[Senate Hearing 113-285]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 113-285

 
    THE PARTNERSHIP BETWEEN NIST AND THE PRIVATE SECTOR: IMPROVING 
                             CYBERSECURITY

=======================================================================

                                HEARING

                               before the

                         COMMITTEE ON COMMERCE,
                      SCIENCE, AND TRANSPORTATION
                          UNITED STATES SENATE

                    ONE HUNDRED THIRTEENTH CONGRESS

                             FIRST SESSION

                               __________

                             JULY 25, 2013

                               __________

    Printed for the use of the Committee on Commerce, Science, and 
                             Transportation


                                 ______

                   U.S. GOVERNMENT PRINTING OFFICE 
88-081                     WASHINGTON : 2014
____________________________________________________________________________ 
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected].


       SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

                    ONE HUNDRED THIRTEENTH CONGRESS

                             FIRST SESSION

            JOHN D. ROCKEFELLER IV, West Virginia, Chairman
BARBARA BOXER, California            JOHN THUNE, South Dakota, Ranking
BILL NELSON, Florida                 ROGER F. WICKER, Mississippi
MARIA CANTWELL, Washington           ROY BLUNT, Missouri
MARK PRYOR, Arkansas                 MARCO RUBIO, Florida
CLAIRE McCASKILL, Missouri           KELLY AYOTTE, New Hampshire
AMY KLOBUCHAR, Minnesota             DEAN HELLER, Nevada
MARK WARNER, Virginia                DAN COATS, Indiana
MARK BEGICH, Alaska                  TIM SCOTT, South Carolina
RICHARD BLUMENTHAL, Connecticut      TED CRUZ, Texas
BRIAN SCHATZ, Hawaii                 DEB FISCHER, Nebraska
MARTIN HEINRICH, New Mexico          RON JOHNSON, Wisconsin
EDWARD MARKEY, Massachusetts         JEFF CHIESA, New Jersey
                    Ellen L. Doneski, Staff Director
                   James Reid, Deputy Staff Director
                     John Williams, General Counsel
              David Schwietert, Republican Staff Director
              Nick Rossi, Republican Deputy Staff Director
   Rebecca Seidel, Republican General Counsel and Chief Investigator


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on July 25, 2013....................................     1
Statement of Senator Rockefeller.................................     1
Statement of Senator Thune.......................................     3
Statement of Senator Heinrich....................................    31
Statement of Senator Klobuchar...................................    32
Statement of Senator Fischer.....................................    39
Statement of Senator Markey......................................    40
Statement of Senator Blumenthal..................................    48

                               Witnesses

Dr. Patrick D. Gallagher, Under Secretary of Commerce for 
  Standards and Technology and Director, National Institute of 
  Standards and Technology, United States Department of Commerce.     5
    Prepared statement...........................................     6
Arthur W. Coviello, Jr., Executive Chairman, RSA, The Security 
  Division of EMC................................................    10
    Prepared statement...........................................    12
Mark G. Clancy, Managing Director, The Depository Trust & 
  Clearing Corporation on behalf of the American Bankers 
  Association, Financial Services Roundtable, and Securities 
  Industry and Financial Markets Association.....................    19
    Prepared statement...........................................    21
Dorothy Coleman, Vice President, Tax, Technology and Domestic 
  Economic Policy, National Association of Manufacturers.........    25
    Prepared statement...........................................    28

                                Appendix

Hon. Dan Coats, U.S. Senator from Indiana, prepared statement....    53
Response to written questions submitted by Hon. Mark Warner to:
    Dr. Patrick D. Gallagher.....................................    54
    Arthur W. Coviello, Jr.......................................    56
    Mark G. Clancy...............................................    56
    Dorothy Coleman..............................................    57


                      THE PARTNERSHIP BETWEEN NIST
            AND THE PRIVATE SECTOR: IMPROVING CYBERSECURITY

                              ----------                              


                        THURSDAY, JULY 25, 2013

                                       U.S. Senate,
        Committee on Commerce, Science, and Transportation,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 2:37 p.m. in room 
SR-253, Russell Senate Office Building, Hon. John D. 
Rockefeller IV, Chairman of the Committee, presiding.

       OPENING STATEMENT OF HON. JOHN D. ROCKEFELLER IV, 
                U.S. SENATOR FROM WEST VIRGINIA

    The Chairman. I am going to make a statement, and then 
Senator Thune is going to make a statement, and then we are 
going to go right to your testimony because this is a very, 
very important hearing.
    We are going to spend a lot of time today talking about a 
Federal agency most Americans have never heard of, the National 
Institute of Standards and Technology, or NIST. I can assure 
you that in this committee we have heard of NIST. And we 
understand and appreciate the important role that NIST plays in 
our country's economic success. You are scientists for one 
thing. You are engineers. You are technical experts all over 
the world. The whole technical world and increasingly the 
public policy world, partly because of cybersecurity but just 
in general, trusts and knows NIST. You are the worldwide gold 
standard. That is not me talking. That is other people talking, 
and you will hear that from the Netherlands in just a second.
    So let me give you an example. A couple of weeks ago, this 
committee was having a hearing on the very important issue of 
improving forensic science, which is not all that ``Law and 
Order'' says that it is. One of our witnesses was the chief of 
forensic science labs in the Netherlands, which is one of the 
top forensic science organizations in the world. The 
Netherlands official proudly announced at the hearing that his 
agency had just signed a memorandum of agreement with you all 
at NIST on improving the quality of forensic science standards. 
When Senator Thune asked him why his agency wanted to partner 
with NIST, he said it was because when it comes to standards, 
NIST is, ``absolutely the top-notch organization, the state-of-
the-art, worldwide.''
    If you look up NIST's authorizing law, you will read that 
NIST's core mission is to serve as a laboratory, a science, 
engineering, technology, and measurement laboratory. I really 
want to stress this point for the members of this committee, 
those who are here and those who should be, and the business 
community who may not have worked closely with NIST before, as 
many of us have. NIST is not a regulatory agency. It is a 
scientific laboratory to which all sorts and manner of 
institutions repair to improve themselves.
    NIST's mission is to help American businesses solve tough 
technical problems. Whether it is emerging technologies like 
the Smart Grid or cloud computing or consumer products like 
flame-retardant mattresses or television screens, NIST's job is 
to help American industry help itself. With its unrivaled 
technical expertise and its well-deserved reputation for 
objectivity, NIST has been working closely with the private 
sector for many years to help U.S. companies innovate and to 
compete with their foreign competitors.
    I was very pleased but, frankly, not totally surprised when 
President Obama issued an executive order earlier this year 
instructing NIST to begin looking at how we can protect our 
critical assets from something called ``cyber attacks'' which, 
in spite of all we do, Americans seem not to be able to grasp 
as to their importance and danger. I am looking forward to 
hearing from Dr. Gallagher and our other witnesses today about 
how their work on this so-called ``Cybersecurity Framework'' is 
progressing.
    Getting NIST involved in cybersecurity makes a lot of sense 
and may save the day for cybersecurity, that is, passing 
legislation, because NIST already has decades of experience 
working with the private sector or on computer security issues. 
NIST's computer security work goes as far back as 1972 when it 
started working on the Data Encryption Standard.
    It also makes sense because we need our country's very best 
minds in both the public and the private sectors focused on 
working on this problem. Back in 2009, when Senator Olympia 
Snowe and I started working on cybersecurity legislation in the 
Commerce Committee, not everybody appreciated the seriousness 
of this threat. But today, 4 years later, I believe that we 
have reached a very broad consensus in this country that cyber 
attacks present the gravest threats to our national and 
economic security. The FBI says it. The CIA says it. DOD says 
it. ODNI says it. Everybody says it. And we just got to drive 
the point home. And what Senator Thune and I are hoping to do 
is to do a bill which would actually get this whole process 
going, the importance of momentum.
    But anyway, I think people now do understand cybersecurity 
represents a huge threat. Every new report about stolen 
intellectual property or disruption of service attacks against 
a large U.S. company drives this point home.
    Making progress against our cyber adversaries is going to 
require a sustained, coordinated effort between the public and 
the private sectors, and it is going to require the combined 
resources of many different Government agencies, which is part 
of the problem, and businesses. Acting alone, this committee 
cannot make all of the changes needed to give our Government 
and businesses the tools they need to make real progress in 
cybersecurity because we come from three different 
jurisdictions, which is not fun. It is OK but it is not the 
best way to do something.
    But there are some important steps that we can and should 
take such as promoting cybersecurity research and encouraging 
talented young people to work in cybersecurity, which I think 
you will agree is a desperate, desperate problem. Probably the 
most important step we can take as a committee is to make sure 
that the technical experts at NIST stay engaged and working 
with the private sector to develop effective cybersecurity 
standards by which they will stick and do. If this process 
succeeds, our businesses and the Government agencies will have 
a powerful new tool to protect ourselves against cybersecurity.
    I would like to thank Senator Thune for working with me on 
this very important issue. Since he became Ranking Member of 
this committee at the beginning of this year, he has devoted a 
tremendous amount of time to mastering this whole subject of 
cybersecurity. Yesterday we introduced legislation that we hope 
will serve as one of the cornerstones to our country's 
cybersecurity strategy. I look forward to having a good 
conversation today about our bill, about other things that we 
can and should be doing to protect our country from this 
massive threat.
    I thank you.
    Senator Thune?

                 STATEMENT OF HON. JOHN THUNE, 
                 U.S. SENATOR FROM SOUTH DAKOTA

    Senator Thune. Thank you, Mr. Chairman, for holding this 
hearing and for your continued leadership on cybersecurity. You 
brought this critical issue to the fore, and you have been 
steadfast in your commitment to addressing the problem.
    No one can deny the serious threat that we are confronting 
in cyberspace. Almost daily we learn of new cyber threats and 
attacks targeting our Government agencies and the companies 
that drive our economy. We must find solutions that leverage 
the innovation and know-how of the private sector, as well as 
the expertise and information held by the Federal Government. 
And given the escalating nature of the threat, we should look 
for solutions that will have both an immediate impact and that 
will remain flexible and agile into the future.
    In keeping with that task, in March this Committee held a 
joint hearing with the Homeland Security and Governmental 
Affairs Committee not long after the President issued his 
cybersecurity Executive Order in February. Today we are here to 
examine the National Institute of Standards and Technology's 
implementation of that portion of the Executive Order 
pertaining to the cybersecurity partnership between the private 
sector and the Federal Government to improve best practices in 
cybersecurity. The feedback we have heard from many in the 
industry regarding NIST's process has been fairly positive so 
far.
    We are also here to examine the legislation that Chairman 
Rockefeller and I have introduced, after soliciting feedback 
from industry stakeholders and our colleagues. I think this 
bill strikes the proper balance to ensure that what develops is 
industry-led and a true partnership between NIST and the 
private sector. It also ensures that NIST's involvement and 
this process are both ongoing in order to maintain the 
flexibility and continued innovation that is necessary to meet 
such a dynamic threat.
    Our proposed legislation also includes needed titles to 
improve research and development. We should not underestimate 
the value of R&D. As I have mentioned previously, I am proud to 
note that South Dakota's own Dakota State University is one of 
only four schools in the Nation designated by the National 
Security Agency as a National Center of Academic Excellence in 
Cyber Operations. Other titles of our bill improve education 
and work force development, as well as cybersecurity awareness 
and preparedness.
    I am pleased that our offices worked with industry, fellow 
Senate colleagues, and other stakeholders to solicit and 
incorporate their feedback in crafting this legislation and 
will continue to do so as we move forward. By following regular 
order in the committees of jurisdiction, we hope to avoid the 
legislative impasse from the last Congress and ultimately enact 
legislation that will make real improvements to our nation's 
cybersecurity.
    Our hearing witnesses today include the Director of NIST 
and representatives from the private sector who can provide 
this committee with their perspectives on how the current NIST 
process is developing. I look forward to hearing whether our 
legislation is a step in the right direction to provide a 
partnership that is truly voluntary and industry-led.
    I am also pleased that the Chairman and I both recognize 
that an essential component of cybersecurity is strong 
information sharing regarding threats. Such sharing should 
occur both between Government and industry and among private 
sector actors with strong liability protections. It is our hope 
that our colleagues on the Senate Intelligence Committee will 
be successful in crafting bipartisan consensus legislation that 
achieves these goals.
    As the Chair of the House Intelligence Committee has said, 
according to intelligence officials, allowing the Government to 
share classified information with private companies could stop 
up to 90 percent of cyber attacks on U.S. networks.
    It is also our hope that the Senate Homeland Security 
Committee can similarly work in a bipartisan fashion to make 
needed improvements to the Federal Information Security 
Management Act in order to better secure our Federal networks.
    If our Committees can work to produce complementary 
consensus legislation, that would be a significant step forward 
in this area.
    Again, I thank the Chairman for holding this hearing. I 
want to thank our witnesses for being here, and we look forward 
to hearing your testimony. Thank you, Mr. Chairman.
    The Chairman. Thank you, Senator Thune.
    I am tempted to ask if any of our other Senators want to 
say a word, but I just lost that temptation.
    [Laughter.]
    The Chairman. So we will start with the Honorable Patrick 
D. Gallagher, who has been before us recently and frequently. 
He is Acting Deputy Secretary, Under Secretary of Commerce--I 
cannot read this stuff--for Standards and Technology, and 
Director, National Institute of Standards and Technology, U.S. 
Department of Commerce. I mean, they put the last thing, which 
is the important thing, last. We did. So I apologize. Anyway, 
we welcome your statement.

           STATEMENT OF DR. PATRICK D. GALLAGHER, UNDER
             SECRETARY OF COMMERCE FOR STANDARDS AND
          TECHNOLOGY AND DIRECTOR, NATIONAL INSTITUTE OF
 STANDARDS AND TECHNOLOGY, UNITED STATES DEPARTMENT OF COMMERCE

    Dr. Gallagher. Thank you very much. Chairman Rockefeller, 
Ranking Member Thune, it is a real pleasure to be here and to 
join you and the rest of this committee to talk about this 
really important issue. It is great to both be able to talk 
about NIST, but in particular, I want to talk about this 
partnership with industry and I want to welcome my colleagues 
at the table today.
    Let me start by mentioning a few words about NIST itself. 
As you mentioned, since 1901, NIST has played a rather unique 
and essential role as the Nation's measurement laboratory, as 
industry's national lab. And in that capacity, it is a 
nonregulatory agency with the mission to promote U.S. 
innovation and competitiveness by advancing measurement 
science, standards, and technology in ways that enhance our 
economic security and improve our quality of life. And as you 
will hear more about today, our work in the area of information 
security, trusted networks, encryption, software quality is 
applicable to a wide variety of users from small and medium 
enterprises to large private and public organizations, 
including agencies of the Federal Government and critical 
infrastructure companies.
    As part of this broader responsibility, on February 13, 
2012, the President signed Executive Order 13636 which directed 
NIST to work with industry to develop a Cybersecurity Framework 
to improve the cybersecurity of critical infrastructure. We 
believe that this framework is an important element in 
addressing the challenges of improving cybersecurity of our 
critical infrastructure. A NIST-coordinated, but industry-led 
framework will draw on standards and best practices that 
industry already develops and uses. NIST will ensure that the 
process is open and transparent to all stakeholders. We will 
ensure that there is a robust technical underpinning to the 
framework, and any effort to better protect critical 
infrastructure can only work if it is supported and then 
implemented by the owners and operators of this infrastructure, 
which are largely in the private sector.
    This multi-stakeholder approach leverages the respective 
strengths of the public and private sectors. It helps develop 
solutions where both sides will be invested. This approach does 
not dictate solutions to industry but facilitates industry 
coming together to develop and offer solutions that the private 
sector is best positioned to embrace.
    Relying on standards which are the result of industry 
coming together to develop solutions for market needs we 
believe will give the framework broad acceptance around the 
world.
    Also importantly, the standards have a unique and key 
attribute of scalability. We can use solutions that are already 
adopted in industry or if we can readily adopt, then those same 
solutions, when used by other markets, reduce transactional 
costs for our businesses. They provide economies of scale which 
make all of our industries more competitive and make the goal 
of achieving cybersecurity more doable.
    It also reflects the reality that many in the private 
sector are already doing the right things to protect their 
systems and should not be diverted from these efforts through 
new standards.
    NIST is engaging with stakeholders through a series of 
workshops and events to ensure that we can cover the breadth of 
considerations that will be needed to make this national 
priority a success. These sessions are designed to identify 
existing resources, identify gaps, and prioritize the issues 
that need to be addressed as part of the framework. The 
workshops also bring together a broad cross section of 
participants representing critical infrastructure owner/
operators, industry associations, standards development 
organizations, individual companies, government agencies, 
research labs, and so forth.
    Last week, NIST held its third workshop to present initial 
considerations for the framework. It built a discussion around 
the draft outline for the preliminary framework that NIST had 
presented for public review a few weeks prior. This workshop 
had a particular emphasis on issues that had been identified 
from the initial work by the public. NIST has gained a 
consensus on several elements that the framework will include, 
allowing it to become adaptable, flexible, and scalable, and 
to be put into use.
    In October, we will have a preliminary framework that 
builds on these elements.
    After the yearlong effort envisioned in the Executive 
Order, once we have developed this initial framework, the 
effort will continue. For example, NIST will work with the 
specific sectors in DHS to build strong, voluntary programs to 
implement the framework in critical infrastructure areas. That 
work will then inform the needs of critical infrastructure in 
the next versions of the framework.
    The goal at the end of this process will be for industry to 
take ownership of the process and update the Cybersecurity 
Framework themselves, ensuring that the framework will be 
dynamic and relevant as it continues to evolve.
    We have made significant progress. We still have a lot of 
work to do, and I look forward to working with this committee 
and with everyone who is participating in the framework process 
to address the challenges.
    And I look forward to the questions and discussion that we 
will have. Thank you.
    [The prepared statement of Dr. Gallagher follows:]

  Prepared Statement of Dr. Patrick D. Gallagher, Under Secretary of 
     Commerce for Standards and Technology and Director, National 
  Institute of Standards and Technology, United States Department of 
                                Commerce

Introduction
    Chairman Rockefeller, Ranking Member Thune, members of the 
Committee, I am Pat Gallagher, Director of the National Institute of 
Standards and Technology (NIST), a non-regulatory bureau within the 
U.S. Department of Commerce. Thank you for this opportunity to testify 
today on NIST's role under the President's Executive Order 13636, 
``Improving Critical Infrastructure Cybersecurity'' and NIST's 
responsibility to develop a framework to reduce cyber risks to critical 
infrastructure. I want to acknowledge and thank this Committee for its 
leadership and support on this issue.

The Role of NIST in Cybersecurity
    NIST's mission is to promote U.S. innovation and industrial 
competitiveness by advancing measurement science, standards, and 
technology in ways that enhance economic security and improve our 
quality of life. Our work in addressing technical challenges related to 
national priorities has ranged from projects related to the Smart Grid 
and electronic health records to atomic clocks, advanced nanomaterials, 
and computer chips.
    In the area of cybersecurity, we have worked with Federal agencies, 
industry, and academia since 1972 starting with the development of the 
Data Encryption Standard. Our role to research, develop and deploy 
information security standards and technology to protect information 
systems against threats to the confidentiality, integrity and 
availability of information and services, was strengthened through the 
Computer Security Act of 1987 and reaffirmed through the Federal 
Information Security Management Act of 2002.
    Consistent with this mission, NIST actively engages with industry, 
academia, and other parts of the Federal Government including the 
intelligence community, and elements of the law enforcement and 
national security communities, coordinating and prioritizing 
cybersecurity research, standards development, standards conformance 
demonstration and cybersecurity education and outreach.
    Our broader work in the areas of information security, trusted 
networks, and software quality is applicable to a wide variety of 
users, from small and medium enterprises to large private and public 
organizations, including Federal Government agencies and companies 
involved with critical infrastructure.

Executive Order 13636, ``Improving Critical Infrastructure 
        Cybersecurity''
    On February 13, 2013, the President signed Executive Order 13636, 
``Improving Critical Infrastructure Cybersecurity,'' which gave NIST 
the responsibility to develop a framework to reduce cyber risks to 
critical infrastructure (the Cybersecurity Framework). The Executive 
Order directed NIST to work with industry and develop the Cybersecurity 
Framework and the Department of Homeland Security (DHS) will establish 
performance goals. DHS, in collaboration with sector-specific agencies, 
will support the adoption of the Cybersecurity Framework by owners and 
operators of critical infrastructure and other interested entities 
through a voluntary program.
    Our partnership with DHS drives much of our effort. Earlier this 
year, we signed a Memorandum of Agreement with DHS to ensure that our 
work on the Cybersecurity Framework and the development of 
cybersecurity standards, best practices, and metrics, is fully 
integrated with the information sharing, threat analysis, response, and 
operational work of DHS. We believe this will enable a more holistic 
approach to address the complex challenges we face.
    A Cybersecurity Framework is an important element to address the 
challenges of improving the cybersecurity of our critical 
infrastructure. A NIST-coordinated and industry-led Framework will draw 
on standards and best practices that industry already develops and 
uses. NIST ensures that the process is open and transparent to all 
stakeholders including industry, state and local government and 
academia, and ensures a robust technical underpinning to the Framework. 
This approach will significantly bolster the Cybersecurity Framework to 
industry.
    This multi-stakeholder approach leverages the respective strengths 
of the public and private sectors, and helps develop solutions in which 
both sides will be invested. The approach does not dictate solutions to 
industry, but rather facilitates industry coming together to offer and 
develop solutions that the private sector is best positioned to 
embrace. It also ensures the framework is flexible enough to be 
applicable to small and mid-sized entities.
    I would also like to note that this is not a new or novel approach 
for NIST. We have utilized similar approaches in the recent past to 
address other pressing national priorities. For example, NIST's work in 
the area of Cloud Computing technologies enabled us to develop 
important definitions and architectures, and is now enabling broad 
Federal Government deployment of secure Cloud Computing technologies. 
The lessons learned from this experience and others inform how we plan 
for and structure our current effort.

