject to the laws of
some nation. Cyberspace is in fact a more like a condominium, where
there are many contiguous owners.
Governance of this condominium is both weak and fragmented. There
are no agreed rules, other than business contracts, and no
``condominium board,'' no process to develop rules. Action in
cyberspace takes place in a context defined by commercial law and
business contracts. When the United States commercialized the Internet,
it chose this legal construct accommodate business activity, but it is
inadequate for security, particularly as the Internet spread to
countries around the world and to nations with very different values
and laws.
The proposed legislation would go a long way to correct these
problems. To put the problem in a larger perspective, it is time to
move from the policies created in the pioneer phase of the Internet. It
is time to close the Wild West. This will require a broad rethinking of
American law and policy, and will require adapting to the technologies
we now depend on. It will need new kinds of international agreements,
new standards and rules for industry, and new approaches to the
professionalization of those who operate networks. This is no small
task but, judging from experience, it is inevitable. This process has
occurred before, often with help from the government. The Commerce
Department of the 1920s, for example, encouraged several major
industries, including the automotive and radio industries, to
standardize, to professionalize, and to create associations and rules
that serve the public interest.
A ``one size fits all'' strategy will not work. We will need to
manage international engagement, critical infrastructure regulation,
and economic stability all at the same time. Progress faces significant
obstacles. There are legitimate concerns over civil liberties. There
are strong business interests in avoiding regulation. And there are the
tattered remnants of a vision of cyberspace as some kind of utopian
frontier. Governance is a central issue for each of these. Governance
is the process for creating rules, resolving disputes, and ensuring
compliance. Our beliefs about the nature of cyberspace have downplayed
the role of formal governance and now we are paying the price. Changing
this, as we did for steamboats, cars and airplanes, is part of the
long-term process to adjust to new environment created by technological
change.
This bill contains many of the essential elements of the new
approach we need. A comprehensive national strategy that considers all
aspects of national security and puts forward along term vision for
cyberspace is an essential starting point for making this new
infrastructure secure. It will be essential, of course, to avoid merely
repeating the formulas of 1998 or 2003 in a new strategy. We've heard
repeatedly that there is a shortfall of individuals with the requisite
skills for cybersecurity. The scholarships, competitions and workforce
plans outlined in this bill would go a long way to repair this. The
legal review and the intelligence assessment are long overdue. The call
for the creations of a response and restoration developed with the
private sector that the President could implement in a crisis is
crucial for national defense.
As with any major piece of legislation, there will be considerable
criticism. Some of this criticism is ideological, some reflects self-
interest, and some is the result of a healthy skepticism as to our
ability to carry out some of the ambitious measures contained in the
bill. There was initially concern that emphasizing the authorities the
President already has to intervene in network operations during a
crisis would somehow give the ability to shut off the Internet. This
stemmed mainly from an inaccurate reading of the bill and perhaps from
the desire to preserve the notion of cyberspace as an untrammeled
commons where government has little or no role. Frankly, efforts to
deny the President adequate authority in a crisis are like expressing a
preference for Katrina-like disaster management. I hope we can do
better.
No one ever disagrees with the notion of more education, but the
more contentious aspect of the workforce development is the requirement
for certification and training. Being able to certify that someone has
the necessary skill and knowledge is a requisite part of
professionalization. We do this for doctors, lawyers, pilots, barbers,
plumbers and real estate agents. Some certification requirements are
Federal, many are developed by states. Many in the IT industry believe
that they are not ready for this step. Certification requires knowing
what is useful and necessary and being able teach it and test it. It is
on the former that there is disagreement--that we do not know what is
necessary for security.
This may have been true at one time but I believe it is changing.
In the last few years, as people have been able to collect more data on
security problems, to develop metrics, and to identify steps will
reduce risk, it is possible to think of a training program for
cybersecurity. This is part of a larger move from compliance drive
security, which has largely failed, to performance driven security. The
concept of a cybersecurity dashboard found in Section 203 reflects this
shift to a data driven approach to cybersecurity. The Act, if passed,
will accelerate the development and professionalization of those parts
of cyberspace that provide critical services to the Nation.
These are all politically difficult issues, but this situation is
not new. Every time a new technology has reshaped business, warfare and
society, there has been a lag in developing the rules--law, judicial
precedents, regulations--needed to safeguard society. Cyberspace is
different in its global scope and in the immediate nature of the damage
America suffers. Waiting for some natural process or perfect solution
not only puts our Nation at risk, it gives our opponents an advantage.
We would be well served if Congress passed this bill.
The Chairman. Thank you, sir.
Mr. Borg.
STATEMENT OF SCOTT BORG, DIRECTOR AND CHIEF ECONOMIST, U.S.
CYBER CONSEQUENCES UNIT
Mr. Borg. Thank you for inviting me.
My name is Scott Borg. Oh, I should turn this on. I'm the
Director of the U.S. Cyber Consequences Unit. This is an
independent, nonprofit, research institute that investigates
the economic and strategic consequences of cyber attacks. We
supply our results only to the U.S. Government and to the
public.
At the USCCU, I've had the privilege of leading an
extraordinary team of cybersecurity experts, economists, and
other investigators, many of whom have national reputations.
This team has included Warren Axelrod, John Bumgarner, Joel
Gordes, Ben Mazzotta, Michael Mylrea, Ardith Spence, Paul
Thompson, Charles Wheeler, and a number of others.
Since 2004, we have been visiting facilities in critical
infrastructure industries, and interviewing employees, to
determine what cyber attacks are actually possible and what
their consequences would be. We have been given access to the
business records of large critical infrastructure corporations
so that we could analyze their dependence on their suppliers
and their customers' dependence on them. We've developed
powerful conceptual frameworks and analytic tools for making
sense of this information.
There are three points I would like to make today. First,
cyber attacks are already damaging the American economy much
more than is generally recognized. Second, the biggest growth
opportunities for the American economy all depend on better
cybersecurity. Third, in order to get the improved
cybersecurity we urgently need, we must fix a number of broken
or missing markets.
The greatest damage to the American economy from cyber
attacks is due to massive thefts of business information. This
type of loss is delayed and hard to measure, but it is much
greater than the losses due to personal identity theft and the
associated credit card fraud. The reason the loss from
information theft is so great is that we really do operate in
an information economy. The amount of value a company can
create and capture is generally proportionate to the amount of
information that it can utilize that its global competitors
can't.
Education is economically important because it allows us to
create and apply more information. The greater portion of the
value, even in most manufactured goods, is not in the materials
from which things are made, but in the information they
contain. A modern automobile or airplane, from an economic
standpoint, is primarily an information product.
To understand what this means, think of how a company makes
money. It introduces a new product or a new feature, and
collects a premium from it until its competitors start offering
something comparable. Even after that, the company will
probably still be able to make a profit on that item because it
will know how to produce it for less. When a new production
facility opens, there will typically be a 5- to 15-percent drop
in costs each year for the first 3 to 6 years. This is because
the company is learning how to do everything more efficiently;
it's about information. The amount by which the company's costs
are lower than the costs of its competitors is normally all
profit.
Now think what happens if the company's information is
stolen. The period during which it can collect a premium will
be reduced to almost nothing, because the competitors will be
able to offer a comparable product almost right away. The
profits due to lower costs will be gone, because the
competitors will have all the detailed information that made
the greater efficiencies possible. The competitors' costs will
actually be lower than those of the victimized company, because
the competitors won't have the expense of creating the
information. Instead of collecting a healthy profit, the
victimized company might now be struggling to survive.
Most of the other factors allowing companies to prosper can
also be wiped out by information thefts. To get an idea of the
effect of information thefts on the larger economy, imagine
this sort of example multiplied thousands of times.
The biggest large-scale growth opportunities for the
American economy also depend on better cybersecurity. This is
because nearly all the more innovative ways of creating value
need information technology to be developed efficiently.
There are eight big growth opportunities that I've been
able to identify. I think you've been given a list of them.
These include things like the flexible re-allocation of
capacity, which lies behind the Smart Grid and cloud computing;
mobile information support, which boosts efficiency of tools
like electronic medical records; and smart products, which
allow products, such as smart phones, to increasingly contain
services. Examining this list reveals that each of these
opportunities requires networked computers, and is vulnerable
to cyber attacks. Awareness of this is the main thing that is
slowing down the implementation of many of these strategies.
And most of them could be brought to a screeching halt by a
greater awareness of the vulnerabilities they're introducing.
The solutions to these problems are not something that the
government can directly legislate into existence. The reason is
that both the information technology and the techniques
employed in cyber attacks are developing so rapidly. If the
government tries to mandate standards, they will be out of
date, and an actual impediment to better security, before they
can be applied. This is not like fire codes for building
constructions, where the big changes take decades. We don't
know what the minimum code of cybersecurity should look like 4
years from now.
If there's any area of the American economy that needs
creative entrepreneurial problem-solving, it is, therefore,
cybersecurity. Yet, our markets are currently not delivering
the improvements in cybersecurity at anything like the
necessary rate. In some cases, they are not delivering
improvements at all.
When markets are not functioning properly, there are
identifiable reasons. I think you've got a list of these
reasons; there happen to be six of them. Sometimes it's because
companies are not being charged for all of their costs or paid
for all the benefits they produce. Other times, the individual
agents are not adequately motivated to act in the long-term
best interests of their company. Still other times, there isn't
enough information available for good market choices.
Each of these market problems, each of these market
breakdowns, has possible remedies. It's these remedies to the
market failures that should be at the center of our discussion
of how to improve our cybersecurity.
Thank you.
[The prepared statement of Mr. Borg follows:]
Prepared Statement of Scott Borg, Director and Chief Economist,
U.S. Cyber Consequences Unit
Thank you for inviting me. My name is Scott Borg. I am the Director
of the U.S. Cyber Consequences Unit. This is an independent, non-profit
research institute that investigates the economic and strategic
consequences of cyber attacks. We supply our results only to the U.S.
Government and to the public. At the US-CCU, I have had the privilege
of leading an extraordinary team of cyber-security experts, economists,
and other investigators, many of whom are nationally famous in their
fields. This team has included Warren Axelrod, John Bumgarner, Joel
Gordes, Ben Mazzotta, Michael Mylrea, Ardith Spence, Paul Thompson,
Charles Wheeler, and a number of others. Since 2004, we have been
visiting facilities in critical infrastructure industries and
interviewing employees to determine what cyber attacks are actually
possible and what their effects would be. We have been given access to
the business records of large critical infrastructure corporations, so
that we could analyze their dependence on their suppliers and their
customers' dependence on them. We have developed powerful conceptual
frameworks and analytic tools for making sense of this information.
There are three points I would like to make today:
First, cyber attacks are already damaging the American economy
much more than is generally recognized.
Second, the biggest growth opportunities for the American
economy all depend on better cyber security.
Third, in order to get the improved cyber security we urgently
need, we must fix a number of broken or missing markets.
The greatest damage to the American economy from cyber attacks is
due to massive thefts of business information. This type of loss is
delayed and hard to measure, but it is much greater than the losses due
to personal identity theft and the associated credit card fraud. The
reason the loss from information theft is so great is that we really do
operate in an information economy. The amount of value a company can
create and capture is generally proportionate to the amount of
information it can utilize that its global competitors can't. Education
is economically important because it allows us to create and apply more
information. The greater portion of the value, even in most
manufactured goods, is not in the materials from which things are made,
but in the information they contain. A modern automobile or airplane,
from an economic standpoint, is primarily an information product.
To understand what this means, think of how a company makes money.
It introduces a new product or new feature and collects a premium for
it until its competitors start offering something comparable. Even
after that, the company will probably still be able to make a profit on
that item, because it will know how to produce it for less. When a new
production facility opens, there will typically be a five to fifteen
percent drop in costs each year for the first three to 6 years. This is
because the company is learning how to do everything more efficiently.
The amount by which the company's costs are lower than the costs of its
competitors is normally all profit.
Now think of what happens if the company's information is stolen.
The period during which it can collect a premium will be reduced to
almost nothing, because the competitors will be able to offer an
equivalent product right away. The profits due to lower costs will be
gone, because the competitors will have all the detailed information
that made the greater efficiencies possible. The competitors' costs
will actually be lower than those of the victimized company, because
the competitors won't have the expense of creating the information.
Instead of collecting a healthy profit, the victimized company might
now be struggling to survive.
Most of the other factors allowing companies to prosper can also be
wiped out by information thefts. To get an idea of the effect of
information thefts on the larger economy, imagine this sort of example
multiplied thousands of times.
The biggest large-scale growth opportunities for the American
economy also depend on better cyber security. This is because nearly
all of the more innovative ways of creating value need information
technology to be implemented efficiently.
There are eight big growth opportunities that I have been able to
identify. These include things like the Flexible Re-Allocation of
Capacity, which is what lies behind the smart grid and cloud computing,
Mobile Information Support, which boosts efficiency with tools like
electronic medical records, and Smart Products, which will allow
material products, such as smart phones, to increasingly ``contain
services.''
Examining this list reveals that each of these opportunities
requires networked computers and is vulnerable to cyber attacks. An
awareness of this is the main thing that has already been holding back
the adoption of practices like cloud computing. More important, nearly
all of these economic initiatives, including the smart grid and
electronic medical records, could be brought to a screeching halt by a
greater awareness of the vulnerabilities that they are introducing.
The solutions to these problems are not something that the
government can directly legislate into existence. The reason is that
both the information technology and the techniques employed in cyber
attacks are developing so rapidly. If the government tries to mandate
standards, they will be out of date--and an actual impediment to better
security--before they can be applied. This is not like fire codes in
building construction, where the big changes take decades. We don't
know what the minimum code for cyber security should look like 4 years
from now.
If there is any area of the American economy that needs creative,
entrepreneurial problem solving, it is therefore cyber security. Yet
our markets are not currently delivering improvements in cyber security
at anything like the necessary rate. In some cases, they are not
delivering improvements at all.
When markets are not functioning properly, there are identifiable
reasons. Sometimes companies are not being charged for all of their
costs or paid for all of the benefits they produce. Other times, the
individual agents are not adequately motivated to act in the long term
best interests of their company. Still other times, there isn't enough
information available for good market choices. There are six such
reasons altogether, and each suggests possible remedies. It is these
market remedies that should be at the center of our discussions on how
to save our economy from the destructive effects of cyber attacks.
Thank you.
The Chairman. Thank you, sir, very much.
And now Mary Ann Davidson, from Oracle, please.
STATEMENT OF MARY ANN DAVIDSON,
CHIEF SECURITY OFFICER, ORACLE CORPORATION
Ms. Davidson. Chairman Rockefeller and members of the
Committee, I'm Mary Ann Davidson, the Chief Security Officer
for Oracle.
I appreciate the opportunity to appear before you today,
and I want to commend the Committee for tackling the difficult
issue of cybersecurity and for including industry in the
drafting process of cybersecurity legislation, since
partnership between government and the private sector is
critical to secure our common infrastructure.
I have two specific recommendations to address the present
and future challenges of securing critical infrastructure.
First, we need to change the educational system so that we have
a cadre of people who know that critical cyberinfrastructure
will be attacked and to design and build accordingly and
defensively. Second, we need to stop upping the ante on
exposing critical infrastructure to, in some cases, large
systemic risk.
Some have proposed that we certify cybersecurity
professionals to improve the protection of critical
infrastructure. However, you can't secure something that was
not designed or built to be secure. Putting it differently, do
we certify interior decorators or the people who built the
house? It's architects and engineers and contractors who are
professionally licensed, not the people who move furniture
around and pick out color schemes, as important as that is.
Those who build software used in critical infrastructure do
not, in general, design and code defensively, because they're
not educated to do it. And yet, too many universities fiddle
while Rome burns, or at least fiddle while Rome is being
hacked. Several years ago, Oracle sent letters to the top
universities we recruit from, telling them that we spend
millions of dollars fixing avoidable, preventable coding errors
in software that creates security vulnerabilities. We have to
train all computer science graduates in how to write secure
code, because they were not taught this at universities.
Universities need to change their curricula to address this
clear and present deficiency. And the security of commercial
software has become a national security issue. Oracle received
precisely one response to this letter, and that was a request
for money. Is there a more tone-deaf response than that?
We must act now to change the educational system for all
computer science and computer-related degree programs,
including industrial control systems, so they include security
throughout the degree program. We should insist that
universities submit a plan to alter their curricula, and we
should link government research funding to phased change. If
parents can tell their toddlers that they don't get any dessert
until they eat their peas, the U.S. Government can certainly
tie monies to computer-related curricula change.
Something else we can do today is stop making cybersecurity
worse by using technology in ways we know very well we cannot
secure and that creates huge systemic risk. We need look no
further than the recent financial system meltdown in which
massive computer programs could quantify all kinds of risk
except the most important one: systemic risk.
One such area is Smart Grid, the idea that powerplants can
use near-realtime measurements on usage--devices in your home--
so we can price power better, be smarter about usage and build
fewer plants. Nobody is opposed to doing more with less,
unless, of course, the ``more'' includes a lot more risk.
And here's what we do know. We know we cannot secure
millions of IP-based clients; the millions of PCs that have
been co-opted into botnets are proof of that. We know that the
SCADA protocols used in control systems were not designed to be
attack resistant; they were originally used in
electromechanical systems, where you had to physically access
the control, turn the knob, and so on. Now we are increasingly
moving to IP-based control systems and connecting them to
corporate networks that, in turn, are connected to the
Internet.
We know that some Smart Grid devices are hackable. For
example, a prototype worm developed by a security research firm
was able, in a simulated attack--thank heavens--to spread from
meter to meter to take out power in more than 15,000 homes in
24 hours. We know that terrorists are increasingly interested
in targeting utility grids. We know that there are PDAs--
digital assistants--that talk SCADA, because it's just so
expensive to send a technician to the plant. Dare I say, move
the control rods in and out of the reactor? There's an app for
that. Will we one day scram a reactor when someone was merely
trying to answer the phone?
And last, we know that the people designing and building
these systems are not taught secure, defensive programming any
more than computer programmers are.
There are two things we can do now, and must do now. We
should insist on some standards, through existing standards
bodies, of Smart Grid components. NIST, for example, has led a
cybersecurity working group that recently released a second
draft of Smart Grid Cybersecurity Strategy and Requirements
document. Good on them.
Second, we need better transparency on how Smart Grid
components are built and of what they are built. There are some
mechanisms that can help establish this transparency, such as
the Common Criteria, which is ISO-standard, and the Department
of Homeland Security materials on improving software assurance
and acquisition.
Last, we do not think of the New Testament as a guide to
critical infrastructure protection, and yet, Jesus contrasted
the man who built his house on a rock with, quote, ``a foolish
man who built his house on sand.'' The rain came down, the
streams rose, and the winds blew and beat against that house,
and it fell with a great crash. The Gospel of Matthew.
This is an apt description of securing critical
infrastructure. If our infrastructure builders do not
understand the difference between building on rock and building
on sand, our house will collapse in the first good rainstorm.
Thank you, and I'll be happy to take your questions.
The Chairman. Thank you.
[The prepared statement of Ms. Davidson follows:]
Prepared Statement of Mary Ann Davidson, Chief Security Officer,
Oracle Corporation
Chairman Rockefeller, Ranking Member Hutchison, and members of the
Committee, I am Mary Ann Davidson, Chief Security Officer for Oracle. I
appreciate the opportunity to appear before you today, and I also want
to commend the committee for tackling the issue of cyber security--it's
a very tough and multi-faceted issue. I also want to thank the
committee for including industry in the drafting process of cyber
security legislation, partnership between government and the private
sector is critical for making our public infrastructure safe and
secure.
When many of us were young, we looked up to superheroes: Superman,
Batman, Aquaman and Wonder Woman: the people who could do almost
anything and were unstoppable (except--perhaps--by Kryptonite). When we
grow up, most of us realized that there are no superheroes: many
problems are very difficult to solve and require a lot of hard work by
a lot of smart people to fix. So it is with the security of critical
infrastructure: we cannot shine a signal in the sky and expect
SuperNerd to come and save us.
Many intelligent people have proposed a number of ways we can help
define the problem of critical infrastructure protection as it relates
to cybersecurity, ``bound'' the problem space and improve it. There are
two specific recommendations that may help stem the problems of the
present and change the dynamics of the future: both are necessary to
help secure not only today's but tomorrow's critical
cyberinfrastructure.
First, we need to change our collective mindset so that elements of
critical cyber infrastructure are designed, developed and delivered to
be secure. We do that in part by changing the educational system so
that we have a cadre of people who know that critical cyber
infrastructure will be attacked--and they build accordingly and
defensively. We do not generally think of the New Testament as a guide
to critical infrastructure protection, yet consider the parable of the
builders, in which Jesus contrasts the man who built his house on rock
with ``. . . a foolish man who built his house on sand. The rain came
down, the streams rose, and the winds blew and beat against that house,
and it fell with a great crash'' (Matthew 7:24-27). This parable is an
apt description of the problems in securing critical infrastructure: if
our infrastructure ``builders'' do not understand the difference
between building on rock and building on sand, our house will collapse
in the first good rainstorm.
The second recommendation is more straightforward: we need to stop
``upping the ante'' on exposing critical infrastructure to--in some
cases--unknowable risk--and we should walk away from the gambling
tables until we both understand the odds and the odds are better. What
we know now is that we continue to expose critical infrastructure to
the Internet in the interests of saving money, which massively
increases our attack surface, we do not, in many cases, know how
exposed we are, and we have determined enemies. ``Doubling down'' is
not a strategy--except a strategy for catastrophic loss.
Changing the Educational System
One of many cybersecurity risks the Department of Defense is
concerned with involves the supply chain of software--more
specifically, the risk that someone, somewhere will put something both
bad and undetectable in computer code that will allow enemies to attack
us more easily. However, that is but one type of supply chain risk we
should worry about and perhaps not even the most critical one. In fact,
``the software supply chain'' at a fundamental level includes the
people who design, code and build software. We should worry about the
supply chain of people as much or more than the supply chain of
software itself, because those who design, code and build software
don't know how to build it securely and the institutions--with some
notable exceptions--who educate them either don't know or do not care
to know how woefully inadequate their educational programs are. (Some
universities, of course, do care about security and have invested in
improving their computer science curricula accordingly. Kudos to them.)
If we were having a rash of bridge failures, and we discovered that
universities were failing to teach structural engineering to civil
engineers, we would not be discussing how to redesign tollbooths and
train tollbooth operators, or teach people how to drive safely on
bridges. Similarly, proposals to ``certify more cybersecurity
professionals'' is only a remedy for the cyber threats to critical
infrastructure if we understand the problem certifications attempt to
solve and ensure that we focus on the right set of professionals to
certify. This is especially true since ``cybersecurity professionals''
these days may well include Chad, the 12-year-old who installs anti-
virus on his technophobic grandparents' computer.
Several years ago Oracle sent letters to the top 10 or 12
universities we recruit from \1\--more specifically, to the chair of
the computer science (CS) (or equivalent) department and the dean of
the school in which the computer science department resided--telling
them that:
---------------------------------------------------------------------------
\1\ A heavily redacted form of this letter is available at http://
www.oracle.com/security/docs/mary-annletter.pdf and a larger discussion
of the supply chain ``personnel'' issue is available at http://
blogs.oracle.com/maryanndavidson/2008/04/the_supply_chain_problem.html.
a. We spent millions of dollars fixing avoidable, preventable
coding errors in software that lead to exploitable security
---------------------------------------------------------------------------
vulnerabilities;
b. We have to train CS graduates in how to write secure code
because they were not taught these skills in computer science
programs;
c. We need universities to change their curricula to address
this clear and present educational deficiency; and
d. The security of commercial software has become a national
security issue.
Oracle received precisely one response to these letters, and that
was a request for money to enable that university to create a ``secure
programming class.'' In the last 6 months, a representative that same
university--at a Department of Homeland Security Software Assurance
Forum no less--said publicly (and in apparent reference to the Oracle
letter) that his institutions' graduates were ``too good'' for vendors
like Oracle.
