[Senate Hearing 113-285]
[From the U.S. Government Publishing Office]

S. Hrg. 113-285

THE PARTNERSHIP BETWEEN NIST AND THE PRIVATE SECTOR: IMPROVING CYBERSECURITY

=======================================================================

HEARING
before the
COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
UNITED STATES SENATE
ONE HUNDRED THIRTEENTH CONGRESS
FIRST SESSION

JULY 25, 2013

Printed for the use of the Committee on Commerce, Science, and Transportation

U.S. GOVERNMENT PRINTING OFFICE
88-081                          WASHINGTON : 2014

For sale by the Superintendent of Documents, U.S. Government Printing Office, http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected].

SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
ONE HUNDRED THIRTEENTH CONGRESS
FIRST SESSION

JOHN D. ROCKEFELLER IV, West Virginia, Chairman

BARBARA BOXER, California               JOHN THUNE, South Dakota, Ranking
BILL NELSON, Florida                    ROGER F. WICKER, Mississippi
MARIA CANTWELL, Washington              ROY BLUNT, Missouri
MARK PRYOR, Arkansas                    MARCO RUBIO, Florida
CLAIRE McCASKILL, Missouri              KELLY AYOTTE, New Hampshire
AMY KLOBUCHAR, Minnesota                DEAN HELLER, Nevada
MARK WARNER, Virginia                   DAN COATS, Indiana
MARK BEGICH, Alaska                     TIM SCOTT, South Carolina
RICHARD BLUMENTHAL, Connecticut         TED CRUZ, Texas
BRIAN SCHATZ, Hawaii                    DEB FISCHER, Nebraska
MARTIN HEINRICH, New Mexico             RON JOHNSON, Wisconsin
EDWARD MARKEY, Massachusetts            JEFF CHIESA, New Jersey

Ellen L. Doneski, Staff Director
James Reid, Deputy Staff Director
John Williams, General Counsel
David Schwietert, Republican Staff Director
Nick Rossi, Republican Deputy Staff Director
Rebecca Seidel, Republican General Counsel and Chief Investigator

C O N T E N T S

                                                                   Page
Hearing held on July 25, 2013....................................     1
Statement of Senator Rockefeller.................................     1
Statement of Senator Thune.......................................     3
Statement of Senator Heinrich....................................    31
Statement of Senator Klobuchar...................................    32
Statement of Senator Fischer.....................................    39
Statement of Senator Markey......................................    40
Statement of Senator Blumenthal..................................    48

                               Witnesses

Dr. Patrick D. Gallagher, Under Secretary of Commerce for Standards and Technology and Director, National Institute of Standards and Technology, United States Department of Commerce...................     5
    Prepared statement...........................................     6
Arthur W. Coviello, Jr., Executive Chairman, RSA, The Security Division of EMC..................................................    10
    Prepared statement...........................................    12
Mark G. Clancy, Managing Director, The Depository Trust & Clearing Corporation on behalf of the American Bankers Association, Financial Services Roundtable, and Securities Industry and Financial Markets Association..........................................    19
    Prepared statement...........................................    21
Dorothy Coleman, Vice President, Tax, Technology and Domestic Economic Policy, National Association of Manufacturers............    25
    Prepared statement...........................................    28

                               Appendix

Hon. Dan Coats, U.S. Senator from Indiana, prepared statement....    53
Response to written questions submitted by Hon. Mark Warner to:
    Dr. Patrick D. Gallagher.....................................    54
    Arthur W. Coviello, Jr.......................................    56
    Mark G. Clancy...............................................    56
    Dorothy Coleman..............................................    57

THE PARTNERSHIP BETWEEN NIST AND THE PRIVATE SECTOR: IMPROVING CYBERSECURITY

----------

THURSDAY, JULY 25, 2013

U.S. Senate,
Committee on Commerce, Science, and Transportation,
Washington, DC.

The Committee met, pursuant to notice, at 2:37 p.m. in room SR-253, Russell Senate Office Building, Hon. John D. Rockefeller IV, Chairman of the Committee, presiding.

OPENING STATEMENT OF HON. JOHN D. ROCKEFELLER IV, U.S. SENATOR FROM WEST VIRGINIA

The Chairman. I am going to make a statement, and then Senator Thune is going to make a statement, and then we are going to go right to your testimony because this is a very, very important hearing.

We are going to spend a lot of time today talking about a Federal agency most Americans have never heard of, the National Institute of Standards and Technology, or NIST. I can assure you that in this committee we have heard of NIST. And we understand and appreciate the important role that NIST plays in our country's economic success. You are scientists for one thing. You are engineers. You are technical experts all over the world. The whole technical world and increasingly the public policy world, partly because of cybersecurity but just in general, trusts and knows NIST. You are the worldwide gold standard. That is not me talking. That is other people talking, and you will hear that from the Netherlands in just a second.

So let me give you an example. A couple of weeks ago, this committee was having a hearing on the very important issue of improving forensic science, which is not all that ``Law and Order'' says that it is. One of our witnesses was the chief of forensic science labs in the Netherlands, which is one of the top forensic science organizations in the world. The Netherlands official proudly announced at the hearing that his agency had just signed a memorandum of agreement with you all at NIST on improving the quality of forensic science standards.
When Senator Thune asked him why his agency wanted to partner with NIST, he said it was because when it comes to standards, NIST is, ``absolutely the top-notch organization, the state-of-the-art, worldwide.''

If you look up NIST's authorizing law, you will read that NIST's core mission is to serve as a laboratory, a science, engineering, technology, and measurement laboratory. I really want to stress this point for the members of this committee, those who are here and those who should be, and the business community who may not have worked closely with NIST before, as many of us have. NIST is not a regulatory agency. It is a scientific laboratory to which all sorts and manner of institutions repair to improve themselves.

NIST's mission is to help American businesses solve tough technical problems. Whether it is emerging technologies like the Smart Grid or cloud computing or consumer products like flame-retardant mattresses or television screens, NIST's job is to help American industry help itself. With its unrivaled technical expertise and its well-deserved reputation for objectivity, NIST has been working closely with the private sector for many years to help U.S. companies innovate and to compete with their foreign competitors.

I was very pleased but, frankly, not totally surprised when President Obama issued an executive order earlier this year instructing NIST to begin looking at how we can protect our critical assets from something called ``cyber attacks'' which, in spite of all we do, Americans seem not to be able to grasp as to their importance and danger.

I am looking forward to hearing from Dr. Gallagher and our other witnesses today about how their work on this so-called ``Cybersecurity Framework'' is progressing. Getting NIST involved in cybersecurity makes a lot of sense and may save the day for cybersecurity, that is, passing legislation, because NIST already has decades of experience working with the private sector on computer security issues.
NIST's computer security work goes as far back as 1972 when it started working on the Data Encryption Standard. It also makes sense because we need our country's very best minds in both the public and the private sectors focused on working on this problem.

Back in 2009, when Senator Olympia Snowe and I started working on cybersecurity legislation in the Commerce Committee, not everybody appreciated the seriousness of this threat. But today, 4 years later, I believe that we have reached a very broad consensus in this country that cyber attacks present the gravest threats to our national and economic security. The FBI says it. The CIA says it. DOD says it. ODNI says it. Everybody says it. And we just got to drive the point home. And what Senator Thune and I are hoping to do is to do a bill which would actually get this whole process going, the importance of momentum.

But anyway, I think people now do understand cybersecurity represents a huge threat. Every new report about stolen intellectual property or disruption of service attacks against a large U.S. company drives this point home.