Developing the Cybersecurity Framework
    The Cybersecurity Framework will consist of standards, 
methodologies, procedures and processes that align policy, business, 
and technological approaches to address cyber risks for critical 
infrastructure. Regulatory agencies will also review the Cybersecurity 
Framework to determine if current cybersecurity requirements are 
sufficient, and propose new actions to ensure consistency. Independent 
regulators are also encouraged to do the same.
    This approach reflects both the need for enhancing the security of 
our critical infrastructure and the reality that the bulk of critical 
infrastructure is owned and operated by the private sector. Any efforts 
to better protect critical infrastructure must be supported and 
implemented by the owners and operators of this infrastructure. It also 
reflects the reality that many in the private sector are already doing 
the right things to protect their systems and should not be diverted 
from those efforts through new requirements.

Current Status of the Cybersecurity Framework and Partnering with 
        Industry
    NIST sees its role in developing the Cybersecurity Framework as 
partnering with industry and other stakeholders to help them develop 
the Framework. NIST's unique technical expertise in various aspects of 
cybersecurity related research and technology development, and our 
established track record of working with a broad cross-section of 
industry and government agencies in the development of standards and 
best practices, positions us very well to address this significant 
national challenge in a timely and effective manner.
    NIST's initial steps towards implementing the Executive Order 
included issuing a Request for Information (RFI) this past February to 
gather relevant input from industry and other stakeholders, and asking 
stakeholders to participate in the Cybersecurity Framework process. 
Given the diversity of sectors in critical infrastructure, the initial 
efforts are designed to help identify existing cross-sector security 
standards and guidelines that are applicable to critical 
infrastructure.
    A total of 244 responses were posted on NIST's website. Responses 
ranged from individuals to large corporations and trade associations 
and also included comments as brief as a few sentences on specific 
topics, as well as comments so comprehensive that they ran over a 
hundred pages. We published an analysis of these comments in May.
    NIST is also engaging with stakeholders through a series of 
workshops and events to ensure that we can cover the breadth of 
considerations that will be needed to make this national priority a 
success. Our first such session--held in April--initiated the process 
of identifying existing resources and gaps, and prioritized the issues 
to be addressed as part of the Framework.
    At the end of May, a second workshop at Carnegie Mellon University 
brought together a broad cross-section of participants representing 
critical infrastructure owners and operators, industry associations, 
standards developing organizations, individual companies, and 
government agencies. This three-day working session, using the analysis 
of the RFI comments as input, was designed to identify and achieve 
consensus on the standards, guidelines, and practices that will be used 
in the Framework.
    Based on the responses to the RFI, conclusions from the workshops, 
and NIST analyses, the preliminary Framework is designed and intended:

   To be an adaptable, flexible, and scalable tool for 
        voluntary use;

   To assist in assessing, measuring, evaluating, and improving 
        an organization's readiness to deal with cybersecurity risks;

   To be actionable across an organization;

   To be prioritized, flexible, scalable, performance-based, 
        and cost-effective;

   To rely on standards, guidelines and practices that align 
        with policy, business, and technological approaches to 
        cybersecurity;

   To complement rather than to conflict with current 
        regulatory authorities;

   To promote, rather than to constrain, technological 
        innovation in this dynamic arena;

   To focus on outcomes;

   To raise awareness and appreciation for the challenges of 
        cybersecurity but also the means for understanding and managing 
        the related risks;

   To protect individual privacy and civil liberties; and

   To be built upon national and international standards and 
        other standards, best practices and guidelines that are used 
        globally.

    Last week, NIST held its third workshop to present initial 
considerations for the Framework. This workshop had a particular 
emphasis on issues that have been identified from the initial work--
including the specific needs of different sectors. During the workshop, 
NIST gained consensus on the elements of the Framework that include:

   A section for senior executives and others on using this 
        Framework to evaluate an organization's preparation for 
        potential cybersecurity-related impacts on their assets and on 
        the organization's ability to deliver products and services. By 
        using this Framework, senior executives can manage 
        cybersecurity risks within their enterprise's business plans 
        and operations.

   A User's Guide to help organizations understand how to apply 
        the Framework.

   Core Sections to address:

     Five major cybersecurity functions and their 
            categories, subcategories, and informative references;

     Three Framework Implementation Levels associated with 
            an organization's cybersecurity functions and how well that 
            organization implements the Framework; and

     A compendium of informative references, existing 
            standards, guidelines, and practices to assist with 
            specific implementation.

    At eight months, we will have a preliminary Framework that builds 
on these elements. In a year's time, once we have developed an initial 
Framework, there will still be much to do. For example, we will work 
with specific sectors to build strong voluntary programs for specific 
critical infrastructure areas. Their work will then inform the needs of 
critical infrastructure and the next versions of the Framework. The 
goal at the end of this process will be for industry itself to take 
``ownership'' and update the Cybersecurity Framework.

Conclusion
    The cybersecurity challenge facing critical infrastructure is 
greater than it ever has been. The President's Executive Order reflects 
this reality, and lays out an ambitious agenda focused on collaboration 
between the public and private sectors. NIST is mindful of the weighty 
responsibilities with which we have been charged by President Obama, 
and we are committed to listening to, and working actively with, 
critical infrastructure owners and operators to develop a Cybersecurity 
Framework.
    The approach to the Cybersecurity Framework set out in the 
Executive Order will allow industry to protect our Nation from the 
growing cybersecurity threat while enhancing America's ability to 
innovate and compete in a global market. It also helps grow the market 
for secure, interoperable, innovative products to be used by consumers 
anywhere.
    Thank you for the opportunity to present NIST's views regarding 
critical infrastructure cybersecurity challenges. I appreciate 
the Committee holding this hearing. We have a lot of work ahead of us, 
and I look forward to working with this Committee and others to help us 
address these pressing challenges. I will be pleased to answer any 
questions you may have.
                                 ______
                                 
                          Patrick D. Gallagher

    Dr. Patrick Gallagher was confirmed as the 14th Director of the 
U.S. Department of Commerce's National Institute of Standards and 
Technology (NIST) on Nov. 5, 2009. He also serves as Under Secretary of 
Commerce for Standards and Technology, a new position created in the 
America COMPETES Reauthorization Act of 2010. Prior to his appointment 
as NIST Director, Gallagher had served as Deputy Director since 2008.
    Gallagher provides high-level oversight and direction for NIST. The 
agency promotes U.S. innovation and industrial competitiveness by 
advancing measurement science, standards, and technology. NIST's FY 
2013 budget includes $778.0 million in direct and transfer 
appropriations, an estimated $49.7 million in service fees and $120.6 
million from other agencies. The agency employs about 3,000 scientists, 
engineers, technicians, support staff, and administrative personnel at 
two main locations in Gaithersburg, Md., and Boulder, Colo. NIST also 
hosts about 2,700 associates from academia, industry, and other 
government agencies, who collaborate with NIST staff and access user 
facilities. In addition, NIST partners with more than 1,300 
manufacturing specialists and staff at more than 400 MEP service 
locations around the country.
    Under Gallagher, NIST has greatly expanded its participation, often 
in a leadership role, in collaborative efforts between government and 
the private sector to address major technical challenges facing the 
Nation. NIST's participation in these efforts stems from the agency's 
long history of technical accomplishments and leadership in private-
sector led standards-development organizations and in research fields 
such as manufacturing engineering, cybersecurity and computer science, 
forensic science, and building and fire science. Currently, he co-
chairs the Standards Subcommittee under the White House National 
Science and Technology Council.
    Gallagher joined NIST in 1993 as a research physicist and 
instrument scientist at the NIST Center for Neutron Research (NCNR), a 
national user facility for neutron scattering on the NIST Gaithersburg 
campus. In 2000, he became group leader for facility operations, and in 
2004 he was appointed NCNR Director. In 2006, the U.S. Department of 
Commerce awarded Gallagher a Gold Medal, its highest honor, for his 
leadership in interagency coordination efforts.
    Gallagher received his Ph.D. in physics at the University of 
Pittsburgh and a bachelor's degree in physics and philosophy from 
Benedictine College.

    The Chairman. Thank you, sir. Thank you very much.
    Now Mr. Arthur W. Coviello, Jr. Did I get that right?
    Mr. Coviello. You did.
    The Chairman. Thank you. Who is Executive Chairman, RSA, 
The Security Division of EMC. That is a form of encryption.

STATEMENT OF ARTHUR W. COVIELLO, JR., EXECUTIVE CHAIRMAN, RSA, 
                  THE SECURITY DIVISION OF EMC

    Mr. Coviello. Yes. We are the gold standard of encryption 
actually.
    The Chairman. OK.
    Mr. Coviello. So thank you, Chairman Rockefeller and 
Ranking Member Thune and members of the Committee. I am pleased 
to have the opportunity to address you today regarding NIST's 
partnership with industry in the area of cybersecurity.
    RSA is a leading provider of not just encryption 
technology, but other security compliance and risk management 
solutions for organizations worldwide. We do help the world's 
leading organizations succeed in their efforts in IT 
infrastructure by solving their most complex and sensitive 
security challenges.
    Today's hearing topic is one that is close to home for our 
company. EMC and RSA have already enjoyed a close partnership 
with NIST. We work closely with Dr. Gallagher and his team on a 
number of issues that are tightly linked to information 
security. From our vantage point as a provider of security 
solutions, RSA's collaboration with NIST is at the heart of our 
collective goal of safeguarding the world from an advanced and 
evolving cyber threat.
    NIST's National Cybersecurity Center of Excellence Lab 
initiative offers U.S. companies a valuable opportunity to 
collaborate with NIST to address a range of security risks and 
privacy protection imperatives. I repeat also ``privacy 
protection imperatives.'' With the goal of securing critical 
infrastructure, the center inspires technological innovation to 
find creative solutions to intractable and growing 
cybersecurity challenges.
    Of late, EMC and RSA, along with other private sector 
companies, have appreciated the opportunity to work closely 
with NIST on implementing the President's Executive Order. 
Through a collaborative effort to develop a Cybersecurity 
Framework for critical infrastructure, we have worked with 
stakeholders to explore the art of the possible to bring our 
nation to the cutting edge of cybersecurity. This collaboration 
between industry and NIST is a great example of what the public 
and private sectors can do together and represents an important 
step in the right direction.
    However, your legislation is still needed to create a more 
effective, long-term partnership between the public and private 
sectors. So we applaud the Committee for its work to develop 
bipartisan legislation based on an industry-driven, voluntary 
approach. The Cybersecurity Act of 2013 complements the 
President's executive order by codifying the important steps 
the administration has already taken to protect critical 
infrastructure and gives Government and industry additional 
tools to bolster our cyber defenses.
    As efforts progress, we urge you to consider three key 
points.
    First, any successful cybersecurity effort should be 
industry-driven, as you have done. With the rapid pace of 
innovation, owners and operators of critical infrastructure are 
the ones best positioned to keep pace with the rapidly 
evolving, and sometimes equally innovative, threat landscape. 
For this reason, standards and best practices should be 
nonprescriptive, nonregulatory, and technology neutral. Things 
move too fast. This legislation achieves those objectives by 
initiating a voluntary, industry-led standards development 
process that will build on the great work that is already being 
done in the private sector. This close and continuous 
coordination between Government and industry is vital to the 
ongoing development of best practices to combat these ever-
changing threats. A common understanding supported by NIST can 
enable us collectively to move farther and faster in our race 
against the threat actors.
    Second, as we move forward, we must think not only of 
today's threats but also of the cybersecurity challenges of the 
future. That is why we are pleased to see that the legislation 
includes provisions to increase cybersecurity research and to 
support the development of the cybersecurity workforce. 
Investments in cybersecurity education and workforce training 
today will develop the talent we need to strengthen our 
defenses for years to come. And I can tell you the shortage of 
skilled people in the industry is one of our most critical 
problems.
    I can also tell you with the rapidly evolving pace of 
technology adoption and all the great productivity that can be 
derived from implementing information technology, the attack 
surface is only going to expand dramatically. We will only be 
able to take advantage of these great technology innovations if 
people have confidence. That is why the framework that is being 
developed in cooperation with the private sector and NIST is so 
important to our future; this will be an ongoing problem.
    And third, as both Chairman Rockefeller and Ranking Member 
Thune have pointed out, it is imperative that Congress address 
other key cybersecurity issues not under this committee's 
jurisdiction. Removing barriers and promoting the safe and 
secure sharing of actionable threat intelligence between the 
public and private sectors will enhance our collective ability 
to mitigate future threats.
    Additionally, we must modernize Federal information 
security management, standardize breach notification, and 
streamline the acquisition of technology in order to create a 
positive business climate, while improving our nation's 
cybersecurity posture.
    So, once again, we thank Chairman Rockefeller and Ranking 
Member Thune for their dedication to advancing this important 
legislation. I strongly believe the actions undertaken by this 
committee and the bipartisan leadership of its members will set 
a positive course for others in Congress to realize the urgency 
in addressing this growing threat. As the Senate confronts the 
policy challenges of cybersecurity, I have every confidence in 
industry's ability to leverage its existing relationship with 
NIST to enhance the cybersecurity of our critical 
infrastructure. Under this committee's leadership, we sincerely 
hope that Congress will act quickly to address this urgent 
threat to our national security.
    I look forward to working with you and your colleagues in 
Congress as this proposal advances. And again, I thank you for 
the opportunity to be here today, and I look forward to your 
questions. Thank you.
    [The prepared statement of Mr. Coviello follows:]

Prepared Statement of Arthur W. Coviello, Jr., Executive Chairman, RSA, 
                      The Security Division of EMC

Introduction
    Chairman Rockefeller, Ranking Member Thune, and Members of the 
Committee, my name is Art Coviello and I am an Executive Vice President 
of EMC Corporation and Executive Chairman of RSA, The Security Division 
of EMC. Thank you for the opportunity to testify today regarding the 
National Institute of Standards and Technology (NIST)'s work with 
industry in the area of cybersecurity. Today's hearing topic is one 
that is close to home for our company. EMC and RSA have enjoyed a 
partnership with NIST that has spanned decades, and we are pleased to 
be working with them today to enhance our nation's cybersecurity.
    RSA provides security, compliance, and risk management solutions 
for organizations worldwide. We help the world's leading organizations 
succeed by solving their most complex and sensitive security 
challenges, making it possible for them to safely benefit from the 
tremendous opportunities of digital technology and the Internet. EMC 
Corporation is a global leader in enabling businesses and third-party 
providers to transform their operations and deliver Information 
Technology (IT) as a service through innovations in big data, cloud 
computing and data storage.
    The United States, like many other nations, is highly dependent 
upon IT. Everything from national security and intelligence, to 
commerce and business, to personal communications and social networking 
depends on networked systems. The dynamic nature of this sector has 
created millions of jobs and generated significant economic growth. 
Every day, the Internet is increasing productivity; driving 
globalization and political change; and fueling every major industry 
and economy in the world.
    Unfortunately, that same dynamism has given rise to an ever-
evolving cyber threat that threatens every individual, every company, 
every industry, and every country in the networked world.
    The recent rise in cyber attacks is nothing short of astounding. 
According to the Government Accountability Office (GAO), the number of 
cyber attacks reported by Federal agencies increased by 782 percent 
from Fiscal Year 2006 to Fiscal Year 2012, from 5,503 to 48,562.\1\ 
Clearly, our government is under attack, and those statistics do not 
account for the daily intrusions private sector entities and private 
citizens are facing from a wide range of threat actors.
---------------------------------------------------------------------------
    \1\ GAO, Cybersecurity: A Better Defined and Implemented Strategy 
is Needed to Address Persistent Challenges, GAO 13 462T (Washington, 
D.C.: March 7, 2013).
---------------------------------------------------------------------------
    As a provider of security solutions, we are seeing first-hand the 
rapid evolution of the threat landscape, with more varied targets, and 
in many cases, more advanced technologies and tactics than ever before. 
This ever-increasing risk is threatening to erode trust in digital 
commerce, communication and collaboration on which we have all come to 
depend.
    I have been involved in the policy debates regarding information 
security and privacy for a number of years, and I appreciate this 
Committee's sustained leadership on these issues. Given its potential 
for loss and disruption, cybersecurity has become a vital economic and 
national security issue, and we applaud the Committee for its work to 
reach a bipartisan solution.

Partnership with NIST
    EMC and RSA have long enjoyed a close partnership with NIST on a 
number of issues that are closely linked to information security. As a 
provider of security solutions, RSA's collaboration with NIST is at the 
heart of our collective goal of safeguarding the networked world from 
an advanced and evolving cyber threat. NIST's National Cybersecurity 
Center of Excellence (NCCoE) lab initiative offers U.S. companies a 
valuable opportunity to collaborate with NIST and the public sector to 
address a range of security risks and privacy protection imperatives. 
With a goal of securing critical infrastructure, the Center inspires 
technological innovation to find creative solutions to intractable 
cybersecurity challenges.
    Director Gallagher and the NIST team have been exceptional partners 
with industry. Since the President announced in February his Executive 
Order ``Improving Critical Infrastructure Cybersecurity,'' we have been 
working with other stakeholders and NIST to develop a voluntary 
framework for reducing cyber risks to critical infrastructure that 
references standards, guidelines, and best practices to promote the 
protection of critical infrastructure. We have also partnered with NIST 
in its NCCoE lab initiative to address a range of security risks in 
support of the National Cybersecurity Excellence Partnership (NCEP). As 
a public-private partnership, the NCEP offers U.S. companies the 
opportunity to form a long-term relationship with the NCCoE. Through a 
collaborative effort, participating companies work together to explore 
the ``art of the possible'' and bring our Nation to the cutting edge 
of cybersecurity. The NCCoE's strategy is focused on and driven by the 
practical cybersecurity needs of American businesses, which is a secure 
cyber infrastructure that inspires technological innovation and fosters 
economic growth.
    Collaboration among innovators provides real-world cybersecurity 
capabilities that address business needs and help people secure their 
data and digital infrastructure by equipping them with practical ways 
to implement cost-effective, repeatable and scalable cybersecurity 
solutions. It also enables companies to rapidly adopt commercially-
available cybersecurity technologies by reducing their total cost of 
ownership. Most importantly, it empowers innovators to creatively 
address businesses' most pressing cybersecurity challenges in a state-
of-the-art, collaborative environment.\2\
---------------------------------------------------------------------------
    \2\ http://csrc.nist.gov/nccoe/The-Center/Mission/Strategy.html
---------------------------------------------------------------------------
    RSA's ``Archer'' solution is one example of this collaborative 
effort. 
Incorporated into the NCCoE's geo-location and security profiling 
environments, Archer allows adaptation to compliance requirements 
involving privacy, international safe harbor restrictions and 
applications in the cloud.
    As a multinational corporation that operates in over 80 countries 
around the world, we favor global standards whenever possible. The use 
of international standards is critical as we seek to meet the broad 
needs of our user base, but these standards must again be industry-led, 
voluntary and non-prescriptive. If developed in a transparent, flexible 
manner, international standards make it possible for global 
organizations and their customers to continue to make improvements as 
needs change.
    Even so, we recognize that in some cases NIST must develop new 
standards for Federal Government nonclassified information systems. In 
these cases, we urge NIST to continue to work in an open, transparent 
process with stakeholder input. Here are a few examples of our ongoing 
engagement with NIST around standards development and use:

   RSA's BSAFE product is validated against FIPS 140-2 on a 
        regular basis to ensure our cryptographic implementations. It 
        is our understanding that NIST made a significant contribution 
        from their FIPS 140-2 work to the development of the 
        complementary international standard for cryptographic 
        modules.\3\
---------------------------------------------------------------------------
    \3\ ISO/IEC 19790: Information technology--Security techniques--
Security requirements for cryptographic modules

   NIST cited EMC's contributions to a NIST Interagency Report 
        on supply chain (NIST IR 7622) as we offered detailed, 
        constructive suggestions over several years to improve the 
        document.\4\
---------------------------------------------------------------------------
    \4\ http://nvlpubs.nist.gov/nistpubs/ir/2012/NIST.IR.7622.pdf

   An RSA employee coauthored a (Draft) NIST Interagency 
        Report: Trusted Geolocation in the Cloud: Proof of Concept 
        Implementation (NIST IR 7904 Draft).\5\
---------------------------------------------------------------------------
    \5\ http://csrc.nist.gov/publications/drafts/ir7904/
draft_nistir_7904.pdf

   EMC works closely with our Federal customers to help them 
        assess the risks of their new proposed information systems 
        following the Federal Information Security Management Act 
        (FISMA) process. The risk-based FISMA process, which itself 
        deserves further updating, is in turn anchored in NIST 
        standards such as the recently updated NIST 800-53 Rev 4 
        security control catalog.\6\ We appreciate that this new 
        security catalog has a detailed mapping to two key 
        international standards in wide industry use: ISO 27001 \7\ and 
        The Common Criteria.\8\ For the first time, this prominent U.S. 
        Federal standard outlines controls for privacy along with 
        security, a key linkage that we were pleased to see 
        acknowledged in your draft legislation.
---------------------------------------------------------------------------
    \6\ http://nvlpubs.nist.gov/nistpubs/SpecialPublications/
NIST.SP.800-53r4.pdf
    \7\ ISO/IEC 27001: Information technology--Security techniques--
Information security management systems--Requirements
    \8\ ISO/IEC 15408: Information technology--Security techniques--
Evaluation criteria for IT security
---------------------------------------------------------------------------
EMC/RSA as an Industry Leader
    In addition to our longstanding history working with NIST, EMC and 
RSA have a proven track record as an industry leader in security. RSA 
has long recognized that cybersecurity is dynamic, and all stakeholders 
must continue to evolve our collective ability to counter cyber 
threats. In 1991, we responded to this new challenge by creating one of 
the largest security thought-leadership conferences in the world, RSA 
Conference. It is an annual industry event, which seeks to help drive 
the global information security agenda. Throughout its history, RSA 
Conference has consistently attracted the best and brightest in the 
field, creating opportunities for conference attendees to learn about 
IT security's most important issues through first-hand interactions 
with peers, luminaries and both established and emerging companies. As 
the IT security field continues to grow in importance and influence, 
RSA Conference, in conjunction with our many industry partners, plays 
an integral role in keeping security professionals across the globe 
connected and educated.
    EMC/RSA has demonstrated a longstanding commitment to improving our 
industry's best practices, particularly in the secure development 
field. In 2007, EMC, along with other industry leaders, created the 
Software Assurance Forum for Excellence in Code (SAFECode) to define, 
promote and share best practices and guidance outlining how to build 
secure software. SAFECode represents the first coherent, user-friendly 
collection of industry best practices in the development space. 
Available to the public free of charge, SAFECode's best practice 
guidance documents outline realistic approaches to secure 
development.\9\ The SAFECode initiative has produced a wealth of 
accumulated knowledge and shareable training materials that are being 
leveraged every day by developers to create software that is more 
secure than anything we have seen before.
---------------------------------------------------------------------------
    \9\ SAFECode.org/publications
---------------------------------------------------------------------------
    RSA knows first-hand that no one is immune to the cyber threat. In 
2011, RSA detected a targeted cyber attack on our systems. Certain 
information related to an RSA product had been extracted. We publicly 
disclosed the breach and immediately began working to develop and 
publish best practices and remediation steps, so that others could 
learn from our experience. We proactively reached out to thousands of 
customers across the public and private sectors to help them mitigate 
the effects of the breach. Further, we worked with the appropriate U.S. 
Federal government agencies, including NIST, and several information 
sharing and analysis centers (ISACs) to ensure broad communication of 
these best practices and remediation steps, as well as information 
about the attack.
    Our experience was not unique. Individuals, governments, and 
companies deal with threats every day from nation states, criminals, 
hacktivists, and rogue actors. We have made great strides in the 
security space, but there is much work left to be done. As Robert 
Bigman, former CISO of the Central Intelligence Agency (CIA), has 
stated, the United States is ``exactly where the cyber criminals want 
us to be. They're very happy with our current situation.'' \10\
---------------------------------------------------------------------------
    \10\ http://www.usnews.com/news/articles/2012/12/04/former-cia-
officer-united-states-lags-far-behind-in-cyber-security
---------------------------------------------------------------------------
    The cyber threats we collectively face are real and immediate, and 
there are a number of steps that must be taken to enhance our economic 
and national security.