It's hard to imagine a more tone-deaf response to a ``customer''
request for a better ``product.''
Some have proposed that we certify ``cybersecurity professionals''
to improve the protection of our critical infrastructure. However,
certifying cybersecurity professionals--presuming we could define the
term precisely enough to avoid certifying absolutely everybody who
touches an information technology (IT)-based system--is too late in the
game. You can't secure something that was not designed to be secure or
that has holes big enough to drive the QEII through. Putting it
differently, in the physical world, do we certify interior decorators
or the people who build the house? It's architects, engineers and
contractors who are professionally licensed, not the people who move
furniture around and pick out color schemes. (No disrespect to security
administrators--or interior designers--is intended by this comparison;
the fact remains that cybersecurity professionals cannot necessarily
secure a system that was not designed to be secure.)
In the physical world, engineering degree programs are accredited
and engineering is a profession. Engineering graduates take the
engineer-in-training (EIT) exam--proof that they learned and absorbed
basic engineering principles in their degree program as part of their
career progression. Most who choose to actually practice the
engineering profession must become a licensed professional engineer
(PE). While it is true--as many academics are quick to point out--that
we understand the physics of, say, bridge design, and there are--as
yet--no ``physics'' of computer systems, that does not mean that we
should not expect people who are being educated in computer science to
know both what we know now, and what we do not know: specifically, how
to think about complexity and risk. At any rate, the fact that Oracle
and other large software vendors almost universally must teach the
basics of computer security to computer science graduates building IT-
based infrastructure should give all of us pause.
We know that embedding sound principles in curricula and
reinforcing those principles throughout a degree program works: this is
why physics is a ``core'' course for engineers and why civil engineers
cannot conveniently ignore physics in upper level classes. We also know
that an increasing number of professions involve computers and thus the
need for ``security''--embedded and reinforced throughout a number of
curricula and a number of classes within those curricula--is critical.
Control system design, for example, absolutely must include an
awareness of sound security principles or we will merely repeat the
mistakes we have already made. And yet, too many universities continue
to fiddle while Rome burns, or at least, fiddle while Rome is hacked.
A modest proposal in pursuit of curricula change would be to link
government research funding to phased educational reform in computer
and computer-related degree programs. That is, cutting off all money
until the curricula is fixed is counterproductive (as it penalizes
institutions that actually are making positive changes even if they are
not ``there'' yet). But we can certainly demand that universities
submit a plan to alter their curricula that includes specific delivery
dates for curricula change and insist that they make those changes as
delivered--or else. Currently, there is no forcing function to change
education. Many university professors are tenured and thus have no
incentive to ``cure.'' One of the few market forces we can exert is
money--such as grant money. If parents can tell their toddlers that
they don't get any dessert until they eat their peas, the U.S.
Government can certainly tie research funds to phased curricula change.
There are two additional reasons to--immediately and with some
urgency--forcefully impose curricula change on the universities that
deliver the pipeline of people building critical cyber-infrastructure.
The first is that we are already out of time: when the Soviet Union
launched Sputnik, it lit up the skies and lit up our eyes. The U.S.
rapidly moved to dramatically improve the science and technology focus
of our educational system so that we, too, could conquer space. As
regards cybersecurity, we have already had our Sputnik moment: in fact,
we in cybersecurity have such moments over and over, every single day.
The most damning comment one could make about the recent Google-China
headlines is that for those of us in industry, it was merely the
exclamation point on a long narrative, not an opening soliloquy.
The second reason is that everybody is looking for expertise to
secure what we have today--not to mention, what we are building in our
headlong rush to site critical infrastructure upon technical ``sand.''
For example, the Department of Homeland Security has stated that they
want to hire 1000 cybersecurity professionals.\2\ Where will they find
them? The military is standing up cyber commands \3\ and it seems
increasingly obvious that wars of the future will increasingly take
place in the cyber realm. Where are these future attackers and
defenders to come from?
---------------------------------------------------------------------------
\2\ http://www.cnn.com/2009/POLITICS/10/02/dhs.cybersecurity.jobs/
index.html.
\3\ http://www.informationweek.com/news/government/security/
showArticle.jhtml?articleID
=222600639.
---------------------------------------------------------------------------
In particular, the military views technology as a force multiplier
and their information systems increasingly form the background of their
ability to fight wars. What possible confidence can the military have
that the network elements on which they base their ability to prosecute
war can be trusted if the people who built them do not understand at a
very basic level that all software can and will be attacked? The people
designing and building software do not, in general, think, design and
code defensively because they are not educated to do it. We might as
well be turning out Marines who don't know that they have enemies, or
what a firefight is or what ``take the hill'' means. The results would
be and are predictable. Marines are lethal in no small part because
they know there are enemies, and they train to annihilate them.
Slow Our Exposure to Systemic Risk
There is an old saying that goes, ``quit while you are behind, and
when you are in a hole, don't dig.'' Nowhere is this truth more evident
than in our rush to increase the interconnectedness of critical
infrastructure and its exposure to the Internet--an exposure that
creates risks that we do not understand and thus cannot mitigate. We
embrace the interconnectedness because the benefits--and cost savings--
seem clear, but the risks are murky. No sensible person, of course,
should say that we cannot do anything that involves risk. Life is about
assuming risk.
That said, and as a cautionary tale of assuming risks we do not
understand, we need look no further than the recent financial system
meltdown in which massive computer programs could quantify all kinds of
risk except the most important one: systemic risk. The financial
superheroes ``in charge'' and the brilliant ``quants'' that were their
super-sidekicks got it wrong. Nobody really knew the degree to which
entity A was exposed to entity B and what would happen if the thread
between them was snipped. It turns out; systemic financial risk was the
Kryptonite that brought down Superman.
Alas, a lot of technophiles pushing new ``problems'' we need
sophisticated IT-based solutions for, or those eagerly embracing new
uses (and abuses) of technology, do not realize that everything--
including technology--has limits. The ``limits'' are not necessarily
those of bandwidth, or protocols we haven't invented yet. The most
important limitation is our inability to make rational, informed
decisions about risk because of complexities we simply cannot fathom.
In the many discussions on what the government can do to fix
cybersecurity, including ``spend more money on research,'' and
``certify cybersecurity professionals,'' it is worth noting that no
single proposal will ``save us,'' and certainly not any time soon.
There is, however, one thing we can do today: stop making cybersecurity
worse by rushing to use technology in ways we know very well we cannot
secure and that create huge systemic, unknown (and thus unmitigateable)
risk.
One such area is smart grid. The general idea, we are told, is to
allow power plants to: (a) get lots of near-real time measurements on
power consumption (e.g., from your house) to better price power
consumption accordingly and (b) do remote maintenance of grid elements
(e.g., deployed in your house). If we can do better demand pricing we
can build fewer plants and be ``smarter'' about power usage. Nobody is
necessarily opposed to ``do more with less'' premises, with one big
caveat: what if the ``more'' is ``more risk''--a lot more? More, in
fact, than we can fathom. What we know about smart grid should--if not
scare us--at least induce a very large gulp:
We already know we cannot secure millions of Internet
protocol (IP)-based clients: it's hard enough to secure
servers. The millions of PCs that have been co-opted into
botnets are proof enough of that.
We know that the SCADA (Supervisory Control and Data
Acquisition) protocols used in control systems were not
designed to be attack resistant: they were originally used in
electro-mechanical systems where you had to physically access
the control to use it (i.e., turn the knob).
We know people are increasingly moving to Internet protocol
(I P)-based control systems, and connecting them to corporate
networks that are, in turn, connected to the Internet. We thus
know that people can access controls for things they shouldn't
be able to from places they aren't supposed to be able to.\4\
---------------------------------------------------------------------------
\4\ http://www.c4-security.com/
The%20Dark%20Side%20of%20the%20Smart%20Grid%20-
%20Smart%20Meters%20%28in%29Security.pdf.
We know that many of the smart grid devices that have
already been deployed are hackable.\5\ For example, a prototype
worm developed by a security research firm was able--in a
simulated attack--to spread from meter to meter to take out
power in more than 15,000 homes in 24 hours.\6\
---------------------------------------------------------------------------
\5\ http://rdist.root.org/2010/02/15/reverse-engineering-a-smart-
meter/.
\6\ http://www.wired.com/threatlevel/2009/10/smartgrid.
We know that terrorists are increasingly interested in
targeting utility grids and in developing their hacking
expertise to be able to do so. \7\
---------------------------------------------------------------------------
\7\ http://www.scmagazineus.com/critical-condition-utility-
infrastructure/article/161689/.
We know that smart grid concepts are also starting to be
---------------------------------------------------------------------------
implemented in gas and water utilities.
We know that people have built personal digital assistants
(PDAs) that ``talk SCADA'' because ``it's so expensive to send
a technician to the plant.'' (It won't be long before we hear:
``Move the control rods in and out of the reactor? There's an
app for that!'' Some day we may have a power plant meltdown
when all someone was trying to do is answer the phone.)
And, last, we know that the people designing and building
these systems were never taught ``secure/defensive
programming'' any more than computer programmers were.
What we can infer from all the above is that the rush to ``save
money'' is being done by people who fundamentally do not understand
that they are vastly increasing the potential risk of a cyber attack
that can be launched from any home. Against the grid itself. In a way
that we do not know how to mitigate. In an increasingly hostile world.
If we think saving money on critical infrastructure is more important
than protecting it we might as well start sending the Marines into
combat with slingshots (so much cheaper than M 16s) and expecting them
to secure our Nation. Neither is acceptable, and both will involve
needless and senseless loss of life.
Before we keep trying to ``do more with less,'' let's take a deep
breath, step back and think seriously about worst cases and how we
avoid them in the first place. Hoping our enemies won't exploit a big
shiny new attack vector once we've deployed is not a strategy. Actually
minimizing the attack surface is.
There are a couple of things we can do to slow the lemming-like
rush over the smart grid cliff. One of them is to insist on some
standards (through existing standard setting bodies)--if not actual
certification--of smart grid components. N IST, for example, has led a
Cyber Security Working Group that recently released a second draft of
``Smart Grid Cyber Security Strategy and Requirements'' document.\8\
It's a start.
---------------------------------------------------------------------------
\8\ http://collaborate.nist.gov/twiki-sggrid/bin/view/SmartGrid/
NISTIR7628Feb2010.
---------------------------------------------------------------------------
Second, we need a better transparency around how ``smart grid''
components are built, and of what they are built--given a lot of the
underlying components may be commercial software that was not
necessarily designed for the threat environment in which it will be
deployed. It will also help those building critical infrastructure to
know how robust the ``building materials'' are. There are existing
mechanisms that can help establish that transparency, such as the
Common Criteria (International Standards Organization (ISO)-15408) and
the Department of Homeland Security (DHS) materials on improving
software assurance in acquisition.\9\
---------------------------------------------------------------------------
\9\ https://buildsecurityin.us-cert.gov/swa/downloads/
SwA_in_Acquisition_102208.pdf.
---------------------------------------------------------------------------
Without knowing how software was built, and what care was and was
not taken in development--we are building a house from components we
know nothing about and hoping the resultant structure is sound. It
isn't merely that a house built on sand cannot stand, it's that a house
built of ice won't survive in the tropics and a house built of some
types of wood won't survive in a termite-friendly environment. Without
knowing what components are being used in the house, how they were
designed and built--and with what assumptions--we have no idea whether
even a house built on rock is going to stick around for the long haul.
There are, after all, earthquake zones.
It may seem difficult to change the status quo, and yet we have to
believe in the capacity for positive change--even if that embraces a
clear and abrupt departure from the status quo. As the prophet Isaiah
said, ``Whether you turn to the right or to the left, your ears will
hear a voice behind you, saying, `This is the way; walk in it.' Then
you will defile your idols overlaid with silver and your images covered
with gold; you will throw them away . . . and say to them, `Away with
you!' '' So be it.
The Chairman. And, finally, Rear Admiral Barnett, Chief,
Public Safety and Homeland Security Bureau, Federal
Communications Commission.
STATEMENT OF JAMES ARDEN ``JAMIE'' BARNETT, JR., REAR ADMIRAL,
USN (RETIRED), CHIEF, PUBLIC SAFETY AND HOMELAND SECURITY
BUREAU, FCC
Admiral Barnett. Thank you, Mr. Chairman and distinguished
members of the Committee. Thank you for the opportunity to
testify on this important topic.
My remarks to you today are focused on the transformation
of communications by the Internet and broadband technologies,
the cyberthreat that transformation has engendered, and how the
role of the FCC to ensure communications is being invigorated
to meet the challenge of the cyberthreat.
Advanced broadband communication technologies have
dramatically changed to lives of Americans by enriching the way
that we communicate, learn, work, and live. Virtually all major
communication networks are now connected to the Internet; and,
for that reason, those communication networks are vulnerable to
cyber attacks.
Most cyber attacks target information systems attached to
communication networks--the edge or end-users--not the
communications infrastructure itself. Nonetheless,
communications infrastructures are not immune to cyber attacks,
and they have vulnerabilities. We should not have a false sense
of safety. A successful attack on communication networks could
have a severe or even catastrophic effect.
The FCC has an important role to play in securing broadband
communications infrastructures in conjunction with our Federal
partners. We are the congressionally mandated regulatory agency
with authority over communication providers and communication
networks, and we must face the new reality that cyberthreats
now imperil our communication networks.
When I came to--came aboard as the Chief of the Public
Safety and Homeland Security Bureau at the FCC, our Chairman,
Chairman Julius Genachowski, asked me to convene a working
group to examine the Commission's cybersecurity posture and
recommend courses of action. This group delivered a report to
the Chairman, and many of its recommendations will be addressed
in the National Broadband Plan that will be delivered to
Congress next month, in March. In the report, and in the
National Broadband Plan, we developed a roadmap to fulfill our
cybersecurity role and responsibilities. And I'd like to
address just a few points in that--from that roadmap.
First, the FCC can provide the Nation a much greater
situational awareness of the status and performance of the
Internet, including attacks, than it currently possesses. Many
of the owners and operators of the backbone of the Internet are
communications companies who are licensees of the FCC. One of
the reasons why the communications in America are so reliable
is that, under FCC rules, those licensees provide us with near-
realtime data on network outages and problems, so that we can
analyze that data and work on solutions. We also have a
successful voluntary program of reporting in times of disasters
and emergencies.
If these near-realtime outage and incident reporting
systems were extended to the Internet, the FCC could provide
the Nation with an enhanced situational awareness of attacks
and incidents and provide vital information for defense against
attacks and restoration of communications.
Second, there are things that FCC can do to prevent or
mitigate the effects of cyber attacks. For example, a previous
FCC Federal Advisory Committee, the Network Reliability and
Interoperability Council, or NRIC, developed a set of detailed
cybersecurity best practices that are intended to be
implemented by communication providers on a voluntary basis.
We're exploring the creation of a voluntary certification
program, possibly using these best practices as criteria to
provide network operators with additional incentives to improve
their cybersecurity posture. And we're also looking to other
voluntary incentives.
In December 2009, the FCC launched a new expert advisory
panel called the Communications Security Reliability and
Interoperability Council, or CSRIC, to examine and recommend
other cybersecurity solutions, such as how to stem the stream
of malware that arrives at our networks.
We're increasing our contacts with communication regulators
in other nations, since cyberspace and security are not local,
but are truly global. We're at the start of a long journey,
working with our Federal partners and with industry to secure
our Nation's vital infrastructure against new and rapidly
evolving threats. And, Chairman, we are determined to do so.
Thank you for your--the opportunity to testify.
[The prepared statement of Admiral Barnett follows:]
Prepared Statement of James Arden ``Jamie'' Barnett, Jr., Rear Admiral,
USN (Retired), Chief, Public Safety and Homeland Security Bureau, FCC
Senator Rockefeller, Ranking Member Hutchinson and distinguished
members of the Committee, thank you for the opportunity to testify on
the important topic of cyber security, and thank you for your
leadership in holding this hearing to address this urgent problem.
My remarks to you today are focused on the transformation of
communications by the Internet and broadband technologies, the cyber
threat that transformation has engendered, and how the traditional role
of the Federal Communications Commission to ensure communications is
being invigorated to meet the challenge of the cyber threat.
Advanced broadband communications technologies have dramatically
changed the lives of Americans and others around the globe by enriching
the way they communicate, learn, work and live. The Internet, which
relies on broadband communications infrastructure, is now a central
part of American interaction of all types. However, the manner in which
the Internet developed has left it exposed to cyber attacks.
Specifically, the Internet, which started as a small research network,
has evolved into a global network connecting over a billion people who
rely on it for social, economic, educational and political
applications, among others. The Internet's core design philosophy was
initially based on easy connectivity. The underlying Internet protocols
and architecture were not designed to be secure. As Internet usage has
increased and has become mainstreamed for everyday life, communications
providers have responded by adding features to improve the security of
their infrastructure and the services that ride on it.
As the public and private sectors continue to move toward more
online usage, bad actors, including criminals, have begun to lurk in
the shadows of cyberspace where they can launch costly attacks on end-
users. In 2008, the FBI Internet Crime Complaint Center logged $265
million in reported losses for Internet users, the highest loss ever
reported. No one is immune from attack, whether consumers, government
users or even our Nation's most sophisticated companies. Last year, it
was reported that ten to twenty terabytes of data were pilfered from
U.S. Government networks by a foreign entity, and in January Google
reported that it was subject to a sophisticated attack originating from
China. Reports show that at least ten other large companies, including
finance, media and chemical companies, have been the targets of similar
attacks. As attacks become more persistent, breaching computer systems
and establishing a foothold, these attackers are able to compromise
personal, confidential and classified information. We have seen the
effects of dedicated cyber attacks on Estonia and the Republic of
Georgia. Critical infrastructure sectors, such as energy, finance and
transportation, can all fall victim to these attacks.
All major communications networks are now connected to the
Internet, and for that reason, those communications networks are
vulnerable to cyber attacks. Most cyber attacks target information
systems attached to communications networks, the edge or end-users, not
the communications infrastructure itself. Cyber attackers currently
tend to view the communications infrastructure as the necessary
superhighway that will carry them to their victim. Accordingly, they
are reluctant to make it impassable.
Nonetheless, communications infrastructures are not immune to cyber
attacks, and they have known vulnerabilities. Accordingly, we should
not have a false sense of satisfaction with regard to the survivability
of our broadband infrastructure. A successful attack on communications
networks can affect all end-users that rely on broadband
infrastructure. For example, as 9-1-1 networks migrate from today's
technologies to Internet-based technologies concerns about the
vulnerability of these systems to cyber attacks have mounted. A
successful attack on such a network could severely obstruct the ability
of our first responders even knowing of emergencies.
We cannot allow the absence of a successful attack make us
complacent. The FCC has an important role to play in securing broadband
communications infrastructures. We are the Congressionally-mandated
regulatory agency with authority over communications providers and
communications networks. We must face the new reality that cyber threat
now imperils our communications networks and therefore our wellbeing
and even lives.
With the changing shape of the telecommunications infrastructure
and usage patterns, it is incumbent on the FCC to reassess our role in
cyber security. When I came aboard as Chief of the Public Safety and
Homeland Security Bureau, FCC Chairman Genachowski asked me to convene
a ninety-day working group to examine the Commission's cyber security
posture and recommend future courses of action. This group delivered
its report to the Chairman on November 30, 2009, and many of its
recommendations will be addressed in the National Broadband Plan that
will be submitted to Congress in March. Our Working Group report
demonstrates the critical role that the FCC has in cyber security, in
conjunction with its Federal partners. This report, in conjunction with
the National Broadband Plan, leads us to our plan to become further
engaged in cyber security. To this end, we have developed a roadmap in
which we plan to address cyber security utilizing our past experience,
technical expertise and our regulatory relationship with the FCC's
licensees to protect the communications infrastructure. I would like to
mention six major points from that roadmap.
First, we believe, based on past experience, that many cyber
security challenges can be met through public-private partnership
arrangements with industry. However, it would be ill-advised to assume
that intervention is not needed. In some cases, obligations may be
necessary. The Commission has a vital role to play in these situations,
and we will be working to craft a regulatory approach to cyber security
that strikes the right balance.
Second, we believe there are things the FCC can do to prevent or
mitigate the effects of cyber attacks. For example, recently, the
Network Reliability and Interoperability Council, an FCC Federal
advisory committee consisting of leading industry executives and
practioners, developed a set of detailed cyber security best practices
that are intended to be implemented by communications providers on a
voluntary basis.
We believe the opportunity exists for us to build on these best
practices to provide network operators additional ability to improve
their cyber security and to increase the adoption of these best
practices. A recent survey by PricewaterhouseCoopers found that
organizations following best practices experienced significantly lower
impact from cyber attacks, something that commercial industry should
find attractive. We believe that based on this survey that we should
explore methods, such as voluntary certification of compliance with
best practices that would create market-based incentives to increase
cyber security.
Third, we believe that a significant area for FCC involvement in
cyber security is to secure and analyze additional data received from
all broadband service providers concerning network and service
disruptions. However, our past experience in receiving data from
communications providers concerning disruptions in their networks has
been proven effective at providing us early warning of potential
problems and attacks on the Nation's existing communications
infrastructure. This information allows us, working with our Federal
partners and the communications industry, to expedite restoration of
service. Our work, which is based on a sector-wide view of
communications outages, also allows us to spot industry-wide or
carrier-specific reliability and security matters. We use this
information in conjunction with DHS and communications providers to
produce long-term improvements. For example, we recently observed a
statistically significant upward trend in the number of events
affecting wireline carriers. We worked with industry to establish a
team of experts who examined the data in closer detail and developed a
set of recommendations. In the intervening months we have measured a 28
percent decline in this category of outages. Obtaining similar
information from broadband and Internet service providers would enable
the FCC and its Federal partners to work with industry on sustained
improvements to Internet-based infrastructure. We are currently
examining the best path forward to obtain this information.
A fourth way in which we are exploring more active involvement in
cybersecurity is increase our ability to prepare reports which contains
situational awareness on broadband communications infrastructure during
disasters for use by our Federal partners, such as the Department of
Homeland Security (DHS). We currently gather such data for traditional
communications, and it has proven invaluable in emergency management
and communications restoration. Accordingly, we plan to coordinate with
DHS and communications providers in the near future to plan and
implement a cyber attack situational awareness system.
Fifth, another avenue we are pursuing is how to best address the
constant stream of malware arriving at the network, frequently from
end-users who are not aware that their systems are compromised. The
Commission has recently established an advisory committee, the
Communications Security, Reliability and Interoperability Council,
known as CSRIC. An important function of the Council is to examine this
problem and to recommend methods that communications providers can
implement to protect their networks from malicious traffic. We expect
to see reports from this Council in the near-term.
Sixth, and finally, cybersecurity is by nature international. The
networks are global, the threats are worldwide, and the human component
is universal. Through the State Department, the Commission participates
in various international activities and fora such as the United Nations
International Telecommunication Union (ITU) in which cyber security is
an issue. Cyber security is increasingly raised as an issue in
discussions with foreign regulators and at international meetings and
conferences, and the international aspects of cyber security is also a
more prevalent topic in the domestic arena. Going forward, there will
be increased need and opportunities for, greater FCC participation in
activities involving international aspects of cybersecurity--both in
the United States and abroad.
My intention has been to describe to you our vision of the FCC's
role in cyberspace and what we are doing to secure our critical
communications infrastructure in a broadband world. We are at the start
of a long journey, working with our Federal partners and industry, to
secure our Nation's vital infrastructure against a new and rapidly
evolving threat, and we are determined to do so.
Thank you for the opportunity to speak to you today.
The Chairman. Thank you very much, Admiral Barnett.
Let me ask the first question. The--this is directed to
Admiral McConnell and Mr. Borg and to Ms. Davidson.