Making progress against our cyber adversaries is going to require a sustained, coordinated effort between the public and the private sectors, and it is going to require the combined resources of many different Government agencies, which is part of the problem, and businesses.

Acting alone, this committee cannot make all of the changes needed to give our Government and businesses the tools they need to make real progress in cybersecurity because we come from three different jurisdictions, which is not fun. It is OK but it is not the best way to do something. But there are some important steps that we can and should take such as promoting cybersecurity research and encouraging talented young people to work in cybersecurity, which I think you will agree is a desperate, desperate problem.
Probably the most important step we can take as a committee is to make sure that the technical experts at NIST stay engaged and working with the private sector to develop effective cybersecurity standards by which they will stick and do. If this process succeeds, our businesses and the Government agencies will have a powerful new tool to protect ourselves against cybersecurity.

I would like to thank Senator Thune for working with me on this very important issue. Since he became Ranking Member of this committee at the beginning of this year, he has devoted a tremendous amount of time to mastering this whole subject of cybersecurity. Yesterday we introduced legislation that we hope will serve as one of the cornerstones to our country's cybersecurity strategy. I look forward to having a good conversation today about our bill, about other things that we can and should be doing to protect our country from this massive threat.

I thank you. Senator Thune?

STATEMENT OF HON. JOHN THUNE, U.S. SENATOR FROM SOUTH DAKOTA

Senator Thune. Thank you, Mr. Chairman, for holding this hearing and for your continued leadership on cybersecurity. You brought this critical issue to the fore, and you have been steadfast in your commitment to addressing the problem.

No one can deny the serious threat that we are confronting in cyberspace. Almost daily we learn of new cyber threats and attacks targeting our Government agencies and the companies that drive our economy. We must find solutions that leverage the innovation and know-how of the private sector, as well as the expertise and information held by the Federal Government. And given the escalating nature of the threat, we should look for solutions that will have both an immediate impact and that will remain flexible and agile into the future.
In keeping with that task, in March this Committee held a joint hearing with the Homeland Security and Governmental Affairs Committee not long after the President issued his cybersecurity Executive Order in February. Today we are here to examine the National Institute of Standards and Technology's implementation of that portion of the Executive Order pertaining to the cybersecurity partnership between the private sector and the Federal Government to improve best practices in cybersecurity. The feedback we have heard from many in the industry regarding NIST's process has been fairly positive so far.

We are also here to examine the legislation that Chairman Rockefeller and I have introduced, after soliciting feedback from industry stakeholders and our colleagues. I think this bill strikes the proper balance to ensure that what develops is industry-led and a true partnership between NIST and the private sector. It also ensures that NIST's involvement and this process are both ongoing in order to maintain the flexibility and continued innovation that is necessary to meet such a dynamic threat.

Our proposed legislation also includes needed titles to improve research and development. We should not underestimate the value of R&D. As I have mentioned previously, I am proud to note that South Dakota's own Dakota State University is one of only four schools in the Nation designated by the National Security Agency as a National Center of Academic Excellence in Cyber Operations. Other titles of our bill improve education and work force development, as well as cybersecurity awareness and preparedness. I am pleased that our offices worked with industry, fellow Senate colleagues, and other stakeholders to solicit and incorporate their feedback in crafting this legislation and will continue to do so as we move forward.
By following regular order in the committees of jurisdiction, we hope to avoid the legislative impasse from the last Congress and ultimately enact legislation that will make real improvements to our nation's cybersecurity.

Our hearing witnesses today include the Director of NIST and representatives from the private sector who can provide this committee with their perspectives on how the current NIST process is developing. I look forward to hearing whether our legislation is a step in the right direction to provide a partnership that is truly voluntary and industry-led.

I am also pleased that the Chairman and I both recognize that an essential component of cybersecurity is strong information sharing regarding threats. Such sharing should occur both between Government and industry and among private sector actors with strong liability protections. It is our hope that our colleagues on the Senate Intelligence Committee will be successful in crafting bipartisan consensus legislation that achieves these goals. As the Chair of the House Intelligence Committee has said, according to intelligence officials, allowing the Government to share classified information with private companies could stop up to 90 percent of cyber attacks on U.S. networks.

It is also our hope that the Senate Homeland Security Committee can similarly work in a bipartisan fashion to make needed improvements to the Federal Information Security Management Act in order to better secure our Federal networks. If our Committees can work to produce complementary consensus legislation, that would be a significant step forward in this area.

Again, I thank the Chairman for holding this hearing. I want to thank our witnesses for being here, and we look forward to hearing your testimony. Thank you, Mr. Chairman.

The Chairman. Thank you, Senator Thune. I am tempted to ask if any of our other Senators want to say a word, but I just lost that temptation.

[Laughter.]

The Chairman. So we will start with the Honorable Patrick D. Gallagher, who has been before us recently and frequently. He is Acting Deputy Secretary, Under Secretary of Commerce--I cannot read this stuff--for Standards and Technology, and Director, National Institute of Standards and Technology, U.S. Department of Commerce. I mean, they put the last thing, which is the important thing, last. We did. So I apologize. Anyway, we welcome your statement.

STATEMENT OF DR. PATRICK D. GALLAGHER, UNDER SECRETARY OF COMMERCE FOR STANDARDS AND TECHNOLOGY AND DIRECTOR, NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY, UNITED STATES DEPARTMENT OF COMMERCE

Dr. Gallagher. Thank you very much. Chairman Rockefeller, Ranking Member Thune, it is a real pleasure to be here and to join you and the rest of this committee to talk about this really important issue. It is great to both be able to talk about NIST, but in particular, I want to talk about this partnership with industry and I want to welcome my colleagues at the table today.

Let me start by mentioning a few words about NIST itself. As you mentioned, since 1901, NIST has played a rather unique and essential role as the Nation's measurement laboratory, as industry's national lab. And in that capacity, it is a nonregulatory agency with the mission to promote U.S. innovation and competitiveness by advancing measurement science, standards, and technology in ways that enhance our economic security and improve our quality of life. And as you will hear more about today, our work in the area of information security, trusted networks, encryption, software quality is applicable to a wide variety of users from small and medium enterprises to large private and public organizations, including agencies of the Federal Government and critical infrastructure companies.
As part of this broader responsibility, on February 13, 2012, the President signed Executive Order 13636 which directed NIST to work with industry to develop a Cybersecurity Framework to improve the cybersecurity of critical infrastructure.

We believe that this framework is an important element in addressing the challenges of improving cybersecurity of our critical infrastructure. A NIST-coordinated, but industry-led framework will draw on standards and best practices that industry already develops and uses. NIST will ensure that the process is open and transparent to all stakeholders. We will ensure that there is a robust technical underpinning to the framework, and any effort to better protect critical infrastructure can only work if it is supported and then implemented by the owners and operators of this infrastructure, which are largely in the private sector.

This multi-stakeholder approach leverages the respective strengths of the public and private sectors. It helps develop solutions where both sides will be invested. This approach does not dictate solutions to industry but facilitates industry coming together to develop and offer solutions that the private sector is best positioned to embrace.