Implementing the President's Executive Order
    Recently, EMC and RSA, along with other private sector companies, 
have appreciated the opportunity to work closely with NIST on the 
implementation of the President's Executive Order to Improve Critical 
Infrastructure Cybersecurity.
    This collaboration between industry and NIST is a great example of 
what the public and private sectors can do together and represents an 
important step in the right direction. However, legislation is still 
needed to create a more effective partnership between the public and 
private sectors.

Key Elements of the Draft Legislation
    We applaud the Committee for its work to develop bi-partisan 
legislation based on an industry-driven, voluntary approach. This 
legislation complements the President's Executive Order by codifying 
the important steps the Administration has already taken to protect 
critical infrastructure and gives government and industry additional 
tools to bolster our cyber defenses. We are pleased to see that the 
draft bill requires a voluntary, non-regulatory process, enabling 
further collaboration between the public and private sectors to 
leverage non-prescriptive and technology-neutral, global cybersecurity 
standards for critical infrastructure. We also commend the Committee 
for including crucial provisions to support cyber research and 
development; increase awareness of cyber risks; and improve 
cybersecurity education and workforce training.
    As efforts progress, we urge you to consider a few key points:

    (1) Any successful cybersecurity effort must be industry-driven.

    With the rapid pace of innovation, owners and operators of critical 
infrastructure need the flexibility to keep pace with the rapidly-
evolving and sometimes equally innovative threat landscape. For this 
reason, standards and best practices should be non-prescriptive, non-
regulatory, and technology-neutral. This draft legislation achieves 
those objectives by initiating a voluntary, industry-led standards 
development process that will build on the great work that is already 
being done in the private sector. This close and continuous 
coordination between government and industry is vital to the ongoing 
development of best practices to combat the ever-changing threats we 
all face.
    Collaborative efforts between government and industry have been 
similarly successful in addressing supply chain security issues. EMC 
has been an early adopter of industry best practices to strengthen the 
security of our supply chain and ensure the global integrity of our 
software and hardware development processes. EMC shared its experience 
in two SAFECode whitepapers on software integrity.\11\ As a leader in 
the security field, RSA has actively engaged with government and 
industry partners to develop global supply chain security standards.
---------------------------------------------------------------------------
    \11\ SAFECode.org/publications
---------------------------------------------------------------------------
    The following are a few examples of industry-led efforts to develop 
and implement security standards:

        The Common Criteria: The Common Criteria \12\ are a set of 
        international computer security standards developed by 
        governments that include Canada, France, Germany, the 
        Netherlands, the United Kingdom and the United States through 
        active engagement with industry. EMC/RSA has made substantial 
        investments over many years to certify many of our products 
        against the Common Criteria, which are now recognized by 26 
        countries. U.S. policy should encourage those countries that do 
        not yet recognize The Common Criteria to follow suit as a 
        baseline assessment and avoid separate, custom national 
        evaluations in order to access their markets.
---------------------------------------------------------------------------
    \12\ ISO/IEC 15408: Information technology--Security techniques--
Evaluation criteria for IT security--Part 1: Introduction and general 
model

        Protection Profiles: Industry has taken the lead to contribute 
        technical content related to supply chain evaluations against 
        standard ``Protection Profiles'' for different classes of 
        technology. This directly supports a strategy by The Common 
        Criteria Development Board and the National Security Agency 
        (NSA)'s National Information Assurance Partnership (NIAP) unit 
        to reorient product evaluations towards protection profiles, 
        many of which are also developed by industry.

        Open Trusted Technology Provider Standard (O-TTPS): In 2009, 
        RSA's Chief Technology Officer worked with the U.S. Department 
        of Defense to launch a joint public-private initiative that led 
        to a published global supply chain standard in April 2013. The 
        resulting standard, The Open Group's O-TTPS Standard for 
        Mitigating Maliciously Tainted and Counterfeit Products \13\ 
        addresses two of our most important threats. Earlier this month 
        at their international conference, The Open Group's Trusted 
        Technology Forum awarded EMC for its ``outstanding 
        contribution'' to this multi-year standard development process. 
        The new, global O-TTPS standard will have a measurable 
        accreditation program by year's end, enabling compliance down 
        into the technology supply chain. This non-prescriptive pilot 
        program focuses on measuring the outcomes of practices, while 
        giving each organization the latitude to determine how best to 
        reach the performance goals. This Open Group industry standards 
        effort also has a formal liaison with ISO/IEC's emerging 
        standard on supplier relationships that has itself been 
        developed with significant industry review and comments.\14\
---------------------------------------------------------------------------
    \13\ http://www.opengroup.org/news/press/open-group-releases-global-technology-supply-chain-security-standard
    \14\ ISO/IEC 27036: Information technology--Security techniques--
Information security for supplier relationships--Part 1: Overview and 
concepts

    (2) Public and private sector collaboration is essential to 
bolstering cybersecurity.

    EMC and RSA strongly support the bill's aim of establishing more 
effective collaboration between industry and government to address 
cybersecurity issues. We already participate in two successful 
initiatives that we believe can serve as a model for future public-
private partnerships in the cybersecurity field.
    At the national level, the Enduring Security Framework (ESF) is a 
partnership of senior industry and government executives to identify 
critical cyber vulnerabilities and mobilize experts to address the 
risks. At the regional level, the New England Advanced Cyber Security 
Center is a consortium of industry, government, and universities 
working together to share cyber threats and explore new areas of 
research required to improve our defenses.

    (3) Cybersecurity standards should be voluntary, non-prescriptive, 
and technology-neutral.

    The voluntary nature of the legislation is of paramount importance. 
While we support the development of standards and best practices, we 
firmly believe that companies should have the flexibility to determine 
for themselves how best to secure their networks. In this highly-
innovative sector, companies need the flexibility to explore creative 
approaches and technologies. Government regulations cannot reasonably 
keep pace with innovation, and companies must be free to design and 
build secure products in a global environment as they see fit without 
government intrusion. This ensures ongoing technology innovation in a 
global marketplace, resulting in increased productivity, job creation, 
and economic growth.

    (4) Both government and the private sector must invest in 
increasing public awareness of the cyber threat.

    In today's increasingly interconnected world, every individual has 
a role to play in enhancing cybersecurity. As we have seen, simple 
errors such as the use of weak passwords and poor cyber hygiene can 
have serious consequences. For this reason, we strongly support the 
legislation's call for NIST to launch a cybersecurity awareness 
campaign. Increased awareness is our first line of defense against 
cyber attacks, and we applaud the Committee for recognizing this. As 
NIST undertakes this effort, there are a number of existing public-
private partnerships upon which we can build.
    The National Cyber Security Alliance (NCSA) is a non-profit 
organization comprised of captains of industry ranging from defense and 
IT companies to financial institutions and e-commerce providers to 
telecommunications companies and ISPs. Founded in 2001, the Alliance 
works with all levels of government to promote cybersecurity awareness. 
As one of its founding members, EMC/RSA has been involved in this 
partnership since its inception, and as the cybersecurity challenge has 
grown, so has the Alliance.\15\
---------------------------------------------------------------------------
    \15\ www.staysafeonline.org
---------------------------------------------------------------------------
    In collaboration with its public sector partners, NCSA established 
National Cyber Security Month in October, which is designed to elevate 
and expand cybersecurity awareness programs. We appreciate the support 
of the President of the United States and the U.S. Congress in this 
effort, and we are pleased to see that the initiative has grown year 
after year. The U.S. Department of Homeland Security (DHS) is a long-
time participant and supporter of this public-private partnership as 
are multiple other Federal government agencies and many state and local 
governments.
    NCSA has also partnered with the Anti-Phishing Working Group (APWG) 
and DHS to launch the Stop-Think-Connect awareness campaign, an effort 
we will continue supporting actively to help grow its influence as a 
nationwide and multi-national public awareness initiative.\16\
---------------------------------------------------------------------------
    \16\ http://stopthinkconnect.org/

    (5) As we move forward, we must think not only of today's threats, 
but also of the cybersecurity challenges of the future.

    Today, thousands of cybersecurity positions remain unfilled in both 
the public and private sectors, simply because of a lack of qualified 
candidates. We are pleased to see that the draft legislation includes 
provisions to increase cybersecurity research and to support the 
development of the cybersecurity workforce.
    Title II of the draft legislation calls for a national 
cybersecurity research and development plan to be developed by the 
Office of Science and Technology Policy (OSTP) and the coordination of 
research and development activities at the National Science Foundation 
(NSF), NIST, other Federal agencies, academia, and the private sector. 
We believe the authorization of coordinated research will address gaps 
in knowledge that prevent the development of secure technologies. In 
addition, the Networking and Information Technology Research and 
Development (NITRD) program has been successful in supporting research 
on the science of cybersecurity and will enhance the continuation of 
innovative approaches to new technology.
    Title III of the draft bill supports efforts to prepare the 
cybersecurity workforce of tomorrow. Our young people are our greatest 
asset, but our students are falling behind in the crucial fields of 
science, technology, engineering and math. Investments in cybersecurity 
education and workforce training today will develop the talent we need 
to strengthen our defenses for years to come.
    As cyber threats continue to escalate at an alarming rate, we need 
to invest in building the cybersecurity workforce with the requisite 
skills to defend our systems and drive continued innovation. Two areas 
of investment are particularly important:

        Cyber security programs in post-secondary schools: To defend 
        our networks, we will need to graduate more individuals with 
        expertise in computer sciences, risk assessment, data mining, 
        data visualization and analytics, digital forensics, and human 
        behavior. Our colleges and universities must place an emphasis 
        on producing graduates with the technical and cross-functional 
        skills needed to defend against our cyber adversaries. The 
        Federal government should support programs at the college and 
        university levels that graduate qualified cybersecurity 
        professionals. One such example is the Scholarship for Service 
        program, funded by NSF, NSA and DHS, which has produced 
        cybersecurity professionals now working in both the public and 
        private sectors.\17\ This and other successful government-
        funded scholarship programs should be expanded to continue to 
        grow the cyber workforce.
---------------------------------------------------------------------------
    \17\ https://www.sfs.opm.gov/

        Training, certification and accreditation programs to increase 
        and maintain cybersecurity proficiency: In 2009, SAFECode 
        members outlined a framework around secure engineering training 
        that concluded that they could not sufficiently rely on 
        colleges and universities to deliver graduates that could join 
        the workforce without substantial, advanced company-led 
        training.\18\ Consequently, government and private enterprises 
        should provide increased cybersecurity training opportunities 
        for their IT staff. The SANS Institute and the International 
        Information System Security Certification Consortium (ISC2) and 
        Information Systems Audit and Control Association (ISACA) 
        provide education and certification programs that can be 
        replicated and expanded to further develop the cyber workforce.
---------------------------------------------------------------------------
    \18\ SAFECode.org/publications

    In addition, new programs such as the U.S. Cyber Challenge \19\ and 
the National Initiative for Cybersecurity Education (NICE) should serve 
as models for future education programs. NICE has evolved from the 
Comprehensive National Cybersecurity Initiative, and extends its scope 
beyond the Federal workplace to include civilians and students in 
kindergarten through post-graduate school.\20\ The goal of NICE is to 
establish an operational, sustainable and continually improving 
cybersecurity education program to enhance the Nation's security. These 
vitally important initiatives are being put into place to identify, 
recruit and place the next generation of cybersecurity professionals.
---------------------------------------------------------------------------
    \19\ For more information, go to the U.S. Cyber Challenge Website 
at: http://workforce.cisecurity.org/.
    \20\ http://csrc.nist.gov/nice/aboutUs.html
---------------------------------------------------------------------------
    This effort will require significant investments today, but if 
these initiatives are implemented properly, our technological future is 
bright. We look forward to a time when government and industry work as 
true partners to combat cyber threats. We also look forward to having a 
skilled and savvy workforce that comes to the table understanding the 
threat landscape and best practices ready to apply their expertise in a 
rich economic environment. These cyber professionals will be the 
brightest and best-trained that we have ever seen, and they will 
develop innovative ways to combat the cyber threats more quickly and 
more creatively than we could ever dream of today.
    For all of the reasons noted above, this draft legislation 
represents an important step in the right direction, but there is more 
work yet to be done.

Next Steps
    In order to effectively address cyber threats there must be an 
``innovative and cooperative approach between the private sector and 
the Federal government'' and we need to collectively utilize expertise 
within both government and industry. As Commander of U.S. Cyber Command 
General Keith Alexander has said many times, ``securing our nation's 
network is a team sport.'' \21\ Without strong public-private 
partnerships and actionable cyber intelligence information sharing 
between government and industry, we will not be able to make the 
progress that is so desperately needed. Moving forward, we recommend 
two key next steps:
---------------------------------------------------------------------------
    \21\ http://365.rsaconference.com/community/archive/usa/blog/2011/02/17/video-rsac-us-2011-keynote-the-department-of-defense-active-cyber-defense-and-the-secure-zone_general-keith-b-alexander

    (1) Government should explore additional opportunities to leverage 
public-private partnerships.

    We greatly appreciate NIST's commitment to working with industry, 
and we believe similar public-private partnerships should be explored. 
The public sector should further leverage information available from 
commercial services to paint a fuller picture of the threat landscape.
    For example, the RSA Anti-Fraud Command Center (AFCC) has worked 
globally with financial institutions, ISPs, law enforcement and other 
organizations to detect and shut down hundreds of thousands of phishing 
attacks since 2007.\22\
---------------------------------------------------------------------------
    \22\ For more information on the AFCC, see http://www.emc.com/collateral/solution-overview/10580-afcc-sb.pdf
---------------------------------------------------------------------------
    Similarly, we have worked with industry-led Information Sharing and 
Analysis Centers (ISACs) that are partnering with government entities 
and law enforcement--such as the Financial Services ISAC--to provide 
timely and actionable information on cyber threats and attacks.\23\ 
Actionable information gained from these mechanisms and in other 
processes with industry is often as valuable as information from 
government sources.
---------------------------------------------------------------------------
    \23\ For more information on the FS-ISAC's information sharing 
practices and programs, see ``Testimony of William B. Nelson, The 
Financial Services Information Sharing & Analysis Center'' before the 
U.S. House of Representatives Financial Institutions and Consumer 
Credit Subcommittee, September 14, 2011.

    (2) It is imperative that Congress addresses other key 
cybersecurity issues not under this Committee's jurisdiction.

    These include advancing the sharing of cyber threat intelligence 
between government and industry; establishing liability protections for 
entities that share threat information; and streamlining acquisition of 
technology. We urge the Congress to examine ways to break down barriers 
to information sharing and create incentives for the public and private 
sectors to work together to safely and securely share real-time, 
actionable information about cyber threats. Linking the adoption of 
cybersecurity standards to incentives such as liability protection and 
streamlined acquisition of technology will create a positive business 
climate while improving our nation's cybersecurity posture.
    We also support additional legislative initiatives to update 
criminal laws and penalties; enact Federal data breach law; modernize 
FISMA; and develop reasonable and effective policy approaches to supply 
chain protection that will not stifle innovation and competition.

Conclusion
    We thank Chairman Rockefeller and Ranking Member Thune for their 
dedication to advancing this important legislation. I strongly believe 
the action undertaken by this Committee and the bipartisan leadership 
of its Members will set a positive course for others in Congress to 
realize the urgency in addressing this growing threat. As the Senate 
confronts the policy challenges of cybersecurity, I have every 
confidence in industry's ability to leverage its existing relationship 
with NIST to enhance the cybersecurity of our critical infrastructure. 
Under this Committee's leadership, we sincerely hope that Congress will 
act quickly to address this urgent threat to our national security.
    Again, I thank you for the opportunity to be here today, and EMC 
and RSA look forward to working with you and your colleagues in 
Congress as this proposal advances.

    The Chairman. Thank you, sir, very much.
    At 3:15, there will likely be a vote, and I just need to 
inform members of that because I just found out. That is what 
happens in the Senate. So we will just disappear. If we can 
stage it, we will do that so we keep the hearing going.
    All right. Mark Clancy, Managing Director, Technology Risk 
Management and Corporate Information Security Officer, The 
Depository Trust & Clearing Corporation. Please, sir.