You all talked, in various ways, about the need to have
people understand this at a very early age. You know, this--
they say, you know, kids are too fat these days, we ought to do
more exercise. Those things are--exercise is being cut out,
sports are being cut out, and sort of crowding the curriculum
is a really tough thing to do. On the other hand, if people
don't understand the threat of cybersecurity, it's all lose
from now on.
I made the point, Ms. Davidson, that 85 percent of the
critical infrastructure in this country are owned and
controlled by the private sector. And we found, as we were--at
least I found, as we were drafting this legislation, that
companies--I'm not saying Oracle; I'm not necessarily saying
big telecommunications companies--but, companies tended to
resist the idea of the government sort of getting in the way of
what they were already doing, which they felt to be adequate.
Now, my experience in general security with large companies,
and particularly like powerplants and chemical plants backed up
against rivers, and the rivers are patrolled by the Coast
Guard, except, of course, that there aren't enough boats or
people, so they're really not controlled by the Coast Guard, so
they're all vulnerable, but they say they're doing the job, and
thus, they--they're--you know, we had a lot of engagement with
industry. And so--and I look at your testimony here, Ms.
Davidson, and it's interesting, because I'm not sure what
you're saying. Your second recommendation, we need to stop
upping the ante, as you said, on exposing critical
infrastructure--in some cases, unknowable risk--and we should
walk away from the gambling tables until we both understand the
odds, and the odds are better. Doubling down is not a strategy,
except a strategy for catastrophic loss.
Now, what I'm--what I'd like the three of you to comment on
is, in that I think we all agree there has to be this
coordination between government and the private sector, are
you, in a sense, walking away, saying, ``We have to let time
pass so that people understand this problem better and kids--
it's part of their curriculum''? And--or are you not? And,
Admiral and Mr. Borg, if you could comment on this problem of
how--don't we have to take action really soon? But, then,
you've already said, whatever action--I think, Mr. Borg, you
did--whatever action we take is going to be outdated in 3 years
anyway. So, talk to me a little bit about this business of
cooperation, what we do. Is legislation any good? What do you
propose?
Admiral.
Admiral McConnell. Sir, let me use an example that touched
me personally. I'm old enough to remember Sputnik. And that
happened in 1957. And shortly after, the--an Act was passed. I
don't recall the exact name, something to the effect of the
National Defense Education Act. I went to college on that Act,
and it's likely I would not have gone to college except for
that Act. So, when I talk about an education bill--you heard in
my opening comments, I think the Nation reacts to two things:
crisis and money. Crisis will move us to act, money will move
us to act. So, if there is a bill that invests in the
youngsters of this Nation to make them smart about cyber and
cyber issues, and safe code, and secure code, and so on, I
think we will start to mitigate this problem.
I'll use an example. One of my colleagues is Gene--Dr. Gene
Spafford, at Purdue. Early mover, wonderful program, struggling
to keep it alive, because there's no interest or funding in it.
So, I think, since we react to crisis or money, that it's going
to take an investment, probably something on the order of the
National Security Education Act of 1958, for us to address this
problem. And if we do that, I think we'll make progress.
The Chairman. Will we make progress simply because people
grow up and go into business and go into government and,
therefore, work things out? Or----
Admiral McConnell. It's----
The Chairman.--it's a necessary starting point, no matter
what happens.
Admiral McConnell.--it is a necessary starting point. And,
for me, the example is, we put a man on the moon in 10 years.
So, Sputnik happened, the bill was passed, lots of engineers
and scientists and physicists, and so on, that were educated.
And when President Kennedy set it as a goal, then, 10 years, we
actually did it. So, for me, it's a necessary step to get us
started so we have the skill sets.
Now, one of the things I'm worry about is, we are
significantly outnumbered, in terms of population in China, in
India, and other places. So, we don't have a birthright to
intelligence. I mean, there are smart people all over the
world. It's an even distribution. And others are investing in
this in a major, major way. So, if we're going to compete and
be competitive and influence the world for a global standard in
cooperation in this arena, in my view, we have to produce the
electrical engineers, computer scientists, and other technical
talents that will allow us to do this.
The Chairman. OK. So, we--that is stipulated. I think there
would be no argument on that at all.
In this matter of cooperation between government and
business, and the point I raised, Ms. Davidson, about ``How do
I interpret what you said?''--I know that it was basically the
business community that came in and say, ``Look, we're fine. We
know what we're doing on this.'' I'm simplifying a little bit,
obviously. But, ``We don't need the government involved in
this.'' The Admiral and others are saying that the government
has to be involved in this, or else nothing really is going to
happen. And so, I don't--when you say ``walking away,'' I want
to know what you mean.
Ms. Davidson. What I meant by that was, there's an
expression, ``Quit while you're behind, and when you're in a
hole, don't dig.'' And the reason I use Smart Grid--and I was
very careful there; I didn't say, ``Oh, let's not do anything
that's insecure.'' You know, everything in life is about
assuming some risk. My concern is our failure to understand
systemic risk and going forward. And based on what we know
now--and all of those comments had footnotes to external
reports--what we see here is--this looks like we're assuming an
asymmetric risk we don't understand. I didn't say, ``Let's not
do more with less.''
The Chairman. But, you did say----
Ms. Davidson. ``Let's not make use of technology.''
The Chairman.--doubling down is not a strategy, except a
strategy for catastrophic loss.
Ms. Davidson. I did say that. And my comment was that we
continue to look at more ways we can use an IP-based backbone,
when we know, today, we cannot secure clients. And that's, on a
technical level, saying, ``OK, if I have to physically go in a
plant to turn a knob to do something bad, that's something I
can limit.'' If I'm now putting a device in everyone's home
that may or may not--that's the question mark--be appropriately
designed for a threat environment, you know, then I'm basically
saying, ``OK, now I've got a million ways to get into
something.'' Now----
The Chairman. Well, my----
Ms. Davidson. So, what I'm saying is----
The Chairman.--my time is----
Ms. Davidson.--is, let's understand--try to understand the
systemic risk. Let's look at how we actually impose enough
order that we understand what kind of risk we're assuming.
Right now, some of these devices have been hacked. We don't
know how they're built. We don't know whether--there is no
certification program for the devices. I have concerns about
that----
The Chairman. All right. Look----
Ms. Davidson.--based on just what I know.
The Chairman.--my time is out, OK? My time is out, and you
have to respect the rules of this committee.
I want to come back to you, because I don't think you've
answered the--my basic question. I think you've reaffirmed my
concern, ``Until people understand everything, or until
everything is prepared, don't act.'' Now, you do say you're
going to act in two ways, but I want to get back to that.
In the meantime, Senator Snowe.
Senator Snowe. Thank you, Mr. Chairman.
I guess it gets back to the question about, What will be
effective incentives for the private sector? I mean, if the
private sector owns and operates 85 percent of the
infrastructure, then obviously we have to concentrate on
providing the essential incentives for them to adapt.
What do you think would be effective private-market
incentives, and is that the appropriate focus? Should we compel
them? Should we create incentives, in terms of adopting best
practices versus mandating standards? What approach do you
believe we should take that would be the most effective in that
regard?
Admiral McConnell?
Admiral McConnell. What I attempted to do in my opening
remarks--to make the analogy that in those historical cycles,
we go through this each time. So, if we were having this
discussion about railroads and robber-barons, you know, way
back in the 1880s, those that were in the railroad business
would argue very strongly, ``We don't want the government
involved.'' So, what we did was have legislation to break it up
and regulate it, and so on.
So, the way I would think about it is, the current system
is not secure; and so, without prescribing exactly what the
answers are, it is a requirement to make it more secure. Now,
there is talent that exists to have that dialogue, and in a
constructive way. It will introduce tension in the system.
There will be those that argue that we shouldn't do this. There
will be those that say the Government's going to spy on its own
citizens, and so on. But, it is setting an objective to make it
secure, to achieve the basic elements of security--the basic
elements of making something secure, which I tried to
highlight, with authentication and so on. Those things are
essential when the transactions are of such significance they
affect a broad portion of the population.
So, I think, properly framed, we could create such a
framework that would cause us to move forward in that
direction. But, it would be required; it would be mandated.
Because industry is not going to embrace this unless they're
forced to do it.
Senator Snowe. Yes. Dr. Lewis? Dr. Borg?
Dr. Lewis. Let me--I was a regulator for 3 years, right?
And what I found is that most companies will try and do the
right thing, and some companies will always do the right thing,
and some companies will never do the right thing; and so, if
you don't compel them, you're not going to get the right thing.
And since this is a network, and they're all connected, if 10
percent don't do the right thing, then 100 percent could be
vulnerable.
So, incentives are great, but what I'd also say is, How do
you ensure compliance? And that leads me to a mandatory
approach.
Senator Snowe. Yes. Dr. Borg?
Mr. Borg. Yes, I urgently would like to talk about this,
but I hardly know where to start.
I think the government urgently needs to do something. I
think most of the things in your bill, broadly speaking, need
to be done. However, we have a lot of things here that aren't
working in the markets. Government intervention is needed to
help those things to work.
The sheet that I waved--that I held up--lists 21 things
that you could consider doing to help markets function better.
Some of those things you're already proposing to do; some of
them are already in your bill. But, there are many other ways
in which these markets are not working.
There's a tendency, left over from the Cold War, to think
that we have two choices where markets are concerned. One is to
be the commissar and dictate from the government what everybody
should do, and the other is to go, ``Whoopee, let's hope the
markets will do it on their own.''
In fact, markets are engineered into existence, and the way
they work is greatly shaped by government policy. Things that
the government decides about what kind of information should be
made available can hugely shape the way a market functions.
In this area, we have a number of markets where there's
insufficient information for any of the participants with the
best intention in the world to do the right thing; there is
just no way they can make the right choices, where
cybersecurity is concerned.
We have other situations where there are financial
impediments to them doing the right thing. I completely agree
with James Lewis, that we have a lot of people out there who
would do the right thing, but we shouldn't be penalizing them
for doing so.
We have other situations where people are ready to jump in
and supply the kind of security that is needed--supply products
that will provide the right security, but there are economic
impediments for them doing that.
So, there's a whole area here that needs to be--opened up
for discussion, a whole area of possible government action
that's really not being addressed.
Senator Snowe. Ms. Davidson, would you care to comment, or
Admiral Barnett?
Ms. Davidson. So, there are lots of ways to correct
markets--market imbalances. And, you know, we can talk, as a
public policy issue, about, Is this more effective or that more
effective, or is it regulatory or something else? One of the
things I have pushed for, because I think it could be
effective, is--and I believe I talked about this in the context
of Smart Grid, but I talked about it in a much larger context--
is a little more transparency around how people build their
software. Why is that important? Because at least the people
who are taking a piece of software that may not have been
designed for some particular purpose, but is general-purpose
software, need to understand what was done and not done. You
know, we know more about used cars than you do about a lot of
pieces of software that are used in really large systems. So,
at least forcing some transparency, which is what DHS was
trying to get at, would require someone to show, What did you
do, and not do, in development? My entire group--purpose in
living is to enforce compliance around our own organization
which is that transparency. You know, which groups do, and do
not do, particular things. And how we build software goes to a
security oversight board and it goes to our chief executive
officer. So, we know, at any point in time, here's where we
are, in terms of complying with our own development processes.
We state it is--what we believe are to be best practices.
Now, is that perfect? No. Does it mean that somebody, maybe
in the Defense Department, who's buying a piece of software and
going to deploy it in some system we have no knowledge of,
understands what they're getting and not getting?
Forcing transparency, by the way--it's a strange analogy--
it's the bathing-suit test. When someone puts on a bathing suit
around March, and they know they're going to go out in the
water in June, by and large, they're going to look at
themselves and say, ``I look terrible. I need to get a trainer,
cut out the carbs. I want to look good next to the three other
people at the beach.'' So, forcing more transparency actually
does elevate people's performance, in that you're probably
going to do no--more if you know that someone's looking over
your shoulder. It's not perfect; it won't cure everything, but
I think that, as part of that correcting that market imbalance,
is--people need to understand, ``You gave me a piece of
software. What does it do, and not do? How well does it do it?
And what did you engineer into this? And what were your
assumptions about how it was going to be used and who is going
to attack it?'' That's not perfect, but it's a good start.
Senator Snowe. Thank you.
Ms. Davidson. And the government could enforce that,
through procurement.
Admiral McConnell. Senator, could I offer one other----
Senator Snowe. Yes.
Admiral McConnell.--quick comment--example. In the late
1960s, early 1970s, the United States dominated the
semiconductor industry. At a point in time, we went from 80
percent to 20 percent. So, we had to do something about that,
because it was so vital to us. So, what we did was create a
public-private partnership. It goes by the name of Symantec.
And Symantec--I think, it--I don't get the--remember the exact
numbers, about 250 million on the government side, about 250
million on the private-sector side. We recaptured the
semiconductor industry. That's the kind of thing that we could
invest in here, with regard to cybersecurity. It would create
the transparency that the case has been made well for. If----
So, there are a series of things that could be done to put
us in a position to create the kind of infrastructure that we
need that's secure enough to do the Nation's business.
Senator Snowe. That's an interesting analogy.
Thank you.
The Chairman. Thank you, Senator Snowe.
Senator Ensign.
STATEMENT OF HON. JOHN ENSIGN,
U.S. SENATOR FROM NEVADA
Senator Ensign. Thank you, Mr. Chairman.
I agree with you, in how important and how critical these
issues are to our Nation's economy and our national security;
it's very important that we have this hearing today and that we
explore it going forward into the future. And I appreciate the
input of our witnesses today on an incredibly complex issue.
Admiral McConnell, I have a great deal of respect for you,
but when you're talking about security in other industries, the
Internet and technology today is changing so much more rapidly
than any of those other industries ever did. And also remember
that with railroads we came in much later. The airline
industry, as well. I mean, can you imagine if the government
would have come in too early, for instance, in the airline
industry, before it became a mature industry?
The question is somewhat about balance. We do want to make
sure that innovation occurs, as well. But, cybersecurity is
very, very important for all of us; for all of our personal
identities; for our financial security, where somebody could
steal the money out of your bank account; for protecting some
of these critical systems that we have, like Smart Grids; and
for all of the other things that you all have laid out today.
Getting to a question, I would ask each one of you to
succinctly talk about what you believe is the single biggest
cybersecurity vulnerability that we have today. If you could
tell this committee just one thing, what would you say the
government should focus on?
Admiral McConnell. I'll go first, if that's all right.
Senator Ensign. Yes. Just right down the line.
Admiral McConnell. The area would be the financial system,
because it--as the comments, I made earlier, about it being
vulnerable. And the issue is, the authorities for dealing with
it are divided by statute, and it's compartmentalized in
boundaries. So, as a nation, cyber respects no boundaries; and
so, it's going to take some action on the Hill for various
committees who oversee pieces to address it more holistically
for the integration of the problem.
So, if you think about it as communications, exploitation
of communications, attack of communications, or defense of
communication, different statutes, different departments,
different committees, and it's, How would you put that together
in a way that you can ensure the effect of successful
communications while doing the things that would allow you to
gain insight of a potential adversary and then mitigate the
risk at network speeds, which are milliseconds? So, that's the
challenge.
Senator Ensign. Dr. Lewis?
Dr. Lewis. We, in our report of December 2008, said that
the one thing you ought to focus on is securing cyberspace. And
there were three components to that: the financial grid, as
you've heard; the electrical grid; and the telecommunications
networks.
And so, I would say you need to think about, What is it
that gives us this wonderful capability to do things over the
Internet? And you need those three things. Focus on them.
Senator Ensign. OK.
Mr. Borg?
Mr. Borg. Three of us here were on the Cyber Commission and
heartily endorse that report that Jim wrote.
It's--the center of all this has got to be, however,
critical infrastructure industries. That's what we mostly need
to protect. That's what could do us the greatest damage. That's
where the government needs to be focusing its attention.
Right now, if an electrical company wants to improve its
cybersecurity, it can't get permission to pass on the minute
rate increase that that requires; it can't get permission from
the local regulatory organizations.
With the best desire in the world to improve security, the
impediments to these companies doing the right thing are really
great. So, one of the first things to do is to remove the
impediments and make sure that there is a positive incentive to
take care of these urgent issues.
Senator Ensign. OK.
Ms. Davidson?
Ms. Davidson. I would certainly echo what my colleagues
have said, but I also want to distinguish between something
that is important but not urgent. And that--it still gets back
to this educational system, particularly college systems. We
don't send Marines out to take the hill who don't understand
that there are enemies--they will attack them--what weapons to
use and how to secure the perimeter. And yet, we are training--
the people who build IT systems are building infrastructure.
They don't understand that they're building infrastructure,
with all that that implies, and they particularly do not
understand the difference between things--you know, good input,
bad input, and evil input. Until we change the mindset of
people to understand their systems will be attacked, and to
build and design accordingly, we're not going to change the
structure. We might address it today or next year, but the next
generation coming forward will not understand that we're
continuing to build infrastructure, and the responsibilities.
We have to invest, today, in changing the mindset, and that's
the educational system.
Senator Ensign. Admiral Barnett, before you answer--Ms.
Davidson, you mentioned the government hanging carrots out
there. We give them a lot of money from the Federal Government
to tie in certain things. Remember, however, the private sector
also has great influence. I know Oracle is trying to get the
universities included. But, collectively, the private sector
could have greater influence, because there's a lot of money
that comes from private donors to the universities, as well,
and I would encourage you all to get together, and especially
with some of the larger donors who understand the critical
importance of what you were just talking about, to encourage
the universities to change what they're doing. And so, maybe we
could hit it from both sides.
Ms. Davidson. Thank you.
Senator Ensign. Thank you.
Admiral Barnett?
Admiral Barnett. Senator Ensign, it may be somewhat a
parochial answer, but, obviously, coming from the FCC, we see
making the telecommunications networks and infrastructure
secure to be a primary focus. We--you know, of course, going
back to Senator Snowe's question, as well, the front line, of
course, are private companies--the commercial things. But,
there may be a role for regulation in such things as Admiral
McConnell mentioned earlier, such as authentication, identity
management, that could help secure--and you can't have
piecemeal answers to that. A regulatory framework may be able
to help bolster the private companies in protecting our
telecommunications infrastructure.
Senator Ensign. Thank you.
Thank you, Mr. Chairman.
The Chairman. Thank you very much, Senator Ensign.
Senator Pryor.
STATEMENT OF HON. MARK PRYOR,
U.S. SENATOR FROM ARKANSAS
Senator Pryor. Thank you, Mr. Chairman, and thank you for
holding this hearing.
Admiral Barnett, I'd like to start with you, if possible.
And when I think of the FCC----
The Chairman. Incidentally, Senator--I mean, Admiral
McConnell has to leave in about 5 minutes, so if--particularly
if anybody has questions for him.
Excuse me. Go ahead.
Senator Pryor. OK. Thank you.
When I think of the FCC, I think of, you know, your role of
regulating, say, telecommunications, for example, and making
sure there's competition and consumer protection, and all those
types of things. But, are you saying that there--FCC does have
a role in protecting our communications and our Internet?
Admiral Barnett. Senator, what I would say is that we have
a role in making sure that we have the best policies and best
practices to ensure. I mean, our traditional role in--under the
Communications Act is to ensure and promote that there is a
vast, reliable, nationwide, global wire and radio
communications system. To the degree that the Internet is now
connected to our communication networks, the FCC has a role in
doing that. And so, what we have to do as we go forward is make
sure that we are continually looking at those policies and
making sure that we are bolstering our networks. So, yes, sir,
we do have a role.
Senator Ensign. Ms. Davidson, let me ask, if I may. We've
heard a lot today about the public sector and the private
sector. I think, obviously, we all need to do a better job of
working together to come up with smart policies, in a lot of
different ways, to make all this happen like it should. But,
right now, can the private sector talk amongst themselves about
what's going on out there, and can you share information? Or
when you start doing that, do you start to get into an
antitrust problem or another environment that companies either
can't do legally or are just reluctant to do because of
competition?
Ms. Davidson. You know, I think some of that's out of my
area of expertise. I have been told that there are sometimes
some challenges. A lot of the--a lot of it has to do with--at
some point, it's knowing who you're dealing with. People talk a
lot about information sharing, and I'm all for that, but we
need to remember, information sharing is a tactic, not a
strategy. So, it gets down to information sharing about what,
for what purpose, with whom, and how is that going to be used?
So, I'm sorry I can't give you a better answer. I'll be very
happy to research it and get back to you to make sure I'm
giving you a more precise one.
Senator Ensign. Admiral Barnett.
Admiral Barnett. Senator, if you don't mind me jumping in
on that. But, that is one of the things that I think the FCC
can help. Right now, we've had a very--a great deal of success
in the traditional communications world by getting information
on outages and problems in the communications network. Because
companies are not--competitors are not going to be willing, nor
is it proper for them, to share that information with each
other. And yet, at the FCC, it's confidential. We can look at
it; we can analyze what's happening across the entire network--
analyze it and work on solutions. It's been very effective for
our legacy communications systems.
One idea is to explore, Could that be extended to the
Internet, and could we obtain the same success in getting
situational awareness of what's happening?
Senator Pryor. Good. Thank you.
Admiral McConnell, let me ask you--I know you need to leave
in just 5 minutes or so. You gave a very strong opening
statement, and your insights have been very interesting to the
Committee members. But, you know, you focus pretty much solely
on U.S. policy. Is there a need for an international policy
here that, you know, the U.S. either leads or the U.S. plugs
into? I don't know that we've talked a lot about international
policy.
Admiral McConnell. And, sir, my view is, it can't be solved
without an international approach. And I don't--I apologize for
being the history buff here today, but I go back to think about
the face-off between the United States and its allies and the
Soviet Union in the cold war. So, it was an international
dimension of NATO and the other allies that brought that to a
successful conclusion, from our point of view.
So, I think this is a global problem, and it will require
interaction and agreement at an international level, probably
starting with the nations that already have alliances, and so
on. But, at some point, it's going to have to--in my view--it
will have to migrate to nations that we currently see as, if
not adversaries, certainly competitors.
Senator Pryor. Dr. Lewis, let me ask you--and this may be
my last question, because I may be out of time--but, just for
the media and for laymen, like myself, can you describe--can
you give us two or three scenarios of what a cyber attack might
look like? I mean, we talk about this, but what does that mean
to the--you know, the average Joe out there in this country?
Tell us what a cyber attack might look like.
Dr. Lewis. Sure. And I think we need to divide it--it's a
great question--need to divide it into two parts. The first is,
then, as you've heard from Scott and from Admiral McConnell and
from everyone else on the panel, we're attacked every day, and
we're successfully attacked, and it's the economic damage that
we have to worry about.
So, what would a cyber attack look like? It would look like
being bled to death and not noticing it. And that's kind of
what's happening now. All right? So, the cyber attack is mainly
espionage, some crime. We've seen a good one. I don't know if
you saw it, but a couple months ago a bank, over a 3-day
weekend, had $9.8 million extracted from its ATMs. That was a
good cyber attack. Caught some of the guys who did it. The
mastermind probably lives in Russia, not under attack.
I don't worry too much about terrorists, and I'll tell you
why. Because terrorists are nuts. If they had the ability to
attack us, they would have used it, right? So, the notion that
they're waiting for Christmas or something--they know how to do
it. Eventually, they will get it, right? Eventually. And they
will not be constrained.
There are people who could attack us now: Russia, China,
some others. Our military--potential military opponents. Sorry.
And we know they've done reconnaissance on the electrical grid.
So, could they turn off the electrical grid in the event of a
conflict over Taiwan or Georgia? Sure. That's what it would
look like. Could they disrupt the financial system? They might,
if they thought that they were either in really desperate
straits or if they thought it wouldn't hurt their own bank
accounts, right? But, I think that's what you want to look for.
Right now, huge losses through espionage, growing losses
through crimes, and the potential of tremendous damage to
critical infrastructure if we get into a fight.
Senator Pryor. Thank you, Mr. Chairman.