Relying on standards which are the result of industry coming together to develop solutions for market needs we believe will give the framework broad acceptance around the world. Also importantly, the standards have a unique and key attribute of scalability. We can use solutions that are already adopted in industry or if we can readily adopt, then those same solutions, when used by other markets, reduce transactional costs for our businesses. They provide economies of scale which make all of our industries more competitive and make the goal of achieving cybersecurity more doable. It also reflects the reality that many in the private sector are already doing the right things to protect their systems and should not be diverted from these efforts through new standards.
NIST is engaging with stakeholders through a series of workshops and events to ensure that we can cover the breadth of considerations that will be needed to make this national priority a success. These sessions are designed to identify existing resources, identify gaps, and prioritize the issues that need to be addressed as part of the framework. The workshops also bring together a broad cross section of participants representing critical infrastructure owner/operators, industry associations, standards development organizations, individual companies, government agencies, research labs, and so forth.

Last week, NIST held its third workshop to present initial considerations for the framework. It built a discussion around the draft outline for the preliminary framework that NIST had presented for public review a few weeks prior. This workshop had a particular emphasis on issues that had been identified from the initial work by the public. NIST has gained a consensus on several elements that the framework will include, allowing it to become adaptable, flexible, and scalable, and to be put into use.

In October, we will have a preliminary framework that builds on these elements. After the yearlong effort envisioned in the Executive Order, once we have developed this initial framework, the effort will continue. For example, NIST will work with the specific sectors in DHS to build strong, voluntary programs to implement the framework in critical infrastructure areas. That work will then inform the needs of critical infrastructure in the next versions of the framework. The goal at the end of this process will be for industry to take ownership of the process and update the Cybersecurity Framework themselves, ensuring that the framework will be dynamic and relevant as it continues to evolve.

We have made significant progress.
We still have a lot of work to do, and I look forward to working with this committee and with everyone who is participating in the framework process to address the challenges. And I look forward to the questions and discussion that we will have. Thank you.

[The prepared statement of Dr. Gallagher follows:]

Prepared Statement of Dr. Patrick D. Gallagher, Under Secretary of Commerce for Standards and Technology and Director, National Institute of Standards and Technology, United States Department of Commerce

Introduction

Chairman Rockefeller, Ranking Member Thune, members of the Committee, I am Pat Gallagher, Director of the National Institute of Standards and Technology (NIST), a non-regulatory bureau within the U.S. Department of Commerce. Thank you for this opportunity to testify today on NIST's role under the President's Executive Order 13636, ``Improving Critical Infrastructure Cybersecurity'' and NIST's responsibility to develop a framework to reduce cyber risks to critical infrastructure. I want to acknowledge and thank this Committee for its leadership and support on this issue.

The Role of NIST in Cybersecurity

NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. Our work in addressing technical challenges related to national priorities has ranged from projects related to the Smart Grid and electronic health records to atomic clocks, advanced nanomaterials, and computer chips. In the area of cybersecurity, we have worked with Federal agencies, industry, and academia since 1972 starting with the development of the Data Encryption Standard.
Our role to research, develop and deploy information security standards and technology to protect information systems against threats to the confidentiality, integrity and availability of information and services, was strengthened through the Computer Security Act of 1987 and reaffirmed through the Federal Information Security Management Act of 2002. Consistent with this mission, NIST actively engages with industry, academia, and other parts of the Federal Government including the intelligence community, and elements of the law enforcement and national security communities, coordinating and prioritizing cybersecurity research, standards development, standards conformance demonstration and cybersecurity education and outreach. Our broader work in the areas of information security, trusted networks, and software quality is applicable to a wide variety of users, from small and medium enterprises to large private and public organizations, including Federal Government agencies and companies involved with critical infrastructure.

Executive Order 13636, ``Improving Critical Infrastructure Cybersecurity''

On February 13, 2013, the President signed Executive Order 13636, ``Improving Critical Infrastructure Cybersecurity,'' which gave NIST the responsibility to develop a framework to reduce cyber risks to critical infrastructure (the Cybersecurity Framework). The Executive Order directed NIST to work with industry and develop the Cybersecurity Framework and the Department of Homeland Security (DHS) will establish performance goals. DHS, in collaboration with sector-specific agencies, will support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and other interested entities through a voluntary program. Our partnership with DHS drives much of our effort.
Earlier this year, we signed a Memorandum of Agreement with DHS to ensure that our work on the Cybersecurity Framework and the development of cybersecurity standards, best practices, and metrics, is fully integrated with the information sharing, threat analysis, response, and operational work of DHS. We believe this will enable a more holistic approach to address the complex challenges we face.

A Cybersecurity Framework is an important element to address the challenges of improving the cybersecurity of our critical infrastructure. A NIST-coordinated and industry-led Framework will draw on standards and best practices that industry already develops and uses. NIST ensures that the process is open and transparent to all stakeholders including industry, state and local government and academia, and ensures a robust technical underpinning to the Framework. This approach will significantly bolster the Cybersecurity Framework to industry.

This multi-stakeholder approach leverages the respective strengths of the public and private sectors, and helps develop solutions in which both sides will be invested. The approach does not dictate solutions to industry, but rather facilitates industry coming together to offer and develop solutions that the private sector is best positioned to embrace. It also ensures the framework is flexible enough to be applicable to small and mid-sized entities.

I would also like to note that this is not a new or novel approach for NIST. We have utilized similar approaches in the recent past to address other pressing national priorities. For example, NIST's work in the area of Cloud Computing technologies enabled us to develop important definitions and architectures, and is now enabling broad Federal Government deployment of secure Cloud Computing technologies. The lessons learned from this experience and others inform how we plan for and structure our current effort.
Developing the Cybersecurity Framework

The Cybersecurity Framework will consist of standards, methodologies, procedures and processes that align policy, business, and technological approaches to address cyber risks for critical infrastructure. Regulatory agencies will also review the Cybersecurity Framework to determine if current cybersecurity requirements are sufficient, and propose new actions to ensure consistency. Independent regulators are also encouraged to do the same.

This approach reflects both the need for enhancing the security of our critical infrastructure and the reality that the bulk of critical infrastructure is owned and operated by the private sector. Any efforts to better protect critical infrastructure must be supported and implemented by the owners and operators of this infrastructure. It also reflects the reality that many in the private sector are already doing the right things to protect their systems and should not be diverted from those efforts through new requirements.

Current Status of the Cybersecurity Framework and Partnering with Industry

NIST sees its role in developing the Cybersecurity Framework as partnering with industry and other stakeholders to help them develop the Framework. NIST's unique technical expertise in various aspects of cybersecurity related research and technology development, and our established track record of working with a broad cross-section of industry and government agencies in the development of standards and best practices, positions us very well to address this significant national challenge in a timely and effective manner.

NIST's initial steps towards implementing the Executive Order included issuing a Request for Information (RFI) this past February to gather relevant input from industry and other stakeholders, and asking stakeholders to participate in the Cybersecurity Framework process.
Given the diversity of sectors in critical infrastructure, the initial efforts are designed to help identify existing cross-sector security standards and guidelines that are applicable to critical infrastructure. A total of 244 responses were posted on NIST's website. Responses ranged from individuals to large corporations and trade associations and also included comments as brief as a few sentences on specific topics, as well as comments so comprehensive that they ran over a hundred pages. We published an analysis of these comments in May.