        STATEMENT OF MARK G. CLANCY, MANAGING DIRECTOR,

          THE DEPOSITORY TRUST & CLEARING CORPORATION

         ON BEHALF OF THE AMERICAN BANKERS ASSOCIATION,

         FINANCIAL SERVICES ROUNDTABLE, AND SECURITIES

           INDUSTRY AND FINANCIAL MARKETS ASSOCIATION

    Mr. Clancy. Thank you. Chairman Rockefeller, Ranking Member 
Thune, and members of the Committee, thank you for scheduling 
today's hearing on improving cybersecurity through the NIST and 
private sector partnership.
    My name is Mark Clancy and I am the Corporate Information 
Security Officer of the Depository Trust & Clearing 
Corporation, or DTCC. I also have leadership roles in the 
Financial Services Sector Coordinating Council and the 
Financial Services Information Sharing Analysis Center, which 
is the operational hub for information sharing in the financial 
sector.
    DTCC is participant-owned, governed, and serves the 
critical infrastructure for the U.S. and global capital 
markets. DTCC provides many services to the financial industry, 
but the easiest way to think about us is with one example. 
After a trade is executed on a stock exchange, we ensure that 
the shares move to the people who bought them and the money 
moves to the people who sold them. We do this across all the 
major exchanges in the United States, and in the aggregate, 
DTCC processed last year $1.6 quadrillion in transactions and 
all of that occurred in cyberspace.
    Today I am testifying on behalf of the American Bankers 
Association, the Financial Services Roundtable, the Securities 
Industry and Financial Markets Association who collectively 
represent a large segment of the financial services sector. We 
applaud and support the goals of the bill crafted by the 
leadership of the Committee.
    Researchers estimate there is $100 billion in annual loss 
to the U.S. economy and half a million jobs lost as a result of 
cyber crime and cyber espionage.
    The financial sector institutions perform risk assessments 
based on the types of attacks and threat actors that we are 
subjected to. We group threat actors into four categories: 
crime, hacktivism, espionage, and war. The threats from these 
groups range from theft of customer information or intellectual 
property through disruptions such as denial of service attacks 
to the destruction of systems and data.
    The financial services sector recognizes cybersecurity is a 
noncompetitive area and is committed to working together to 
address this issue. A key organization in this partnership is 
the Financial Services Coordinating Council whose mission is to 
strengthen the resiliency of the financial services sector 
against attacks and other threats of the Nation's critical 
infrastructure.
    We appreciate and support the goals of S. 1353 for NIST to 
facilitate the necessary private and public sector 
collaboration to establish voluntary standards and best 
practices to better secure our nation from cyber attack. The 
sector believes strongly that to be successful, the 
collaboration must include the leadership in the private and 
public sector, as well as industry practitioners who address 
cybersecurity-related risks every day. The frameworks and 
standards that are rooted in the global, real-world, real-time 
nature of the threat are those that will achieve the objectives 
of the Nation to reduce risk from cyber threats to critical 
infrastructure.
    The sector has participated in a number of NIST initiatives 
over the years and has found the organization to be ideal for 
the development of standards and collaboration. Supporting the 
development of the NIST Cybersecurity Framework has been a 
major initiative of the sector. We provided comments to NIST 
with an emphasis on the existing national and international 
regulatory frameworks that the sector currently complies with. 
We have actively participated in the workshops and are 
appreciative of the efforts by NIST to seek the sector's input 
on specific topics and to understand how the Cybersecurity 
Framework will be used by our sector.
    The Committee bill incorporates this collaborative effort, 
and we hope to see swift passage of the bill. I wanted to 
highlight four major issues of interest in the bill to the 
financial services sector.
    One, NIST as the Government organization with the 
responsibility to develop standards.
    Two, increasing research and development for the design and 
testing of software.
    Three, educating the workforce and preparing students for 
future technical roles.
    And four, promoting a national cybersecurity awareness 
campaign.
    There are two additional points Congress should consider as 
this bill is finalized.
    First, we strongly encourage the research agenda to include 
the evaluation of risk management through the supply chain. 
This will improve the resilience of all sectors by detecting 
and defending against software and hardware components that 
have been tampered with during the production, shipment, and 
through the international supply chain process.
    Second, in addition to this bill, we encourage the Senate 
to introduce and pass legislation that would enhance the 
ability of the private sector and Government to share cyber 
threat information while providing the necessary privacy 
protections for individuals.
    On behalf of the American Bankers Association, the 
Financial Services Roundtable, the Securities Industry and 
Financial Markets Association, along with DTCC, I would like to 
thank you for holding today's hearing to continue to raise 
awareness on this critical issue and for inviting us to 
testify. I would be happy to address any questions that you may 
have.
    [The prepared statement of Mr. Clancy follows:]

Prepared Statement of Mark G. Clancy, Managing Director, The Depository 
    Trust & Clearing Corporation On behalf of the American Bankers 
Association, Financial Services Roundtable, and Securities Industry and 
                     Financial Markets Association

    Chairman Rockefeller, Ranking Member Thune, and members of the 
Committee, thank you for scheduling today's hearing on improving 
cybersecurity through the NIST and private sector partnership.
    My name is Mark Clancy, and I am the Corporate Information Security 
Officer at The Depository Trust & Clearing Corporation (``DTCC''). I 
also serve on the Executive Committee of the Financial Services Sector 
Coordinating Council and as the Vice Chairman of the Financial Services 
Information Sharing and Analysis Center (FS-ISAC).
    DTCC is a participant-owned and governed cooperative that serves as 
the critical infrastructure for the U.S. capital markets as well as 
financial markets globally. Through its subsidiaries and affiliates, 
DTCC provides clearing, settlement and information services for 
virtually all U.S. transactions in equities, corporate and municipal 
bonds, U.S. government securities and mortgage-backed securities and 
money market instruments, mutual funds and annuities. DTCC also 
provides services for a significant portion of the global over-the-
counter (``OTC'') derivatives market. To provide insight into the 
criticality of DTCC's role in the safe and efficient operation of the 
U.S. capital markets, in 2012, DTCC's subsidiaries processed more than 
$1.6 quadrillion in securities transactions.
    Today, I am testifying on behalf of the American Bankers 
Association,\1\ Financial Services Roundtable,\2\ and the Securities 
Industry and Financial Markets Association \3\ who collectively 
represent a large segment of the financial services sector.
---------------------------------------------------------------------------
    \1\ The American Bankers Association (ABA) represents banks of all 
sizes and charters and is the voice for the Nation's $14 trillion 
banking industry and its two million employees.
    \2\ The Financial Services Roundtable (FSR) represents 100 of the 
largest integrated financial services companies providing banking, 
insurance, and investment products and services to the American 
consumer. Member companies participate through the Chief Executive 
Officer and other senior executives nominated by the CEO. Roundtable 
member companies provide fuel for America's economic engine, accounting 
directly for $98.4 trillion in managed assets, $1.1 trillion in 
revenue, and 2.4 million jobs.
    \3\ The Securities Industry and Financial Markets Association 
(SIFMA) brings together the shared interests of hundreds of securities 
firms, banks and asset managers. SIFMA's mission is to support a strong 
financial industry, investor opportunity, capital formation, job 
creation and economic growth, while building trust and confidence in 
the financial markets. SIFMA, with offices in New York and Washington, 
D.C., is the U.S. regional member of the Global Financial Markets 
Association (GFMA).
---------------------------------------------------------------------------
    At the highest level, we applaud and support the goals of S. 1353, 
The Cybersecurity Act of 2013 introduced by the leadership of this 
Committee. In my testimony today I will address current cyber threats, 
the sector-led initiatives to defend against these threats and the ways 
in which the Committee bill supports those efforts. Finally, I will 
stress the continued importance of crafting a more robust threat 
information sharing environment, particularly across our critical 
infrastructure.

Current Cyber Threat
    According to McAfee and the Center for Strategic and International 
Studies (CSIS), there is an estimated $100 billion annual loss to the 
U.S. economy and as many as 508,000 U.S. jobs lost as a result of 
cybercrime and cyber espionage.
    For the financial services industry, cyber threats are a constant 
reality and a potential systemic risk to the industry. Our markets and 
financial networks are predicated on trust and confidence. The trusted 
transfers and transactions that occur hundreds of millions of times a 
day are a fundamental prerequisite for modern capital markets, 
investors, consumers, and governments to conduct business and drive 
economic growth.
    Given the reliance on technology and the importance of trust in the 
sector, individual institutions and the industry as a whole perform 
risk assessments based on the types of attacks and threat actors they 
are subject to. The industry groups threat actors into four 
categories--Crime, Hacktivism, Espionage and War.

        Crime--The motivation of these groups is financial gain. The 
        threat intensity of these groups varies based on two factors: 
        the capabilities of the actors and the vulnerabilities of the 
        targets. While organizations are continually assessing and 
        addressing potential gaps in their systems, criminals are just 
        as quickly acquiring new technical skills and capabilities 
        through a sophisticated cyber black market.

        Hacktivism--The term hacktivism is applied to groups or 
        individuals who use computer intrusion or ``hacking'' 
        techniques to promote and publicize an often radical political 
        or cultural point of view. The most recent example of hacktivism 
        has been the distributed denial of service (DDoS) attacks for 
        which the Cyber Fighters of Izz ad-din Al Qassam have claimed 
        credit. These attacks against large financial institutions 
        began in 2012 allegedly to protest the posting of the 
        ``Innocence of Muslims'' video on YouTube. This group, like 
        virtually all hacktivists, is not motivated by financial gain--
        it wants to make a high-profile political statement. The 
        capabilities of hacktivists vary greatly, although it is common 
        to find a few highly-skilled individuals operating in loose 
        confederation with lesser-skilled, but highly-motivated actors.

        Espionage--The term cyber espionage was coined to reflect the 
        ``spy vs. spy'' activity that has occurred between nations. 
        However, cyber espionage has expanded in recent years beyond 
        attempts to steal national secrets to now include cyber theft 
        of proprietary information from corporations in an effort to 
        gain an economic and competitive advantage over the commercial 
        interests of a country.

        War--This generally refers to the launch of a cyber-missile or 
        some other cyber weapon of mass destruction to devastate the 
        capabilities of a government or corporation by causing a 
        physical system to fail or to gain control over that system. 
        Today, as many as 30 countries have cyber war units to protect 
        and defend against such an attack, according to former 
        Secretary of Defense Leon Panetta, who also oversaw a cyber-
        command center comprised of Army, Navy, and Air Force 
        personnel. In addition, some countries are developing units to 
        promote or instigate this type of warfare.

    The universe of threat actors, regardless of the category into 
which they fall, poses a significant and growing danger to the sector. 
These threats range from theft to disruption and destruction.

        Theft--Actions resulting in the theft of customer, proprietary, 
        or confidential data or information. The loss of essential 
        account information has the potential to put the public in 
        harm's way for fraud and identity theft. If the crimes happen 
        regularly, confidence in the sector could erode. The theft of a 
        customer's access credentials via malicious software installed 
        on the individual's computer is particularly dangerous because 
        that customer faces the potential loss of his or her funds and 
        assets.

        Disruption--Actions intended to cause disruptions to systems 
        and operations, denying authorized users access to the affected 
        systems. For example, in the previously mentioned DDoS attacks 
        against the sector, hacktivists successfully blocked or 
        otherwise limited the availability of certain consumer-facing 
        websites for brief periods, but did not impact any 
        institution's internal or critical functions. In the future, 
        more severe cyber attacks could attempt to target these 
        internal, critical functions.

        Destruction--Actions intended to compromise the integrity of or 
        cause the destruction of data and systems.

    Financial firms take extreme precautions to guard against these 
three main types of incidents that could impact the integrity of 
customer or institutional data. Not only is this an issue addressed by 
individual institutions' risk management functions, but also an issue 
in which executive leadership has taken an interest in order to 
increase investment in this critical space.

The Systemic Impact of Cyber Attacks on DTCC
    As mentioned earlier, DTCC serves as the critical infrastructure 
for global financial markets. As a result, the organization brings a 
dual perspective to its view of the cyber risk environment and its 
impact on critical infrastructure. First, DTCC must examine and plan 
for cyber attacks that could impact its ability to perform clearance 
and settlement and other critical post-trade processes that underpin 
the global financial marketplace. Second, because of the 
interconnectedness of the financial system, DTCC must also take into 
account the broader systemic risks that could result from a cyber 
attack on its systems.
    The global financial system is an enormous, interconnected ``system 
of systems.'' In other words, while individual institutions operate 
different parts of the critical infrastructure, the financial system 
itself is a product of the interactions of all these discrete actions. 
Because DTCC is connected to thousands of different market participants 
spanning the entire financial services industry globally, the 
organization must look beyond how a cyber attack could harm its own 
operations to the systemic impact on its members and the broader 
financial community. For example, if DTCC is unable to complete 
clearance and settlement due to systems disruptions or outages, buyers 
and sellers of securities would not know if their trades had completed 
and, therefore, what securities they own or how much capital they have.
    DTCC's financial risk and operational assessments must take into 
account these essential functions and determine how non-performance 
would impact the markets it serves as well as the firms that utilize 
its products and services, the investing public and the U.S. economy. 
In other words, if a cyber attack directed at DTCC, or other critical 
financial market infrastructure, rendered its systems non-operational, 
what would that do to the overall functioning of the financial system? 
If the financial markets could not operate, how would that affect 
liquidity and access to capital? This systemic view of cyber risk has 
driven DTCC to broaden its perspective on cybersecurity to include 
consideration of ways to mitigate low frequency but potentially high-
impact scenarios that a monoplane risk assessment would have ignored.
    DTCC maintains an elaborate and sophisticated information security 
program to protect against the types of cyber attacks mentioned above. 
This includes ongoing collaborative efforts with the private and public 
sectors. The financial services industry is currently engaged in a 
variety of public-private partnerships with the Federal government to 
protect against cyber threats and safeguard the Nation's critical 
market infrastructure.

Sector-Led Initiatives
    The financial services sector recognizes the risks, views 
cybersecurity as a non-competitive area and works together to identify 
potential threats and techniques to mitigate them. A key organization 
to this coordination is the Financial Services Sector Coordinating 
Council (``Council''), whose mission is to strengthen the resiliency of 
the financial services sector against cyber attacks and other threats 
to the Nation's critical infrastructure. The organization's leadership 
is comprised of industry utilities and operators, as well as industry 
associations, such as those on whose behalf I am testifying today.
    The Council is spearheading financial services participation in the 
discussions surrounding implementation of Presidential Executive Order 
13636--Improving Critical Infrastructure Cybersecurity through the 
involvement of the ABA as co-chair of the FSSCC Policy Committee and 
SIFMA as lead on the incentives efforts.
    The FSSCC Threat and Vulnerability Committee, co-chaired by the 
BITS \4\ division of FSR, discusses the evolving threat to identify 
sector initiatives for mitigation. The Committee also developed a 
methodology for identifying core infrastructure for the sector along 
with the Department of Treasury.
---------------------------------------------------------------------------
    \4\ BITS, as the technology policy division of the Financial 
Services Roundtable, addresses issues at the intersection of financial 
services, technology and public policy, where industry cooperation 
serves the public good, such as critical infrastructure protection, 
fraud prevention, and the safety of financial services.
---------------------------------------------------------------------------
    The ABA, FSR and SIFMA are also collaborating with the U.S. 
Department of the Treasury, in concert with the Council, the Financial 
Services Information Sharing and Analysis Center and The Clearing 
House, in an effort to enhance the industry's cybersecurity ecosystem. 
The effort has led to the development of an Action Plan of both short-
and long-term improvements to the sector's security posture focused on 
enhancing information sharing, increasing analysis, improving crisis 
management response and upgrades to core components of the cyber 
ecosystem.
    On July 18, the industry participated in Quantum Dawn 2, a 
cybersecurity exercise organized by SIFMA. Five hundred individuals 
from over 50 entities throughout the sector and government participated 
in this opportunity to run through their crisis response procedures, 
practice information sharing and refine protocols relating to a 
systemic cyber attack. Quantum Dawn 2 was executed on a simulation 
platform developed as a result of cybersecurity research funding from 
the Department of Homeland Security's Science and Technology 
Directorate and was used in the exercise to simulate the U.S. equities 
markets. Participants are currently analyzing the findings to identify 
areas for improvement and best practices that will enable firms and the 
entire sector to better prepare for and defend against cyber threats. 
The exercise demonstrates the positive linkage between research and 
development investments, such as simulation tools, and the ability to 
reduce cyber related risks through preparedness that could not have 
been accomplished using real world infrastructures.
    Lastly, some of these initiatives involve fundamental changes to 
the cyber ecosystem. In December 2011, the ABA and FSR formed a new 
entity, fTLD Registry Services, LLC (fTLD), to apply for and run 
industry-related top-level domains. This decision was predicated upon 
an announcement by the Internet Corporation for Assigned Names and 
Numbers (ICANN) to allow for an unlimited number of top-level domains 
(TLDs) beyond the 23 existing at the time (e.g., .com, .net and .org). 
fTLD's goal is to represent the financial services community and to 
help assure that new TLDs related to the banking and insurance 
communities will reduce industry risk and protect customers and 
institutions. In addition, fTLD helps develop sound Internet practices 
and standards and advocates for secure Internet policies.

Legislation
    We appreciate and support the goals of S. 1353, The Cybersecurity 
Act of 2013 sponsored by Senator Rockefeller and Senator Thune. If made 
into law, Title 1 of this bill would leverage the National Institute of 
Standards and Technology (NIST) to facilitate the necessary private and 
public sector collaboration to establish voluntary standards and best 
practices to better secure our Nation from cyber attacks.
    As discussed in detail above, the sector believes strongly in the 
importance of private sector leadership for responding to this threat. 
We also recognize the need for a partnership between the private sector 
and the government. The government plays a unique role in the 
protection of private sector companies. To be successful the 
collaboration needs to include the leadership in the private and public 
sector as well as the practitioners who address cybersecurity related 
risks every day. The frameworks and standards that are rooted in the 
global, real world, and real time nature of the threat, are those that 
will achieve the objectives of the Nation to reduce risk from cyber 
threats to critical infrastructure.
    The sector works closely with our government counterpart the 
Financial and Banking Information Infrastructure Committee (FBIIC). The 
FBIIC, led by Treasury and chartered under the President's Working 
Group on Financial Markets, is charged with improving coordination and 
communication among financial regulators, enhancing the resiliency of 
the financial sector, and promoting the public/private partnership. 
Essential to the sector's success is the public sector's commitment to 
the public/private partnership outside of the already mature regulatory 
regime.
    The sector has participated in a number of NIST initiatives over 
the years and has found the organization to be ideal for the 
development of standards and collaboration. Most notably, the industry 
has been involved and continues to participate in the implementation of 
the National Strategy for Trusted Identities in Cyberspace (NSTIC).
    Participation in the development of the Cybersecurity Framework by 
NIST has been a major initiative of the sector. We provided comments to 
NIST from the FSSCC with an emphasis on the existing national and 
international regulatory frameworks that the sector currently complies 
with. We have actively participated in the workshops and are 
appreciative of the specific efforts by NIST to seek the sector's input 
on specific topics and understand how the Cybersecurity Framework will 
be used by our sector.
    In addition to specifying NIST as the government organization with 
the responsibility to develop standards, the legislation would enable 
critical steps for increasing research and development for the design 
and testing of software, educating the workforce, preparing students 
for future technical jobs and promoting a national cybersecurity 
awareness campaign. These are all critical issues to the financial 
services sector.
    There are two points for consideration as this bill moves forward.
    In the development of a research agenda, we strongly encourage you 
to include the evaluation of risk management throughout the supply 
chain. It is important for all sectors to improve their ability to 
detect and defend against software and hardware components that have 
been tampered with during production, shipment and throughout the 
international supply chain process. This recommendation is based on 
research and discussion done by the sector in the development of the 
Council's research and development agenda \5\.
---------------------------------------------------------------------------
    \5\ http://www.fsscc.org/fsscc/news/2013/FSSCC%20RD%20Agenda%20April%2024%202013.pdf
---------------------------------------------------------------------------
    In addition, as the NIST Director establishes a cybersecurity 
awareness and preparedness campaign, we encourage the Director to 
analyze and leverage the work already underway by the National Cyber 
Security Alliance. This organization, supported by a number of sectors 
and government partners, developed the Stop. Think. Connect. campaign 
to encourage a shared responsibility across enterprises and individuals 
for securing the Internet.

Need for Information Sharing Legislation
    We encourage the passage of the S. 1353, The Cybersecurity Act of 
2013. In addition, we encourage the Senate to introduce and pass 
legislation that would enable increased cyber threat information 
sharing between the private sector and government, while providing the 
necessary privacy protections for individuals.
    Our sector works collaboratively with our government partners to:

   Prepare for cyber attacks by collecting, analyzing and 
        disseminating threat information to the extent currently 
        feasible, assessing systemic risks, and conducting joint 
        exercises.

   Stay ahead of adversaries and reduce the number of incidents 
        by anticipating threats, implementing countermeasures and 
        addressing critical vulnerabilities.

   Identify incidents as they occur by implementing key 
        controls that would improve our ability to detect and block 
        cyber attacks at ``net speed''.

   Respond to incidents in the manner that will reduce the 
        impact and risk to the financial institution and the sector.

   Improve security posture, and minimize impact through robust 
        forensics, investigations and learned capability.

    Given the interconnected nature of cyberspace, institutions 
recognize that the strongest preparations and responses to cyber 
attacks require collaboration beyond their own companies. As a result, 
the sector has engaged in a number of collaborative efforts. Through 
the FS-ISAC, participants share threat information between financial 
institutions and the Federal government, law enforcement and other 
critical infrastructure sectors. The FS-ISAC also has a representative 
for the sector on the National Cybersecurity and Communications 
Integration Center floor to provide the Department of Homeland Security 
(DHS) insight into the financial sector's issues and incidents and 
provide an additional fan out for information from DHS to the sector.
    Cyber attacks are not specific to the financial services sector, 
but are the concern of all targeted sectors, making it essential to be 
able to share threat information across sectors. Currently, we all 
experience attacks and work within our sectors as the law allows. 
Viruses, trojans and other malicious software may be written to target 
a specific sector, but are often developed or leveraged to attack other 
sectors for additional purposes. Attackers are looking for methods to 
increase efficiency, so their ability to reuse these tools in attacks 
on multiple sectors accomplishes this goal. Our attackers share 
information related to their attacks. American businesses defending 
against cyber attacks need that same capability. The ability to share 
information across sectors and with the government is necessary to 
effectively prepare, recognize and respond to attacks that hit across 
sectors. As our adversaries evolve, techniques become more complex, and 
coordinated attacks become commonplace, we need to advance our ability 
to respond in a collective, coordinated fashion.
    The ability to share information more broadly is critical and 
foundational to our preparation for and response to future attacks. 
While we constantly review opportunities to improve the information 
shared within our industry, it is vital that our efforts also include 
sharing information across sectors and between the government and the 
private sector. Each company and public sector entity has a piece of 
the puzzle and an understanding of the threat. Our ability to share 
this information will greatly increase our ability to prepare and 
respond to threats.

Conclusion
    On behalf of the DTCC and the financial services industry, I would 
like to thank you for holding today's hearing to continue to raise 
awareness on this critical issue and for inviting us to testify. I 
would be happy to answer any questions.

    The Chairman. Thank you, sir.
    Dorothy Coleman is Vice President of Tax, Technology and 
Domestic Economic Policy of the National Association of 
Manufacturers. We welcome you.