The Chairman. Thank you, Senator Pryor.
Senator Begich.
STATEMENT OF HON. MARK BEGICH,
U.S. SENATOR FROM ALASKA
Senator Begich. Thank you very much, Mr. Chairman.
And I'll try to be quick with these, because I have to be
somewhere at 4 o'clock.
But, let me ask Admiral Barnett, if I can. I was listening
to your response to Senator Pryor in regards to, kind of, the
role the FCC is now playing or will play in the future. I sit
on the Armed Services Committee, and we've gotten briefings on
DOD issues around cybersecurity. Can you, from your
perspective--who do you think, within the general government--I
know Homeland Security, to some extent--but, who has the full
authority--for example, if you have recommendations of things
that should be done, who pulls the trigger?
Admiral Barnett. Well, I don't know that we have any
triggers to pull. We're a regulatory agency.
Senator Begich. Right. I understand that.
Admiral Barnett. But, we work very closely with the
National Communications Systems, with DHS, and that's where we
have most of our conversations, our information sharing. The
information that we do get is applied to the National
Communications System, on outages and network problems. We
would see that being extended to other types of problems that
we're talking about today.
So, primarily focused on DHS, although we work with a lot
of our Federal partners, including DOJ. We're a part of the
Joint Telecommunications Resource Board that advises OSTP.
Senator Begich. Do you think, just--in your experience at
this point, do you think they're well coordinated among the
agencies?
Admiral Barnett. Well, as far as I can tell, we have good
communications, we have good relationships and good information
flows. We have--I'm not positive, while I've been in office,
we've been tested on that. And for that reason, we participate
in exercises to make sure that there are good information
flows. Our most recent one was back in January, a tabletop
conducted with----
Senator Begich. Right.
Admiral Barnett.--OSTP and Joint Telecommunications
Resources Board.
Senator Begich. What's the--do you think the agencies that
you're working with have the resources they need to do the work
to make sure--or are there gaps that have been identified, or
you can identify?
Admiral Barnett. You know, Senator, I'm not positive I
could speak for those agencies. I can say that, after Chairman
Genachowski asked us to do our own review, part of the things
that we came up with is that we needed to increase our talent
pool with regard to cybersecurity, and consequently, we
launched a program to do that, to make sure that we have the
talent that we need.
It goes back to the question that the Chairman was talking
about earlier, is that we need to make sure that there's an
educational pool out there. One of the things that I've been,
even before coming to the FCC, concerned about is the
precipitous drop in computer science majors that this country
has been producing since 2000. I mean, I think it's like a drop
of almost 40 percent. It may have ticked up in the last year,
because I haven't looked at it, but it's very concerning.
Senator Begich. Do you have--and let me, if I can, kind of
move into that arena. And anyone can answer this after I make
this question--and that--or ask this question--and that is, Do
you think our ability to buy that talent--pay, compete against
companies like Oracle--do you think we have that capacity?
Admiral Barnett. Once again, I can only speak for the FCC.
One of the amazing things--it's just like when I was Active
Duty in the military--it's amazing to me that Americans are
willing to come forward, because of their belief in the country
and what we're doing. I'm positive that we'll be able to find
those folks, if we can educate them.
Senator Begich. Anyone else want to comment on that?
Admiral McConnell. There--I'm familiar with the current
talent pool, particularly in this area, particularly around
Fort Meade, over in Maryland, and there's just not enough
resources. So, my comments about educational bases--we're going
to have to do that. If I could offer another, sort of,
historical context, what was referred to a moment ago, the
NCS--the National Communications System--resulted from the
Cuban Missile Crisis. The President couldn't communicate with
the Cabinet officer. We had a single carrier--AT&T--so, a--an
arrangement was made. We had guaranteed communications for all
Cabinet officers, under any circumstances. That held until
Judge Greene's famous decision, which broke it up.
At that point--the question was--asked by Senator Pryor,
was exactly the key issue: Can the industry members come
together and have a discussion out of fear of the antitrust
legislation? And they couldn't do that. So, a secondary
organization was created, called NSTAC--National Security
Telecommunications Advisory Council. But, it's only focused on
telecommunications. That served the Nation well for 30 years.
It resided in Defense. It now is over in the Department of
Homeland Security. But, it's a public sector--U.S. Government--
and a private sector, and they collaborate, coordinate for
keeping communications working.
What--DHS, who under law has the authority for this
mission--defense--has proposed a construct patterned after NCS
NSTAC. It's called CPAC--Critical Infrastructure Protection
Advisory Council. Three chairs: Secretary of Defense, the DNI,
and the Secretary of Homeland Security. Three co-chairs. You
pick the largest segments of industry--critical
infrastructures--to come together. You have to have public
meetings, with government participation, with minutes that are
published to the public----
Senator Begich. Sure.
Admiral McConnell.--and you talk about the issues, like
technology or policy or operations, to address these issues.
Now, that has been proposed. My sense, that it hasn't gotten
the traction that it needs. Perhaps that would--may be
something that you could consider, in your bill, to put some
energy behind it.
Senator Begich. Yes, that's a good question.
My time is up, but, Dr. Lewis, I saw you--maybe you could
do a quick response.
Dr. Lewis. Sure. Just--I wanted to come back to the
educational point. And it's not a fluke that we have two
admirals sitting here, because the Navy's paid a lot of
attention to that--to cybersecurity and to cryptology. They're
coming up with a scholarship program. There's something called
U.S. Cyber Challenge, which CSIS has been a little involved in,
and it's an effort to get kids interested in cybersecurity, in
hacking contests. It's really good.
There's a chance to rebuild the university programs. And
Admiral McConnell mentioned the National Defense Education Act
of 1958. And what that did is, we said, ``Hey, the Russians are
ahead of us. We need a lot of engineers and mathematicians and
foreign language specialists.'' Five years later, we had them.
So, yes, you can fix this, with the right sort of investment.
Senator Begich. Thank you very much, Dr. Lewis.
I--my time is up, Mr. Chairman. Thank you for the
opportunity.
The Chairman. I've got to stick with that, Admiral.
Senator Klobuchar.
STATEMENT OF HON. AMY KLOBUCHAR,
U.S. SENATOR FROM MINNESOTA
Senator Klobuchar. Thank you very much.
And do you have to leave, Admiral McConnell? Is that
correct?
Admiral McConnell. I do, and I want to offer a last
comment. But, I----
The Chairman. Please.
Admiral McConnell.--a little over time--just offer my last
comment.
The Chairman. Yup.
Admiral McConnell. Something that hasn't been mentioned; I
want to make it harder. We've talked about cybercrime and
cyberwar, and on and on. I'm thinking about a new idea, and I
will call it ``Insidia.'' Insidia means that an adversary
builds into our infrastructure. They do what they're doing now,
in terms of taking our intellectual capital, and now they harm
the infrastructure for competitive advantage, if and when they
choose to do so. That is possible today.
So, let's say that a--you pick it--country X is going to
introduce a new product, and they want achieve dominance in a
market. They could cause things to happen in our
infrastructure, that we don't even recognize, that would
disadvantage us in a competitive way.
So, it's early in my thinking, but I'll just leave the
thought with you. Insidia. Just something I made up, but it
could happen today. And the reason I know it could happen today
is, I know we could do it, if we chose to do so.
The Chairman. The great question, ``If we chose to do so.''
Voice. We've been investigating that for the last several
years, so I can give you background, if you'd like.
The Chairman. Great.
Senator Klobuchar. You know, just following up on some of
the issues raised about the lack of expertise and not enough
computer science majors. I'm a former prosecutor, and I always
remember how difficult it was when we even had simple computer
crimes and the police would show up, we didn't--and they'd
press a button, and then all the porn would vanish from the
screen, and we'd lose the computer evidence. And that's a
really tiny example, compared to what we're dealing with here.
What do you think about the ability--just as you're
concerned about computer science degrees--of law enforcement
right now? Because I've always said we need to be as
sophisticated as the crooks we're trying to pursue, whether
it's internationally or whether it's domestically. What do you
think needs to be done there? I'm a member of the Judiciary
Committee, as well.
Mr. Borg?
Mr. Borg. When we were looking at it, we discovered that
actually the law enforcement is getting increasingly
sophisticated about handling their evidence, but, they're not
very sophisticated about their own vulnerabilities. We looked
at the crime labs and discovered that we could, or somebody
could, hack into most of the crime labs that we've looked at,
alter evidence, if they chose, do all kinds of mischief. So,
we've got some huge issues there.
Senator Klobuchar. OK.
Mr. Borg. Think if somebody for hire could tamper with just
the chain of evidence for any prosecution that depended on
physical evidence. That's the situation we're in right now.
Senator Klobuchar. Right. Well, and part of what I think is
just the training, again, and being able to hire people who
have that kind of computer forensics experience.
Yesterday, the Federal Trade Commission issued a report
that revealed widespread data breaches by companies, schools,
and local governments whose employees are engaged in peer-to-
peer file sharing. The software was also implicated in a
security breach involving the President's helicopter, and other
cases. I'm actually working on some legislation along these
lines, that we're going to be introducing soon. But, could you
talk a little bit about how this could be a national security
threat, and what can be done about the human element in all
this, about employees even inadvertently sharing confidential
files?
You want to talk about peer-to-peer?
Dr. Lewis. Well, you know, we're coming to a--sort of a--
we're at the early days of, I think, new thinking about
cybersecurity, and that's where the work of this committee's
been really valuable.
I talk to a lot of companies. What they've--what I've
learned is that some of them have fabulous best practices,
right? Now, usually they've been companies that have already
been hit, right? So, I talk to a giant oil company, they had
a--they were hacked, and lost millions of dollars, and now they
do everything right. One of the things they do is, they
severely limit the ability of employees to use this kind of
software.
We can think of many examples. It's fun, if you think about
some of them, you can type in ``tax return'' and it will, for
systems that are not set up, show you people's tax returns.
But, we now are beginning to identify practices that work in
improving network security, and this is one of them.
So, the question is, How do we populate industry with those
best practices? How do we tell them what they are? How do we
get them all to do the right thing, when it comes to file
sharing?
Senator Klobuchar. Very good.
On February 16, the Bipartisan Policy Center sponsored the
Cyber ShockWave exercise, which brought together former high-
ranking national security officials to evaluate how they acted
when there was a realtime cybersecurity emergency. And one of
the problems the simulation exposed was the lack of clarity
regarding government authority to regulate private-sector-
controlled infrastructure systems, such as telecommunication
networks and the electrical power grid, during such an
emergency. Do you have any views on what steps should be taken
to clarify the ability of government to assume temporary
control of infrastructure during a cybercrisis?
Dr. Lewis. Well, I think, I'm--I don't want to talk too
much; I'll let somebody else jump in, too, but--there's a
provision in the bill that I think could be very helpful. And
one of the things that we need to think about is, In an
emergency, do we want the President to have the things he needs
to do to protect the American people? And I'm not sure the
scenario got it right. I'm not sure that the President wouldn't
scrounge around--they have some very smart lawyers over there--
and maybe under the International Economic Powers Act or--
pardon me--International Economic Emergency Powers Act, or some
other act, we could come up with a solution. But, I think the
ability to intervene in a crisis is essential, and giving the
President that authority clearly is going to be essential for
national defense in what's become a new kind of warfare.
So, in that sense, the provision in the bill, which I
understand has gone through many changes, really could be quite
helpful in making the Nation more secure.
Senator Klobuchar. Mr. Borg, in your testimony, you stated
that cyber attacks have already done damage to the American
economy, much more than is generally recognized, due to massive
thefts of business information. Could you talk about some of
the examples of what you most see with business information
thefts, and what was, or not, done by individual corporations,
what you think they could do better?
Mr. Borg. It's very tricky to talk about this, because
we've been warned by lawyers that if we even hint about an
actual example, we will be sued by everybody involved--the
company----
The Chairman. Could you say that again?
Mr. Borg. Is that--what?
The Chairman. Could you say that again?
Mr. Borg. We've been warned by lawyers that if we even hint
at a real example, so that somebody could begin to identify it,
we will be sued by everybody involved, because the business
leaders who let this happen will face shareholder lawsuits,
they will--their companies will feel obligated to sue the
beneficiaries, who will countersue, claiming libel, and so on.
So, the whole thing is, legally, a mess. As a consequence,
nobody wants to talk about this. This is huge.
Senator Klobuchar. Right.
Mr. Borg. This is just gigantic.
Senator Klobuchar. Well, but there's--sometimes there are
publicly known examples that maybe you could----
Mr. Borg. There aren't for this one.
Senator Klobuchar. OK.
Mr. Borg. We do have companies that had very, very
extensive intrusions that coincided with similar facilities
being built in Southeast Asia. The facilities in Southeast Asia
are ones that nobody is allowed to visit--we think, because
they would suspiciously like the facilities here that they are
replicating. They were, when they opened, able to function very
efficiently, offer very low prices, with no particular strain
on the corporation that was running them. So, we think whole
factories are being replicated in other parts of the world.
Senator Klobuchar. Wow.
Mr. Borg. The economic consequence is that whole industries
are potentially going to be stolen over time. It happens
gradually. It's being slowed down by certain obstacles right
now, the chief one of which is, there aren't enough people in
some of the countries and areas of the world that are receiving
this information to sort it all out; there isn't enough
expertise in American ways of doing business to utilize all the
information they've got. But, potentially, we're looking at the
viability of entire industries being undermined over time. And
the thing is just going abroad.
Senator Klobuchar. And so, if they had the appropriate
people, they would just be able to basically replicate a
company, is what you're saying?
Mr. Borg. Yes, that's right. Except without the expenses of
having to do the R&D, to go through the learning curve, to do
all the other things. You can open a facility, and, on the day
you open, have a level of efficiency that it took the American
market leaders 6 years to get to.
Senator Klobuchar. Anyone else?
Dr. Lewis. Let me give you a real quick example. I don't
care if anybody sues me, but--I heard an example I thought was
astounding. It was about a small furniture company, right? A
couple hundred employees, you know, not a big revenue--they
make wooden furniture. They got hacked, and somebody stole all
the designs for the wooden furniture. Now, you all know that
there are countries in the world that are good at making low-
cost furniture, right? And now they have the designs, the
intellectual property. They have the newest styles, and they
can get it on the market faster--as Scott said, on the market
faster, at a lower price. That American company has really been
hurt, right? And that's what we're looking at.
But, the notion, to me, that it's worth this--how pervasive
is this, if you're going to be hacking small furniture
companies that make wooden furniture? It's amazing. We don't
realize what's happening to our country.
Senator Klobuchar. OK.
Mr. Borg. Something else here that's very important, that's
not understood, is that all of the information for all the
pressures, temperatures, switches for an entire factory, and
all the schematic diagrams, can be stolen. We're not talking
about stealing the formula for Coca-Cola. We're talking about
sucking all of the information out of a company.
Senator Klobuchar. Well, thank you very much. It sounds
like we have a lot of work to do here.
The Chairman. Kind of, yes.
Senator Thune.
STATEMENT OF HON. JOHN THUNE,
U.S. SENATOR FROM SOUTH DAKOTA
Senator Thune. Thank you, Mr. Chairman. And I want to thank
you and the Ranking Member for holding today's hearing on a
very important and oftentimes overlooked subject,
cybersecurity, which, as we've heard, has great consequence for
our security and our economy. And I think we have to remember
that we're under constant attack. Our critical infrastructure
and the Internet backbone of our economy remain extremely
vulnerable to these cyber attacks. And there was a recent GAO
report that states that cyber attacks could cost our economy
$100 billion annually in the near future. And so, I think it's
important that this committee give the appropriate, sufficient
attention to this important subject.
I know some--the questions have been posed--Senator
Klobuchar and I are working on the peer-to-peer issue, and some
legislation with regard to that. But, I--what I'd like to do is
just ask a couple of questions to the panel and whoever would
like to respond to these.
The Wall Street Journal recently reported that hackers in
Europe and China hacked into computers in over 2,500 companies
and government agencies. And what's probably even more shocking
is that they infiltrated these systems for several months
before they were being detected. How do we improve the
identification of these attacks, to stop the activity before
they do additional damage?
Mr. Borg. One of the problems is that we focus so
exclusively on perimeter defense that once somebody has
penetrated the system, we don't have adequate devices to spot
what's going on. One of the things that we urgently need to
develop is industry-specific, sometimes even business-specific,
monitoring capabilities that will set off alarms when these
systems are being misused and when information is being
improperly moved about.
Dr. Lewis. You know, the Journal article was interesting. I
think it's the third or fourth time I've heard of something
like this--massive penetrations; hundreds, if not thousands of
companies. It's an ongoing program. It's a nice program,
because you're not going to get caught. And even if you do get
caught, there are no consequences.
So, one of the things we want to think about is, When we
see people committing a crime, what are the consequences? And
right now, if there's zero consequence, there's almost zero
risk.
I've talked to a few of the big financial companies and
said, ``Do you have trouble telling who is doing bad things to
you?'' And what they usually say is, ``No.'' They can follow
the money, they see where it goes, they know who's doing it to
them. But, right now, we don't have any way to go to these
other countries and say, ``Hey, some of your citizens are
committing crimes in our country. Would you do something about
it?'' And so, whether this is something for the World Trade
Organization, whether it's for the World Intellectual Property
Organization, whether it's for INTERPOL, we need to start going
after people who do these things. And right now, they've gotten
a free ride.
Senator Thune. I'm just trying to think about what our role
is, in terms of a worldwide problem. And if you don't have the
capability of enforcing or imposing some sort of penalty or
punishment on people who do this, you're right, there's no
consequence to it. I don't know what would keep them from
continuing to do it.
The question I have, dealing with the first response, which
said coming up with some industry-specific or even company-
specific mechanisms of dealing with that, Do you see some role
for the Congress in that process? I mean, it seems to me that
the companies that are impacted by this are, maybe, better
positioned to do that.
Mr. Borg. When I've talked about the need for this kind of
tool, this kind of software, to people in the security
industry, they have regularly said, ``Oh, yes, we're really
eager to jump into that market as soon as it's pioneered. We
don't want to be the first mover, we want to be ready to--once
the market is formed.'' So, there's a huge opportunity here for
the government to seed that market, to be a guaranteed
customer, to, in some cases, be an initial supplier, providing
some prototype tools. And then, I think, once that is set up,
the security industry will be ready to move into it. But, it's
another example of a market that's not working properly, that
could be fixed by government intervention.
Ms. Davidson. If I can echo that--and I'm sorry Admiral
McConnell is no longer here, because he was using the railroad
industry as an example. There is a role for the government in
promoting the use of standards. And why do we care about that
in this context? Part of what would make it easier for people
to not only have better situational awareness, but to be able
to connect these types of dots, is having standards around what
type of records or censor records you need to keep in a system,
and the way in which that is expressed. And the reason for
that--why do the railroads tie into that? Because, a long time
ago, the railroads didn't have a standard train gauge. And the
reason it's--I think, 4 feet, 8-and-a-half inches, is because
the government stepped in and said, ``We want to build a
transcontinental railroad--that's a public good--and we're
going to tell you what the train gauge is going to be, so we
can put the pieces together, and you can get on a plane on the
East Coast and go all the way across the West Coast.'' The
government could actually promote the use of standards around
audit records in such a way that would be not only how the--the
nerdy bits and bytes of how they're described, but also what
kind of record you have to keep. And by doing that, and
promoting it through procurement, you could effectively tell
your suppliers, ``We're going to change--we're going to tell
you what kind of train you're going to build and what the train
gauge is going to be.''
NIST is very good at getting industry to participate in
that, and that could actually help make--create the
infrastructure of security which can help secure critical
cyberinfrastructure.
Senator Thune. And there are multiple government agencies
that deal with, and have some role in preventing, cyber
attacks. You've got Defense, Homeland Security, Commerce, FCC,
FBI. And this was actually going to be a question more for
Admiral McConnell, but I'm interested in knowing, from your
observation, how the coordination--level of coordination is
between those various agencies, and is there anything that this
committee could do to ensure that they're working in a more
efficient and coordinated manner to prevent cyber attacks?
Admiral Barnett. Senator, from the FCC's perspective, we--
Chairman Genachowski is focused on making sure that we have
good communications with our Federal partners. And that's not
just for cybersecurity, but emergency management and other
responsibilities that we have. So, there's certainly a focus on
this. I mean, I think there's a desire to make sure that we do
the best. And for that, there's a lot of communication, I would
say, with regard to the exercises that you're seeing. I can't
say that there may need to be some more, and I can't speak to
all agencies, but there certainly is communication going on
about the threat.
Dr. Lewis. You know, we want to recognize that progress has
been made in the last year, or even a bit longer. So, there is
more cooperation than there used to be, and more coordination.
And hopefully the appointment of a new cybercoordinator at the
White House will help that.
But, you're all familiar with what happened on December
25th in Detroit. And that was a--in some ways, a problem with
coordination among Federal agencies. Again, on the
counterterrorism side, we're much better off than we were 9
years ago. But, you can still see problems, and I'd say, in
cyberspace, the coordination is not as good as it is in the
intelligence community and the counterterrorism community.
So, good progress, but still a long ways to go. And that's
where congressional attention, measures like this bill, can
help encourage the Federal Government to move in the right
direction.
The Chairman. Thank you, Senator Thune.
Senator Snowe.
Senator Snowe. Thank you, Mr. Chairman.
Dr. Lewis, I wanted to ask you about the cybercoordinator
position and the appointment of Howard Schmidt, as you
mentioned, being a coordinator, rather than a Senate-confirmed
position. And, for example, he is not able to testify before
this committee on this issue. So, how important is it to have a
Senate-confirmed position on this question?
Dr. Lewis. Well, I think, in the long run--and hopefully
the long run won't be more than a few years--we're going to
need something like USTR, right? Or maybe some of the other
agencies that exist. We're going to need a specific agency that
will be appropriately staffed and have the right authorities to
do this. And that position, just as the USTR positions are
confirmable, would make sense. So, I think, good first step
there, appointing a coordinator. We're on the right path, but
we've got a long ways to go.
Senator Snowe. Yes.
Dr. Lewis. And, you know, when you think about it, this is
a new infrastructure--you've heard that from everyone--that we
depend on. But, we haven't adjusted the government to that. And
moving toward that Senate-confirmable position would probably
be a good idea.
Senator Snowe. Does anybody else have an opinion on that
question?
Ms. Davidson. Well, I can't comment on the structure, but I
can certainly comment on the individual. I think Howard Schmidt
is probably the very best possible person who could have been
chosen for that position, who commands tremendous respect in
industry, and his sole agenda is to make things better. And
because of his--because of who he is, there will--people who
will line up to do things for him because it's Howard asking. I
think it was an outstanding appointment. You just could not
have had found anybody better. It will be a very difficult job,
but if anyone is up to it, it is--he is absolutely the right
person for that.
Senator Snowe. Well, I just think it's--given everything
that we've discussed here today and, obviously, the
significance of this issue and the fact that, as the President
described, it's a strategic national asset, I think it should
be elevated so we have that conversation, and that--more
importantly, that he reports directly to the President of the
United States. I mean, I think that that sends a very critical
message, frankly. And that relationship should be developed at
the outset, as we're beginning this process and, hopefully,
getting legislation in place. That's going to be absolutely
critical in that regard; otherwise, we're not going to have the
benefit, other than in private meetings, to have those kind of
discussions, when, in fact, they should be part of the public
arena.
I would just like to ask you, Are you familiar with the
NetWitness report, by any chance? And how would you
characterize the extent of that attack?
Dr. Lewis. Interesting company. The fellow who runs it is a
guy named Amit Yoran. Like Howard, he has tremendous respect,
long experience. And so, it's good that they came out with
this.
Interesting report, but, for me, it wasn't a big surprise.
I mean, this is sort of the normal business, here. How many
times have we seen this in the past: ``Somewhere in Eurasia,
there's a group of hackers, and they've penetrated hundreds or
thousands of American companies.'' You know, it's just--this
one wasn't particularly sophisticated.