NIST is also engaging with stakeholders through a series of workshops and events to ensure that we can cover the breadth of considerations that will be needed to make this national priority a success. Our first such session--held in April--initiated the process of identifying existing resources and gaps, and prioritized the issues to be addressed as part of the Framework. At the end of May, a second workshop at Carnegie Mellon University brought together a broad cross-section of participants representing critical infrastructure owners and operators, industry associations, standards developing organizations, individual companies, and government agencies. This three-day working session, using the analysis of the RFI comments as input, was designed to identify and achieve consensus on the standards, guidelines, and practices that will be used in the Framework.
Based on the responses to the RFI, conclusions from the workshops, and NIST analyses, the preliminary Framework is designed and intended:

  - To be an adaptable, flexible, and scalable tool for voluntary use;
  - To assist in assessing, measuring, evaluating, and improving an organization's readiness to deal with cybersecurity risks;
  - To be actionable across an organization;
  - To be prioritized, flexible, scalable, performance-based, and cost-effective;
  - To rely on standards, guidelines and practices that align with policy, business, and technological approaches to cybersecurity;
  - To complement rather than to conflict with current regulatory authorities;
  - To promote, rather than to constrain, technological innovation in this dynamic arena;
  - To focus on outcomes;
  - To raise awareness and appreciation for the challenges of cybersecurity but also the means for understanding and managing the related risks;
  - To protect individual privacy and civil liberties; and
  - To be built upon national and international standards and other standards, best practices and guidelines that are used globally.

Last week, NIST held its third workshop to present initial considerations for the Framework. This workshop had a particular emphasis on issues that have been identified from the initial work--including the specific needs of different sectors. During the workshop, NIST gained consensus on the elements of the Framework that include:

  - A section for senior executives and others on using this Framework to evaluate an organization's preparation for potential cybersecurity-related impacts on their assets and on the organization's ability to deliver products and services. By using this Framework, senior executives can manage cybersecurity risks within their enterprise's business plans and operations.
  - A User's Guide to help organizations understand how to apply the Framework.
  - Core Sections to address:
      - Five major cybersecurity functions and their categories, subcategories, and informative references;
      - Three Framework Implementation Levels associated with an organization's cybersecurity functions and how well that organization implements the Framework; and
      - A compendium of informative references, existing standards, guidelines, and practices to assist with specific implementation.

At eight months, we will have a preliminary Framework that builds on these elements. In a year's time, once we have developed an initial Framework, there will still be much to do. For example, we will work with specific sectors to build strong voluntary programs for specific critical infrastructure areas. Their work will then inform the needs of critical infrastructure and the next versions of the Framework. The goal at the end of this process will be for industry itself to take ``ownership'' and update the Cybersecurity Framework.

Conclusion

The cybersecurity challenge facing critical infrastructure is greater than it ever has been. The President's Executive Order reflects this reality, and lays out an ambitious agenda focused on collaboration between the public and private sectors. NIST is mindful of the weighty responsibilities with which we have been charged by President Obama, and we are committed to listening to, and working actively with, critical infrastructure owners and operators to develop a Cybersecurity Framework. The approach to the Cybersecurity Framework set out in the Executive Order will allow industry to protect our Nation from the growing cybersecurity threat while enhancing America's ability to innovate and compete in a global market. It also helps grow the market for secure, interoperable, innovative products to be used by consumers anywhere.