         STATEMENT OF DOROTHY COLEMAN, VICE PRESIDENT,

         TAX, TECHNOLOGY AND DOMESTIC ECONOMIC POLICY,

             NATIONAL ASSOCIATION OF MANUFACTURERS

    Ms. Coleman. Chairman Rockefeller, Ranking Member Thune, 
and members of the Committee, thank you for the opportunity to 
appear today to testify on behalf of our nation's 
manufacturers.
    My name is Dorothy Coleman. I am the Vice President of Tax, 
Technology and Domestic Economic Policy at the National 
Association of Manufacturers, the Nation's largest industrial 
trade association, representing small and large manufacturers 
in all industry sectors and in all 50 States.
    The NAM has enjoyed a close working relationship with the 
Committee for a number of years, and we appreciate your support 
and leadership on a number of issues that are important to our 
industry, including cybersecurity.
    One of NAM's top four goals is to ensure that manufacturers 
in the United States are the world's leading innovators. 
Cybersecurity is key to achieving this goal.
    We support creating a voluntary, industry-led standards 
development process, strengthening the cybersecurity research 
and development strategy inside the Federal Government, 
creating a highly skilled cybersecurity workforce, and raising 
public awareness of cyber threats. The Cybersecurity Act of 
2013 represents a sensible, bipartisan, nonregulatory approach 
and highlights the importance of moving forward on this issue.
    Manufacturers are entrusted with vast amounts of data 
through their relationships with customers, suppliers, and 
governments. They are responsible for securing the data, the 
networks on which the data run, and facilities and machinery 
they control. Manufacturers are the owners, operators, and 
builders of our nation's critical infrastructure, ranging from 
energy plants to highways. They rely on technology to design, 
produce, and deliver products ranging from nanoscale electronic 
devices to fighter jets.
    The design, collaboration, and information that helped 
drive this innovation has moved almost exclusively online, 
exposing companies to cyber thieves constantly attempting to 
penetrate networks and steal intellectual property to replicate 
products and designs and disrupt business activity and critical 
infrastructure.
    Manufacturers recognize they have to secure their networks, 
their controls, and their data. In a recent NAM membership 
survey, 96 percent of respondents said they have ongoing 
efforts to strengthen their information technology networks and 
protect their IP. More than 90 percent of the respondents have 
upgraded their IT assets, and more than half have hired outside 
cybersecurity experts.
    Thus, the NAM encourages the Federal Government to advance 
cybersecurity preparedness through increased collaboration and 
coordination with the private sector. Our top priority is 
allowing voluntary sharing by the public and private sector of 
real-time threat information to allow manufacturers to better 
protect themselves from cyber threats.
    In addition, any cybersecurity initiative should protect 
personally identifiable information and civil liberties and not 
grant the Government new authority in this realm or the ability 
to monitor or censor private networks.
    We oppose the creation of a static, regulatory-based 
government regime. Potential cyber threats change rapidly and 
manufacturers need the flexibility to pivot quickly and defend 
against these threats in real time. Time spent complying with 
outdated and burdensome regulations will negatively impact 
manufacturers' ability to protect their key assets.
    Comments by NAM members to NIST reflect their belief that 
any cybersecurity framework should be voluntary, risk-based, 
and flexible enough to keep pace with ever-changing cyber 
threats. Most importantly, any threat information the 
Government can share with the private sector will be the most 
effective way to combat cyber threats.
    The framework also should act more as guidelines for best 
practices and take into account the global presence of 
manufacturers and related international standards in place. A 
major concern is that the creation of any new set of standards, 
even if they are voluntary, could lead to another regulatory 
regime and cause even more challenges to manufacturers.
    We are pleased that your legislation addresses many of 
these challenges, and we appreciate your balanced, 
nonregulatory approach to reduce the risk of cyber threats 
based on a public/private partnership. The National 
Cybersecurity Research and Development Plan would further 
secure wireless technology, software systems, and the Internet 
while guaranteeing individual privacy.
    We also support the creation of cybersecurity modeling and 
test beds to examine our capabilities and determine our needs.
    We appreciate your efforts to raise the priority of 
cybersecurity through all agencies.
    At the end of the day, however, the ability to receive 
real-time threat information remains manufacturers' top 
priority and will be the most effective way to combat cyber 
threats.
    Manufacturers also realize that an ongoing partnership with 
the Federal Government is important. NAM members generally 
support establishing NIST as a facilitator of industry-led 
discussions on standards, guidelines, and best practices. Many 
NAM members are participating in the NIST Cybersecurity 
Framework discussions. Those sessions have been productive and 
our members want the process to continue.
    At the same time, there are concerns that codifying NIST as 
the facilitator may somehow negatively impact the process or, 
even worse, give NIST the authority to recommend binding 
regulations. As noted before, manufacturers will not support 
any legislation that creates a new, overly burdensome 
regulatory regime.
    Thus, we are pleased that creating new regulations is 
neither the intent nor the goal of your legislation. We 
appreciate that your bill specifies that any recommended 
standards will be voluntary and will not prescribe specific 
technology solutions, products, or services.
    In conclusion, manufacturers' ability to protect their 
products, processes, facilities, and customers is critical for 
their continued success and the broader economic security of 
the Nation. Your bill represents a good first step in assisting 
manufacturers in their ongoing efforts to reduce their cyber 
risk.
    Thank you for the opportunity today to appear before you. 
The NAM looks forward to working with the Committee as the 
process moves forward. Thank you.
    [The prepared statement of Ms. Coleman follows:]

Prepared Statement of Dorothy Coleman, Vice President, Tax, Technology 
  and Domestic Economic Policy, National Association of Manufacturers

    Chairman Rockefeller, Ranking Member Thune and members of the 
Committee, thank you for the opportunity to appear today to testify on 
behalf of our nation's manufacturers on ``The Partnership Between NIST 
and the Private Sector: Improving Cybersecurity.''
    My name is Dorothy Coleman, and I am the Vice President of Tax, 
Technology and Domestic Economic Policy at the National Association of 
Manufacturers (NAM), the Nation's largest industrial trade association, 
representing small and large manufacturers in every industrial sector 
and in all 50 states. We are the voice of 12 million manufacturers in 
America.
    The NAM has enjoyed a close working relationship with the Committee 
for a number of years. Mr. Chairman, we appreciate your unwavering 
support for the Hollings Manufacturing Extension Partnership, which has 
proved invaluable for small manufacturers in West Virginia and around 
the country working to develop the next breakthrough manufacturing 
technology. Thank you, too, for your leadership on spectrum issues, 
which are critically important to the many manufacturers that use 
wireless technology in their businesses.
    Ranking Member Thune, the NAM and our members have worked closely 
with you on multiple issues. You have been a strong advocate for the 
close to 40,000 manufacturing employees in South Dakota on both tax and 
trade issues. We look forward to continuing our working relationship 
with you on cybersecurity and the other legislative priorities for 
manufacturers.
    Cybersecurity has been a focus of this committee in recent years. 
On behalf of our nation's manufacturers and all those who want to 
ensure the protection of our critical assets and intellectual property 
(IP) and to work together with the Government to achieve this goal, I 
am pleased to testify on the Cybersecurity Act of 2013 and to discuss 
the partnership between the National Institute of Standards and 
Technology (NIST) and the private sector.

Overview
    Manufacturing remains an important economic force in the United 
States, representing 12 percent of the U.S. economy. Nonetheless, 
despite the critical role the industry plays in the economy, taxes, 
legal costs, energy prices and burdensome regulations make it 20 
percent more expensive to manufacture in the United States than in any 
other country.
    The NAM's Growth Agenda: Four Goals for a Manufacturing Resurgence 
in America is a comprehensive plan to address these challenges, 
unleashing the economy and manufacturing's outsized multiplier effect. 
The Growth Agenda makes the case for pro-growth policies to ensure that:

   The United States will be the best place in the world to 
        manufacture and attract foreign direct investment;

   Manufacturers in the United States will be the world's 
        leading innovators;

   The United States will expand access to global markets to 
        enable manufacturers to reach the 95 percent of consumers who 
        live outside our borders; and

   Manufacturers in the United States will have access to the 
        workforce that the 21st century economy demands.

    Manufacturers recognize that we face very specific challenges in 
achieving these goals. In particular, in pursuing our goal to be the 
world's leading innovators, our industry faces constant threats from 
nefarious actors in cyberspace attempting to access our IP and 
operations unlawfully. These threats endanger our continued economic 
growth and safety of our citizens.
    Thus, the NAM believes that we need to develop appropriate general 
and industry-specific best practices for improved cybersecurity. In 
formulating cybersecurity policy, we support a public-private 
partnership that draws on industry best practices.
    The cybersecurity debate has moved forward significantly this year, 
and the business community has the leadership of you, Mr. Chairman, and 
Ranking Member Thune to thank for that. Your bill represents a 
sensible, bipartisan, non-regulatory approach to an issue of utmost 
importance to the manufacturing industry. Manufacturers support 
creating an industry-led, voluntary standards development process, 
strengthening the cybersecurity research and development strategy 
inside the Federal government, creating a high-skilled cybersecurity 
workforce and raising public awareness of cyber threats.
    The introduction of this bill has also effectively signaled to the 
business community and to your Senate colleagues the importance of 
moving this issue forward. There are a number of additional issues that 
other committees need to debate, but we are pleased with the steps you 
have taken.

Manufacturers and Cybersecurity
    Manufacturers are entrusted with vast amounts of data through their 
comprehensive and connected relationships with customers, vendors, 
suppliers and governments. They are responsible for securing the data, 
the networks on which the data run and the facilities and machinery 
they control at the highest priority level.
    In addition, manufacturers are the owners, operators and builders 
of our nation's critical infrastructure. They manufacture and use the 
temperature controls regulating the grain silos that store our nation's 
food supplies. They build and manage the systems operating the traffic 
signals that govern the rules of the road. Manufacturers make 
technology products ranging from nanoscale electronic devices to 
fighter jets. They build and run the energy plants that power our homes 
and businesses and the heavy machinery exploring the oil and gas fields 
that make America competitive.
    In addition, manufacturers leverage technology to design, produce 
and deliver these products. Technology is also used to manage, monitor 
and secure key facilities and products, including trade secrets and 
patents.
    These products, controls, systems, patents, trade secrets and all 
other tools that differentiate manufacturers in the United States from 
their competitors are the envy of the world. The movement of design, 
collaboration and information that helps drive this innovation almost 
exclusively online has created a new vulnerability: exposure to cyber 
thieves that are constantly attempting to penetrate networks to steal 
this IP. This illegal activity allows bad actors to replicate products 
and designs and disrupt business activity and critical infrastructure.
    The stakes are high. What was once only the concern of businesses' 
IT departments has now become an important issue throughout 
manufacturing facilities, large and small. Leaders of manufacturing 
enterprises know they have to secure their networks, their controls and 
their data. In fact, in a recent NAM membership survey, 96 percent of 
respondents said they have ongoing efforts to strengthen their 
information technology networks and protect their IP to reduce their 
risk. More than 90 percent have upgraded their IT assets, and more than 
half have hired outside cybersecurity experts.
    Manufacturers know the economic security of the United States is 
related directly to our cybersecurity. Given that our economic security 
is critical to our national security, manufacturers are leaders in 
cyber defense and are working constantly to ensure their companies, 
products and customers are secure.

Cybersecurity Policy
    During the cybersecurity debate in recent years, the NAM has been 
clear on what actions we believe the government should take to address 
current cyber threats most effectively. We have communicated our 
priorities to leaders in both the House and Senate and to the White 
House. I am pleased to share those with you again today, and I applaud 
you for addressing a number of these issues over which your committee 
has jurisdiction.
    NAM members value the strong partnership they have with the public 
sector and believe that partnership should extend to cybersecurity 
efforts. The NAM encourages the Federal government to advance 
cybersecurity preparedness through increased collaboration and 
coordination with the private sector.
    In particular, manufacturers' top priority is allowing the 
voluntary sharing by the public and private sector of real-time threat 
information to allow manufacturers to better protect themselves from 
cyber threats. In contrast, under current law, the government is 
prohibited from sharing sensitive cyber threat information with the 
private sector. Manufacturers are hesitant to share information with 
the government due to liability uncertainty and exposure. Companies 
also are not permitted to share information freely with their peers.
    The NAM supported the Cyber Intelligence Sharing and Protection Act 
(CISPA) of 2013 (H.R. 624), which the House passed earlier this year. 
This legislation, if signed into law, will allow the government to 
share timely and actionable threat and vulnerability information with 
the private sector. Mr. Chairman, as a member and former chairman of 
the Senate Intelligence Committee, we encourage you to work with your 
colleagues on that panel to address the issue of information sharing.
    Manufacturers value the privacy of individuals and the need to 
protect personally identifiable information and civil liberties. We 
believe that any cybersecurity initiative the Federal government 
undertakes separately or in partnership with the private sector should 
place a premium on ensuring this information is secure. At the same 
time, it is important to ensure that any effort does not grant the 
government any new authority in this realm or give the government the 
ability to monitor or censor private networks.

Developing a Cybersecurity Standards Framework
    The NAM believes that the public and private sector must partner 
closely to establish the best way to defend against ever-changing cyber 
threats manufacturers face. We oppose, however, the creation of a 
static, regulatory-based regime. This approach will not enhance 
cybersecurity--it will do just the opposite.
    The cyber threat that now confronts all entities in both the public 
and private sector is commonly known as the ``advanced persistent 
threat'' or APT. Cyber hackers and thieves are changing their tactics 
every minute. Manufacturers need the flexibility to pivot quickly and 
defend against these threats in real time. Any mandatory regulations 
imposed on manufacturers will be obsolete the day they are published. 
The time spent complying and adjusting to outdated, burdensome and 
potentially duplicate regulations will negatively impact manufacturers' 
ability to protect their key assets.
    Rather than develop mandatory regulations, the government should 
apply to the cybersecurity challenge the public-private partnership 
model that has been effective in other areas. While the Federal 
government has the resources to facilitate industry-led discussions on 
how best to defend against the APT, industry officials bring real-world 
expertise and experience unique to their segment.
    In fact, NAM member companies have been on the record in their 
comments to NIST and in their participation in the cybersecurity 
framework discussions around the country that implementing any 
framework should be on a voluntary company-by-company basis. The 
framework needs to be risk-based, and it must keep pace with ever-
changing cyber threats. Most importantly, any threat information the 
government can share with the private sector will be the most effective 
way to combat cyber threats.
    A one-size-fits-all approach to a standards framework will not be 
effective. Manufacturers vary in size, come from a cross-section of 
diverse industry segments, have differing amounts of available 
resources and are exposed to external actors in different ways. These 
factors all will play a role in how each manufacturer implements a 
cybersecurity strategy. Imposing a single regulatory model would result 
in little or no participation in the framework. Rather, the framework 
should act more as a guideline and advocate for best practices. The 
framework must also take into account the global presence of 
manufacturers and all international markets in which they operate and 
the related international standards already in place.
    The most common theme we have heard from our members is that a 
number of standards already exist. A major concern is that the creation 
of any new set of standards--even if they are voluntary--could lead to 
another regulatory regime and cause even more challenges for 
manufacturers. Any framework NIST may develop must take into account 
existing standards already being followed by the private sector.

Cybersecurity Act of 2013, S. 1353
    The Cybersecurity Act of 2013, S. 1353, introduced yesterday 
addresses many of the challenges described above. Mr. Chairman and 
Ranking Member Thune, we appreciate your efforts to reach out to all 
stakeholders to create a balanced approach to reduce the risk of cyber 
threats to critical infrastructure based on a public-private 
partnership model.
    The legislation would create a national cybersecurity research and 
development plan to further secure wireless technology, software 
systems and the Internet, while guaranteeing individual privacy. The 
legislation would also create cybersecurity modeling and test beds to 
examine our capabilities and determine our needs. It does all of this 
while ensuring coordination across the government. We appreciate your 
efforts to raise the priority of cybersecurity throughout all agencies.
    Your bill also would place a priority on developing a high-skilled 
cybersecurity workforce. Through competitions, challenges and 
scholarships, it would create incentives to join this growing workforce 
at a time when our country needs it most. Most importantly, it would 
assess current skill sets and help determine what more is needed in 
curriculum and training to ensure we have the workforce we need. 
Manufacturers are facing a skills shortage in many disciplines, and any 
effort to close that gap is one we support strongly.
    The national cybersecurity awareness and preparedness campaign has 
been well received by NAM members. Efforts to increase the cyber 
intelligence and cyber safety of the public and state and local 
governments will benefit manufacturers as they hire the workers they 
need and as they operate in their communities.
    We have heard the most from our member companies on Title I of the 
bill, Public-Private Collaboration on Cybersecurity. As I stated 
earlier in my testimony, the ability to receive real-time threat 
information remains manufacturers' top priority. This will be the most 
effective way to combat cyber threats. Manufacturers realize that an 
ongoing partnership with the Federal government--in addition to 
information sharing--is also important.
    In addition, NAM members generally support establishing NIST as a 
facilitator of industry-led discussions on standards, guidelines and 
best practices among other efforts to reduce cyber risks to critical 
infrastructure. Many NAM members are participating in the NIST 
cybersecurity framework discussions underway. Those sessions have been 
productive, and our members want the process to continue.
    Nonetheless, they have some concerns about this approach. In 
particular, some companies are concerned that codifying NIST as the 
facilitator may somehow negatively impact the process, or even worse, 
give NIST the authority to recommend binding regulations.
    It is our understanding that creating new regulations is neither 
the intent nor the goal of the legislation. We appreciate that this is 
referenced specifically in the bill, which requires that any 
recommended standards are voluntary and will not prescribe specific 
technology solutions, products or services. The legislation is even 
more specific by citing that any information shared in the standards 
development process shall not be used to regulate any activity of the 
sharing entity.
    On behalf of the NAM's 12,000 members, this is a point I cannot 
stress strongly enough--manufacturers will not support any legislation 
that creates a duplicative regulatory regime that puts undue burdens on 
manufacturers. We are, therefore, pleased that this legislation 
prohibits that from happening while at the same time solidifies the 
public-private partnership in efforts to address an issue of critical 
importance to our nation.

Conclusion
    In our fast-moving, hyper-competitive 21st-century economy, 
cybersecurity is an issue of increasing importance to the manufacturing 
industry. The stakes are high for manufacturers and the rest of the 
business community. Manufacturers' ability to protect their products, 
processes, facilities and customers is critical for their continued 
success and the broader economic security of the Nation. The 
legislation the Committee is examining today represents a good first 
step in assisting manufacturers in their ongoing efforts to reduce 
their cyber risk. Manufacturers must and will continue to drive the 
process, and a partnership with the government is a key component of 
the effort. The NAM supports the goals of the legislation and 
appreciates the Committee's efforts to address this important issue. 
Thank you for the opportunity today to appear before you. The NAM looks 
forward to working with the Committee as the process moves forward.

    The Chairman. Thank you.
    I should inform our colleagues that the vote starts in 
about 3 or 4 minutes. Senator Thune, I can stay. I will stay, 
or I will come back if I go vote. But if there are members, 
Senator Klobuchar or you, sir--if you cannot come back, then 
you may want to ask a question now.
    Senator Klobuchar?
    Senator Klobuchar. I will just ask one question here at the 
beginning.
    The Chairman. Actually, Heinrich comes before you.
    Senator Klobuchar. Well, there we go.
    [Laughter.]

              STATEMENT OF HON. MARTIN HEINRICH, 
                  U.S. SENATOR FROM NEW MEXICO

    Senator Heinrich. That rarely happens.
    Dr. Gallagher, I just wanted to ask you a quick question 
about how--you have expounded a lot in terms of the 
collaboration that you have with the private sector and how 
critical that is. How do you also learn from the other agencies 
and entities that you work with within the public sector who 
have specific expertise in this area so that we can make sure 
that that then has a direct benefit on the private sector? And 
in particular, I know in my district you are very familiar with 
what Sandia does. They get about 20,000 to 30,000 attacks an 
hour. What is the mechanism for making sure that what we learn 
from some of those things makes it out into the private sector 
where appropriate?
    Dr. Gallagher. So thank you. I do not know if you know--my 
father was a lifelong employee at Sandia National Labs and I 
have been out there looking at their cybersecurity work.
    You are exactly right. There are two actual roles of NIST. 
One is the technical depth, and we have talked about that. And 
that is so important in terms of providing a venue to work with 
the private sector and be neutral.
    But the other role of NIST is coordination of standards in 
the sense that we are sort of a corporate memory within the 
Federal Government about how to work with the private sector on 
various standard setting activities, whether it is Smart Grid 
in energy or whether it is cloud computing, or health care 
information systems.
    One of the other roles we have is a very natural 
collaboration role with the other Federal agencies. That has 
been a key part of this effort as well, working with a very 
broad range of agencies. You can imagine, given the definition 
of critical infrastructure, it is basically a very large group 
of agencies: Energy Department, Transportation, Department of 
Treasury, Homeland Security, our intelligence community, and so 
forth. So that is a key part. This is an ``all hands on deck'' 
effort. We want to bring as many smart people as we can into 
the effort.
    Senator Heinrich. Thank you.
    Thank you, Mr. Chairman.
    The Chairman. That is it?
    Senator Heinrich. Yes.
    The Chairman. Are you sure? OK.
    Senator Klobuchar?