One of the things to bear in mind is that we have more
sophisticated opponents than the fellows we stumbled across
here. The NetWitness report just helps reinforce the kind of
pressure we're facing.
Senator Snowe. Dr. Borg?
Mr. Borg. There were a couple of things about it that were
a little bit interesting. One is just the scale of it, and the
other is that it used two botnets in conjunction. Each time we
have one of these, they're a little more sophisticated, they
have another little new twist, something here or there. So,
it's a sign of an ongoing process of attackers just getting
better and better, more talented.
Senator Snowe. Getting increasingly sophisticated? Yes. And
how do we keep pace with that sophistication?
Mr. Borg. Well, one of the ways we're not keeping pace is
by having departments of cybersecurity where, in the graduate
programs, there are no Americans. A lot of our leading programs
literally have no American students at the Ph.D. level, or
sometimes even the master's level. We're training a lot of the
world in cybersecurity better than we are our own people.
Senator Snowe. What accounts for that? Is there any reason
for that, or does it just happen to be the way it is?
Mr. Borg. If you're Indian----
Senator Snowe. By----
Mr. Borg.--or Chinese----
Senator Snowe. Yes.
Mr. Borg.--or from some other part of the world, there is
greater motivation and a bigger gain from getting a degree in
cybersecurity than if you're American.
Ms. Davidson. Well, and to that point, a lot of the--you
know, how do we keep up with it? I actually have a team of
hackers who work for me. They're ethical hackers; their job is
to break our software before someone else does. They are also
the ones who author our coding standards: How do you write
secure code? And those are in a constant state of revision, not
only for new things that are publicly known, but new, nefarious
ways they find to break our software. And we train all our
developers on that. So, it is constant revision, because there
is always something else malicious coming down the pike.
Admiral Barnett. Senator, of course, I have a son who's in
computer security, so I'm not going to complain about the
American education system; I think we do have the ability to
train the people we need. But, there needs to be an emphasis
on--it has been a concern of mine--I mentioned the precipitous
drop in the number of computer science degrees that we are
producing. I might mention the number of women that we are
producing, and that has dropped even further. There's a good
deal of research of the reasons for that. We need to attack
those directly and reemphasize getting American kids ready to
go into computer science programs--so, we have to start earlier
than college--and then making sure that they're incentivized to
do that, and attack all the various reasons, some of which are
cultural--there are various reasons, too, that we can provide
to you.
Senator Snowe. Well, that's interesting. And that's
something that is part of our legislation that we're focusing
on, on the training and the certification of cybersecurity
personnel. But, that's clearly an emphasis that we have to
make.
So, then would it be very difficult for the Department of
Homeland Security to, you know, hire up to 1,000 cybersecurity
personnel over the next 3 years? Is that ambitious, or is that
doable?
Dr. Lewis. It's probably doable. They came in with only
about a third of their positions filled. They had 1,000 slots,
and I think they had about 300 filled. And in the intervening
year, I think they've moved that up to about 50 or 60 percent;
they've done a good job.
There's three problems. First, the shortfall of trained
personnel means DHS is competing with NSA and with DOD, with
FBI. And, let's face it, it might be more fun to work at NSA or
DOD than DHS, right? So, they've got a competition problem.
Second, a lot of the hiring processes that we have in the
Federal Government don't help. And so, somebody gets hired by
DHS, and then they're told--and this happens at other agencies,
too--``We've hired you, and in another 6 to 8 months we'll be
able to actually bring you on board.'' And, of course, people
can't wait 6 to 8 months for a job. So, a lot of people leave
early.
Finally, there's this--again, this shortfall problem, which
is that somebody comes to DHS, they get good training, they get
some good experience, they get a clearance, and they're
suddenly a lot more attractive to the private sector. So,
you've got an outflow problem, too. And all these things are
not impossible to beat; we've beat them in other agencies. But,
while there has been really good work done at DHS, I think they
could use some help on the recruitment side.
Senator Snowe. Thank you.
Thank you, Mr. Chairman.
The Chairman. Thank you, Senator Snowe.
Let me kind of close up here by saying, you've been a
fabulous panel, all of you. And you, too, Admiral McConnell,
wherever you are. I mean, you really know your stuff. You speak
with the kind of cold clarity which this subject deserves.
Senator Snowe and I are very happy that we've introduced our
bill. And when listening to you, you know, you just ask, Is
it--was it done in time? Can it make a difference? And the
answer has to be yes.
And let me say the things that worry me. One is the whole
question of starting kids out. Right now, there's this
enormous--which was brought on point--emphasis on STEM--
Science, Technology, Engineering, and Mathematics. We
desperately need that. Is there a way that--and the kids are so
good--my son was--two nights ago he called up, and he's really,
really good on computers, and he was doing--he was at war with
a hacker, trying to fight back, and, you know, very, very
sophisticated stuff. He's 30, so that makes it a little easier.
But, the--trying to integrate this somehow--we don't have that
choice, do we?--into early education. We do not have that
choice. And if boards of education say they don't have that
money, we still do not have that choice.
The second thing is that the problem is so pervasive, so
overwhelming. We're talking about the public sector and the
private sector and all the--your 6- to 8-month vetting, you
know, the horrors of the Federal Government and its vetting
process, and people just say, ``You know, I can't wait.'' So,
you lose good people. The salaries involved. The budget
restrictions we're now going through for the next number of
years, because of our deficits. And yet, you know, put it in
comparison to the dangers of these massive cyber attacks, which
are not, you know, unlike another terrorist attack, something
of the future, you know, next week, next month, next year;
they're all day, every day, as I quoted at the beginning, from
a DOD person. I mean, it's just happening all the time, sucking
the blood. I think, forensically, it takes 4 minutes to drain
the blood out of a person, and, you know, that's not a
particularly attractive analysis, but it's a cogent one, that
this is a really serious, desperate problem and that bills at
any--you know, any kind of effort is going to be important, and
we have to, all of us, decide how to do this.
You know, we talk about the Federal Government and the
stovepipes that Olympia Snowe and I have dealt with on the
Intelligence Committee, and the intelligence community has
gotten a lot better since we had a DNI, but they are by no
means cured. People tend to hold on to their territory, and
they don't give it up easily. And I--that has to be true in the
corporate world, for some, you know, very clear and
understandable reasons.
So, how do we make it all work? How do we get people to
together? How do we create the sense of urgency, at a broader
lever, in which we do things we've just never done before as a
country? Which I think is what it amounts to. Yes, we've got to
give the President the right to intervene. And that's
controversial. That's all--that'll always be controversial.
But, Senator Snowe and I believe that needs to be done.
But, let me leave you with one happy thought, just for
practice. Last year and this year and the year before, on the
two sides, let's say, of American young people looking for
careers, one is in the intelligence--the world of
intelligence--the CIA, NSA, et cetera--the applications for
those agencies, in number and in quality, have never been
higher. So, they're swamping these agencies with applications
to work there. And incredible--and I've done this, and I'm sure
that Senator Snowe has, too--you go and meet some of these
young people working for CIA or whatever--they're fantastic.
And so, that's national security.
On the other end is the Peace Corps or Teach for America.
But, just take the Peace Corps for a moment. They have never
had so many applications, ever, and of such high quality.
So, to say, on the one hand, that we don't have enough
Americans doing this, that people from other countries--they
used to get their degrees and stay here, because it was more
profitable. Now, they're being called home, and they're
patriotic, and they're doing--I mean, I can't criticize them
for what they're doing. It's just that it makes our life more
difficult.
So, I think that, with the depth and desperation of the
problem, mixed with this sort of hopeful and positive attitude
to be engaged in serious matters, cerebral matters, of young
people in this country, we've got to find our way out of this.
And we won't do it quickly, but we sure have to do it.
So, thank you very, very much, all of you.
The hearing is adjourned.
[Whereupon, at 4:35 p.m., the hearing was adjourned.]
A P P E N D I X
Prepared Statement of Hon. Tom Udall, U.S. Senator from New Mexico
Thank you, Chairman Rockefeller, for again focusing this
committee's attention on cyber security.
Since this committee met last year to discuss this topic, we have
witnessed a number of alarming cyber attacks and data breaches.
In December, Google announced that they--and probably many other
American companies--had been infiltrated by cyber attacks that
originated in China. Apparently the hackers specifically targeted
Chinese activists who used Google services. However, many other users
and companies could be harmed by this type of cyber attack.
In January, we learned that the National Archives apparently lost a
hard drive that had over 100,000 Social Security numbers for workers
and visitors to the White House.
This month, a cyber war game exercise also illustrated some of the
Nation's vulnerabilities to a sophisticated cyber attack and the need
for a nimble and coordinated response to protect our infrastructure.
So, I welcome the opportunity to ask a few questions today about
how we can do more to protect consumers, companies, and the Nation.
______
Written Questions Submitted by Hon. John D. Rockefeller IV to
Vice Admiral Michael McConnell
Question 1. What are the key elements of public-private teamwork
that are not in place today that should be?
The witness did not respond.
Question 2. Would it make a difference if more senior executives in
the private sector were granted security clearances?
The witness did not respond.
Question 3. What about cybersecurity? Are you confident that the
everyday American citizen knows the threat that we are under, and knows
how to make his or her own home or business safe?
The witness did not respond.
Question 4. Should there be basic cyber awareness and education as
part of the normal curriculum in elementary and secondary school?
The witness did not respond.
Question 5. What can the government and private sector do together
to solve this labor shortage problem?
The witness did not respond.
Question 6. What can we do to inspire young students to aspire to
serve their country by being a cybersecurity professional?
The witness did not respond.
Question 7. What must the government do better? What must the
private sector do better? What responsibilities do both have to the
public at large?
The witness did not respond.
______
Written Questions Submitted by Hon. Tom Udall to
Vice Admiral McConnell
Question 1. Admiral McConnell, your statement sounds the alarm
about threats to our infrastructure. You note that the United States is
not doing enough to promote cybersecurity and that the country needs a
coordinated approach involving the public and private sectors. Our
national labs--which are the crown jewels of our Nation's research
system--are active in efforts to promote cyber security. In my home
state of New Mexico, Sandia National Laboratories is engaged in efforts
to secure the national electrical grid from cyber attack. Los Alamos
National Laboratories is a leader in quantum cryptography. What role
should our National Labs have in the efforts you describe to protect
our Nation from cyber attack?
The witness did not respond.
Question 2. Some experts say the arrival of ``Cloud computing''
could be as important and as disruptive as the advent of the World Wide
Web. Eric Schmidt, the CEO of Google, has written that, ``We're moving
into the era of `cloud' computing, with information and applications
hosted in the diffuse atmosphere of cyberspace rather than on specific
processors and silicon racks. The network will truly be the computer.''
How can we be sure to realize the benefits of cloud computing given
very real cyber security threats?
The witness did not respond.
Question 3. What is the role of government and private industry in
protecting sensitive data as it increasingly moves from desktop devices
to the ``cloud''?
The witness did not respond.
______
Response to Written Questions Submitted by Hon. John D. Rockefeller IV
to Dr. James A. Lewis
Question 1. What are the key elements of public-private teamwork
that are not in place today that should be?
Answer. The most effective partnership models are based on small
permanent groups of senior business leaders from the corporate
headquarters who regularly interact with senior government officials.
Only two or three groups (DOD's ESF, DHS's CIPAC and perhaps NSTAC) now
follow this model. The key elements are trust and authority--trust
comes from regular meetings among the same people and authority comes
from the ability to make binding decisions. Many existing groups are
not designed to provide trust or authority.
Question 2. Would it make a difference if more senior executives in
the private sector were granted security clearances?
Answer. Classified briefings on the nature and extent of the threat
are very effective in alerting corporate CEO's to the problem they
face. Classified briefings have been one of the most effective parts of
the DOD's Defense Intelligence Bases initiative.
Question 3. What about cybersecurity? Are you confident that the
everyday American citizen knows the threat that we are under, and knows
how to make his or her own home or business safe?
Answer. I do not believe we should make citizens responsible for
the national defense. There are some minimal activities (keeping anti-
virus software updated) that citizens now need to perform but we would
be better served by shifting security to service providers. Nobody has
to program their land-line phone or install anti-virus software on it.
The same model should apply to the Internet.
Question 4. Should there be basic cyber awareness and education as
part of the normal curriculum in elementary and secondary school?
Answer. Wouldn't hurt, although we shouldn't expect too much from
it.
Question 5. How can the Federal Government bolster market-based
private sector incentives to drive innovation in cybersecurity and
raise the bar on cybersecurity standards and best practices?
Answer. The same way it drove innovation in automobile safety: by
setting goals and requirements and then letting the companies figure
out how to implement them.
Question 6. Does the American public have the right to expect that
U.S. private sector critical infrastructure companies are looking out
for the safety and security of the American people? Should this
interest in public safety an integral aspect of the private market for
IT products and services?
Answer. In most other areas of public safety we expect critical
infrastructure companies to meet minimal standards. It is time to
extend this to cybersecurity. In many cases, regulatory authorities
also allow companies to impose a small surcharge to cover the
additional cost of safety measures. This too must become part of a
national effort to secure networks.
Question 7. What must the government do better? What must the
private sector do better? What responsibilities do both have to the
public at large? With this in mind, how can we fashion a public-private
partnership, based on trust, that allows for sharing of confidential
and/or classified threat and vulnerability information between the
government and critical private sector networks?
Answer. National security is the responsibility of the government.
We should not assign this function to citizens or companies if we wish
to succeed. Government needs to be better organized and have a clear
strategy for defense. The best analogy might be to city policing: yes,
we want people to lock their cars and doors to buildings, and exercise
a little common sense, but at the end of the day it is the
responsibility of the city authorities to bring crime rates down. Our
current approach to cyber security is like the crime fighting approach
in New York City in the 1970s. We need to change that.
Question 8. Would government and private cybersecurity efforts
benefit from ``vulnerability mapping'' of major U.S. networks, public
and private?
Answer. Only if the mapping was then tied to some action to either
improve defenses or increase resiliency.
Question 9. What are the specific risks to such an activity?
Answer. Since our major opponents have probably already done this,
any additional risk is likely to be small.
______
Response to Written Questions Submitted by Hon. Tom Udall to
Dr. James A. Lewis
Question 1. The recent Bipartisan Policy Center cyber war game
exercise examined a potential attack that first affected wireless cell
phones. As computing and networking technology become integral to all
manner of consumer goods, it seems that new cyber attack
vulnerabilities will only proliferate. In today's business landscape,
supply chains stretch across the globe and companies often acquire
other firms to gain access to new software and technologies for their
products. This makes it more difficult to know whether a product may
contain cybersecurity vulnerabilities from a single component or piece
of software code from an outside supplier or other firm. How is
security of the final assembled product affected in an environment in
which new links are so frequently added to the product's ``chain''?
Answer. Most companies have processes in place for quality control
that provides some level of protection. A skilled adversary could
bypass these, but it would be expensive to do so. The larger problem is
that as manufacturing and invention shift form the U.S. to Asia, our
vulnerability to supply chain corruption may grow.
Question 2. How are leading technology companies bringing the
security of acquired products in line with their own standards for
cybersecurity?
Answer. The most advanced companies buy from trusted suppliers,
engage in testing, and rely on their network defenses to identify
anomalies (such as effort to exfiltrate large amounts of data) after a
new device or program is installed.
Question 3. What is the role of Chief Security Officers or Chief
Technology Officers in assuring best security practices are implemented
in such cases?
Answer. It varies from company to company. The best practice is for
both CSO and CTO to work together to build secure networks.
______
Response to Written Questions Submitted by Hon. John Ensign to
Dr. James A. Lewis
Question 1. Are there any legal restrictions we should focus on
that make it more difficult for industry and government agencies to
share the information needed to protect our critical cyber
infrastructure? Are there any barriers that Congress needs to
eliminate, or any legal flexibility we can provide to foster the
necessary sharing while still protecting sensitive or proprietary
information?
Answer. The main problems are the need to have personnel with
security clearance to receive some information and the perception that
the government does not share fully. It may be possible to streamline
the clearance process for lower classification levels (Secret, for
example).
Question 2. What mechanisms are in place for private companies to
report cyber intrusions (either originating domestically or overseas)
to the Federal Government?
Answer. Different parts of the Federal Government receive reports
of cyber intrusions. DHS, FBI, Secret Service and, in some instance
DOD, all get reporting from companies, but the information is not
always available to other agencies.
Question 3. What is being done to encourage private companies,
particularly those with government contracts, to report cyber
intrusions (either originating domestically or overseas)?
Answer. DHS, FBI, Secret Service and DOD have outreach programs,
such as FBI's Infragard program
Question 4. Do government contractors have an ethical or statutory
obligation to report cyber intrusions (either originating domestically
or overseas)?
Answer. DOD has begun to require reporting from companies in the
Defense industrial base and in some instances companies have reported
breaches in their SEC filings, but there is no consistent requirement.
Question 5. Do government contractors with classified information
on their servers and individuals with security clearances on their
payrolls have a statutory or ethical obligation to report cyber
intrusions (either originating domestically or overseas)?
Answer. This requirement may be part of their contract of part of
DOD acquisitions regulations--the DFAR.
Question 6. When Request For Proposals (RFPs) are put out for
contracts that involve sensitive or classified information do all of
these RFPs require that bids include the number of successful and
unsuccessful cyber intrusions committed by domestic or foreign entities
(either originating domestically or overseas)?
Answer. I do not know of any specific requirement.
Question 7. In your opinion, if a private company believes that it
has been the victim of a cyber intrusion (both originating domestically
or overseas), which is the appropriate agency that it should report
this intrusion to?
Answer. The FBI.
Question 8. In your opinion, if a government contractor believes
that it has been the victim of a cyber intrusion (both origination
domestically or overseas), which is the appropriate agency that it
should report this intrusion to?
Answer. The FBI and the contracting agency.
Question 9. In your opinion, if a government contractor that is
working on a sensitive or classified project and believes that it has
been a victim of a cyber intrusion (both origination domestically or
overseas), which is the appropriate agency that it should report this
intrusion to?
Answer. The FBI and the contracting agency.
______
Response to Written Questions Submitted by Hon. John D. Rockefeller IV
to Scott Borg
Question 1. What are the key elements of public-private teamwork
that are not in place today that should be?
Answer. The public and private sectors should be discussing how to
engender the sort of market environment that will allow the creative
potential of American corporations to be turned loose on our collective
cyber-security problems. This hasn't happened yet.
Instead, our ability to tackle the challenges of cyber security is
being severely limited by established interests and obsolete ways of
thinking. Even the threat of government regulation and the promise of
big profits from government contracts or subsidies are not solutions,
but serious impediments to real cooperation. Both get corporations
thinking in terms of lobbyists and public relations, rather than
problem solving.
Question 2. Would it make a difference if more senior executives in
the private sector were granted security clearances?
Answer. Giving more senior executives security clearances would be
of little help. The population that needs to be reached is much larger
than the group to whom it would be practical to grant clearances. What
is needed, instead, is a set of better incentives for declassifying
information and an improved system for circulating it, while respecting
its sensitivity.
In general, the whole system of government security clearances is
ill-suited to protecting the sort of private-sector-based information
relevant to cyber defense. It has been a serious impediment to
communication, yet does not offer sufficient security.
It is important to understand that the most sensitive and dangerous
information regarding the possibilities of cyber attacks on critical
infrastructures is not possessed by the government. It is generated and
owned by private sector corporations. Much of this information is far
too sensitive to be entrusted to everyone with a given level of
security clearance. This information is seldom shared with the
government, in part, because there is a widespread belief that the
government can't be trusted with it.
Question 3. What about cybersecurity? Are you confident that the
everyday American citizen knows the threat that we are under, and knows
how to make his or her own home or business safe?
Answer. It is obvious to virtually all cyber-security experts that
most Americans have no idea of the threat we are under and little idea
of how to make their home and business computers safe.
Question 4. Should there be basic cyber awareness and education as
part of the normal curriculum in elementary and secondary school?
Answer. Yes, cyber-security education is essential, but it should
not be used as an excuse for failing to create more secure information
products and services. When systems are badly designed, there is a
great temptation to blame the users. But systems that make great
demands on users are simply badly designed systems. In addition to
education, it is urgently important to address the question of why
information systems are so badly designed from a security standpoint.
Question 5. How can the Federal Government bolster market-based
private sector incentives to drive innovation in cybersecurity and
raise the bar on cybersecurity standards and best practices?
Answer. I have offered a list of six basic reasons why markets are
not delivering the needed levels of cyber security: (1) Companies are
not being charged for the increased risks they cause or paid for the
risks they reduce; (2) Individual executives are not being motivated to
act in the long term interests of their companies where cyber security
is concerned; (3) People don't have adequate information to take
account of cyber security in their market choices; (4) Markets for many
urgently needed cyber-security products and services haven't been
created yet; (5) Switching costs are too great to allow companies to
shift readily to more secure choices; and (6) Entry barriers have kept
out alternative products and services that would be better from a
security standpoint.
For each of these six market problems, there are several market
remedies that should be considered. One of the possibilities, for
example, for remedying the lack of information needed for market
choices is a government-facilitated system for rating the cyber
security of software products. If people don't have any reliable
information on which software products are safer, they can't choose the
safer products. Putting rating labels on software, the way we put
already rating labels on everything from cars to cookies, would make it
possible for the markets to deliver safer software.
Talk of ``raising the bar'' and ``bolstering incentives'' misses
the point. The markets that determine cyber security are broken and
need to be fixed. Government mandates and subsidies won't do the job.
The government measures that are needed are actually less heavy-handed
and less expensive, but they need to affect the mechanisms that allow
markets to function.
Question 6. Does the American public have the right to expect that
U.S. private sector critical infrastructure companies are looking out
for the safety and security of the American people? Should this
interest in public safety an integral aspect of the private market for
IT products and services?
Answer. The American public should be able to assume that its
interests are being safeguarded, especially where monopolies like
electric power are concerned. But government intervention in these
areas needs to handled very carefully, because the technology is
changing so rapidly. If the government tries to dictate security
measures to the critical infrastructure industries, these measures will
probably be out of date and counter-productive before they are finished
being officially formulated.
Question 7. What must the government do better? What must the
private sector do better? What responsibilities do both have to the
public at large?
Answer. The government needs to get over the idea that its choices
are to throw out the market and dictate what should be done or,
alternatively, to do nothing and hope some market will somehow solve
things. Instead, the government needs to understand that properly
functioning markets need attention and engagement.
For its part, the private sector needs to recognize that properly
functioning markets provide better opportunities to make money for any
companies that are delivering real value. They should work with the
government to make these markets happen.
______
Response to Written Questions Submitted by Hon. John D. Rockefeller IV
to Mary Ann Davidson
Question 1. What are the key elements of public-private teamwork
that are not in place today that should be?
Answer. The information flow still seems to be one way. With the
exception of the UK government (through CPNI, a part of MI5), industry
almost never hears of threats the government--or some in the
government--know about. In some cases, there may be legal restrictions
that prevent this information sharing. It is (obviously) not the case
that everyone should know everything, but if there is a material threat
that affects national security--where that definition also includes
economic security--then I think that some of that information should be
shared more broadly.
Question 2. Would it make a difference if more senior executives in
the private sector were granted security clearances?
Answer. Generally, yes. I still think there is a general lack of
awareness among some executives about the extent to which critical
systems are vulnerable and the degree to which their data--including
intellectual property--is vulnerable. This affects not only national
security in the traditional sense but also our national economic
security.
Question 3. What about cybersecurity? Are you confident that the
everyday American citizen knows the threat that we are under, and knows
how to make his or her own home or business safe?
Answer. Absolutely not; that is, I have no confidence that the
average person knows how severe of the risks are and what they can do
to protect themselves. I am a security professional, yet I still learn
new things every day about how technology can be broken, corrupted or
used by bad guys against us.