Thank you for the opportunity to present NIST's views regarding critical infrastructure cybersecurity challenges. I appreciate the Committee holding this hearing.
We have a lot of work ahead of us, and I look forward to working with this Committee and others to help us address these pressing challenges. I will be pleased to answer any questions you may have. ______ Patrick D. Gallagher Dr. Patrick Gallagher was confirmed as the 14th Director of the U.S. Department of Commerce's National Institute of Standards and Technology (NIST) on Nov. 5, 2009. He also serves as Under Secretary of Commerce for Standards and Technology, a new position created in the America COMPETES Reauthorization Act of 2010. Prior to his appointment as NIST Director, Gallagher had served as Deputy Director since 2008. Gallagher provides high-level oversight and direction for NIST. The agency promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology. NIST's FY 2013 budget includes $778.0 million in direct and transfer appropriations, an estimated $49.7 million in service fees and $120.6 million from other agencies. The agency employs about 3,000 scientists, engineers, technicians, support staff, and administrative personnel at two main locations in Gaithersburg, Md., and Boulder, Colo. NIST also hosts about 2,700 associates from academia, industry, and other government agencies, who collaborate with NIST staff and access user facilities. In addition, NIST partners with more than 1,300 manufacturing specialists and staff at more than 400 MEP service locations around the country. Under Gallagher, NIST has greatly expanded its participation, often in a leadership role, in collaborative efforts between government and the private sector to address major technical challenges facing the Nation. 
NIST's participation in these efforts stems from the agency's long history of technical accomplishments and leadership in private-sector-led standards-development organizations and in research fields such as manufacturing engineering, cybersecurity and computer science, forensic science, and building and fire science. Currently, he co-chairs the Standards Subcommittee under the White House National Science and Technology Council. Gallagher joined NIST in 1993 as a research physicist and instrument scientist at the NIST Center for Neutron Research (NCNR), a national user facility for neutron scattering on the NIST Gaithersburg campus. In 2000, he became group leader for facility operations, and in 2004 he was appointed NCNR Director. In 2006, the U.S. Department of Commerce awarded Gallagher a Gold Medal, its highest honor, for his leadership in interagency coordination efforts. Gallagher received his Ph.D. in physics at the University of Pittsburgh and a bachelor's degree in physics and philosophy from Benedictine College. The Chairman. Thank you, sir. Thank you very much. Now Mr. Arthur W. Coviello, Jr. Did I get that right? Mr. Coviello. You did. The Chairman. Thank you. Who is Executive Chairman, RSA, The Security Division of EMC. That is a form of encryption. STATEMENT OF ARTHUR W. COVIELLO, JR., EXECUTIVE CHAIRMAN, RSA, THE SECURITY DIVISION OF EMC Mr. Coviello. Yes. We are the gold standard of encryption actually. The Chairman. OK. Mr. Coviello. So thank you, Chairman Rockefeller and Ranking Member Thune and members of the Committee. I am pleased to have the opportunity to address you today regarding NIST's partnership with industry in the area of cybersecurity. RSA is a leading provider of not just encryption technology, but other security compliance and risk management solutions for organizations worldwide.
We do help the world's leading organizations succeed in their efforts in IT infrastructure by solving their most complex and sensitive security challenges. Today's hearing topic is one that is close to home for our company. EMC and RSA have already enjoyed a close partnership with NIST. We work closely with Dr. Gallagher and his team on a number of issues that are tightly linked to information security. From our vantage point as a provider of security solutions, RSA's collaboration with NIST is at the heart of our collective goal of safeguarding the world from an advanced and evolving cyber threat. NIST's National Cybersecurity Center of Excellence Lab initiative offers U.S. companies a valuable opportunity to collaborate with NIST to address a range of security risks and privacy protection imperatives. I repeat also ``privacy protection imperatives.'' With the goal of securing critical infrastructure, the center inspires technological innovation to find creative solutions to intractable and growing cybersecurity challenges. Of late, EMC and RSA, along with other private sector companies, have appreciated the opportunity to work closely with NIST on implementing the President's Executive Order. Through a collaborative effort to develop a Cybersecurity Framework for critical infrastructure, we have worked with stakeholders to explore the art of the possible to bring our nation to the cutting edge of cybersecurity. This collaboration between industry and NIST is a great example of what the public and private sectors can do together and represents an important step in the right direction. However, your legislation is still needed to create a more effective, long-term partnership between the public and private sectors. So we applaud the Committee for its work to develop bipartisan legislation based on an industry-driven, voluntary approach. 
The Cybersecurity Act of 2013 complements the President's executive order by codifying the important steps the administration has already taken to protect critical infrastructure and gives Government and industry additional tools to bolster our cyber defenses. As efforts progress, we urge you to consider three key points. First, any successful cybersecurity effort should be industry-driven, as you have done. With the rapid pace of innovation, owners and operators of critical infrastructure are the ones best positioned to keep pace with the rapidly evolving, and sometimes equally innovative, threat landscape. For this reason, standards and best practices should be nonprescriptive, nonregulatory, and technology neutral. Things move too fast. This legislation achieves those objectives by initiating a voluntary, industry-led standards development process that will build on the great work that is already being done in the private sector. This close and continuous coordination between Government and industry is vital to the ongoing development of best practices to combat these ever- changing threats. A common understanding supported by NIST can enable us collectively to move farther and faster in our race against the threat actors. Second, as we move forward, we must think not only of today's threats but also of the cybersecurity challenges of the future. That is why we are pleased to see that the legislation includes provisions to increase cybersecurity research and to support the development of the cybersecurity workforce. Investments in cybersecurity education and workforce training today will develop the talent we need to strengthen our defenses for years to come. And I can tell you the shortage of skilled people in the industry is one of our most critical problems. 
I can also tell you with the rapidly evolving pace of technology adoption and all the great productivity that can be derived from implementing information technology, the attack surface is only going to expand dramatically. We will only be able to take advantage of these great technology innovations if people have confidence. That is why the framework that is being developed in cooperation with the private sector and NIST is so important to our future; this will be an ongoing problem. And third, as both Chairman Rockefeller and Ranking Member Thune have pointed out, it is imperative that Congress address other key cybersecurity issues not under this committee's jurisdiction. Removing barriers and promoting the safe and secure sharing of actionable threat intelligence between the public and private sectors will enhance our collective ability to mitigate future threats. Additionally, we must modernize Federal information security management, standardize breach notification, and streamline the acquisition of technology in order to create a positive business climate, while improving our nation's cybersecurity posture. So, once again, we thank Chairman Rockefeller and Ranking Member Thune for their dedication to advancing this important legislation. I strongly believe the actions undertaken by this committee and the bipartisan leadership of its members will set a positive course for others in Congress to realize the urgency in addressing this growing threat. As the Senate confronts the policy challenges of cybersecurity, I have every confidence in industry's ability to leverage its existing relationship with NIST to enhance the cybersecurity of our critical infrastructure. Under this committee's leadership, we sincerely hope that Congress will act quickly to address this urgent threat to our national security. I look forward to working with you and your colleagues in Congress as this proposal advances. 
And again, I thank you for the opportunity to be here today, and I look forward to your questions. Thank you. [The prepared statement of Mr. Coviello follows:] Prepared Statement of Arthur W. Coviello, Jr., Executive Chairman, RSA, The Security Division of EMC Introduction Chairman Rockefeller, Ranking Member Thune, and Members of the Committee, my name is Art Coviello and I am an Executive Vice President of EMC Corporation and Executive Chairman of RSA, The Security Division of EMC. Thank you for the opportunity to testify today regarding the National Institute of Standards and Technology (NIST)'s work with industry in the area of cybersecurity. Today's hearing topic is one that is close to home for our company. EMC and RSA have enjoyed a partnership with NIST that has spanned decades, and we are pleased to be working with them today to enhance our nation's cybersecurity. RSA provides security, compliance, and risk management solutions for organizations worldwide. We help the world's leading organizations succeed by solving their most complex and sensitive security challenges, making it possible for them to safely benefit from the tremendous opportunities of digital technology and the Internet. EMC Corporation is a global leader in enabling businesses and third-party providers to transform their operations and deliver Information Technology (IT) as a service through innovations in big data, cloud computing and data storage. The United States, like many other nations, is highly dependent upon IT. Everything from national security and intelligence, to commerce and business, to personal communications and social networking depends on networked systems. The dynamic nature of this sector has created millions of jobs and generated significant economic growth. Every day, the Internet is increasing productivity; driving globalization and political change; and fueling every major industry and economy in the world. 
Unfortunately, that same dynamism has given rise to an ever-evolving cyber threat that threatens every individual, every company, every industry, and every country in the networked world. The recent rise in cyber attacks is nothing short of astounding. According to the Government Accountability Office (GAO), the number of cyber attacks reported by Federal agencies increased by 782 percent from Fiscal Year 2006 to Fiscal Year 2012, from 5,503 to 48,562.\1\ Clearly, our government is under attack, and those statistics do not account for the daily intrusions private sector entities and private citizens are facing from a wide range of threat actors.
---------------------------------------------------------------------------
\1\ GAO, Cybersecurity: A Better Defined and Implemented Strategy is Needed to Address Persistent Challenges, GAO-13-462T (Washington, D.C.: March 7, 2013).
---------------------------------------------------------------------------
As a provider of security solutions, we are seeing first-hand the rapid evolution of the threat landscape, with more varied targets, and in many cases, more advanced technologies and tactics than ever before. This ever-increasing risk is threatening to erode trust in digital commerce, communication and collaboration on which we have all come to depend. I have been involved in the policy debates regarding information security and privacy for a number of years, and I appreciate this Committee's sustained leadership on these issues. Given its potential for loss and disruption, cybersecurity has become a vital economic and national security issue, and we applaud the Committee for its work to reach a bipartisan solution.

Partnership with NIST

EMC and RSA have long enjoyed a close partnership with NIST on a number of issues that are closely linked to information security.
As a provider of security solutions, RSA's collaboration with NIST is at the heart of our collective goal of safeguarding the networked world from an advanced and evolving cyber threat. NIST's National Cybersecurity Center of Excellence (NCCoE) lab initiative offers U.S. companies a valuable opportunity to collaborate with NIST and the public sector to address a range of security risks and privacy protection imperatives. With a goal of securing critical infrastructure, the Center inspires technological innovation to find creative solutions to intractable cybersecurity challenges. Director Gallagher and the NIST team have been exceptional partners with industry. Since the President announced in February his Executive Order ``Improving Critical Infrastructure Cybersecurity,'' we have been working with other stakeholders and NIST to develop a voluntary framework for reducing cyber risks to critical infrastructure that references standards, guidelines, and best practices to promote the protection of critical infrastructure. We have also partnered with NIST in its NCCoE lab initiative to address a range of security risks in support of the National Cybersecurity Excellence Partnership (NCEP). As a public-private partnership, the NCEP offers U.S. companies the opportunity to form a long-term relationship with the NCCoE. Through a collaborative effort, participating companies work together to explore the ``art of the possible'' and bring our Nation to the cutting edge of cybersecurity. The NCCoE's strategy is focused on and driven by the practical cybersecurity needs of American businesses, which is a secure cyber infrastructure that inspires technological innovation and fosters economic growth.
Collaboration among innovators provides real-world cybersecurity capabilities that address business needs and help people secure their data and digital infrastructure by equipping them with practical ways to implement cost-effective, repeatable and scalable cybersecurity solutions. It also enables companies to rapidly adopt commercially-available cybersecurity technologies by reducing their total cost of ownership. Most importantly, it empowers innovators to creatively address businesses' most pressing cybersecurity challenges in a state-of-the-art, collaborative environment.\2\
---------------------------------------------------------------------------
\2\ http://csrc.nist.gov/nccoe/The-Center/Mission/Strategy.html
---------------------------------------------------------------------------
RSA's ``Archer'' solution is one example of this collaborative effort. Incorporated into the NCCoE's geo-location and security profiling environments, Archer allows adaptation to compliance requirements involving privacy, international safe harbor restrictions and applications in the cloud. As a multinational corporation that operates in over 80 countries around the world, we favor global standards whenever possible. The use of international standards is critical as we seek to meet the broad needs of our user base, but these standards must again be industry-led, voluntary and non-prescriptive. If developed in a transparent, flexible manner, international standards make it possible for global organizations and their customers to continue to make improvements as needs change. Even so, we recognize that in some cases NIST must develop new standards for Federal Government nonclassified information systems. In these cases, we urge NIST to continue to work in an open, transparent process with stakeholder input.
Here are a few examples of our ongoing engagement with NIST around standards development and use:

  RSA's BSAFE product is validated against FIPS 140-2 on a regular basis to ensure our cryptographic implementations. It is our understanding that NIST made a significant contribution from their FIPS 140-2 work to the development of the complementary international standard for cryptographic modules.\3\
---------------------------------------------------------------------------
\3\ ISO/IEC 19790: Information technology--Security techniques--Security requirements for cryptographic modules
---------------------------------------------------------------------------
  NIST cited EMC's contributions to a NIST Interagency Report on supply chain (NIST IR 7622) as we offered detailed, constructive suggestions over several years to improve the document.\4\
---------------------------------------------------------------------------
\4\ http://nvlpubs.nist.gov/nistpubs/ir/2012/NIST.IR.7622.pdf
---------------------------------------------------------------------------
  An RSA employee coauthored a (Draft) NIST Interagency Report: Trusted Geolocation in the Cloud: Proof of Concept Implementation (NIST IR 7904 Draft).\5\
---------------------------------------------------------------------------
\5\ http://csrc.nist.gov/publications/drafts/ir7904/draft_nistir_7904.pdf
---------------------------------------------------------------------------
  EMC works closely with our Federal customers to help them assess the risks of their new proposed information systems following the Federal Information Security Management Act (FISMA) process. The risk-based FISMA process, which itself deserves further updating, is in turn anchored in NIST standards such as the recently updated NIST 800-53 Rev 4 security control catalog.\6\ We appreciate that this new security catalog has a detailed mapping to two key international standards in wide industry use: ISO 27001 \7\ and The Common Criteria.\8\ For the first time, this prominent U.S. Federal standard outlines controls for privacy along with security, a key linkage that we were pleased to see acknowledged in your draft legislation.
---------------------------------------------------------------------------
\6\ http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
\7\ ISO/IEC 27001: Information technology--Security techniques--Information security management systems--Requirements
\8\ ISO/IEC 15408: Information technology--Security techniques--Evaluation criteria for IT security
---------------------------------------------------------------------------

EMC/RSA as an Industry Leader

In addition to our longstanding history working with NIST, EMC and RSA have a proven track record as an industry leader in security. RSA has long recognized that cybersecurity is dynamic, and all stakeholders must continue to evolve our collective ability to counter cyber threats. In 1991, we responded to this new challenge by creating one of the largest security thought-leadership conferences in the world, RSA Conference. It is an annual industry event, which seeks to help drive the global information security agenda. Throughout its history, RSA Conference has consistently attracted the best and brightest in the field, creating opportunities for conference attendees to learn about IT security's most important issues through first-hand interactions with peers, luminaries and both established and emerging companies. As the IT security field continues to grow in importance and influence, RSA Conference, in conjunction with our many industry partners, plays an integral role in keeping security professionals across the globe connected and educated. EMC/RSA has demonstrated a longstanding commitment to improving our industry's best practices, particularly in the secure development field. In 2007, EMC, along with other industry leaders, created the Software Assurance Forum for Excellence in Code (SAFECode) to define, promote and share best practices and guidance outlining how to build secure software.
SAFECode represents the first coherent, user-friendly collection of industry best practices in the development space. Available to the public free of charge, SAFECode's best practice guidance documents outline realistic approaches to secure development.\9\ The SAFECode initiative has produced a wealth of accumulated knowledge and shareable training materials that are being leveraged every day by developers to create software that is more secure than anything we have seen before.
---------------------------------------------------------------------------
\9\ SAFECode.org/publications
---------------------------------------------------------------------------
RSA knows first-hand that no one is immune to the cyber threat. In 2011, RSA detected a targeted cyber attack on our systems. Certain information related to an RSA product had been extracted. We publicly disclosed the breach and immediately began working to develop and publish best practices and remediation steps, so that others could learn from our experience. We proactively reached out to thousands of customers across the public and private sectors to help them mitigate the effects of the breach. Further, we worked with the appropriate U.S. Federal government agencies, including NIST, and several information sharing and analysis centers (ISACs) to ensure broad communication of these best practices and remediation steps, as well as information about the attack. Our experience was not unique. Individuals, governments, and companies deal with threats every day from nation states, criminals, hacktivists, and rogue actors. We have made great strides in the security space, but there is much work left to be done. As Robert Bigman, former CISO of the Central Intelligence Agency (CIA), has stated, the United States is ``exactly where the cyber criminals want us to be.
They're very happy with our current situation.'' \10\
---------------------------------------------------------------------------
\10\ http://www.usnews.com/news/articles/2012/12/04/former-cia-officer-united-states-lags-far-behind-in-cyber-security
---------------------------------------------------------------------------
The cyber threats we collectively face are real and immediate, and there are a number of steps that must be taken to enhance our economic and national security.

Implementing the President's Executive Order

Recently, EMC and RSA, along with other private sector companies, have appreciated the opportunity to work closely with NIST on the implementation of the President's Executive Order to Improve Critical Infrastructure Cybersecurity. This collaboration between industry and NIST is a great example of what the public and private sectors can do together and represents an important step in the right direction. However, legislation is still needed to create a more effective partnership between the public and private sectors.

Key Elements of the Draft Legislation

We applaud the Committee for its work to develop bi-partisan legislation based on an industry-driven, voluntary approach. This legislation complements the President's Executive Order by codifying the important steps the Administration has already taken to protect critical infrastructure and gives government and industry additional tools to bolster our cyber defenses. We are pleased to see that the draft bill requires a voluntary, non-regulatory process, enabling further collaboration between the public and private sectors to leverage non-prescriptive and technology-neutral, global cybersecurity standards for critical infrastructure. We also commend the Committee for including crucial provisions to support cyber research and development; increase awareness of cyber risks; and improve cybersecurity education and workforce training.
As efforts progress, we urge you to consider a few key points:

(1) Any successful cybersecurity effort must be industry-driven.

With the rapid pace of innovation, owners and operators of critical infrastructure need the flexibility to keep pace with the rapidly-evolving and sometimes equally innovative threat landscape. For this reason, standards and best practices should be non-prescriptive, non-regulatory, and technology-neutral. This draft legislation achieves those objectives by initiating a voluntary, industry-led standards development process that will build on the great work that is already being done in the private sector. This close and continuous coordination between government and industry is vital to the ongoing development of best practices to combat the ever-changing threats we all face. Collaborative efforts between government and industry have been similarly successful in addressing supply chain security issues. EMC has been an early adopter of industry best practices to strengthen the security of our supply chain and ensure the global integrity of our software and hardware development processes. EMC shared its experience in two SAFECode whitepapers on software integrity.\11\ As a leader in the security field, RSA has actively engaged with government and industry partners to develop global supply chain security standards.
---------------------------------------------------------------------------
\11\ SAFECode.org/publications
---------------------------------------------------------------------------
The following are a few examples of industry-led efforts to develop and implement security standards:

  The Common Criteria: The Common Criteria \12\ are a set of international computer security standards developed by governments that include Canada, France, Germany, the Netherlands, the United Kingdom and the United States through active engagement with industry.
EMC/RSA has made substantial investments over many years to certify many of our products against the Common Criteria, which are now recognized by 26 countries. U.S. policy should encourage those countries that do not yet recognize The Common Criteria to follow suit as a baseline assessment and avoid separate, custom national evaluations in order to access their markets.
---------------------------------------------------------------------------
\12\ ISO/IEC 15408: Information technology--Security techniques--Evaluation criteria for IT security--Part 1: Introduction and general model
---------------------------------------------------------------------------
  Protection Profiles: Industry has taken the lead to contribute technical content related to supply chain evaluations against standard ``Protection Profiles'' for different classes of technology. This directly supports a strategy by The Common Criteria Development Board and the National Security Agency (NSA)'s National Information Assurance Partnership (NIAP) unit to reorient product evaluations towards protection profiles, many of which are also developed by industry.
  Open Trusted Technology Provider Standard (O-TTPS): In 2009, RSA's Chief Technology Officer worked with the U.S. Department of Defense to launch a joint public-private initiative that led to a published global supply chain standard in April 2013. The resulting standard, The Open Group's O-TTPS Standard for Mitigating Maliciously Tainted and Counterfeit Products \13\ addresses two of our most important threats. Earlier this month at their international conference, The Open Group's Trusted Technology Forum awarded EMC for its ``outstanding contribution'' to this multi-year standard development process. The new, global O-TTPS standard will have a measurable accreditation program by year's end, enabling compliance down into the technology supply chain.
This non-prescriptive pilot program focuses on measuring the outcomes of practices, while giving each organization the latitude to determine how best to reach the performance goals. This Open Group industry standards effort also has a formal liaison with ISO/IEC's emerging standard on supplier relationships that has itself been developed with significant industry review and comments.\14\
---------------------------------------------------------------------------
\13\ http://www.opengroup.org/news/press/open-group-releases-global-technology-supply-chain-security-standard
\14\ ISO/IEC 27036: Information technology--Security techniques--Information security for supplier relationships--Part 1: Overview and concepts
---------------------------------------------------------------------------

(2) Public and private sector collaboration is essential to bolstering cybersecurity.

EMC and RSA strongly support the bill's aim of establishing more effective collaboration between industry and government to address cybersecurity issues. We already participate in two successful initiatives that we believe can serve as a model for future public-private partnerships in the cybersecurity field. At the national level, the Enduring Security Framework (ESF) is a partnership of senior industry and government executives to identify critical cyber vulnerabilities and mobilize experts to address the risks. At the regional level, the New England Advanced Cyber Security Center is a consortium of industry, government, and universities working together to share cyber threats and explore new areas of research required to improve our defenses.

(3) Cybersecurity standards should be voluntary, non-prescriptive, and technology-neutral.

The voluntary nature of the legislation is of paramount importance. While we support the development of standards and best practices, we firmly believe that companies should have the flexibility to determine for themselves how best to secure their networks.
In this highly-innovative sector, companies need the flexibility to explore creative approaches and technologies. Government regulations cannot reasonably keep pace with innovation, and companies must be free to design and build secure products in a global environment as they see fit without government intrusion. This ensures ongoing technology innovation in a global marketplace, resulting in increased productivity, job creation, and economic growth.

(4) Both government and the private sector must invest in increasing public awareness of the cyber threat.

In today's increasingly interconnected world, every individual has a role to play in enhancing cybersecurity. As we have seen, simple errors such as the use of weak passwords and poor cyber hygiene can have serious consequences. For this reason, we strongly support the legislation's call for NIST to launch a cybersecurity awareness campaign. Increased awareness is our first line of defense against cyber attacks, and we applaud the Committee for recognizing this. As NIST undertakes this effort, there are a number of existing public-private partnerships upon which we can build. The National Cyber Security Alliance (NCSA) is a non-profit organization comprised of captains of industry ranging from defense and IT companies to financial institutions and e-commerce providers to telecommunications companies and ISPs. Founded in 2001, the Alliance works with all levels of government to promote cybersecurity awareness.
As one of its founding members, EMC/RSA has been involved in this partnership since its inception and as the cybersecurity challenge has grown, so has the Alliance.\15\
---------------------------------------------------------------------------
\15\ www.staysafeonline.org
---------------------------------------------------------------------------
In collaboration with its public sector partners, NCSA established National Cyber Security Month in October, which is designed to elevate and expand cybersecurity awareness programs. We appreciate the support of the President of the United States and the U.S. Congress in this effort, and we are pleased to see that the initiative has grown year after year. The U.S. Department of Homeland Security (DHS) is a long-time participant and supporter of this public-private partnership as are multiple other Federal government agencies and many state and local governments. NCSA has also partnered with the Anti-Phishing Working Group (APWG) and DHS to launch the Stop-Think-Connect awareness campaign; an effort we will continue supporting actively to help grow its influence as a nationwide and multi-national public awareness initiative.\16\
---------------------------------------------------------------------------
\16\ http://stopthinkconnect.org/
---------------------------------------------------------------------------

(5) As we move forward, we must think not only of today's threats, but also of the cybersecurity challenges of the future.

Today, thousands of cybersecurity positions remain unfilled in both the public and private sectors, simply because of a lack of qualified candidates. We are pleased to see that the draft legislation includes provisions to increase cybersecurity research and to support the development of the cybersecurity workforce.
Title II of the draft legislation calls for a national cybersecurity research and development plan to be developed by the Office of Science and Technology Policy (OSTP) and the coordination of research and development activities at the National Science Foundation (NSF), NIST, other Federal agencies, academia, and the private sector. We believe the authorization of coordinated research will address gaps in knowledge that prevent the development of secure technologies. In addition, the Networking and Information Technology Research and Development (NITRD) program has been successful in supporting research on the science of cybersecurity and will enhance the continuation of innovative approaches to new technology. Title III of the draft bill supports efforts to prepare the cybersecurity workforce of tomorrow. Our young people are our greatest asset, but our students are falling behind in the crucial fields of science, technology, engineering and math. Investments in cybersecurity education and workforce training today will develop the talent we need to strengthen our defenses for years to come. As cyber threats continue to escalate at an alarming rate, we need to invest in building the cybersecurity workforce with the requisite skills to defend our systems and drive continued innovation. Two areas of investment are particularly important: Cyber security programs in post-secondary schools: To defend our networks, we will need to graduate more individuals with expertise in computer sciences, risk assessment, data mining, data visualization and analytics, digital forensics, and human behavior. Our colleges and universities must place an emphasis on producing graduates with the technical and cross-functional skills needed to defend against our cyber adversaries. The Federal government should support programs at the college and university levels that graduate qualified cybersecurity professionals. 
One such example is the Scholarship for Service program, funded by NSF, NSA and DHS, which has produced cybersecurity professionals now working in both the public and private sectors.\17\ This and other successful government-funded scholarship programs should be expanded to continue to grow the cyber workforce.
---------------------------------------------------------------------------
\17\ https://www.sfs.opm.gov/
---------------------------------------------------------------------------
Training, certification and accreditation programs to increase and maintain cybersecurity proficiency: In 2009, SAFECode members outlined a framework around secure engineering training that concluded that they could not sufficiently rely on colleges and universities to deliver graduates that could join the workforce without substantial, advanced company-led training.\18\ Consequently, government and private enterprises should provide increased cybersecurity training opportunities for their IT staff. The SANS Institute and the International Information System Security Certification Consortium (ISC2) and Information Systems Audit and Control Association (ISACA) provide education and certification programs that can be replicated and expanded to further develop the cyber workforce.
---------------------------------------------------------------------------
\18\ SAFECode.org/publications
---------------------------------------------------------------------------
In addition, new programs such as the U.S. Cyber Challenge\19\ and the National Initiative for Cybersecurity Education (NICE) should serve as models for future education programs. NICE has evolved from the Comprehensive National Cybersecurity Initiative, and extends its scope beyond the Federal workplace to include civilians and students in kindergarten through post-graduate school.\20\ The goal of NICE is to establish an operational, sustainable and continually improving cybersecurity education program to enhance the Nation's security.
These vitally important initiatives are being put into place to identify, recruit and place the next generation of cybersecurity professionals.
---------------------------------------------------------------------------
\19\ For more information, go to the U.S. Cyber Challenge Website at: http://workforce.cisecurity.org/.
\20\ http://csrc.nist.gov/nice/aboutUs.html
---------------------------------------------------------------------------
This effort will require significant investments today, but if these initiatives are implemented properly, our technological future is bright. We look forward to a time when government and industry work as true partners to combat cyber threats. We also look forward to having a skilled and savvy workforce that comes to the table understanding the threat landscape and best practices ready to apply their expertise in a rich economic environment. These cyber professionals will be the brightest and best-trained that we have ever seen, and they will develop innovative ways to combat the cyber threats more quickly and more creatively than we could ever dream of today. For all of the reasons noted above, this draft legislation represents an important step in the right direction, but there is more work yet to be done.