               STATEMENT OF HON. AMY KLOBUCHAR, 
                  U.S. SENATOR FROM MINNESOTA

    Senator Klobuchar. Mr. Chairman, thank you so much for 
holding this hearing on this incredibly important topic.
    I would like to underline the fact that cyber crime and 
espionage are resulting in major financial losses for American 
businesses. Last year, General Keith Alexander, the head of 
Cyber Command and the National Security Agency, said that they 
represent the largest transfer of wealth in human history.
Recent reports by McAfee and the Center for Strategic and 
International Studies estimate that the toll of cyber crime is 
about $100 billion per year.
    Under Secretary Gallagher, what is your best dollar figure 
estimate of the economic toll on American business due to cyber 
crime and espionage?
    Dr. Gallagher. I do not think I can improve on your 
estimate. So I will not hazard one.
    Senator Klobuchar. OK, very good.
    Do you think that there are enough incentives in place for 
the private sector to participate in NIST's process for 
establishing standards? Do you think the current incentives are 
sufficient, or do you think more needs to be done?
    Dr. Gallagher. So the view I have taken on the incentives 
question is that it is going to be easier to evaluate that when 
we are trying to put the framework into place. The framework is 
designed to be aligned with business. The goal here is to make 
good cybersecurity performance equivalent to good business 
practice. Therefore, the right way to look at the incentives 
question is to look at the friction as companies are trying to 
put this framework into place. It could be the business-to-
business relationship, and we have talked about that. It could 
be about the risk sharing. It could be about the interaction 
between the private sector companies and the Government. And I 
think until we start getting some experience with how this 
framework of practices starts to go in place, it is going to be 
difficult to guess which of the incentive issues are going to 
be most important. But I think the goal is to try to make this 
equivalent to good business.
    Senator Klobuchar. Anyone want to add anything else?
    Mr. Coviello. I would be happy to add to that.
    I think there is going to be a tremendous incentive to 
adopt this framework. As I said in my opening remarks, as 
companies adopt more and more technology to improve the 
productivity in their business operations, they are going to 
expose themselves more and more to these cyber threats. So, it 
will be a business imperative to have the ability to defend 
themselves.
    I think the level of not only awareness but understanding 
of the threat and the problem has risen dramatically in the 
last several years due to a number of well publicized attacks 
and the very figures that you quote. So I think it is going to 
be a matter not only of a priority for businesses but one that 
could even provide competitive advantage by having the best 
cybersecurity regime possible.
    Senator Klobuchar. Well, just along those lines, my last 
question is--I will put some more in the record. But one of the 
parts of this bill that I think is really important is the 
National Cybersecurity Awareness Campaign. Frameworks and 
voluntary standards are useless if our citizens do not practice 
cybersecurity at home, at school, at work, and I think without 
the public understanding and understanding the significance of 
the challenge, we are going to continue to be vulnerable.
    Does anyone want to talk about that? Mr. Clancy?
    Mr. Clancy. I would be happy to.
    So I have used metaphors a lot in my conversations because 
most people do not understand the technical world that I live 
in. The one I use in that case is around seat belts. So we have 
NIST that gives us a good set of specifications of what a seat 
belt should do, what its action should be, how you install it 
in the car. We also need to make sure that people are wearing 
them. And we are in the early days. This is cars in the 1950s 
where we did not have seat belts. Right? That is where we are 
with cybersecurity. So the combination of the good standard and 
the education for the public at large, as well as people who 
are the ones who install and fabricate seat belts--that is kind 
of what we need for this ecosystem that will change the physics 
of the problem that we suffer through today.
    Senator Klobuchar. Very good. And I think also I would just 
add that I think higher education institutions could play a 
role in this as well. I happen to know a few that are pretty 
good in my State. But I think that that would make a difference 
as well.
    So thank you very much for your work, and I look forward to 
working with you, Mr. Chairman, on this bill. Thank you for 
your leadership.
    The Chairman. Well, thank you. Do you wish to name each of 
those institutions?
    Senator Klobuchar. They know who they are.
    The Chairman. You are from Minnesota. You might as well do 
it.
    Senator Klobuchar. Well, like the University of Minnesota, 
a small Big 10 school, or St. Cloud State.
    The Chairman. OK. I have heard of it, yes.
    [Laughter.]
    Senator Klobuchar. The Golden Gophers.
    [Laughter.]
    The Chairman. Mr. Gallagher, NIST and your computer 
security division in particular has taken on the job of 
establishing some very technical and complex standards over the 
years. I am not sure everybody on the Committee or elsewhere 
understands the extreme difficulty of your mission or the 
scientific rigor with which you approach your standards work.
    Now, one of the witnesses just made a very important thing 
when he was talking about seat belts. He said it is one thing 
to develop seat belts. It is another thing to use them. And 
that I think trails generally along in this whole conversation.
    The representative of NAM said we could not support 
anything where you were required to wear your seat belt, I 
mean, in allegory terms.
    And that is troubling because all of you have been hacked 
into. All of us have been hacked into. I even got so desperate 
that I got the SEC--and now it is law--to say that every time 
anybody is hacked into, they have to report that to the SEC and 
the SEC has to put it on its Web site as a way of informing 
their shareholders that they better be doing something about 
this.
    So the question of doing something about it but then 
actually finding out what is the best possible standard and 
somehow adhering to that is not inconsequential. That is not a 
part of what we are doing here. It is not a part of our bill. 
But it is something I think we have to keep in mind.
    Anyway, a lot of your most complex standards are adopted 
worldwide, like algorithms for search engines. Could you just 
kind of give me a walk through, before I have to race out of 
here and to come back, on how do you facilitate with the 
private sector consensus on standards that are essential like 
this? How do you get it?
    Dr. Gallagher. So the NIST role in supporting the technical 
side of standards setting is really derived from our 
measurement science roots, and they tend to have two characters 
to them. In some cases, a standard, a common practice, a 
desired practice is by its very nature very technical. It may 
be based in science. A good example is encryption where you 
need an ability to write a code using a public key 
infrastructure that works and has a certain resistance to 
attack. The answer to that is actually answered through a lot 
of mathematics, very complicated mathematics, to take a look 
and prove that performance. So this is a case where there are 
technically better answers and worse answers, and the job at 
NIST is for those scientists and mathematicians to work with 
the world's experts in these algorithms to look at the features 
of these codes and to see which ones work.
    The other type of standard is actually a case where there 
could be several right answers, let us say, interoperability 
where in a certain type of transmission standard or data 
standard there could be one type of file format or another type 
of file format, and if we do not come to agreement, the systems 
would not be able to talk to each other and that would be a 
problem. In that case, it is not that the science or technology 
is dictating that one answer is necessarily better than the 
other, and it is more about getting the community of practice, 
the companies, together and having a discussion about which one 
we are going to settle on. And in some cases, what that boils 
down to is how will we know that we are complying with the 
standard, and that could be a measurement, a test. And what the 
NIST role will be is supporting the test that works.
    So it is interesting that----
    The Chairman. I am panicking a little bit here. You just 
used the words ``settle on'' and you used the word 
``standard.'' So my question is supposing everybody again being 
hacked into and lots of them not knowing it, doing something 
about it, maybe not. You get some big companies or some semi-
big companies in there and you are discussing with them what 
could be the best approach for them. And they come very close 
to agreeing with each other but do not entirely agree with each 
other. There is a scientific sort of a miscommunication of some 
sort or a difference of opinion. How do you resolve that if you 
want to see this put in practice?
    Dr. Gallagher. So the most straightforward way to resolve 
that is through a test. So I think the point that you care 
about in this case is the overall security performance of that 
system is what matters. And so what you want to do is have a 
testable level of performance. So in the middle of this 
discussion between companies, if they have different options 
about how to achieve that performance, the role of NIST will 
often be in finding out which one works better and then coming 
up with a test, a rigorous test that can be used to demonstrate 
that the standard works. And that is often what our role is in 
supporting that type of activity.
    The Chairman. What do you do if one test works and the 
other company's test does not work but they both think that is 
what they should be doing?
    Dr. Gallagher. It depends on the use. So if the standard is 
completely commercial, if this is a VHS versus BetaMax 
discussion and there is no public consequence, we may not do 
anything. Most standards in this country are in the private 
sector. That is what the National Technology Transfer and 
Advancement Act tells us to do is depend on that private sector 
infrastructure.
    But if the performance is safety or security or something 
where there is a strong public sector interest, then in fact we 
do not have to adopt it. We do not have to use it. We do not 
have to recognize it. And that is one of the reasons why it is 
so important in these efforts, particularly in something like 
cybersecurity, that the public sector agencies, Federal, State, 
and local, are participating in this process because there is 
clearly a public interest here in the integrity of these 
systems. They would not be critical infrastructure otherwise.
    The Chairman. OK.
    I have got 3 minutes to go 10 minutes. So I am just going 
to sort of recess this for a moment, and then I will be right 
back. And John Thune will be right back. So we are in recess.
    [Recess.]
    Senator Thune [presiding]. The hearing will reconvene.
    That was a very short break. I got a feeling you guys did 
not get an opportunity to do much during that break. But we 
will try and keep it rolling so we can keep this thing on 
schedule and wrap up at a reasonable hour. But we do appreciate 
your indulgence and patience around what inevitably happens 
here in terms of votes.
    I will direct this to you, Mr. Gallagher. I want to commend 
you for NIST's efforts thus far in working collaboratively with 
industry to address the cyber threat. We have received positive 
feedback from industry regarding the workshops that you have 
hosted and the transparency of your process.
    The legislation that Chairman Rockefeller and I have 
introduced authorizes NIST on an ongoing basis to facilitate 
and support the development of an industry-led and voluntary 
set of standards to improve security, as we mentioned in the 
opening statements.
    In your testimony today and previously, you have also 
stressed the importance of the process being industry-led. And 
I am wondering if perhaps you could elaborate on why an 
industry-led process will be successful and create, in the end, 
a better product.
    Dr. Gallagher. So thank you.
    I think there are three major reasons why the industry 
leadership is essential.
    The first one Art Coviello actually touched on in his 
opening statement, which is the know-how and the capacity are 
largely in industry, and embracing that is the best way to have 
an agile process that in fact keeps up with this technology. It 
is evolving very, very quickly.
    The other reason is that having an industry-led process 
vastly increases the chances that the answer is compatible with 
business. And since the goal here is to put this into use--
having a standard on a shelf is not going to help anyone--then 
the more we can align these practices with good business 
practices, the types of risk management that companies do 
anyway, the better off this will work.
    And the third reason is it can operate at the scale of 
markets. The Internet information technology is global, and if 
this is a Government-led effort, the answer we come up with is 
not going to be acceptable around the world probably because it 
was Government developed. But if industry develops it, it can 
be internationally used and it can harmonize efforts across 
markets all around the globe. And so I think from a trade and 
competitiveness perspective, the technologies, the solutions, 
the software work around the world, and that is something that 
would not happen unless industry led the effort.
    Senator Thune. And could you describe a little bit how you 
are working with industry stakeholders to ensure that the 
framework that you are developing with industry will be 
flexible, performance-based, and also cost effective?
    Dr. Gallagher. So we are working as aggressively as we can 
to pull in existing practices where many of those features have 
been demonstrated already. And the issue of scalability--that 
almost forces you to have a performance-based system because 
the things you do in a very large, multinational corporation 
are going to be very different than the things you would do in 
a company with 5 to 10 employees. But the types of things, the 
performance you are trying to achieve, in fact have the same 
goals.
    And the other thing that I think is quite interesting with 
the evolving framework is that in addition to embracing sort of 
risk management--in other words, this is as much about what you 
do as it is about the specific technical controls or things 
that you do to protect systems. The other thing that is coming 
up is implementation levels, in other words, a maturity model, 
the notion that your thinking evolves. In the very beginning of 
the process, if you do not have a lot of experience, you may 
have a very rule-based or control-based scheme where these are 
the top things I am going to do. These are the core behaviors 
we are going to enforce within our company. We are going to 
check passwords.
    But as you evolve, in fact, what happens is almost a 
security culture takes hold. It is about continuous 
improvement. It is about having the capacity to look at what is 
happening in your system to adjust to that, and it becomes much 
less about a rule following type culture and more about a 
continuous improvement. And that is being incorporated into 
this framework, which I think will really support 
implementation because it tells a company at the beginning of 
the process what they need to do and that is a different set of 
things than a very mature company would be looking at.
    Senator Thune. Let me just direct this question, if I can, 
to our industry witnesses. And I will repeat what I said. The 
feedback in terms of the NIST process under the EO has been 
generally positive. And I am curious to know what has been your 
involvement or your sector's involvement in the NIST process 
and if there is anything that you could suggest to the 
Committee or to NIST, for that matter, to improve that process.
    Mr. Coviello. I would be happy to start, Senator.
    First and foremost, to your point about it being industry-
led, just to give you an idea of the resources that can be 
brought to bear, RSA hosts the largest security conference in 
the world. We have over 300 vendors that come to our conference 
every year. So you think about the scale of capability from 300 
vendors that attend our conference to have an impact in terms 
of developing this framework with the latest and greatest, most 
innovative technologies.
    I would also add I have never seen a period where there was 
more investment from venture capital and others in the space, 
because it is such a tough problem to solve.
    So you have got that weight of knowledge. Combined with 
that, you have the vertical industry knowledge of their being 
able to evaluate the risk in their environments, how to go 
about implementing the right technologies in a fashion that 
gives you true defense in depth.
    Now, on the other side of the equation, you have NIST, 
which has an excellent technical capability, bringing together 
those resources and drawing the best of it to build that 
framework and not doing it in a vacuum, but doing it 
collaboratively with both industry verticals as well as the 
technology companies that provide the solutions.
    So this bill I think is so important because it sets the 
right direction to get the best results.
    As to your specific question, RSA has already been working 
with NIST to help develop this framework. We have expertise in 
the areas of identity management, in big data security 
analytics, in encryption technology, and in building out the 
framework. We bring our expertise in these specific technology 
areas to NIST and to the body of work that is being done.
    Senator Thune. Mr. Clancy?
    Mr. Clancy. I would add to that--and I pretty much agree 
with all the things that Art said--that the financial sector is 
very invested in this process for two reasons. One, we want to 
make sure there is a good and productive outcome and, two, 
because we want to improve the capability of the other 
infrastructures that we depend on.
    And I think the key--and I mentioned this in my testimony--
is this stuff for us has to be grounded in the real world. One 
of the challenges with some of the standards process, not so 
much the way that NIST works, but other organizations is they 
have people who are professional developers of standards who do 
not live in the real world. And so from the financial sector, 
we had to invest our experts who know this space because we 
want to get productive outcomes. And NIST has been very good at 
taking that input from our expertise and others they have 
brought to bear because we want this framework to work because 
we want to use it to improve our cybersecurity and improve the 
maturity--that was another thing that was mentioned--the 
maturity scale of the various players in the industry. So you 
have large institutions operating on large scales like mine 
that need to be very mature. We also have a lot of small 
institutions who do not actually run most of their own 
infrastructure. We need to get the service providers that 
provide them the capabilities to have this level of maturity to 
protect the sector overall and the Nation's critical 
infrastructure.
    The Chairman. Ms. Coleman?
    Ms. Coleman. Senator, from the NAM point of view, this 
issue, cybersecurity, has become increasingly important, and it 
has moved up the corporate ladder, so to speak, and it is now a 
boardroom issue for many of our members. A lot of our members 
are participating in the NIST forum and find these discussions 
very helpful and want to see the process continue. And I think 
from our perspective, the fact that we are talking about 
industry-led, voluntary standards in a public/private 
partnership are really key to our support.
    Senator Thune. Thank you. I am well over my time, and I 
would be happy to yield to my colleague and neighbor from the 
State of Nebraska for any questions she might have.

                STATEMENT OF HON. DEB FISCHER, 
                   U.S. SENATOR FROM NEBRASKA

    Senator Fischer. Thank you, Senator Thune, and thank all of 
you for being here today. I appreciate it.
    Mr. Gallagher, how will the NIST framework relate to DHS's 
implementation program?
    Dr. Gallagher. Well, we hope that the implementation 
program that DHS adopts is all about promoting adoption of this 
framework. This is industry's work. We think industry will come 
up with something that is quite effective. And the purpose of 
that program should be to support those companies adopting it 
making it useful, whether that is through education, and the 
incentives and other activities in the program.
    Senator Fischer. Will NIST have any input into that 
process?
    Dr. Gallagher. Yes. It has been a very collaborative 
activity already, both on the performance goals of the 
program--we have been working extremely closely with DHS. I 
have a weekly call with them, and at the working level, I think 
it is daily. That is also true on the implementation, and it is 
also true in the framework process because the framework 
process needs to be designed from the perspective of being 
implemented. So a lot of this discussion is already being done 
not just between the two agencies but in the broader effort as 
well.
    Senator Fischer. And I know that NIST has worked with 
private industry quite a bit on this. Is that correct?
    Dr. Gallagher. That is correct.
    Senator Fischer. And do you believe there are some 
essential elements in there that need to be included to make 
this a success?
    Dr. Gallagher. In terms of any particular area, it is 
actually a long list of areas that have been talked about. In 
fact, a big part of the framework effort is just organizing 
those areas into a structure and a language that everyone can 
collaborate under. So it talks about identification of threats. 
It talks about protection. It talks about response capability 
and recovery. And there are key activities in all of those 
areas. So they are all important.
    I think the proof in the pudding here is when you put this 
all into practice, does it make a difference in the overall 
performance of this very complicated system that is comprised 
of technology people and processes.
    Senator Fischer. Do you see any specific issues that need 
to be prioritized within that framework? What would you 
suggest?
    Dr. Gallagher. Well, we have actually turned the question 
around to the industry that is putting this together. So this 
is an industry-led effort. This is really their document. That 
is for us a key measure of the success.
    I think that the initial framework will have sort of two 
characteristics. One will be a body of existing work, existing 
best practice that has come out of all the participating 
companies that become a common set of practices. The other 
thing that I expect to see in the framework is a set of areas 
that are gaps that everyone agrees need to be addressed, but 
there may not be a body of existing best practices to 
implement.
    And so the final framework will have two pieces to it: a 
set of best practices and I think a road map for improvement. 
And that is one of the reasons why the framework process cannot 
be a once-through. It is really important then to turn back and 
start working on those gap areas and use it as a road map for 
continuous improvement because this technology is just that 
dynamic.
    Senator Fischer. The framework is due in October. Is that 
correct?
    Dr. Gallagher. That is correct.
    Senator Fischer. You said there will be gaps. So do you 
anticipate that there is going to be something written into 
this to acknowledge that there will be gaps and that it needs 
to be updated and filled in as those become more, I guess, 
recognized as time moves on and what is needed and working with 
the industry and hopefully continuing to listen to their input?
    Dr. Gallagher. So an explicit part of the ongoing process 
has been identifying areas where there is broad consensus that 
it is a critical area but maybe that the actual technical 
standards that would form the basis of a response are not 
considered sufficiently mature. And so that is already 
happening. And I think the framework needs to be an honest 
document, and I think it needs to showcase those areas. And if 
it generates a prioritization--remember, you have got all of 
these companies working across the sectors. If they can agree 
that this is a priority to address, I think that is a very 
powerful outcome of the framework itself.
    Senator Fischer. So we all like to talk about being 
flexible and having flexibility no matter what the topic. In 
this case, then you would certainly encourage that there would 
be flexibility with regard to this?
    Dr. Gallagher. I actually would go further. I would say 
this cannot work if there is not flexibility. The threat 
environment that is facing and the pace of technological change 
is so rapid that there has to be a dynamic environment--that is 
really the goal of embracing industry. It knows how to keep up 
with this. And that is why it is so important that they take 
this process and take it to scale so that it keeps up.
    Senator Fischer. Thank you very much.
    Thank you, Senator.
    Senator Thune. I thank the Senator from Nebraska.
    The Senator from Massachusetts, Senator Markey?