Question 4. Should there be basic cyber awareness and education as
part of the normal curriculum in elementary and secondary school?
Answer. It may sound strange to say Yes, but I am old enough to
remember the cold war, and how elementary school children would do
``duck and cover'' drills in schools. We accepted that at the time,
because we lived under the threat of a nuclear war. We now live in a
world in which there are new threats and--especially given the degree
to which schools seem hell bent on using computers at an early age as
``educational tools''--they need to emphasize both ``responsible use''
and ``safe use'' of those tools.
Question 5. How can the Federal Government bolster market-based
private sector incentives to drive innovation in cybersecurity and
raise the bar on cybersecurity standards and best practices?
Answer. I do not think innovation is the problem--there are lots of
security startups and more all the time. (Of course, there are other
disincentives in the sense that Sarbanes-Oxley, for all that it was
well intended, has resulted in the curtailment of the market for
initial public offerings (IPOS) in the U.S. The ``compliance overhead''
for becoming a public company is so high and so expensive that a lot of
companies will not IPO anymore--their only exit strategy for investors
is to be acquired. This was a (clearly) unintended consequence of the
legislation but it has nonetheless curtailed innovation.)
I note that there are ways to bolster innovation by helping small
innovative security startups tap into the larger market that the
Federal Government represents, such as the IT Security Entrepreneur's
Forum which is sponsored, in part, by the Defense Department and the
Department of Homeland Security. (See http://www.security-
innovation.org/).
As far as raising the bar on standards and best practices, I have
been an advocate for a long time of using procurement power to do that.
And the procurement power need not only be the Federal Government but
could include other sectors. For example, the multi-state information
sharing and analysis center (MS-ISAC) has come up with common
procurement language on software development practice. Is it binding on
the states? No. Is it a common resource that they can use to
contractually ``signal'' their suppliers that they need to provide
better security? Yes.
A no-brainer as far as I am concerned is that any piece of software
sold to the government should: (a) provide a secure configuration guide
(attorneys frown on the term ``best practice''), (b) enable the product
to be installed in that configuration (make it easy and cheap for
customers to be ``secure out of the gate'') and (c) either provide a
tool to maintain the configuration or support a standard (such as those
provided via the Security Content Automation Protocol) that enables the
configuration to be monitored automatically and re-configured
automatically.
The Air Force realized that something like 80 percent of their
security vulnerabilities were a result of weak/poor configuration
practice. If vendors can do something once that helps secure all their
customers, at a lower lifecycle cost, they ought to do it. Procurement
can force them to do it.
Question 6. Does the American public have the right to expect that
U.S. private sector critical infrastructure companies are looking out
for the safety and security of the American people? Should this
interest in public safety an integral aspect of the private market for
IT products and services?
Answer. The two items are different. Why are they different?
Because in the case of critical infrastructure companies, most know
they are ``critical'' and in fact are already regulated (financial
services and utilities, to name two). So, there is already awareness
that there is a ``duty of care'' to the public (or they wouldn't be
regulated in the first place).
In the case of the private market for IT products and services,
realize that while some products are created for vertical markets that
may be regulated (e.g., a piece of software that is used in the
utilities industry), a lot of software is general purpose (e.g.,
accounting software). Trying to impose a ``worst case'' duty of care on
all purpose software would be like trying to ensure that, say, any
laptop would be required to comply with the battlefield ruggedness the
military demands. The Defense Science Board, in considering the foreign
influence over the supply chain of software, realized that, while
raising the overall assurance of commercial software was necessary,
raising it to the level required for all national security applications
was unfeasible because the commercial marketplace will not support such
high levels of assurance. I think it is a similar argument for general
purpose software used in ``critical sectors''--it's not clear whether
the market will support high assurance to the extent that's what those
sectors require.
Now what should happen is that critical sectors use their (perhaps
collective) purchasing demands to push their suppliers to higher levels
of assurance. In fact, we are already seeing many regulated sectors or
customers tied to those sectors (as suppliers) demanding more
transparency in development practice and higher accountability in
software development practice because their customers (e.g.,
pharmaceuticals, defense) are demanding it. And I am all in favor of
that push since I think customers' being more demanding purchasers
(within reason) absolutely is an effective agent of change.
Question 7. What can the government and private sector do together
to solve this labor shortage problem?
Answer. Unfortunately, there isn't a simple solution for this.
Nobody can major in ``cybersecurity'' and in fact, security needs to be
embedded in a lot of places if we want to change the dynamic. (E.g., we
don't use traffic cops to enforce secure driving--drivers all have to
take drivers' ed and be licensed to drive or we wouldn't have a prayer
of having reasonably safe highways).
As I have noted in my testimony, I think curricula change in
universities is a Must Do or we do not have a prayer of changing the
battlefield, so to speak. Perhaps the government can bring some
pressure on the accreditation bodies for computer and computer-related
degree programs? There is a group called ABET which accredits
engineering, computer science and technology programs (see http://
www.abet.org/) and within that there is a group called Computing
Sciences Accreditation Board, see http://www.csab.org/) which appears
to be the sub-group of ABET that accredits computer science,
information systems, software engineering and information technology
degree programs. I do not know who accredits industrial control systems
degree programs (if it is not within one of the above groups).
Question 8. What can we do to inspire young students to aspire to
serve their country by being a cybersecurity professional?
Answer. Making being a good guy more glamorous than being a bad
guy, as trivial as that sounds. Currently, the press tends to
``glamorize'' the hacking community. Vendors are almost universally
portrayed as evil slugs that deliberately build crummy software because
they do not care about their customers (!). Hackers (including those
who release exploit code before a vendor can fix a problem) are often
given a pass--regardless of the amount of damage they do. One well-
known hacker released ``proof of concept code'' that several months
later was the genesis of the Slammer word, which did BILLIONS in
damages. He got a pass from the press for that and there were no legal
repercussions, either, since releasing proof of concept code is not
illegal.
Finding a way to change the dynamic so kids use their technical
skills as defenders and securers can be done (I suspect the Marines'--
The Few, the Proud, the Marines--is one of the more successful
``service-oriented'' advertising campaigns there is).
We have a broader societal problem (in my opinion) in that we have
generations raised to be very aware of their rights and what is due
them, but few are aware of or seem to care about their
responsibilities. Serving your country is a responsibility of
citizenship and I think diversifying that message to emphasize other
kinds of service (than just using a rifle) could work (e.g., ``Uncle
Sam is looking for a few good geeks'').
I don't think appealing to the wallet is necessarily the first
thing to pitch but quite honestly; there is a lot of demand for
cybersecurity professionals--and not nearly the supply. This creates
scarcity that increases wages, all things being equal. So yes,
cybersecurity is also a good career move because the skills are
marketable.
Question 9. What must the government do better? What must the
private sector do better? What responsibilities do both have to the
public at large?
Answer. I think the government can do a number of things better.
For one thing, while the military is busy standing up cyber commands,
not all the services actually have career paths for plain old
information technology let alone cyber-expertise. I note that
traditionally, logistics, though not a war fighter discipline, is still
a valued career skill and in fact you can make flag rank (general or
admiral) in a logistics specialty. Why does it matter? Because Patton
understood what would happen if his 3rd Army ran out of oil. Today's
information centric armies run on bits and bytes, just as much as oil.
Without a clear, recognized and rewarded career path in both
``defensive'' information technology and offensive cyber war, the
military is sending a signal that information smarts is not valued and
is not important.
Obviously, the government also needs to lead by example by securing
their own networks.
As far as the private sector goes, I do advocate greater emphasis
and ``governance'' around security for private enterprises. Governance
is not about being perfect, it is about understanding the threats to
your business, prioritizing them in terms of ``what do we, as a
company, adhere to in terms of security practices to mitigate those
risks?'' and ensuring that you are doing those things broadly and
consistently. Where you are not doing them, you have a reasonably
aggressive remediation plan in place to, as they say, ``get with the
program.'' If you do not manage risks appropriately, you are not
running your business well.
______
Response to Written Questions Submitted by Hon. Tom Udall to
Mary Ann Davidson
Question 1. Ms. Davidson, in your statement, you note that many of
the commercial software components used to build a new ``smart grid''
probably are not designed for such for the level of cyber attack
threats that our Nation's electric grid may face. But ensuring that
commercial software, or even government computer systems, are safe from
cyber attack is a real challenge. The National Institute of Standards
and Technology (NIST) maintains a standard for data encryption, the
FIPS 140 standard. What other government or industry standards exist
for cyber security?
Answer. There are lots of standards--some of them are technical
standards that ensure interoperability of components (e.g., public key
encryption standards like PKCS (public key cryptography standards) 11,
or standards created by consortia such as the payment card industry
(PCI) data security standard (DSS) that addresses securing information
related to payment transactions. There are some emerging standards that
would specifically facilitate higher ``situational awareness'' for
networks, such as the security content automation protocol (SCAP), a
cornucopia of standards that enable things like determining what
product is running on a network (and what version), what it's secure
configuration is, and so on. These standards were developed by NIST or,
in some cases, Mitre under contract to NIST.
There are also international software assurance standards (such as
the Common Criteria--International Standards Organization (ISO)-15408)
to which the U.S. subscribes. The Common Criteria is focused on
describing the nature of threats, what technical measures a product
needs to address those threats, and how well it does meet them. I note
that in many cases an international standard is really better than a
market-specific one, because: (a) a lot of security needs are not
country specific and (b) if each country (and in some cases if each
industry) starts specifying a similar but slightly different way to do
X, companies will--ironically--potentially end up with worse security
as they spend money not on actual improvement but on meeting hundreds
of only slightly different regulatory requirements. For example, if
local, city, county, state and Federal bodies all required separate
termite inspections for houses, you'd have to pay for four inspections.
Your house would arguably not be four times as termite-free as if you
just did one pretty good inspection.
In some cases (by industry) there might be legitimate differences.
For example, the Defense Department has (legitimately) different
requirements for, say, smart phones that are going to be used in
sensitive environments than the average consumer does for his or her
smart phones.
Question 2. Should Congress encourage companies and government
agencies to develop and use more cyber security standards?
Answer. I think technical interoperability-type security standards
the market will take care of--government tends to be too slow to drive
those and entities tend to cooperate when there is a common problem
(or, where cooperation will actually increase the market size because
there can be more uptake of technology with a single standard than
would be the case if there are dueling standards).
But there are ``underserved'' markets or areas in which industry is
unlikely to develop common standards where government--specifically,
NIST--can have an important role. One such area has been SCAP--being
able to determine, quickly, what products are on a network, what their
configurations are, to what they might be susceptible, and to be able
to reconfigure them automatically--is helping to automate defenses.
Considering attacks are automated, automating defenses is important.
Another such area (as unglamorous as it sounds) is auditing and
auditability. There are a plethora of products in the sector called SIM
(security information management) or SIEM (security information and
event management) that claim to be able to analyze ``events'' on
networks (by data mining audit logs) and correlate them (e.g., to see
attack patterns). However, that assumes a) that events are recorded at
all--not all products have robust enough auditing to even record
interesting events--and that the events can be expressed in a common
format (so they can be more easily correlated). There is an emerging
standard (called CEE--Common Event Expression, see http://
cee.mitre.org/) in this sector but quite honestly, the government could
help create the capacity for better ``situational awareness on
networks'' by fostering a standard adoption through procurement
policies. Any software product the government buys could be expected to
a) have basic auditability as defined by a standard (possibly CEE,
assuming it is actually published by NIST and industry is allowed to
comment on it) and b) express their audit records in a common format.
Question 3. The recent Bipartisan Policy Center cyber war game
exercise examined a potential attack that first affected wireless cell
phones. As computing and networking technology become integral to all
manner of consumer goods, it seems that new cyber attack
vulnerabilities will only proliferate.
In today's business landscape, supply chains stretch across the
globe and companies often acquire other firms to gain access to new
software and technologies for their products. This makes it more
difficult to know whether a product may contain cybersecurity
vulnerabilities from a single component or piece of software code from
an outside supplier or other firm. How is security of the final
assembled product affected in an environment in which new links are so
frequently added to the product's ``chain''?
Answer. Keep in mind, there are many supply chain risks businesses
need to consider that directly affect their business. These are not
necessarily the same concerns that their customers have (but are
nonetheless important). For example, some software carries so-called
``viral licensing'' provisions in that, if the software is embedded
within another product, the product comes under the same licensing
terms (which in many cases, effectively makes it freeware). No vendor
wants to embed such third party code that ``taints'' their code base in
such a way that they can no longer sell the resulting product--their
revenue model is destroyed. Second, realize that it is impossible to
detect all vulnerabilities in software even using the best commercially
available tools and it is--in particular (emphasis added) it is
impossible to absolutely prevent someone from putting something bad in
code that would be undetectable.
What is reasonable and feasible is that a company should have
reasonable practices around their supply chain risk (because it is in
their business interests to do that, anyway). Note again that many of
these risks will go directly to their ability to operate and will not
necessarily be the same risks that a purchaser worries about. A company
should also have a reasonable governance structure in place to ensure
that they are doing the same things across their lines of business.
Having done that, they could disclose their practices to interested
purchasers--who were, for example, concerned over how a company takes
reasonable measures to prevent someone from corrupting their code base.
Reasonable means that, for example, changes to code have attribution,
and there are restrictions on access (e.g., not just anybody in the
company can make a change to code--and certainly not in a way that
cannot be attributed).
I have done a paper for the House Homeland Security Subcommittee on
Cybersecurity, Emerging Threats and Science and Technology on supply
chain risk that speaks to the above in more detail and I would be happy
to provide that, as well, if it is of interest and of use.
Question 4. How are leading technology companies bringing the
security of acquired products in line with their own standards for
cybersecurity?
Answer. I cannot (obviously) speak for other companies, but Oracle
has a structured process for integrating acquired companies into Oracle
business practices. My team has the remit for integration of acquired
entities into our secure development practices. As part of that, we
rapidly ascertain their current practices, use the review to create a
compliance plan going forward, and--as with all lines of business--
periodically report progress against compliance requirements to
executive management via a security oversight committee. The compliance
measurement covers the entirety of our secure development practices. In
cases where an entity struggles to make compliance we highlight them
for special attention and guidance (and the accountability that goes
with it). There are other groups that look after integration of our
networks, the security policies that go with our business practices,
and so forth.
Question 5. What is the role of Chief Security Officers or Chief
Technology Officers in assuring best security practices are implemented
in such cases?
Answer. There can be several roles. One of them is that to the
extent a CTO or CSO is an influencer or purchaser of technology, they
can enforce better procurement transparency on their suppliers. That
could include specific ``disclosure'' requirements on their suppliers
related to development practice if not compliance with standards (like
FIPS-140, or ISO 15408).
Second, to the extent a company develops their own software, they
should have internal standards for development practice that at least
reflect or include consensus good practice. That can reference
``standards''--I use the term loosely--such as BSIMM (Build Security In
Maturity Model), or the Build Security In guidance issued by the
Department of Homeland Security, or things like the SANS Top 25 coding
errors (i.e., to at least ensure that a developer has considered these
issues and attempted to avoid them), and so forth. There actually is a
lot of material out on what constitutes good, secure development
practice, and what common vulnerabilities are (and how to avoid them).
It's unconscionable that universities do not educate people who design
and build systems on these matters, but that does not mean people who
build systems in industry should accept that ``educational deficiency''
without making every effort to rectify it in their own practice.
Attachment
Supply Chain Risk
The purpose of this document is to outline risk management concerns
pertaining to the supply chain of software and hardware. This document
may serve as a blueprint for suppliers seeking to ensure they've
adequately addressed hardware- and software-related supply chain risk,
and for purchasers in the procurement of software. That is, suppliers
that want to protect their supply chain should be able to address these
questions for their own risk management purposes. Secondarily,
suppliers should be able to disclose their supply chain risk management
practices so that a purchaser can make better risk-based acquisition
decisions.
While supply chain transparency alone will not ameliorate risk, it
will level the playing field to the extent that supply chain assurance
``disclosure'' becomes the norm, and thus customers have the ability to
use supply chain risk mitigation as a--but not necessarily the only--
purchasing criterion. Furthermore, it is likely that disclosure will
lead to some upleveling of security practices to the extent vendors are
not already addressing supply chain risk and more customers evaluate
supply chain risk prior to purchasing. That is, to the extent more
purchasers demand transparency around supply chain risk mitigation,
suppliers not already addressing this risk will be compelled by market
forces to do so.
Scope
The scope of this paper is supply chain risk for commercial off-
the-shelf (COTS) software and hardware, not custom code or government
off-the-shelf (GOTS) software and hardware, which may be a combination
of COTS components and either government-developed or third party
custom code. GOTS could include custom applications (built by cleared
individuals) that run on COTS components, for example. This document
does not address supply chain risk related to industrial policy (i.e.,
a country may wish to ensure that they have one or more domestic
suppliers of a critical component--such as microprocessors la the
Trusted Foundry Program--to avoid supply chain disruption caused by war
or other geopolitical upheaval).
Constraints
There are a number of practical constraints that bound the ``supply
chain risk assessment'' problem as it pertains to COTS software and
hardware. These constraints are important because they set the
framework for what can reasonably and feasibly be asserted about the
supply chain of commercial software and hardware. Any such
``reasonability'' discussion must of necessity bound efforts to reduce
or mitigate supply chain risk for COTS. In particular, COTS is not
GOTS: it is no more reasonable to purchase commercial, general purpose
software and hardware and expect it to have the assurance (e.g.,
extensive third party validation, ``cleared'' personnel, robustness in
threat environments it was not designed for) of custom, single purpose
software and hardware as it is to purchase a Gulfstream V and expect it
to perform to the specifications of an F-22 Raptor.
Constraint 1: In the general case--and certainly for multi-purpose
infrastructure and applications software and hardware--there are no
COTS products without global development and manufacturing.
Discussion: The explosion in COTS software and hardware of the past
20 years has occurred precisely because companies are able to gain
access to global talent by developing products around the world. For
example, a development effort may include personnel on a single
``virtual team'' who work across the United States and in the United
Kingdom and India. COTS suppliers also need access to global resources
to support their global customers. For example, COTS suppliers often
offer 7x24 support in which responsibility for addressing a critical
customer service request migrates around the globe, from support center
to support center (often referred to as a ``follow the sun'' model).
Furthermore, the more effective and available (that is, 7x24 and
global) support is, the more likely problems will be reported and
resolved more quickly for the benefit of all customers. Even smaller
firms that produce niche COTS products (e.g., cryptographic or security
software and hardware) may use global talent to produce it.
Note that global development may include outsourcing of development
staff resource (use of contracted third parties to develop code modules
that are sold separately, or integrated into larger product suites), as
well in-house developers (employees) of a global enterprise that are
located in development centers around the globe. For example, some
enterprise software providers build some modules in-house while being
an open source distributor for other modules. In addition to including
development groups in multiple countries, global development may also
include H1B visa holders or green card holders working in the United
States.
Hardware suppliers are typically no longer ``soup to nuts''
manufacturers. That is, a hardware supplier may use a global supply
network in which components--sourced from multiple entities worldwide--
are assembled by another entity. Software is loaded onto the finished
hardware in yet another manufacturing step. Global manufacturing and
assembly helps hardware suppliers focus on production of the elements
for which they can best add value and keeps overall manufacturing and
distribution costs low. We take it for granted that we can buy
serviceable and powerful personal computers for under $1000, but it was
not that long ago that the computing power in the average PC was out of
reach for all but highly capitalized entities and special purpose
applications. Global manufacturing and distribution has helped make
this happen.
In summary, many organizations that would have deployed custom
software and hardware in the past have now ``bet the farm'' on the use
of COTS products because they are cheaper, more feature rich, and more
supportable than custom software and hardware. As a result, COTS
products are being embedded in many systems--or used in many deployment
scenarios--that they were not necessarily designed for. Supply chain
risk is by no means the only risk of deploying commercial products in
non-commercial threat environments.
Constraint 2: It is not possible to prevent someone from putting
something in code that is undetectable and potentially malicious, no
matter how much you tighten geographic parameters.
Discussion: One of the main expressions of concern over supply
chain risk is the ``malware boogeyman,'' most often associated with the
fear that a malicious employee with authorized access to code will put
a backdoor or malware in code that is eventually sold to a critical
infrastructure provider (e.g., financial services, utilities) or a
defense or intelligence agency. Such code, it is feared, could enable
an adversary to alter (i.e., change) data or exfiltrate data (e.g.,
remove copies of data surreptitiously) or make use of a planted ``kill
switch'' to prevent the software or hardware from functioning.
Typically, the fear is expressed as ``a foreigner'' could do this.
However, it is unclear precisely what ``foreigner'' is in this context:
There are many H1B visa holders (and green card holders) who
work for companies located in the United States. Are these
``foreigners?''
There are U.S. citizens who live in countries other than the
U.S. and work on code there. Are these ``foreigners?'' That is,
is the fear of code corruption based on geography or national
origin of the developer?
There are developers who are naturalized U.S. citizens (or
dual passport holders). Are these ``foreigners?''
It is unclear whether the concern is geographic locale, national
origin of a developer or overall development practice and the
consistency by which it is applied worldwide. For example, non-US staff
working outside the U.S. would appear by definition to be
``foreigners,'' yet they are often subject to U.S. management oversight
and their work on code may be peer and manager reviewed before it is
accepted. In the sense that a U.S. manager ``accepts'' responsibility
for a ``foreigner's'' code work, is this still a concern?
Similarly, there are presumably different levels of concern for
different foreign countries. How is a COTS vendor expected to know
which countries are of more concern than others? Should work by staff
working in or citizens of traditional U.S. allies be accepted as
similar to that of U.S. staff?
COTS software, particularly infrastructure software (operating
systems, databases, middleware) or packaged applications (customer
relationship management (CRM), enterprise resource planning (ERP))
typically has multiple millions of lines of code (e.g., the Oracle
database has about 70 million lines of code). Also typically,
commercial software is in near-constant state of development: there is
always a new version under development or old versions undergoing
maintenance. While there are automated tools on the market that can
scan source code for exploitable security defects (so-called static
analysis tools), such tools find only a portion of exploitable defects
and these are typically of the ``coding error'' variety. They do not
find most design defects and they would be unlikely to find
deliberately introduced backdoors or malware.\1\
---------------------------------------------------------------------------
\1\ For example, a trivial way to introduce a backdoor in a way
that would be undetectable by automated tools would be to create a
package or function (that is, a piece of code that does something
specific) that is ``called'' within a piece of software but that does--
nothing. Nothing that is, unless the package is called with a specific
argument--that is, a piece of data (e.g., an input string) that
triggers the package to do something very specific and malevolent.
While some automated tools scan for ``dead code''--code that is never
executed--this package would be executed in the sense it is called by
many other pieces of code--but doesn't do anything, or doesn't do
anything bad, except when called with a particular ``triggering''
input. Manual code review might catch this, but as noted earlier,
manual code review is unlikely for every change to a large code base
that changes constantly.
---------------------------------------------------------------------------
Given the size of COTS code bases, the fact they are in a near
constant state of flux, and the limits of automated tools, there is no
way to absolutely prevent the insertion of bad code that would have
unintended consequences and would not be detectable. (As a proof point,
a security expert in command and control systems once put ``bad code''
in a specific 100 lines of code and challenged code reviewers to find
it within the specific 100 lines of code. They couldn't. In other
words, even if you know where to look, malware can be and often is
undetectable.) \2\
---------------------------------------------------------------------------
\2\ The expert related the story while serving on the Defense
Science Board task force analyzing the mission impact of foreign
influence on DOD software, referenced later in this paper.
---------------------------------------------------------------------------
Constraint 3: Commercial assurance is not ``high assurance.''
Note that there are existing, internationally recognized assurance
measures such as the Common Criteria (ISO-15408) that validate that
software meets specific (stated) threats it was designed to meet. The
Common Criteria supports a sliding scale of assurance (i.e., levels 1
through 7) with different levels of software development rigor required
at each level: the higher the assurance level, the more development
rigor required to substantiate the higher assurance level. Most
commercial software can be evaluated up to Evaluation Assurance Level
(EAL) 4 (which, under the Common Criteria Recognition Arrangement
(CCRA), is also accepted by other countries that subscribe to the
Common Criteria).
Regarding the supply chain issue at hand, what is achievable and
commercially feasible is for a supplier to have reasonable controls on
access to source code during its development cycle and reasonable use
of commercial tools and processes that will find routine ``bad code''
(such as exploitable coding errors that lead to security
vulnerabilities). Such a ``raise the bar'' exercise may have a
deterrent affect to the extent that it removes the plausible
deniability of a malefactor inserting a common coding error that leads
to a security exploit. That is, in the absence of using these tools, a
malefactor could insert a back door implemented as a common coding
error. If the error is found, the malefactor has plausible deniability
that, after all, he made a coding error that many other developers
make, such as a buffer overflow. Using automated vulnerability finding
tools, in addition to improving code hygiene, makes it harder for
someone to deliberately insert a backdoor masquerading as a common
coding error because the tools find many such coding errors. Thus, a
malefactor may, at least, have to work harder. (A side benefit is the
overall lower cost of ownership of software to the extent code quality
improves and customers do not have to apply so many after-the-fact
security patches.)
That said, and to Constraint 1, the COTS marketplace will not
support significantly higher software assurance levels such as manual
code review of 70 million lines of code, or extensive third party
``validation'' of large bodies of code beyond existing mechanisms
(i.e., the Common Criteria) nor will it support a ``custom code''
development model where all developers are U.S. citizens, anymore than
the marketplace will support U.S.-only components and U.S.-only
assembly in hardware manufacturing. This was, in fact, a conclusion
reached by the Defense Science Board in their report on foreign
influence on the supply chain of software.\3\ And in fact, supply chain
risk is not about the citizenship of developers or their geographic
locale but about the lifecycle of software, how it can be corrupted,
and taking reasonable and commercially feasible precautions to prevent
code corruption.
---------------------------------------------------------------------------
\3\ Report of the Defense Science Board Task Force on the Mission
Impact of Foreign Influence on DOD Software (http://www.acq.osd.mil/
dsb/reports/2007-09-Mission_Impact_of_Foreign
_Influence_on_DoD_Software.pdf).
---------------------------------------------------------------------------
The lack of market support for ``higher assurance commercial
software'' is particularly ironic given the recent policy change \4\ by
the National Information Assurance Partnership (NIAP) that negates much
of the value of existing assurance mechanisms (i.e., Common Criteria
evaluations). While they are not perfect, Common Criteria evaluations
do establish the assurance of commercial software and--at commercial
assurance levels--includes an assessment of the security of the
software development environment. In other words, it is ironic that
there seems to be increased interest in software assurance (or, the
supply chain aspects of assurance) at the very time the U.S. government
is undercutting the market for evaluated products.
---------------------------------------------------------------------------
\4\ See http://www.niap-ccevs.org/ Prior to October 2009,
procurement policy as it related to software assurance was governed by
Department of Defense (DOD) 8500, which stated that national security
systems must have an international Common Criteria (ISO 15408)
evaluation or, for cryptographic modules, Federal Information
Processing Standard (FIPS) 140-2 cryptographic module validation.
(Note: DoD 8500 and NSTISSP #11 are due to be modified to reflect the
new NIAP policy.) As of October 2009, the NIAP policy has been changed
such that only products for which the U.S. government has an approved
``protection profile'' (a description of the threats a specific class
of product faces and the technical remedies for these threats) must be
evaluated. (The only other ``exception'' is in the case where an agency
indicates to NSA by letter that they need another class of product--
without a protection profile--evaluated.) While the intent of the
policy is to make evaluation more ``relevant'' to the stated needs of
the U.S. Government, as a practical matter it has undercut the market
for evaluated products. Vendors are already reassigning their
evaluation personnel in response to this ``market signaling.''
---------------------------------------------------------------------------
Constraint 4: Any supply chain assurance exercise--whether improved
assurance or improved disclosure--must be done under the auspices of a
single global standard, such as the Common Criteria.
This document is proposed as a potential ``disclosure
questionnaire'' for both suppliers and purchasers of software and
hardware. Any such disclosure requirement needs to ensure that the
value of information--to purchasers--is greater than the cost to
suppliers of providing such information. That is, the information needs
to result in significantly more ``informed'' purchasing behavior than
would otherwise be the case. To that end, disclosure should be
something that is standardized, not customized. Even a large vendor
would not be able to complete per-customer or per-industry
questionnaires on supply chain risk for each release of each product
they produce. The cost of completing such ``per-customer, per-
industry'' questionnaires would be considerable, and far more so for
small, niche vendors or innovative start-ups.
For example, a draft questionnaire by the Department of Homeland
Security as part of their software assurance efforts asked, for each
development project, for each phase of development (requirement,
design, code, and test) how many ``foreigners'' worked on each project?
A large product may have hundreds of projects, and collating how many
``foreigners'' worked on each of them provides little value (and says
nothing about the assurance of the software development process) while
being extremely expensive to collect. (The question was dropped from
the final document.)
More specifically, given that the major supply chain concerns seem
to be centered on assurance, we should use international assurance
standards (specifically the Common Criteria) to address them. Were
someone to institute a separate, expensive, non-international ``supply
chain assurance certification,'' not only would software assurance not
improve, it would likely get worse, because the same resources that
companies today spend on improving their product would be spent on
secondary or tertiary ``certifications'' that are expensive,
inconsistent and non-leverageable. A new ``regulatory regime''--
particularly one that largely overlaps with an existing scheme--would
be expensive and ``crowd out'' better uses of time, people, and money.
To the extent some supply chain issues are not already addressed in
Common Criteria evaluations, the Common Criteria could be modified to
address them, using an existing structure that already speaks to
assurance in the international realm.
Terms
Like the Indian fable of the six blind men and the elephant, each
of whom described a totally different animal based on what part of it
they were touching, the definition of ``supply chain risk'' often
varies depending on who is describing it. The assurance that
stakeholders may wish to have around supply chain risk may vary
depending on their perspectives. For example, vendor concerns may
include a heavy emphasis on intellectual property (IP) protection since
IP is typically one's ``corporate crown jewels'' and, should it be
compromised (e.g., stolen or tainted) the firm may be out of business
or crippled in some markets. For customers, the concern tends to focus
on the aforementioned ``malware boogeyman'' which is a subset of a
larger discipline known as software assurance.
Counterfeiting is a risk that is perceptually greater for hardware
than for software. The concern from a supplier's side goes to both
their brand and their intellectual property since a hardware component
has to both look like and perform like the genuine article but may not
be as good a quality as the genuine article. The customer concerns over
counterfeiting include getting what you pay for in terms of performance
characteristics (i.e., not failing at a critical juncture) and the
customer ability to service the product.
Software assurance (SwA) is defined by the Department of Homeland
Security as ``the level of confidence that software is free from
vulnerabilities, either intentionally designed into the software or
accidentally inserted at anytime during its lifecycle, and that the
software functions in the intended manner.''
Source code is raw computer code in uncompiled form. Typically,
vendors deliver compiled code (also known as binaries or executables)
to customers, so that all the customer can do is execute--``run''--the
code. While much software is configurable, the executable typically
limits the amount of customization or configuration a customer can do
to what is designed in (e.g., a customer of an ERP application can
typically configure approval hierarchies or the chart of accounts, but
cannot change the basic logic of the application). Therefore, most
threats to the supply chain are threats to source code to the extent
that it is source code that must actually be modified (maliciously).
There is another risk to the extent that some code allows execution
of other binaries that are ``linked in''--allowed to run with the
executable. That is, a software developer that downloads or purchases
binaries to run with their code without an understanding or vetting of
what that code does could be allowing ``bad code'' to execute with or
within their product. Much software (such as browsers or wiki software)
is explicitly designed to allow such third party ``plug-ins.'' Despite
the fact that the basic software usually ``warns'' users of the dangers
of allowing unvalidated plug-ins to run, most users just ``click
through'' such warnings because they want the features of the ``cool''
plug-in.
Supply Chain/Source Code Questions
The following questions outline concerns that a software or
hardware manufacturer should address in regards to protection of source
code throughout its lifecycle. It also includes questions related to
hardware-related intellectual property and assembly. By addressing
these concerns, a software or hardware manufacturer should be able to:
Identify the ways in which they are addressing risks (and
the ``owners'' for those areas).
Document what is being done--and not done--to protect their
source code throughout its lifecycle.
Identify remaining unmitigated risk and propose ways to
reduce that risk.
Create a governance structure around the protection of
source code--and other intellectual property, such as hardware
designs--to ensure that policies are followed consistently
across lines of business, and consistently over time.
Note: many below questions that are geared toward intellectual
property protection of source code may be equally applicable to the
intellectual property associated with hardware designs (i.e., limiting
access to source code or hardware designs to ensure employees--with or
without ``need to know''--do not commit IP theft).
Acquisition
Many companies grow by acquisition and incorporate code sets from
those acquisitions into other products. Ultimately, the processes and
policies that a company implements around supply chain risk need to be
reasonably consistent (that is, if there is an exception or a policy
``difference,'' there should be a reason for it and an explicit
approval of that difference).
A1. Do you do any pre-acquisition screening of source code prior to
an acquisition (e.g., to ascertain what it does, the ``content'' or
other characteristics of the code)? The general concern is, ``Do you
know what you are getting in an acquisition?'' \5\
---------------------------------------------------------------------------
\5\ One reason to do such pre-acquisition screening is to identify
so-called ``viral licenses'' wherein inclusion of the code in a larger
code base changes the licensing terms, potentially ``tainting'' the
larger code base and one's ability to generate revenue from it. There
are automated tools (e.g., from Black Duck) that can scan code bases
looking for such ``viral license'' code.
---------------------------------------------------------------------------
A2. Are you consistent across all acquisitions, or do you do
different ``source code due diligence'' depending on the acquisition?
A3. Are acquired code bases integrated into your other software
development practices? How quickly, and how often is this progress
measured?
Development
Software development encompasses much of the lifecycle of code.
This may include incorporation of third party code (e.g., open source,
licensed libraries), the core development of new code, the ability to
maintain it through its lifecycle, granting access to source code to
third parties (e.g., for a security assessment or for other reasons)
and escrowing the code.
Personnel
D1. What screening or background check do you do of employees who
get access to source code throughout its life cycle?
D2. Is the screening consistent (in terms of quality) across
employees, geographic areas and product divisions?
D3. Do you differentiate among some products or product areas that
are deemed more critical (and thus do more stringent checks)? Which
ones?
Third Party Code (not Open Source Code)
D4. What controls do you have around third party code incorporation
into the code base (to ensure, for example, that a random piece of code
without approval, appropriate licensing and oversight is not introduced
into source code)?
D5. In cases where you do incorporate third party code, are you
incorporating source code in all cases, or are there some object
libraries?
D6. What if any security checks do you do on third party code, and
is it consistent across product lines and across ``homegrown'' and
``third party'' libraries? (That is, any code shipped with a product
should in general comply with the same standards of quality, testing,
and so on.)
D7. Are the security checks done via manual code review, static
analysis or other analytic tool, or via another means?
D8. Are the same checks done on patches and updates? That is, if a
third party provider gives you a ``patch'' to a problem in their
libraries, are there any security checks done on the patch?
D9. How consistently are the above checks done across third party
libraries and across lines of business?
Open Source Code
D10. What processes and policies do you have around incorporation
of open source code into your product (to ensure, for example, that you
do not incorporate viral licenses, or ``back-doored code'' or an
otherwise ``tainted'' open source code into your code base)?
D11. Are the same checks done on patches and updates? That is, if a
third party provider gives you a ``patch'' to a problem in their
libraries, are there any security checks done on the patch?
D12. How consistently are the above checks done across open source
libraries and across lines of business?
Development Access Control
D13. Have you identified all employees who get access to source
code throughout its life cycle (e.g., developers, quality assurance
(QA), support personnel) as apropos? (That is, access to source code
should be reasonably restricted to those with a need to access it, not
open to all. While the ability to modify code (write) is one concern,
the ability to read code (that is read but not modify) may also be a
concern for purposes of intellectual property protection.)
D14. Do you deploy source control systems to govern access to and
modification of source code?
D15. What is the granularity of access? (That is, can a developer
get access to, say, an entire product's code base or a much smaller
subset?)
D16. How often is this access control reverified? For example, if
an employee is transferred, how quickly is source code access modified
or restricted accordingly?
D17. How consistent are your access controls? (That is, are these
controls implemented consistently across all product areas, or is there
a lot of disparity on granularity depending on product access?)
D18. Are the servers on which source code is stored regularly
maintained (e.g., do you apply critical patches--especially security
patches--in a timely manner?)
D19. Are there baseline secure configurations enforced on the
servers on which source code is stored and how often are these checked?
(The concern is whether someone can bypass source code controls by
breaking into the source code server through, say, a poor configuration
or an unpatched system.)
D20. Do you have any special carve outs on source code access
beyond ``by product/by developer''--for example, are there greater
restrictions on accessing security functionality like encryption
technologies (e.g., for Export Administration Regulations (EAR)
reasons) or other geographic restrictions?
D21. Do you review, validate (or ``pen test'') your source code
access controls to ensure that your controls are adequate? How often?
D22. Do you do any proactive checking (e.g., through a data loss
prevention tool) to look for source code leaving your corporate network
(e.g., through someone e-mailing it)?
D23. What if any auditing do you have on who accesses source code
in development and does anyone ever review those logs? How often?
D24. What if any native logs are there in the source control system
itself and how far back can you attribute changes to code?
D25. Are code changes attributable to individual developers?
Security Testing
T1. Do you use automated (or other) tools--such as static
analysis--to actively look for security vulnerabilities in code?
T2. How broadly is the tool deployed within a product? (E.g., is it
run against all libraries associated with a product, just a few, or
something in between?)
T3. How broad is the code coverage of such tools across all
products and lines of business?
T4. Are defects found via such tools logged and tracked?
T5. What policies do you have around fixing defects you find either
during development or afterwards? Do you keep metrics around how
quickly issues are fixed?
T6. What kind of access control or restrictions do you have on
access to information about unfixed security vulnerabilities? (The
concern is that a malefactor could find information about exploitable
defects by accessing a record or database of such information if access
is not suitably restricted to those with ``need to know.'')
Manufacturing and Distribution
M1. What processes do you have to ensure that your code is not
corrupted in between development and delivery to customers or external
parties (e.g., escrow agents)? For example, do you use checksums or
other mechanisms to ensure that the code ``as developed and released to
manufacturing'' is what is delivered to customers?
M2. Are these processes consistent across product divisions and
products?
M3. What are your processes regarding backing up (that is, secure
storage) of source code, to include length of time for which you store
it (e.g., escrowing), security controls around the secure storage
(e.g., encryption) and any auditing or ``spot checking'' of these
controls?
M4. Do you use a third party to escrow source code? If so, what
controls are there on source code as it is transmitted to the firm
(e.g., is it encrypted and/or sent by trusted courier, other?)
Third Party Access to Source Code
P1. What policies do you have around providing access to source
code to third parties and how are they enforced? (There are many
reasons an entity might provide such access: for example, a third party
might be doing a ``port'' of the code to an operating system that the
company does not have in-house resources to do.) What kind of access is
provided and how is it provided? (Does the third party have access to
corporate networks for purposes of accessing code, or other?)
P2. Is there any ``master list'' of where such access has been
approved and provided, to whom, for what products and so forth?
P3. What policies and processes do you have in place to ensure, for
example, that random third parties (to include customers and third
party research firms acting on their behalf) do not get access to
source code for purposes of security analysis? (While companies may
wish to contract with third parties for such purposes, allowing a third
party to access source code for security analysis purposes allows that
third party to amass a database of unfixed security vulnerabilities
which, if compromised or sold, could put all customers at risk.)
Hardware
The following section addresses hardware-specific supply chain
risks.
Manufacturing
HM1. To what degree is your manufacturing outsourced?
HM2. If all or part of your manufacturing is outsourced, what steps
have you taken to mitigate intellectual property theft (i.e., by not
having a turnkey ``outsourcer'' that provides all components to
specifications and that also does final assembly, or by selecting
locales based on ``country risk?'') \6\
---------------------------------------------------------------------------
\6\ The degree to which manufacturing can be outsourced in sections
is a function of the amount of expertise one wants to retain in-house
and also an assessment of risk of putting all one's eggs in one basket,
in particular, country-specific risk. Some locales have not only a
higher reputation for intellectual property theft but much less legal
protection of IP.
---------------------------------------------------------------------------
Testing
HT1. What kind of testing do conduct of a) components during
manufacturing and b) final component assembly?
HT2. Is testing done by the outsourcer or is there a ``check and
balance?'' wherein testing is done by an entity other than the
manufacturer?
HT3. How broad and deep is the testing (Each component? Each final
assembly?)
HT4. Does testing \7\ include verification that there are no
components or functions that should not be there?
---------------------------------------------------------------------------
\7\ Note: as with software, hardware testing can establish that
hardware performs to specifications but cannot necessarily establish
what it does not do.
---------------------------------------------------------------------------
Counterfeiting/Fraud
HC1. What procedures do you have in place to ensure that components
used in hardware manufacture are authentic (that is, not
counterfeited)? How broad (i.e., against the spectrum of components)
and deep (i.e., frequency) is your verification?
HC2. What procedures do you have in place to provide component
verification for customers (that is, to establish that hardware
ostensibly of your manufacture actually is authentic and not a
knockoff?)
HC3. Do you actively look for fraudulent ``suppliers'' of your
product?
Other
HO1. Are any hardware components used and resold \8\ wiped to
ensure that no data--or non-standard programs--are installed when they
are delivered to customers?
---------------------------------------------------------------------------
\8\ Some companies use their own hardware components for testing or
development purposes for a period of 90 days or less and then sell them
to customers (tax laws allow this). It's critical to ensure that there
is no data or non-standard programs on the hardware for the protection
of both the supplier and customers. This is a different issue than
wiping corporate data (or intellectual property) prior to disposition.
---------------------------------------------------------------------------
HO2. Is this verified to ensure that data is truly non-recoverable?
HO3. Are hardware components used operationally wiped before being
scrapped or resold to ensure that data is non-recoverable?
______
Response to Written Questions Submitted by Hon. John Ensign to
Mary Ann Davidson
Question 1. Ms. Davidson, Mr. Lewis of the Center for Strategic and
International Studies states in his testimony that public-private
partnerships, information-sharing, self-regulation, and market-based
solutions in the cybersecurity space are ``well past their sell-by
date'' and have not been successful. He argues that strong government
mandates are required to spur the cybersecurity innovation that our
country needs. As the only witness on the panel who has any hands-on
cybersecurity experience in the private sector, do you agree with Mr.
Lewis that we have exhausted the potential of market-based solutions to
improve cybersecurity? If not, what specific steps can we take to
improve cooperation and coordination between industry and the
government?
Answer. With all respect to my esteemed colleague, Mr. Lewis, I do
not agree with him on this issue. To take these points separately, I do
not think that market based solutions have been fully explored in areas
where they could help harvest low hanging security fruit. To give one
such example, the Air Force (under then-CIO John Gilligan) realized
that some 80 percent of their serious security vulnerabilities (as
identified by NSA) were the result of poor desktop configurations. They
worked with one of their major suppliers (Microsoft) and NSA to craft a
more secure desktop configuration and then--as a condition of
procurement--required Microsoft to ship products to them in the secure
default configuration. They estimated they saved millions of dollars
over the life of their contract and dramatically improved their
security posture. That configuration became the basis of the Federal
Desktop Core Configuration (FDCC), which the Office of Management and
Budget (OMB) required all suppliers to be able to comply with (that is,
suppliers who ran on a Microsoft desktop needed to assert that they
supported /could run on an FDCC-compliant Windows desktop).
While the way the program was implemented can and should be
improved, as a general construct, it was an important and needed
effort. The U.S. government could help themselves--and other market
sectors--by requiring any product sold to them to: (a) deliver a secure
configuration guide, (b) allow the product to be installed by default
in the secure configuration, and (c) provide either tools to maintain
the configuration OR make the security-specific configuration
parameters machine readable in a standard format (such as Security
Content Automation Protocol (SCAP)). It is a ``no brainer'' to require
suppliers to do something once that enables all customers to: (a) be
more secure out of the box, (b) maintain their security posture easily,
and (c) lower their lifecycle security costs. Yet, it has never been
broadly adopted as a procurement requirement. There is a lot of low
hanging fruit like that that has never been planted, let alone
harvested. (Note: Oracle, like many large vendors, has instituted
``secure by default'' as part of their development process. We do this
because we, like many vendors, run our own company on our own software
and thus it lowers our own IT security costs and improves our IT
security posture as a company, not to mention that of all other
customers. Providing good security at an attractive price point is also
a competitive advantage for us. In short, we have market incentives
(lower cost of operations) to deliver secure configurations.)
No vendor can or should argue that doing something once as a
vendor, that improves security for all customers, and lowers their
lifecycle costs, ``can't be done'' or ``shouldn't be done.'' It does
work, it can work, it must work. It makes too much economic sense not
to work (and does, indeed, correct a market inefficiency).
I am leery of ``information sharing'' being thrown out as a
security cure-all, because information sharing is a technique, or a
tactic; it is not a strategy. Specifically, it is not always easy to
ascertain what information is useful, with whom it should be shared,
what the desired result would be of such information sharing, and so
on. Absent some concrete ``for instances,'' it's ineffective for
everyone to share everything with everybody as a cure for cybersecurity
problems. Furthermore, information sharing (in the general sense)
typically imposes costs on those sharing the information that may
``crowd out'' other--more useful--security activity. Not to mention,
many businesses are global entities, so it is difficult to share
information with one entity (the U.S. government) and not others (e.g.,
other governments).
Back to the procurement idea, what would actually facilitate
information sharing, and enable better situational awareness as well as
more automated defenses is continuing to push the elements of SCAP
through the standards process (ideally, as an international standards
organization (ISO) standard) and then requiring suppliers to support
SCAP as a condition of Federal procurement. Why? Because currently,
nobody can answer the following questions real time: what is on my
network? who is on my network? what is my state of (security)
readiness? and what is happening that I should be concerned about? SCAP
does not speak to all of these, but absent being able to automate
discovery of what's on the network--what products, what versions--what
is the security configuration of those elements--what vulnerabilities
are present? and so on, there is no way that defenses can be automated.
And, being able to have a common language to express the above would
take the scarce resources we now employ in purchasing and deploying
multiple one-off tools--which cannot communicate with all networks
elements, which cannot express ``readiness'' in any way that is
actionable--and apply them to other areas of network defense. Better
intelligence at a lower cost: voila!
Automated and actionable information sharing for which the
information has a specific purpose and distinct benefit is more
effective than ``give us all your information.''
In short, the government can and does change the market through
their procurement policies. ``You don't ask; you don't get'' is not,
perhaps, enshrined in the Federal Acquisition Regulations, but it
should be. And, working with industry in a public private partnership
to talk about how rapidly those requirements can be implemented, what
kind of timelines, and so on, could help make procurement an effective
instrument of change.