               STATEMENT OF HON. EDWARD MARKEY, 
                U.S. SENATOR FROM MASSACHUSETTS

    Senator Markey. Thank you very much. I appreciate it.
    Mr. Coviello, good to see you again. Welcome.
    Mr. Coviello. Thank you, Senator.
    Senator Markey. You are a preeminent leader in the 
cybersecurity field, and I have always appreciated your 
insights and we are fortunate to have you here with us today.
    From Hanscom to all of the companies up in Massachusetts 
led by EMC, we are a leader from Massachusetts on the issue of 
cybersecurity, and I thank you for all the work that you have 
done.
    When we talk about this issue, the electricity grid comes 
to mind. And back in 2010, I was able to author with Fred Upton 
a piece of legislation, informed by expert testimony from our 
national security experts, to put in place a set of protective 
policies so that our electricity grid would be difficult to 
attack successfully. As we all know, Thomas Alva Edison would 
recognize our electricity grid today. It has not been 
modernized the way our telecommunications system has been 
modernized since the 1996 Telecommunications Act. It just has 
not seen the kind of change.
    So my question to you is since so many experts felt that 
the electricity grid was so vulnerable--and that can cause 
catastrophic damage because that affects every industry not 
just one--what is your feeling about that in terms of the 
vulnerability of the electricity system, the grid in our 
country today? Mr. Coviello, Mr. Gallagher, whoever?
    Mr. Coviello. I will be happy to start, Senator. And thank 
you for your kind remarks.
    As I think Chairman Rockefeller pointed out, there is no 
industry and no part of our critical infrastructure that is not 
in some form or fashion vulnerable to cyber attack. And why we 
are so positive on this legislation is the fact that it calls 
for industry, including the public utility industry, to bring 
forward their ideas on how to understand and evaluate risk and 
how to implement not only policies but technology to mitigate 
that risk. And that includes the use of technology.
    What we need to do, and what should be part of this 
framework, is to develop a system that allows us to not just 
try to prevent intrusions--because they will occur, they will 
inevitably occur--but to be able to detect them more quickly 
and respond quickly enough to mitigate any potential harm.
    Senator Markey. Can I just ask you a question?
    Mr. Coviello. Sure.
    Senator Markey. Because my time is going to run out here.
    I released a report about 2 months ago on the electric 
grid's vulnerability to a cyber attack, and about 100 utilities 
responded to Mr. Waxman and myself. What their responses 
revealed was that there are ongoing attempts to go after our 
electricity grid. But the responses revealed something else 
which is that the utilities were almost all fully compliant 
with the mandatory standards that the industry develops and the 
Federal Energy Regulatory Commission enforces but none of them 
reported compliance with the voluntary recommendations made by 
the North American Electricity Reliability Corporation, an 
industry group that develops these measures.
    So I know that the utility sector is not the same as the 
industrial sectors that we are talking about today, but the 
utilities are already subject to mandatory reliability 
standards, and keeping the lights on in the face of a cyber 
attack is fundamental reliability.
    So I would be interested in your views on this tension 
between carrots and sticks because it is pretty clear that in 
the utility sector, they do not respond to voluntary, only to 
mandatory. Could you give me your insight in terms of what you 
think we have to put on the books to get that kind of a 
response?
    Mr. Coviello. Well, again, I think the bill that is before 
this committee--I do think is the right approach. I think you 
would have to speak directly to them about their ability to 
volunteer.
    But I think, again, what we are trying to accomplish here 
is to give them the means and the capability in the form of 
this framework to be able to defend themselves. And I cannot 
emphasize enough the fact that the technology is moving so 
quickly that having a framework that is flexible and adaptable 
that keeps pace with not only the threat, but the expansion of 
the attack surfaces is going to be critically important.
    I will also state that the problem is likely to get worse 
before it gets better. As we create what we call the ``Internet 
of things''--in other words connecting more and more physical 
devices to the Internet--then the attack surface is going to 
expand even more dramatically. And we have to have capability 
to address that.
    So my role here today is to comment on this legislation and 
how effective I think it would be in giving the private sector 
the means to protect the critical infrastructure. And I think 
it is the right path.
    Senator Markey. Do you see any additional incentives that 
we could include to encourage adoption of voluntary standards?
    Mr. Coviello. I think that there could be other 
considerations. I cannot, off the top of my head, give you 
examples today, but it would be something that you could 
consider.
    Senator Markey. So in other words, a backup capacity. So we 
have learned that the electric utility industry does not, in 
fact, implement voluntary standards, only the mandatory. So 
would you support some backup standard that if there was no 
compliance and it has been identified as a critical area that 
needs protection, that there has to then be some mechanism to 
ensure that there is an adoption?
    Mr. Coviello. Well, again, I do not speak specifically for 
the industry, but I think if they were given the right 
framework--and that is what we are attempting to do with the 
executive order and with this bill--I think it will go a long 
way to having them see the light to adopt this framework.
    Senator Markey. But if there is no adoption, in other 
words, should there be--because of the critical nature of this 
threat to our country, should there be a mechanism to ensure 
that there is compliance because we are only passing this 
because we have identified a threat?
    Mr. Coviello. Well, it is always in the purview of 
Government to do what is right in the public interest. So under 
that scenario, I would not rule anything out.
    Senator Markey. OK.
    Mr. Chairman, thank you. I appreciate it.
    The Chairman [presiding]. Thank you, Senator Markey. I 
understand exactly what your thrust is there. I have to say as 
chairman, I share some of that, but that is not actually within 
our jurisdiction and we have to sort of live with that. I mean, 
this is the voluntary, working with industry. The questions you 
asked are completely understandable and I think in the long run 
necessary, but that is what Homeland Security does.
    Senator Markey. I see.
    The Chairman. You see?
    Senator Markey. I was operating under the misimpression 
that you were chairman over everything that comes under the 
purview of private commerce in the United States.
    [Laughter.]
    Senator Thune. I would say to the Senator from 
Massachusetts the Chairman likes people to think that.
    [Laughter.]
    Senator Markey. Thank you, Mr. Chairman.
    The Chairman. Oh my God.
    [Laughter.]
    The Chairman. Dr. Gallagher, you negotiate with world 
groups on standards. So now, we have been talking here about--
let us say we have got standards on American cybersecurity and 
what do we do about all of that. You negotiate with world 
organizations, and you do it over the same kind of thing. What 
do you do when you arrive at differences, substantial 
differences? If you do not understand my question----
    Dr. Gallagher. I think so.
    The Chairman.--please say so and I will try again.
    Dr. Gallagher. So the international standards process is 
actually one where NIST does not represent the United States. 
Again, since we have an industry-based standard setting process 
in this country, our presence in international standard setting 
is set by those private sector standards organizations. What we 
try to do is facilitate that process. And a lot of that has to 
do with making sure that the best technical answer is 
supported. You know, we would prefer effective standards over 
ineffective standards.
    But I have to say the most effective role in international 
standard setting is the role of companies, particularly 
international companies, because they have a stake already in 
these multiple areas. And in fact, it is that desire to have as 
common a market as possible that is a big influence in those 
areas. So the key to international standard setting--it is 
always a complex issue--is participation, and it is one of the 
reasons why I think this framework process is so important. By 
coming together and developing a common set of practices, we 
will shape what international standards look like. That tyranny 
of the first draft and shaping what this looks like really 
matter. And I think we already see signs of other countries, 
other areas. Whether they are going to be voluntary or whether 
those countries decide to go into a regulatory approach, they 
are already interested in basing whatever they do on what is 
already happening here in this framework process. And I think 
that is a good thing because the more we get common behavior 
and common practices, the more compatible this enterprise is 
with the way business works.
    The Chairman. In a sense what we are doing is we are asking 
you to develop standards that are effective standards that will 
really improve our country's cybersecurity in a voluntary 
fashion. We are not asking you for window dressing or for a 
proposal to make every single stakeholder happy. That was sort 
of a dumb last sentence. But it is a very big responsibility 
because you want to be effective. You do not want to be sort of 
a United Nations between competing ideas and people come to 
this point and then they stop, so they cannot close, so they do 
not do.
    Are you and the rest of the NIST staff committed to the 
goal of developing effective standards, and how would you 
answer that differently than I asked you a previous question? 
How do you come to agreement? The word ``effective,'' as 
Senator Markey indicates, is important.
    Dr. Gallagher. I think it is absolutely critical.
    The way I think about this question is we are talking about 
a set of activities owned and operated by the private sector 
that if they were to fail through a cyber attack would have 
catastrophic impact to the country. That is the definition of 
critical infrastructure that is in the Executive Order. So 
there is clearly a national interest in that not happening. And 
so effectiveness is actually the starting point. This has got 
to work.
    I think the position we take is that if we can make this 
work, working through industry in a market-centric way, in a 
way that adapts all of the capacity they have, all of the 
adaptability they have and aligns with business practice--and 
that is an ``if.'' If that works, that is the best answer 
because it can scale internationally. It can keep up with the 
technology, and there is this little sort of counter-market 
things that we have to do. If it does not work, I think the 
question before Congress will be what do we do about that 
because you still have a national impact.
    So the position of NIST has been this has got to be 
effective. It has got to address lowering the overall risk of 
these types of failures. And it has to be measured by being put 
into practice and it has to continually get better because both 
the threats are going up and the technology is changing, and 
the nature of the vulnerabilities are shifting. So it has to be 
continuous.
    The Chairman. Yes.
    Senator Thune, can I ask one more question?
    Senator Thune. Yes, sir.
    The Chairman. OK, because I am over my time limit.
    I mentioned before that because you could not get anything 
done in legislation--we were not getting anything done in 
legislation and that this in fact--even national security--I 
mean, so much braid and stars you cannot even believe it. 
Masses of it, acres of it begging us to pass legislation that 
will make cybersecurity attacks much more hard or that we can 
stop them. Now, you suggested one way, but you did not suggest 
it in the way I am going to say it. But if you have a 
catastrophic attack, it is sort of like a 9/11 effect. People 
perk up and say, oh, gee, we should have prevented that. And 
then we pass, to the everlasting shame of the U.S. Congress, a 
bill.
    The first thing we did after 9/11 was pass a bill which 
allowed the FBI and the CIA to talk to each other. I voted for 
the bill and then I went and blushed. I mean, it was so 
embarrassing we would have to do that. But that is the way it 
is. People do not talk to each other. They do not talk. There 
are stovepipes in Government, stovepipes in industry, people 
not wanting to get an advantage taken of them.
    So I came up with this idea--Mary Schapiro was in charge at 
the time at the SEC--in two areas. In the matter of hacking, 
that the companies by definition are probably not going to say, 
hey, guess what, we were hacked and then send that announcement 
out to all their shareholders. But in an era of transparency 
and for the betterment of that company, their shareholders have 
a right, I would think, to know that their company had been 
hacked into. I wrote to Mary Schapiro and asked her to work on 
this. And it works. Now people are starting to report. 
Shareholders are seeing.
    I did the same thing with coal mines. You cannot get coal 
mine safety legislation through this Congress with a red State. 
It just will not happen. Extremely frustrating. And then you 
live in a coal State and you see people getting killed. And, 
you know, coal companies like others are sort of distant and 
hidden and they have their own world, their own ways. And so I 
got her to do the same thing. If you had a coal mine accident, 
you were required to report that on the SEC website. And I am 
not saying it had a startling effect, but it had a good effect 
because people, in a sense, in a raw way that did not require 
law, were informing their shareholders that safety problems 
were extant and no more than that. No more authority to do 
anything than that, just transparency, which I think we 
generally are trying to believe in.
    Now, I do not know how to make a question out of what I 
just told you. But I think you understand what I am saying. I 
am implying that companies sometimes have to be caused to do 
what they would really want to do. But I do not want the people 
of West Virginia to know bad things about me, which of course 
do not exist.
    [Laughter.]
    The Chairman. But should they, I do not want them to know 
about it. Right? Senator Thune is the same way. Well, he is 
more perfect.
    [Laughter.]
    The Chairman. But you understand what I am saying. I mean, 
this is a serious problem that we are getting at, and we have 
unclear jurisdiction over it, just like I told the Senator. But 
my mind just forces me to put that question to you.
    Dr. Gallagher. So I certainly appreciate the important role 
that disclosure has in this environment, but since I am not an 
expert on those types of incentives, let me answer the question 
a little bit more generally.
    You are exactly right that this will not do any good if it 
is not put into practice. And so the crux of the issue--and I 
think this will be--and the administration believes this is 
going to be the essence of the discussion we want to have with 
Congress as this unfolds. As the framework is put into 
practice, what are the reasons why it does not go into 
practice? Is it the motivation of the boards? Is it business-
to-business transactions, where there are barriers to 
information in transactions? There are dependencies between 
companies as well. There are dependencies between the private 
and public sector. I believe that there is a lot of self-
interest to doing this well. I think that these technology 
systems actually cut right to the heart of the competitiveness 
and viability of the companies themselves. So I think a lot of 
self-interest is already there.
    But the extent to which we identify friction, that really 
should be what informs all of the subsequent discussion about 
incentives. And our view is that this will become very natural 
as we start to implement the framework, and it really becomes 
about an implementation question.
    The Chairman. Peer pressure evolves in various ways. Is 
that what you are saying?
    Dr. Gallagher. Yes.
    The Chairman. OK.
    Senator Thune. Mr. Chairman, I just appreciate very much 
the testimony of these folks today, and I think that it helps 
inform our process going forward. And I guess if there is a 
takeaway for me--and perhaps if you all want to, just in the 
form of a closing comment--is that the only way that this works 
is if the framework really is good business and makes sense. So 
that is kind of what I have derived from what I have heard you 
say today.
    I think that our bill is headed in the right direction 
based on what I have heard you say today. And there are other 
committees, as the Chairman said, that have other jurisdictions 
who will have to be heard from on this. And we hope that the 
work that they do can complement what we have done here.
    But we appreciate very much your being here, and if anybody 
has anything they would like to close with--it is just down to 
us. But thank you so much for your time and for your expertise.
    The Chairman. Any closing thoughts?
    Mr. Clancy. So, again, I would like to thank you for having 
this hearing. I look at this as an important first step. There 
are more steps to follow. And I think, Chairman Rockefeller, 
what you were getting at in terms of disclosure is a way to 
inform the debate about the risks that we face. The other side 
of that equation, as I mentioned earlier in my testimony, is 
around information sharing. And I think there is work for other 
committees in the Senate to push that forward. And the two 
together will be stronger than either one of those things on 
their own.
    And I thank you again for the opportunity to speak on 
behalf of the American Bankers Association, the Financial 
Services Roundtable, and the Securities Industry and Financial 
Markets Association. Thank you.
    The Chairman. Thank you.
    Ma'am, do you have anything?
    Ms. Coleman. Yes. Just in conclusion, I just want to 
reiterate that the NAM supports your legislation as introduced. 
We certainly very much appreciate the industry-led, voluntary 
standards nonregulatory approach and the public partnership 
that is incorporated into the legislation. And we look forward 
to working with you to advance this legislation. And thank you 
for the opportunity to testify today.
    The Chairman. Thank you.
    Now, I want to point out that Senator Thune, who is a 
smooth operator, just almost took the legs out from under me 
there in sort of bringing this to a close because Senator 
Richard Blumenthal aggressively approached me on the Senate 
floor on an absolutely ridiculous vote--absolutely ridiculous 
vote, but it was very close so it was not ridiculous--and said 
that he was going to be here in 2 or 3 minutes and I am so 
informed. So it is a question of your tolerance of the whole 
concept of the legislative branch of Government, if you can 
stand it for 2 more minutes. He is very, very smart. He was 
Attorney General of Connecticut for 29 years. And he wants to 
be here. And so if you are willing to stay, he would be very 
happy and I would be very happy. I mean, 2 minutes. I mean, you 
can handle that. You are all young.
    Mr. Coviello. Mr. Chairman, I did not get an opportunity to 
make a closing comment. So maybe I can bridge the gap a little 
bit here while we are waiting.
    The Chairman. OK.
    Mr. Coviello. So, first of all, RSA was attacked in 2011 by 
two separate advanced persistent threat groups that we believe 
to have come from a nation state. Without the requirement of 
SEC disclosure, because it had not been put through as yet, our 
parent company, EMC, once we realized we had a loss, which was 
within hours of the actual exfiltration of information, we 
filed an 8-K report to the SEC. I also wrote an open letter to 
all of our customers informing them, as we had a moral 
obligation. So we take no credit for doing the right, moral 
thing to inform our customers that because of our breach, that 
they might have been in danger. As a result not only of our 
internal capability to see the attack and being a whisker from 
stopping it altogether, we were able to give remedial advice to 
our customers. And as a result, no customer suffered a loss as 
a result of our breach.
    The point I guess I would like to make is that, first and 
foremost, focusing on outcomes should be an important element 
of our cybersecurity strategy. I think Senate bill 1386 in 
California about notification of breaches of personally 
identifiable information has caused a significant shift in how 
the retail industry approaches cyber. But it is not about 
regulating specific action about how industries go about 
protecting themselves. If you focused on an outcome, very often 
you will get industry to do the right thing.
    I think your legislation is very important because it gives 
industry the tool to do that right thing. And I think this is a 
tremendous start. And, again, I want to thank you and Ranking 
Member Thune for your leadership because this is I think a 
tremendous start and an important element of protecting our 
critical infrastructure.
    The Chairman. Good. And I agree with you incidentally.
    Please, Senator Blumenthal, get here.
    I agree with you because it starts with the proper 
framework. This is not regulatory. NIST is not regulatory. NIST 
brings people together, public and private. It has been 
brilliantly successful at that. One of the most agencies in all 
of the Federal Government. So it puts that forward as the 
ideal. In that we are going to, hopefully, get our bill passed, 
it will allow that to proceed.
    But you are probably already proceeding on that. Are you 
not?
    Dr. Gallagher. Yes. We are proceeding under the framework.
    But from our perspective, we also appreciate this bill 
because it clarifies what are existing, but very broad 
authorities to do this. And in particular in light of the fact 
that we believe this effort needs to be ongoing and continuous, 
that clarification support I think is very helpful in helping 
to ensure that this evolves toward an industry-led program that 
has these features we have talked about of being agile and 
keeping up.
    The Chairman. Our prayers have been answered and the good 
Senator from Connecticut has arrived.

             STATEMENT OF HON. RICHARD BLUMENTHAL, 
                 U.S. SENATOR FROM CONNECTICUT

    Senator Blumenthal. Thank you, Mr. Chairman. I am going to 
tell my wife that she can say that when I come home tonight 
whether she thinks it or not.
    [Laughter.]
    Senator Blumenthal. But thank you very much for giving me 
this opportunity--I really appreciate it--on a topic that is 
supremely important. I just came from the floor and I apologize 
for anyone who has been delayed.
    First of all, my thanks to the chairman and the ranking 
member for remaining committed to finding solutions to this 
very real and urgent threat. Often when the legislative process 
fails to function properly or breaks down, people walk away and 
ignore the problems that still need solving, and that has not 
happened here fortunately. So I am heartened that the 
leadership of this committee has found a way to work together, 
and I want to pledge that I will continue to stay engaged and 
involved and help in whatever way I can.
    I continue to be concerned with ensuring that civil 
liberties and personal privacy are protected and safeguarded 
throughout this process. My colleague, Senator Markey, has been 
very much focused on this issue, and I want to thank him for 
his work on it before he came here.
    And I am also focused on making sure that we have the right 
incentives, the proper incentives to ensure that companies are 
complying with the standards.
    I have a question that has perplexed me as a representative 
of a State which has some of the greatest companies in the 
world. Under Secretary Gallagher, why has the market not better 
dealt with the cybersecurity threat? During the financial 
crash, we learned about systematic risk and banks that believe 
they were too big to fail, to use a somewhat hackneyed, 
overused term. Do you think the infrastructure companies 
believe that the Federal Government will bail them out in the 
event of a catastrophe? Is that why they are not taking steps 
on their own?
    Dr. Gallagher. So I would actually start by challenging the 
premise a little bit. I think the evidence that I have observed 
with companies from the various sectors coming into the process 
is that in fact there is a lot of actually quite outstanding 
activity going on. The financial services sector is a good 
example of one which has been under extreme duress with 
extremely high levels of targeted attacks to that sector and 
yet has really been quite good at working across company lines, 
sharing technical information, working with Internet service 
providers, working with the public sector in crafting and 
adapting to that pretty dynamic response.
    Senator Blumenthal. And I apologize, first, for 
interrupting you, second, because my question was unclear. I 
was really talking about insurance. I come from a State that 
has been engaged in trying to combat the cyber threat. I have 
talked to a number of the CEO's and lower ranking executives 
about their concern. But insurance does not seem to be a 
commonly used option. And in the normal situation in the 
marketplace, insurance would be a measure of how grave the 
threat is, everything from hurricanes and flooding to theft 
to--well, I do not need to tell you. Why not in this area?
    Dr. Gallagher. So I apologize for----
    Senator Blumenthal. No. It was my----
    Dr. Gallagher. So I think you are right. Certainly one of 
the incentive discussions is around insurance and why that 
market--what could be done to develop that. One of the possible 
reasons has to do with the fact that you need to monetize the 
risk. And so this comes down to measuring and understanding and 
sort of developing an actuarial basis where this risk can be 
sort of embedded in the market. This discussion has come up 
actually quite frequently in the framework process, and I think 
as part of the metrics discussion, this is something that is 
being looked at as something that would be quite helpful.
    Senator Blumenthal. And why has it not happened? The threat 
has been here. And I invite any of the other panelists to weigh 
in. But the threat has been here for well long enough to 
monetize and do the actuarial accounting. And in fact, in other 
areas I am familiar with some of the work done on climate 
disruption and the threat of hurricanes. Actually the insurance 
companies are very mindful about potential threats of 
hurricanes in the Northeast which are about as difficult to 
monetize as I would guess cyber threats are, in fact, more so 
because we know the cyber threat is there. We know some of the 
damage that can be caused. So maybe others can enlighten us.
    Mr. Coviello. Actually, Senator, I would disagree. I 
actually think the cyber threat is harder to create an 
actuarial table or an algorithm around. And the problem is 
twofold. It is not just the threat environment which continues 
to escalate every single day in terms of capabilities of the 
attacker, it is the attack surface. I get asked all the time 
why can you guys not do a better job. Well, we could do a 
better job if IT infrastructures were static. They are not.
    Just think about the following facts. The iPhone did not 
even exist until 2007. Six years later, we now have full mobile 
ubiquity. We used very few Web applications to run our 
businesses as recently as 2005 to 2007. Now a common refrain is 
``there is an app for that.'' In another 6 or 7 years, we will 
be using big data applications to monitor everything about us 
and the world around us, hopefully for productive reasons.
    The amount of digital content being created every year is 
absolutely astounding. There was a quarter of a zettabyte--and 
I will explain what a zettabyte is in a moment--of digital 
content being created in 2007. This year there will be two 
zettabytes. By 2020, there will be 40 to 60. One zettabyte is 
the equivalent of 4.9 quadrillion books. That is the amount of 
content that needs to be sorted through to figure out what 
exactly needs to be protected, as opposed to what is a picture 
of your family dog.
    So the complexity of protecting this fast changing IT 
environment is overwhelming. That is why this framework is so 
important. We need a security model that has legs. We need a 
security model that is future-proof. That model consists of 
starting with a thorough understanding of risk that is an 
ongoing process. It includes technologies that can react to 
facts and circumstances that are not static. It includes a 
management system that uses capabilities that are only just 
coming to market now that can spot the faint signal of an 
attacker. The one thing we have going for us in defending 
against cyber attacks is, ultimately, the attacker will have to 
do something anomalous. We are developing the capabilities to 
be able to spot that in progress. So, again, Senator, as you 
suggest, it is not a question of whether or if we will be 
breached. It is our ability to respond and detect the attacks 
and respond timely enough to quarantine the element of our 
infrastructure that has been attacked or to prevent the 
movement of critical information or a transaction.
    Mr. Clancy. And if I could add to that. As you know, 
insurance at its core is about risk transfer. So I transfer the 
risk that I have to somebody else who can absorb the risk. And 
in order to do that, you have to have two things. You have to 
have an understanding of the risk and the purchaser of the 
policy and the issuer of the policy both have to be able to 
value it. And I would argue that one of the challenges you have 
particularly in cybersecurity is that many of the people who 
face the risk do not have a good estimation of what it really 
means to them and what the consequences could be and the 
likelihood or frequency of those events occurring. And that is 
one of the reasons why I believe the information sharing 
component, which is not addressed in this bill, is another tool 
in the toolbox to help us understand that risk better.
    We use cyber risk insurance, but we use that cyber risk 
insurance at DTCC for the risks that are smaller. The 
catastrophic risks that we could face if these issues escalate 
to a point where they become manifest are really beyond the 
ability of the insurance industry to absorb right now. And so 
we have to look at making sure that those things do not occur.
    Senator Blumenthal. You know, I understand what you have 
said, and I do not disagree with it, that it is a moving 
target, so to speak, that it is not a static threat with sort 
of inert, chess-like moves that are fully visible and are 
played according to the same rules all the time forever. But 
that is the nature of insurance to try to look forward and put 
numbers on risks that may vary and may change over time.
    So I am still perplexed. I do understand what you are 
saying, and I wonder, if I can ask a question, whether it is 
the fact that the insurance would be too costly because of the 
factors that you mentioned or because the insurers simply do 
not want to be in that market. They just do not want to even 
engage or be involved in offering that product.
    Mr. Coviello. Again, Chairman Rockefeller said it at the 
outset, that almost every agency of the Federal Government says 
how strategically important the nature of this threat is to the 
U.S. economy and our defense.
    So I would say that over time, if we are as effective as I 
think we will be, I think we can get to a point where we can 
reach an equilibrium, where we are not playing the attackers 
are one up against us and we are trying to catch up and react 
to the threat, that we are able to develop a system that is 
resilient enough to not necessarily stop any loss, but to 
respond quickly enough. And at that point, I think the cost 
curve will come down sufficiently that you will be able to 
insure against this problem.
    Senator Blumenthal. I think your points are very well made. 
And in my view, they are great evidence for the need for this 
legislation.
    Mr. Coviello. No question.
    Senator Blumenthal. Because here is an area where normally 
the private sector would say we will take care of it. We know 
you are the Federal Government and you are here to help, but we 
can do it on our own. Here the markets, or the insurance market 
at least, cannot really satisfactorily address the incalculable 
threats, the magnitude of the harm, and other factors that you 
have put so well.
    Mr. Coviello. Thank you.
    Senator Blumenthal. My time has expired, but I want to just 
say on the issue of privacy and civil liberties that I think 
that the draft legislation from Senator Rockefeller and Senator 
Thune includes language that instructs the director of NIST 
to--and I am quoting--include methodologies to protect 
individual privacy and civil liberties. I hope if I can direct 
questions in writing to you on this area, we can get some 
responses from you.
    Again, my thanks for being here today.
    Thank you, Mr. Chairman.
    The Chairman. Thank you, Senator Blumenthal.
    And now I have really got to say a heartfelt thank you for 
your patience. I mean, we had this incredible sort of Broadway-
like performance--an art form of waiting for Senator 
Blumenthal.
    [Laughter.]
    The Chairman. And Jay Rockefeller tried to ask an 
intelligent question and then keeping my ear open to was that 
door opening or not and you were coming through to save us all. 
And you did, indeed. But most importantly, I think some of the 
best testimony came within the last 10 minutes.
    Senator Blumenthal. Well, thank you, Mr. Chairman, and 
thank you for making your rebuke so soft.
    [Laughter.]
    The Chairman. No, no.
    All right. With all certainty, this hearing is adjourned.
    [Whereupon, at 4:29 p.m., the hearing was adjourned.]

                            A P P E N D I X

    Prepared Statement of Hon. Dan Coats, U.S. Senator from Indiana

    Thank you, Mr. Chairman, and let me start by commending you and 
Senator Thune for your bipartisan leadership on the cybersecurity 
issue, and by congratulating you on the introduction of S. 1353, the 
Cybersecurity Act of 2013.
    In a post-September 11 world, Americans have learned to be more 
vigilant. We've learned that in a second--the act of one terrorist--or 
a group of terrorists--can wipe away life as we once knew it and change 
our world forever. And so since that fateful day in September almost 12 
years ago, our Nation has made great strides to be ever more vigilant 
and more prepared to prevent or respond to another terrorist attack.
    Local law enforcement, TSA, FBI, Homeland Security and the 
intelligence community, among many others, must work every second of 
the day to anticipate, prevent and disrupt potential plots by 
terrorists. But these threats are changing form. It is not only a 
potential hijacked plane or a bomb plot that threatens our country; we 
now face another type of warfare that could have a deep and widespread 
impact on Americans--a cyber attack.
    As a member of the Senate Intelligence Committee, Senate Commerce 
Committee and Ranking Member of the Senate Appropriations Subcommittee 
on Homeland Security, I know that the threat of a cyber attack is real 
and far-reaching. A major attack on our cyber systems could shut down 
the critical infrastructure that allows us to run our economy and 
protect the safety of Americans--transportation and financial systems, 
communications systems, electric grids, power plants, water treatment 
centers and refineries.
    The threat of a cyber attack is growing, but neither industry nor 
government alone can broadly improve our nation's cybersecurity. This 
potentially devastating vulnerability requires all stakeholders to work 
together to develop an enduring legislative solution. Protecting 
Americans from cyber attacks should not be a partisan issue.
    That is why I believe it is imperative that Congress pass 
cybersecurity legislation this year given the grave threat of these 
attacks against our government and key sectors of our economy. An 
Executive Order from the White House simply cannot provide the 
statutory authorities and protections needed to address the serious 
danger posed by cyber attacks.
    The Commerce Committee will have the opportunity soon to set the 
tone for the cybersecurity debate by moving the ball forward in a 
business friendly, bipartisan way by passing the Cybersecurity Act of 
2013.
    Although only a narrow approach, this legislation is a good step in 
the right direction. It strikes the appropriate balance and preserves 
the private sector's leadership in the development of innovative 
technologies to respond to cybersecurity threats.
    Bipartisan support for this legislation provides a path forward and 
sets an example for the other relevant committees. I am confident, for 
instance, that the Chair and Vice Chair of the Intelligence Committee 
will soon finish work on legislation to break down legal barriers and 
incentivize information sharing, an essential component of improved 
cybersecurity. There is broad, bipartisan consensus on the Committee to 
do just that, and I trust the leadership and flexibility demonstrated 
by Senator Rockefeller will be repeated by Senator Feinstein.
    This legislation also provides the Senate Majority Leader guidance 
on how NOT to repeat the mistakes of last Congress. We really hit a low 
point last summer when the Senate Majority Leader rushed a 
cybersecurity bill to the floor under strained circumstances.
    One-fifth of the U.S. Senate--both Republicans and Democrats--met 
every day for nearly two weeks to iron out our differences on 
cybersecurity legislation. And with the active participation of 20 
Senators representing both parties and key committees of jurisdiction, 
we came close.
    Several Republican and Democratic Senators had an understanding on 
how to best move forward on cybersecurity, and a shared commitment to 
work through last August toward a compromise legislation that could 
pass the support of both parties.
    This agreement was important because throughout the consideration 
of this bill, the Majority Leader circumvented the legislative process 
and refused to allow any amendments.
    Unfortunately, rather than allowing the process to advance and 
amendments to be considered, the Majority Leader and the White House 
shut down debate, forced a vote they knew they would lose and blamed 
Republicans for the failure. This was completely disingenuous and 
poisoned the well last year for progress on this critical national 
security issue.
    The Senate should address cybersecurity this year, but not in the 
``take it or leave it'' manner the Majority Leader has pursued in the 
past.
    Instead, it should be done in a manner that ensures our security, 
encourages the voluntary participation of the most innovative aspects 
of the private sector and the government, and does not harm our 
economy.
    This legislation starts us down that path. As a member of the 
Senate Commerce Committee and the Senate Intelligence Committee, I 
remain committed to working on legislation that strikes the right 
balance between strengthening security and respecting the privacy 
rights of Americans.
    The responsibility falls on all of us. We know this threat is 
ongoing and real. We know we need to act. We must cast aside 
partisanship and put the security of our country above political 
expediency.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Mark Warner to 
                        Dr. Patrick D. Gallagher

    Question 1. On February 13, 2013, President Obama signed Executive 
Order 13636, ``Improving Critical Infrastructure Cybersecurity,'' and 
the White House released a related Presidential Policy 
Directive (PPD-21), both of which work to strengthen the cybersecurity 
of critical infrastructure in the U.S.
    The Executive Order directed NIST to work with industry and develop 
the Cybersecurity Framework, and the Department of Homeland Security 
(DHS) to establish performance goals. DHS, in collaboration with 
sector-specific agencies, is charged with supporting the adoption of 
the Cybersecurity Framework by owners and operators of critical 
infrastructure and other interested entities through a voluntary 
program.
    Legislation recently introduced by Senators Rockefeller and Thune 
reinforces these executive directions, tasking the National Institute of 
Standards and Technology (NIST), in coordination with the industry, 
with developing a set of standards and best practices to reduce cyber 
risks to critical infrastructure.
    What does NIST see as the biggest challenge in developing standards 
for sectors in cybersecurity? Is each sector progressing to meet the 
targets outlined in the President's timeline, and if not which sectors 
are most at risk?
    Answer. NIST did not develop standards as part of its work under 
Executive Order 13636. Rather, NIST was directed in the Executive Order 
to work collaboratively with stakeholders to develop a voluntary 
framework--based on existing standards, guidelines, and practices--for 
reducing cybersecurity risks to critical infrastructure. As part of the 
framework development process, NIST sought public input to develop a 
compendium of existing sector-independent and sector-specific 
standards, guidelines, practices, and other informative references to 
assist with cybersecurity implementations.
    The Executive Order specified that adoption of the Cybersecurity 
Framework is voluntary. As such, NIST is not working to assess sector 
progress. However, NIST is working collaboratively with the Department 
of Homeland Security to promote wide adoption.
    Section 9 of the Executive Order directed the Department of 
Homeland Security (DHS), in consultation with sector-specific agencies, 
to identify critical infrastructure at greatest risk. DHS would be 
pleased to provide a briefing on the entities identified through 
implementation of Executive Order 13636.

    Question 2. The standards and best practices developed through this 
process, as outlined by the Executive Branch and Senators Rockefeller 
and Thune, must be voluntary. Do you agree that the standards set by 
NIST should be voluntary? If not, please explain why.
    Answer. NIST agrees that use of the Cybersecurity Framework and any 
associated Standards should be voluntary.

    Question 3. How will these voluntary standards be implemented? For 
covered industries that already have a regulator, how does NIST assess 
the progress of their efforts to create standards for those sectors?
    Answer. The Cybersecurity Framework will identify areas for 
improvement that should be addressed through future collaboration with 
particular sectors and standards developing organizations. As part of 
this process, NIST will continue to work with industries and sectors in 
existing standards developing organizations to address any identified 
needed areas.
    Because implementation of the Framework is voluntary, the process 
by which standards may be adopted by participants will vary. The 
Framework is intended to be a resource, not a regulation. Sector-
Specific Agencies coordinate with the Sector Coordinating Councils to 
review the Cybersecurity Framework and, if appropriate, develop 
implementation guidance or supplemental materials to address sector-
specific risks and operating environments.

    Question 4. How has NIST increased staffing and experience to be 
able to handle a large and complex project? Have government furloughs 
due to sequester delayed the timeline or made it more difficult to 
achieve the intended result?
    Answer. NIST has achieved the objectives and goals assigned in the 
Executive Order. NIST is continuing to work with the private sector to 
evolve future framework versions and ways to identify and address key 
areas for cybersecurity development, alignment and collaboration.

    Question 5. While the actions of the Executive Branch are a step in 
the right direction, there are still regulatory gaps that leave our 
Nation vulnerable to cyberattacks. Do you believe that the 
Cybersecurity Act of 2013 (S. 1353), recently introduced by Senators 
Rockefeller and Thune, is effective in filling these gaps? If not, what 
are your recommendations for legislative action that should be taken to 
strengthen America's cybersecurity?
    Answer. NIST is encouraged by the attention, interest, and concern 
within both the executive and legislative branches of government to 
address pressing cybersecurity challenges.

    Question 6. NIST's initial steps towards implementing the Executive 
Order included issuing a Request for Information (RFI) this past 
February to gather relevant input from industry and other stakeholders, 
and asking stakeholders to participate in the Cybersecurity Framework 
process. Given the diversity of sectors in critical infrastructure, the 
initial efforts are designed to help identify existing cross-sector 
security standards and guidelines that are applicable to critical 
infrastructure.
    How will NIST ensure that we are working across sectors to promote 
information sharing? I know that you held a workshop, but will there be 
some type of clearinghouse where information sharing can take place 
across sectors?
    Answer. NIST works with Federal agencies and private sector 
companies to develop underlying standards and best practices that are 
used to support a wide array of information sharing activities. These 
standards and best practices are a fundamental component of providing 
interoperability between organizations, allowing for rapid and accurate 
sharing of information between government and industry, and industry to 
industry. The collaborative development approach ensures that the needs 
of all sectors are adequately addressed, leading to an information 
sharing ecosystem that benefits all organizations.

    Question 7. The Department of Defense (DoD) has led a successful 
voluntary information sharing program that allows participating 
entities to gain access to cybersecurity solutions. Has NIST engaged 
DoD and other agencies in the National Security space to gain lessons 
learned to implement during their establishment of voluntary standards?
    Answer. NIST works with the Department of Defense and other Federal 
agencies to share information, experiences, and lessons learned 
relating to the development of and use of voluntary standards.

    Question 8. As NIST is contemplating a new cybersecurity framework 
for all critical infrastructure industries, the energy sector has 
significant questions about how this will be implemented. Cybersecurity 
in the power sector has been regulated by the North American Electric 
Reliability Corporation (NERC) for a long time. NERC administers 
Critical Infrastructure Protection (CIP) Reliability Standards. CIP 
requires implementation of specific cybersecurity protections, and 
subjects industry to penalties for noncompliance. Regulators are also 
trying out new ways of preserving cybersecurity. NERC and FERC--the 
Federal Energy Regulatory Commission--are supplementing their role as 
enforcement agencies and taking on more voluntary outreach activities, 
including the sharing of cyber threat information.
    The Executive Order requires NIST to develop a ``cybersecurity 
framework'' for all critical infrastructure industries, but it seems 
unclear as to how NIST will interact with the NERC's existing 
standards. How will you ensure that the new standards complement 
existing cyber protections for the electricity sector and do not add 
new regulations or rules that would contravene existing programs?
    Answer. The Executive Order directed the National Institute of 
Standards and Technology (NIST), a non-regulatory agency, to lead the 
development of a framework to reduce cyber risks to critical 
infrastructure. NIST worked closely with stakeholders from all critical 
infrastructure sectors including the Energy Sector, NERC, the Federal 
Energy Regulatory Commission (FERC) and the Department of Energy (DoE). 
Regulatory agencies will use the Cybersecurity Framework to assess 
whether existing requirements are sufficient to protect against cyber 
attack. If existing regulations are insufficient or ineffective, then 
agencies must propose new, cost-effective actions based upon the 
Cybersecurity Framework. Regulatory agencies will use their existing 
process to consult with their regulated companies to develop and 
propose any new regulations, allowing for a collaborative process.
                                 ______
                                 
     Response to Written Question Submitted by Hon. Mark Warner to 
                        Arthur W. Coviello, Jr.

    Question. On February 13, 2013, President Obama signed Executive 
Order 13636, ``Improving Critical Infrastructure Cybersecurity,'' and 
the White House released a related Presidential Policy 
Directive (PPD-21), both of which work to strengthen the cybersecurity 
of critical infrastructure in the U.S.
    The Executive Order directed NIST to work with industry and develop 
the Cybersecurity Framework, and the Department of Homeland Security 
(DHS) to establish performance goals. DHS, in collaboration with 
sector-specific agencies, is charged with supporting the adoption of 
the Cybersecurity Framework by owners and operators of critical 
infrastructure and other interested entities through a voluntary 
program.
    Legislation recently introduced by Senators Rockefeller and Thune 
reinforces these executive directions, tasking the National Institute of 
Standards and Technology (NIST), in coordination with the industry, 
with developing a set of standards and best practices to reduce cyber 
risks to critical infrastructure.
    While the actions of the Executive Branch are a step in the right 
direction, there are still regulatory gaps that leave our Nation 
vulnerable to cyber attacks. Do you believe that the Cybersecurity Act 
of 2013 (S. 1353), recently introduced by Senators Rockefeller and 
Thune, is effective in filling these gaps? If not, what are your 
recommendations for legislative action that should be taken to 
strengthen America's cybersecurity?
    Answer. This legislation complements the President's Executive 
Order by codifying the important steps the Administration has already 
taken to protect critical infrastructure and gives government and 
industry additional tools to bolster our cyber defenses. We are pleased 
to see that S. 1353 requires a voluntary, non-regulatory process, 
enabling further collaboration between the public and private sectors 
to leverage non-prescriptive and technology-neutral, global 
cybersecurity standards for critical infrastructure. We also commend 
the Committee for including crucial provisions to support cyber 
research and development; increase awareness of cyber risks; and 
improve cybersecurity education and workforce training.
    It is imperative that Congress addresses other key cybersecurity 
issues not under this Committee's jurisdiction. These include advancing 
the sharing of cyber threat intelligence between government and 
industry; establishing liability protections for entities that share 
threat information; and streamlining acquisition of technology. We urge 
the Congress to examine ways to break down barriers to information 
sharing and create incentives for the public and private sectors to 
work together to safely and securely share real-time, actionable 
information about cyber threats. Linking the adoption of cybersecurity 
standards to incentives such as liability protection and streamlined 
acquisition of technology will create a positive business climate while 
improving our Nation's cybersecurity posture. We also support 
additional legislative initiatives to update criminal laws and 
penalties; enact Federal data breach law; modernize Federal Network 
Security continuous monitoring efforts; and develop reasonable and 
effective policy approaches to supply chain protection that will not 
stifle innovation and competition.
                                 ______
                                 
     Response to Written Question Submitted by Hon. Mark Warner to 
                             Mark G. Clancy

    Question. On February 13, 2013, President Obama signed Executive 
Order 13636, ``Improving Critical Infrastructure Cybersecurity,'' and 
the White House released a related Presidential Policy 
Directive (PPD-21), both of which work to strengthen the cybersecurity 
of critical infrastructure in the U.S.
    The Executive Order directed NIST to work with industry and develop 
the Cybersecurity Framework, and the Department of Homeland Security 
(DHS) to establish performance goals. DHS, in collaboration with 
sector-specific agencies, is charged with supporting the adoption of 
the Cybersecurity Framework by owners and operators of critical 
infrastructure and other interested entities through a voluntary 
program.
    Legislation recently introduced by Senators Rockefeller and Thune 
reinforces these executive directions, tasking the National Institute of 
Standards and Technology (NIST), in coordination with the industry, 
with developing a set of standards and best practices to reduce cyber 
risks to critical infrastructure.
    While the actions of the Executive Branch are a step in the right 
direction, there are still regulatory gaps that leave our Nation 
vulnerable to cyber attacks. Do you believe that the Cybersecurity Act 
of 2013 (S. 1353), recently introduced by Senators Rockefeller and 
Thune, is effective in filling these gaps? If not, what are your 
recommendations for legislative action that should be taken to 
strengthen America's cybersecurity?
    Answer. S. 1353, the Cybersecurity Act of 2013, provides some of the 
needed legislation for protecting our Nation's critical infrastructure 
and complements the February 2013 executive pronouncements.
    To continue to protect our nation's infrastructure, we must pass 
cyber threat information sharing legislation. This legislation must 
provide liability protection for the sharing of threat information, 
allow for sharing among the private sector and from the government to 
the private sector, build upon existing relationships and protect 
personal privacy. While the financial sector has been engaged in 
information sharing for a long time, there are still many institutions 
in our sector and other critical infrastructure sectors who are 
constrained in their ability to share due to liability concerns.
    Given the interconnected nature of cyberspace, institutions 
recognize that the strongest preparations and responses to cyber 
attacks require collaboration beyond their own companies. As a result, 
the sector has engaged in a number of collaborative efforts, which 
would be enhanced with the passage of information sharing legislation.
    Through the Financial Services Information Sharing and Analysis 
Center (FS-ISAC), participants share threat information between 
financial institutions and the Federal government, law enforcement and 
other critical infrastructure sectors. The FS-ISAC also has a 
representative for the sector on the National Cybersecurity and 
Communications Integration Center floor to provide the Department of 
Homeland Security (DHS) insight into the financial sector's issues and 
incidents and provide an additional fan out for information from DHS to 
the sector.
    The ability to share information more broadly is critical and 
foundational to our preparation for and response to future attacks. 
While we constantly review opportunities to improve the information 
shared within our industry, it is vital that our efforts also include 
sharing information across sectors and between the government and the 
private sector. Each company and public sector entity has a piece of 
the puzzle and an understanding of the threat. Our ability to share 
this information will greatly increase our ability to prepare and 
respond to threats.
                                 ______
                                 
     Response to Written Question Submitted by Hon. Mark Warner to 
                            Dorothy Coleman

    Question. On February 13, 2013, President Obama signed Executive 
Order 13636, ``Improving Critical Infrastructure Cybersecurity,'' and 
the White House released a related Presidential Policy 
Directive (PPD-21), both of which work to strengthen the cybersecurity 
of critical infrastructure in the U.S.
    The Executive Order directed NIST to work with industry and develop 
the Cybersecurity Framework, and the Department of Homeland Security 
(DHS) to establish performance goals. DHS, in collaboration with 
sector-specific agencies, is charged with supporting the adoption of 
the Cybersecurity Framework by owners and operators of critical 
infrastructure and other interested entities through a voluntary 
program.
    Legislation recently introduced by Senators Rockefeller and Thune 
reinforces these executive directions, tasking the National Institute of 
Standards and Technology (NIST), in coordination with the industry, 
with developing a set of standards and best practices to reduce cyber 
risks to critical infrastructure.
    While the actions of the Executive Branch are a step in the right 
direction, there are still regulatory gaps that leave our Nation 
vulnerable to cyber attacks. Do you believe that the Cybersecurity Act 
of 2013 (S. 1353), recently introduced by Senators Rockefeller and 
Thune, is effective in filling these gaps? If not, what are your 
recommendations for legislative action that should be taken to 
strengthen America's cybersecurity?
    Answer. The Cybersecurity Act of 2013 (S. 1353) represents a 
sensible, bipartisan, non-regulatory approach to an issue of utmost 
importance to the manufacturing industry. Manufacturers support 
creating an industry-led, voluntary standards development process, 
strengthening the cybersecurity research and development strategy 
inside the Federal government, creating a high-skilled cybersecurity 
workforce and raising public awareness of cyber threats.
    The NAM is pleased that this legislation prohibits the creation of 
a duplicative regulatory regime that would put undue burdens on 
manufacturers while at the same time solidifies the public-private 
partnership to address an issue of critical importance to our nation.
    The top priority of manufacturers is allowing the voluntary sharing 
by the public and private sector of real-time threat information to 
allow manufacturers to better protect themselves from cyber threats. In 
contrast, under current law, the government is prohibited from sharing 
sensitive cyber-threat information with the private sector. Companies 
also are not permitted to share information freely with their peers.
    The NAM encourages the Senate to consider legislation similar to 
the Cyber Intelligence Sharing and Protection Act (CISPA) of 2013 (H.R. 
624), which the House passed earlier this year and was supported by the 
NAM. This legislation, if signed into law, will allow the government to 
share timely and actionable threat and vulnerability information with 
the private sector.