Another example: the Defense Department claims they want to do
better risk based acquisitions. One way to accomplish this would be for
the U.S. Government to come up with a standard (i.e., ``single'' ) set
of reasonable questions around software development practices that
would help a customer know what was and was not done in the area of
security. They should be questions for which the answers: (a) have
value, (b) would materially affect the customers' decision to procure
and (c) have a specific purpose in mind that (d) should be readily
answerable by both large and small suppliers. A vendor could answer
these questions once (per product) and the results could be reused by a
number of procurement offices. Better information, at lower cost, and
more transparency. Transparency also reduces market inefficiencies
(i.e., where the seller has more information than the purchaser). This
is also a better approach than having multiple, agency-specific or
country specific ``assessments'' that actually crowd out security
improvements (just as having 12 termite inspections will not results in
a house with \1/12\th the number of termites, but it will
result in a more expensive house). I already have had customers asking
for such transparency and, where a product group is not doing as well
as I would like, I have used the ``transparency requirement'' to push
the problems to a senior level of management. (That is, if you don't
want to publicly say you don't do A, B, and C, because you think you
will look bad vis a vis your competitors, then the remedy is to start
doing A, B and C. This assumes A, B and C are worth doing and
materially improve security which, in the case of our company and
others who have such software assurance programs, they are.) If it is
true that everybody cannot do everything perfectly in security (and it
is true), it is also true that most of us can do some things better
that are also economically feasible to do better.
Question 2. Ms. Davidson, in your testimony you discuss the need to
change our educational system and to slow our country's exposure to
systemic cybersecurity risk. You raise a lot of good points, but do you
have any other specific recommendations on what this committee can do
to harden and protect our critical infrastructure?
Answer. What about starting to require self defending products as
part of procurement? The Marine Corps ethos is ``every Marine a
rifleman.'' That is, every Marine can fight, and they don't outsource
individual defense to the next Marine down the line. They do not assume
their perimeters will not be breached, nor that they will never take
casualties.
Given the threat environment (and the fact that our perimeters are
so porous), we should change our mindset away from ``build stronger
firewalls'' to realizing that: (a) perimeters will be breached and thus
(b) we need both ``redoubts''--ideally dynamic redoubts--and for each
product to be able to defend itself. That is, products already know
what good input look likes, how to handle bad input gracefully, It
ought also to anticipate ``evil input'' and be able to share real time
information (e.g., events of interest) via a common auditing protocol
and format (something NIST could develop and, apparently is developing
via a standard called CEE (Common Event Expression). A fire team pinned
down by enemies will not last long if it cannot tell the command post
they are under fire in language the command post can understand.
Systems under attack will not be able to survive if they cannot
digitally do the same thing.
Procurement could be used to start ``signaling'' the marketplace
that DOD expects products to natively defend themselves instead of
assuming ``nobody would ever do that,'' and ``the firewall will save us
all'' as is the case now.
Networks are--like it or not--battlefields now and we ought to take
the lessons we have learned from warfare and apply them to general
network defense (and by that I do not necessarily mean ``cyberwar'').
By way of example, the late Maj. John Boyd's theories on the importance
of maneuverability to air combat (popularized as the so-called observe-
orient-decide-act (OODA) loop) found later application to ground combat
(i.e., in the first Gulf War) and also in business strategy.
Question 3. Ms. Davidson, in his testimony, Admiral McConnell
recommends establishing a National Cybersecurity Center (modeled after
the National Counter Terrorism Center) that would integrate private
sector participation with interagency cooperation. What are your
thoughts about such a center? In your opinion, would the private sector
view this as a positive development or just one more layer of
government bureaucracy?
Answer. Before undertaking such an activity, I'd want to consider
what existing organizations do (and how well) and what the ``mission
statement'' is for such a new organization. We already have industry
specific information sharing and analysis centers (ISACs) which are
natural focal points for both industry sectors to share information
among themselves and to serve as a focal point for interactions with
government (e.g., I have been told--but have no way to verify--that the
Heartland Payment Systems data breach used techniques that were known
and discussed in the financial services industry ISAC (of which
Heartland was not a member at the time)).
Question 4. What mechanisms are in place for private companies to
report cyber intrusions (either originating domestically or overseas)
to the Federal Government?
Answer. As a general comment, I think we need to choose words
carefully in terms of what constitutes an intrusion. That is, there may
be ``general patterns of traffic'' that could be of interest, that do
not constitute an intrusion. Also, there are ``incidents'' that, upon
investigation, are found not to have merit. For example, if a company
has poor processes for terminating the accounts of employees who have
left, and a (former) employee accesses their network, should that be
reported to the government? I would think ``no,'' in the general case.
Now, if the company had evidence that their industrial designs for,
say, a new hardware encryption device being built for the Defense
Department were exfiltrated by that employee, the answer would likely
be ``yes.''
Question 5. What is being done to encourage private companies,
particularly those with government contracts, to report cyber
intrusions (either originating domestically or overseas)?
Answer. With all respect, this discussion, doubtless coming on the
heels of the Google-China incident, reminds me of the discussions of 8
or 9 years ago, when the Federal Government wanted information about
non-public security vulnerabilities in software products (the
discussion was typically, ``vendors, give us all your vulnerability
information''). Leaving aside the fact that a) there is often no
remediation for such issues until the vendor issues a patch, b) sharing
that information inevitably results in data leaks, which puts everyone
at risk. Famously, CPNI (part of MI-5) ``shared'' such information on a
``need to know'' basis only (with other UK intelligence or Ministry of
Defence entities) and yet it leaked to U.S. COMMERCIAL customers, which
led to the actual vulnerability being reported to the vendor who built
the software. The vendor, of course, was the only one actually able to
remediate the defect. In the meantime, the risk to the vendors'
customer base materially increased and the trust of the vendor
community toward this particular government materially decreased. (CPNI
have since implemented much better information sharing protocols.)
There is a difference between a cyber intrusion where the entity
has determined is limited and did no damage and one in which there was
material harm. The next question ought to be a consideration of the
benefit of sharing that information, the cost of obtaining it, and the
positive results that would accrue from it. Just asking people to throw
audit logs over the wall to a third party, for example, does not have a
clear benefit (and could, if the information were not handled properly,
render the intruded upon entity MORE vulnerable in the future).
Question 6. Do government contractors have an ethical or statutory
obligation to report cyber intrusions (either originating domestically
or overseas)?
Answer. In my opinion, it depends upon the nature of the intrusion.
Question 7. Do government contractors with classified information
on their servers and individuals with security clearances on their
payrolls have a statutory or ethical obligation to report cyber
intrusions (either originating domestically or overseas)?
Answer. See earlier comments. Note that I am not arguing against
reporting anything; my concern is that any organization on either the
originating or receiving end of information can drown in it if the
information is not targeted for a specific purpose. And, if a system is
vulnerable, and the vulnerability had not been remediated (which may
require an architectural change or operational change), if the
information about HOW the breach occurred is not protected, the company
will be more vulnerable.
Clearly, there are occasions in which an intrusion would have
larger ramifications than just the effect on the intruded upon entity.
For example, if a contractor is developing a new weapons program, and
the designs are exfiltrated to a hostile nation state, which renders
the value of the weaponry potentially much lower to the Defense
Department. You can't have a technical advantage if the technology is
used by everybody.
In short, I think ``incident reporting'' to be successful would
need some clear ground rules for both asker and askee to include what
types of incidents or intrusions are material and germane.
Question 8. When Request For Proposals (RFPs) are put out for
contracts that involve sensitive or classified information do all of
these RFPs require that bids include the number of successful and
unsuccessful cyber intrusions committed by domestic or foreign entities
(either originating domestically or overseas)?
Answer. I am unaware of any such requirements in RFPs.
At the risk of stating the obvious, you can't count unsuccessful
intrusions because there are a lot of attempts you cannot necessarily
capture. Also, you cannot count the successful intrusions you haven't
found yet, either. What would be unproductive is reporting something
like ``number of port scans'' as a proxy for ``unsuccessful
intrusions'' Firewalls get scanned all the time. Having to collect that
data and report it doesn't really accomplish anything besides taking a
scarce resource (a good security person) and putting them on a
reporting function.
By way of example, about 9 or 10 years ago, after Oracle started
running an ad campaign entitled ``Unbreakable''--the port scans on our
firewall (that is, an attempt to look for open ports, perhaps through
which to mount an attack) increased by an order of magnitude in just
one week. We can pretty confidently conclude that the increase in port
scans was from hackers who wanted to be the first to break
``Unbreakable.'' Now, there were no actual intrusions but, in the
absence of a precise definition, someone could require these port scans
to be reported as an ``incident.'' That would not be a productive use
of either a reporter's time or the time of an entity on the receiving
end, either.
Question 9. In your opinion, if a private company believes that it
has been the victim of a cyber intrusion (both originating domestically
or overseas), which is the appropriate agency that it should report
this intrusion to?
Answer. The FBI. And in fact the FBI does reach out to local
businesses in Silicon Valley (and for all I know in other locations) to
engage in dialogue. Dong this proactively is better than hoping a
company knows to call the FBI.
Question 10. In your opinion, if a government contractor believes
that it has been the victim of a cyber intrusion (both origination
domestically or overseas), which is the appropriate agency that it
should report this intrusion to?
Answer. The FBI.
Question 11. In your opinion, if a government contractor that is
working on a sensitive or classified project and believes that it has
been a victim of a cyber intrusion (both origination domestically or
overseas), which is the appropriate agency that it should report this
intrusion to?
Answer. I think the company ought to be doing an investigation on
their own first and in fact, most organizations of size DO have (or
should have) an incident response protocol which includes a series of
decisions as to whether law enforcement should be contacted (regarding
an incident) and under what conditions. For example, if a government
contractor experienced a website defacement (which is an ``incident''
under most definitions), does any Federal Government entity really want
that reported to them? (Note that a web page for the company as a whole
is likely a different area of the network than a classified program.)
This would actually be a good area for industry-government
dialogue--under what circumstances would the government want to know of
``incidents?''
______
Response to Written Questions Submitted by Hon. John D. Rockefeller IV
to Rear Admiral James Barnett Jr.
Question 1. What about cybersecurity? Are you confident that the
everyday American citizen knows the threat that we are under, and knows
how to make his or her own home or business safe?
Answer. I believe that the consumers, on the whole, are becoming
more aware of the threats that exist when they use the Internet, but
there continues to be room for improved education in this area. Polling
data, for example, indicates that citizen awareness is improving. A
March 2009 poll conducted by Harris Interactive indicates that online
security awareness among adults 18 and over had ``grown tremendously in
the past 2 years. The study found that 62 percent are more concerned
about their online security.''
Nevertheless earlier studies identified significant gaps between
perceptions and the realities of America's cyber security and are cause
for continuing concern. For example whereas 81 percent said they were
using a firewall, expert analysis indicated that in reality only 42
percent had a firewall installed on their computer.\1\
---------------------------------------------------------------------------
\1\ 2008 NCSA/Symantec Home User Study, October 2008, http://
staysafeonline.mediaroom
.com/index.php?s=67&item=46.
Question 2. Should there be basic cyber awareness and education as
part of the normal curriculum in elementary and secondary school?
Answer. Yes. Regardless of the environment in which it is taught,
our youngest generation needs instruction at the appropriate time by
responsible adults who are knowledgeable on these subjects. According
to a poll released February 25, ``more than 90 percent of technology
coordinators school administrators and teachers support teaching
cyberethics, cybersafety and cybersecurity in schools. However, only 35
percent of teachers and just over half of school administrators report
that their school districts require cyberethics, cybersafety, and
cybersecurity in their curriculum.'' \2\ There are also differing
opinions ``as to who is or should be responsible (parents vs. teachers)
for educating students about cyberethics, cybersafety, and
cybersecurity. For example, while 72 percent of teachers indicated that
parents bear the primary responsibility for teaching these topics, 51
percent of school administrators indicate that teachers are
responsible.'' \3\
---------------------------------------------------------------------------
\2\ Cybersecurity, Safety and Ethics Education Falls Short in U.S.
Schools, February 2010. http://staysafeonline.mediaroom.com/
index.php?s=43&item=57.
\3\ Ibid.
Question 3. What must the government do better? What must the
private sector do better? What responsibilities do both have to the
public at large?
Answer. Concerning educating the everyday American citizen on
cybersecurity issues, the government must speak with a single, clear
voice. Hence the FCC is committed to working with other Federal
agencies to deliver a coordinated message. The Commission has a unique
role on the Federal team protecting the critical communications
infrastructure against cyber attacks. Thus, the Commission must
coordinate its own focus on the cybersecurity of the communications
infrastructure with the end-system and standardization cybersecurity
responsibilities that have been delegated to DHS, FTC, NIST, and other
Federal agencies. Many broadband service providers are to be commended
for making ``anti-virus'' software and services available to their
subscribers, frequently free of charge. These providers should take
steps to ensure that their subscribers not only are aware of the
availability of such software and services, but, through appropriate
communications to them, also take steps to ensure that they understand
the perils of not taking advantage of these offerings or ones that
offer similar protections.
The government and the private sector must also work together to
ensure the cyber security of our Nation's critical infrastructures. For
example, they must work together to identify and encourage the
implementation of standards and best practices that will enhance the
security of our systems. In this regard, the Commission's National
Broadband Plan recommended that the Commission explore creation of a
voluntary cyber security certification program as a mechanism to
encourage the implementation of cyber security best practices by
communications service providers. The government and the private sector
must also develop a partnership that allows for sharing of threat and
vulnerability information.
Question 4. With this in mind, how can we fashion a public-private
partnership, based on trust, that allows for sharing of confidential
and/or classified threat and vulnerability information between the
government and critical private sector networks?
Answer. Our experience working with telecommunications carriers on
communications outage reporting and vulnerability analysis suggests
that this is possible. The recently released National Broadband Plan
recommended that the Commission and the Department of Homeland
Security's Office of Cybersecurity and Communications should
collaboratively develop an IP network Cyber Information Reporting
System (CIRS). As envisioned, CIRS would serve as a mechanism by which
the Commission could collect situational awareness information from
communications service providers and ISPs, during cyber events as
opposed to hurricanes and other types of emergencies. Under CIRS, the
Commission would act as a trusted facilitator to ensure that any
information sharing is reciprocated and structured in such a fashion
that ISP proprietary information remains confidential. CIRS filers may
be in a position to report about downstream attacks, i.e., attacks on
customers. Accordingly, relevant privacy issues and other details would
need to be addressed.
Question 5. Would government and private cybersecurity efforts
benefit from ``vulnerability mapping'' of major U.S. networks, public
and private?
Answer. Yes. Vulnerability mapping typically involves identifying
weaknesses in the targeted network infrastructure components and their
communications protocols. Many of these weaknesses are already well
understood and a greater benefit would come from ubiquitous deployment
of known fixes and best practices. Naturally, steps would have to be
taken to secure this sensitive information.
Question 6. What are the specific risks to such an activity?
Answer. The most obvious risk of vulnerability mapping is a breach
in information security whereby an adversary obtains sensitive
information about vulnerabilities in our critical communications
infrastructure. I believe this risk can be mitigated with proper
safeguards, and I further believe that the benefits of vulnerability
mapping outweigh the risks. There's little real security to be achieved
through obscurity. Any effort relying on security through obscurity--
the idea of not drawing attention to a security problem lessens the
potential for a security event--assumes that if flaws are not known,
that attackers are unlikely to find them. While this notion may be
theoretically attractive as a defense in-depth measure, in the real
world where we are dealing with multiple vulnerabilities spread across
a substantial infrastructure, which is currently the case, this is not
a reasonable assumption. Rather, achieving security by design--where
concerted efforts are brought to bear on solving a set of vulnerability
risks--would make us more secure.
______
Response to Written Questions Submitted by Hon. John Ensign to
Rear Admiral James Barnett Jr.
Question 1. Are there any legal restrictions we should focus on
that make it more difficult for industry and government agencies to
share the information needed to protect our critical cyber
infrastructure? Are there any bathers that Congress needs to eliminate,
or any legal flexibility we can provide to foster the necessary sharing
while still protecting sensitive or proprietary information?
Answer. I believe that the Administration's recent Cyberspace
Policy Review--Assuring a Trusted and Resilient Information and
Communications Infrastructure, to which the FCC contributed, captures
well the current state of information sharing between and among
industry and government agencies:
``Some members of the private sector continue to express concern
that certain Federal laws might impede full collaborative partnerships
and operational information sharing between the private sector and
government. For example, some in industry are concerned that the
information sharing and collective planning that occurs among members
of the same sector under existing partnership models might be viewed as
``collusive'' or contrary to laws forbidding restraints on trade. [For
example, the Sherman Antitrust Act, 15 U.S.C. �� 1-7 (2004)]. Industry
has also expressed reservations about disclosing to the Federal
Government sensitive or proprietary business information, such as
vulnerabilities and data or network breaches. This concern has
persisted notwithstanding the protections afforded by statutes such as
the Trade Secrets Act and the Critical Infrastructure Information Act,
which was enacted specifically to address industry concerns with
respect to the Freedom of Information Act (FOIA). Beyond these issues,
industry may still have concerns about reputational harm, liability, or
regulatory consequences of sharing information. Conversely, the Federal
Government sometimes limits the information it will share with the
private sector because of the legitimate need to protect sensitive
intelligence sources and methods or the privacy rights of individuals.
These concerns do not exist in isolation. Antitrust laws provide
important safeguards against unfair competition, and FOIA helps ensure
transparency in government that is essential to maintain public
confidence. The civil liberties and privacy community has expressed
concern that extending protections would only serve as a legal shield
against liability. In addition, the challenges of information sharing
can be further complicated by the global nature of the information and
communications marketplace. When members of industry operating in the
United States are foreign-owned, mandatory information sharing, or
exclusion of such companies from information sharing regimes, can
present trade implications.''
[Obama Administration, Cyberspace Policy Review--Assuring a Trusted
and Resilient Information and Communications Infrastructure, May 29,
2009, p.18]
Question 2. What mechanisms are in place for private companies to
report cyber intrusions (either originating domestically or overseas)
to the Federal Government?
Answer. The FCC currently has rules that require communications
providers to report disruptions to circuit-oriented infrastructure and
wireline and wireless switched-voice services. Thus, if a cyber
intrusion resulted in a circuit-oriented or switched-voice
communications service outage that meets certain thresholds, the
communications provider must report the outage and the root cause to
the FCC. These rules generally cover legacy communications systems and
do not cover Internet Protocol (IP)-based communications
infrastructure. To address this, the National Broadband Plan proposed
that the Commission initiate a proceeding to expand these outage
reporting rules to broadband Internet service providers and to
interconnected voice over 1P service providers.
In addition, the National Broadband Plan recommended that the
Commission and the Department of Homeland Security's Office of
Cybersecurity and Communications collaboratively develop an lP network
Cyber Information Reporting System (CIRS) somewhat as an analog of the
FCC's Disaster Information Reporting System (DIRS). Specifically, the
National Broadband Plan states that ``CIRS will be an invaluable tool
for monitoring cybersecurity and providing decisive responses to cyber
attacks.
ORS should be designed to disseminate information rapidly to
participating providers during major cyber events. CIRS should be
crafted as a real-time voluntary monitoring system for cyber events
affecting the communications infrastructure. The FCC should act as a
trusted facilitator to ensure any sharing is reciprocated and that the
system is structured so ISP proprietary information remains
confidential.'' National Broadband Plan, Recommendation 16.8 (available
at http://www.broad
band.gov/plan/16-public-safetyntr16-1).
Question 3. What is being done to encourage private companies,
particularly those with government contracts, to report cyber
intrusions (either originating domestically or overseas)?
Answer. The packet-oriented infrastructure and packet-switched
services such as Internet access are much more susceptible to outages
caused by cyber incidents. The FCC has engaged in collaborative efforts
with industry, including Internet Service Providers, to enhance
industry's own ability to prevent and respond to cyber events through
Federal advisory committees, which include private sector
representatives. There are currently no requirements for reporting
packet-switched service outages or their causes, which would include
cyber incident causes.
The FCC's National Broadband Plan has recommended that the
Commission's Part 4 outage reporting rules be expanded through a
rulemaking proceeding to include ISPs and interconnected VoIP service
providers. The Commission would seek comment about reported ``causes''
and thresholds for reportable events. As with the data received
pursuant to the Commission's circuit-oriented outage reporting rules,
ISP and VoIP outage data would be analyzed and used to support
cooperative efforts with industry to improve security and reliability.
Question 4. Do government contractors have an ethical or statutory
obligation to report cyber intrusions (either originating domestically
or overseas)?
Answer. We are not aware of any code of ethics or statutory
obligation that requires government contractors to report cyber
intrusions. Although the Federal Acquisition Regulation (FAR) requires
contracts over $5 million to include a clause requiring the contractor
to establish a written code of business ethics and conduct, there is no
FAR requirement that such codes address the subject of cyber
intrusions. FCC Directive 1479.3 (mentioned in the response to question
5), which is included in a small number of FCC IT contracts, requires
reporting of ``security incidents'' regarding FCC IT systems.
Question 5. Do government contractors with classified information
on their servers and individuals with security clearances on their
payrolls have a statutory or ethical obligation to report cyber
intrusions (either originating domestically or overseas)?
Answer. Under the National Security Act, government contractors and
their employees with security clearances have a statutory obligation to
protect the classified information that comes into their possession.
This requires the same reporting of cyber intrusions into systems that
involve sensitive information as fall to government employees.
Question 6. When Request For Proposals (RFPs) are put out for
contracts that involve sensitive or classified information do all of
these RFPs require that bids include the number of successful and
unsuccessful cyber intrusions committed by domestic or foreign entities
(either originating domestically or overseas)?
Answer. The FCC's information technology contracting procedures
require contractors to comply with the security matters addressed in
FCC Directive 1479, which ``establishes policy and assigns
responsibilities for assuring that there are adequate levels of
protection for all FCC information systems, the FCC Network,
applications and databases, and information created, stored, or
processed therein.''
A requirement that the vendor report the number of successful and
unsuccessful cyber intrusions is not a standard feature of FCC
contracts for information technology systems. However, under current
procedures this requirement could be included in the language for those
contracts for systems that involve sensitive information at the
discretion of the Contracting Officer. The nature of Internet-based
cyber attacks is such that careful attention would have to be given to
specifying definitions, thresholds and suspected origination of cyber
intrusions.
Question 7. In your opinion, if a private company believes that it
has been the victim of a cyber intrusion (both originating domestically
or overseas), which is the appropriate agency that it should report
this intrusion to?
Answer. If a cyber intrusion results in circuit-oriented or
switched-voice communications service outages that meet certain
thresholds, then the communications provider must report the outage and
the root cause (i.e., the cyber incident) to the FCC in accordance with
Part 4 of our regulations. As noted above, the FCC's National Broadband
Plan has recommended that outage reporting rules be expanded to include
ISPs and interconnected VoIP services through a rulemaking proceeding.
More generally, as the GAO has noted, where criminal activity is
involved ``the Departments of Justice (DOA Homeland Security (DHS), and
Defense (DOD), and the Federal Trade Commission (FTC) have prominent
roles in addressing cybercrime within the Federal Government. DOD's FBI
and DHS's U.S. Secret Service (Secret Service) are key Federal
organizations with responsibility for investigating cybercrime. State
and local law enforcement organizations also have key responsibilities
in addressing cybercrime.''
[Cybercrime--Public and Private Entities Face Challenges in
Addressing Cyber Threats, June 2007, GAO-07-705, p.1]
Question 8. In your opinion, if a government contractor believes
that it has been the victim of a cyber intrusion (both origination
domestically or overseas), which is the appropriate agency that it
should report this intrusion to?
Answer. In my opinion a government contractor should--unless the
applicable contract otherwise provides--first report a cyber intrusion
to the contracting agency; for example an FCC contractor should report
a cyber intrusion to the FCC. If criminal activity is suspected, then
the FCC will report the intrusion to the agency or agencies that
investigate cyber crime within the Federal Government, such as the
Departments of Justice and Homeland Security.
Question 9. In your opinion, if a government contractor that is
working on a sensitive or classified project and believes that it has
been a victim of a cyber intrusion (both origination domestically or
overseas), which is the appropriate agency that it should report this
intrusion to?
Answer. Unless the governing contract otherwise provides, a
government contractor should first report a cyber intrusion involving
sensitive or classified information to the contracting agency. If
criminal activity is suspected, then the agency should report the
intrusion to the agency or agencies that investigate cyber crime within
the Federal Government, such as the Departments of Justice and Homeland
Security.