Next Steps

In order to effectively address cyber threats there must be an ``innovative and cooperative approach between the private sector and the Federal government'' and we need to collectively utilize expertise within both government and industry. As Commander of U.S. Cyber Command General Keith Alexander has said many times, ``securing our nation's network is a team sport.''\21\ Without strong public-private partnerships and actionable cyber intelligence information sharing between government and industry, we will not be able to make the progress that is so desperately needed.
Moving forward, we recommend two key next steps:
---------------------------------------------------------------------------
\21\ http://365.rsaconference.com/community/archive/usa/blog/2011/02/17/video-rsac-us-2011-keynote-the-department-of-defense-active-cyber-defense-and-the-secure-zone_general-keith-b-alexander
---------------------------------------------------------------------------
(1) Government should explore additional opportunities to leverage public-private partnerships. We greatly appreciate NIST's commitment to working with industry, and we believe similar public-private partnerships should be explored. The public sector should further leverage information available from commercial services to paint a fuller picture of the threat landscape. For example, the RSA Anti-Fraud Command Center (AFCC) has worked globally with financial institutions, ISPs, law enforcement and other organizations to detect and shut down hundreds of thousands of phishing attacks since 2007.\22\
---------------------------------------------------------------------------
\22\ For more information on the AFCC, see http://www.emc.com/collateral/solution-overview/10580-afcc-sb.pdf
---------------------------------------------------------------------------
Similarly, we have worked with industry-led Information Sharing Analysis Centers (ISACs) that are partnering with government entities and law enforcement--such as the Financial Services ISAC--to provide timely and actionable information on cyber threats and attacks.\23\ Actionable information gained from these mechanisms and in other processes with industry is often as valuable as information from government sources.
---------------------------------------------------------------------------
\23\ For more information on the FS-ISAC's information sharing practices and programs, see ``Testimony of William B. Nelson, The Financial Services Information Sharing & Analysis Center'' before the U.S.
House of Representatives Financial Institutions and Consumer Credit Subcommittee, September 14, 2011.
---------------------------------------------------------------------------
(2) It is imperative that Congress address other key cybersecurity issues not under this Committee's jurisdiction. These include advancing the sharing of cyber threat intelligence between government and industry; establishing liability protections for entities that share threat information; and streamlining acquisition of technology. We urge the Congress to examine ways to break down barriers to information sharing and create incentives for the public and private sectors to work together to safely and securely share real-time, actionable information about cyber threats. Linking the adoption of cybersecurity standards to incentives such as liability protection and streamlined acquisition of technology will create a positive business climate while improving our nation's cybersecurity posture. We also support additional legislative initiatives to update criminal laws and penalties; enact Federal data breach law; modernize FISMA; and develop reasonable and effective policy approaches to supply chain protection that will not stifle innovation and competition.

Conclusion

We thank Chairman Rockefeller and Ranking Member Thune for their dedication to advancing this important legislation. I strongly believe the action undertaken by this Committee and the bipartisan leadership of its Members will set a positive course for others in Congress to realize the urgency in addressing this growing threat. As the Senate confronts the policy challenges of cybersecurity, I have every confidence in industry's ability to leverage its existing relationship with NIST to enhance the cybersecurity of our critical infrastructure. Under this Committee's leadership, we sincerely hope that Congress will act quickly to address this urgent threat to our national security.
Again, I thank you for the opportunity to be here today, and EMC and RSA look forward to working with you and your colleagues in Congress as this proposal advances. The Chairman. Thank you, sir, very much. At 3:15, there will likely be a vote, and I just need to inform members of that because I just found out. That is what happens in the Senate. So we will just disappear. If we can stage it, we will do that so we keep the hearing going. All right. Mark Clancy, Managing Director, Technology Risk Management and Corporate Information Security Officer, The Depository Trust & Clearing Corporation. Please, sir. STATEMENT OF MARK G. CLANCY, MANAGING DIRECTOR, THE DEPOSITORY TRUST & CLEARING CORPORATION ON BEHALF OF THE AMERICAN BANKERS ASSOCIATION, FINANCIAL SERVICES ROUNDTABLE, AND SECURITIES INDUSTRY AND FINANCIAL MARKETS ASSOCIATION Mr. Clancy. Thank you. Chairman Rockefeller, Ranking Member Thune, and members of the Committee, thank you for scheduling today's hearing on improving cybersecurity through the NIST and private sector partnership. My name is Mark Clancy and I am the Corporate Information Security Officer of the Depository Trust & Clearing Corporation, or DTCC. I also have leadership roles in the Financial Services Sector Coordinating Council and the Financial Services Information Sharing Analysis Center, which is the operational hub for information sharing in the financial sector. DTCC is participant-owned, governed, and serves the critical infrastructure for the U.S. and global capital markets. DTCC provides many services to the financial industry, but the easiest way to think about us is with one example. After a trade is executed on a stock exchange, we ensure that the shares move to the people who bought them and the money moves to the people who sold them. We do this across all the major exchanges in the United States, and in the aggregate, DTCC processed last year $1.6 quadrillion in transactions and all of that occurred in cyberspace. 
Today I am testifying on behalf of the American Bankers Association, the Financial Services Roundtable, the Securities Industry and Financial Markets Association who collectively represent a large segment of the financial services sector. We applaud and support the goals of the bill crafted by the leadership of the Committee. Researchers estimate there is $100 billion in annual loss to the U.S. economy and half a million jobs lost as a result of cyber crime and cyber espionage. The financial sector institutions perform risk assessments based on the types of attacks and threat actors that we are subjected to. We group threat actors into four categories: crime, hacktivism, espionage, and war. The threats from these groups range from theft of customer information or intellectual property through disruptions such as denial of service attacks to the destruction of systems and data. The financial services sector recognizes cybersecurity is a noncompetitive area and is committed to working together to address this issue. A key organization in this partnership is the Financial Services Coordinating Council whose mission is to strengthen the resiliency of the financial services sector against attacks and other threats of the Nation's critical infrastructure. We appreciate and support the goals of S. 1353 for NIST to facilitate the necessary private and public sector collaboration to establish voluntary standards and best practices to better secure our nation from cyber attack. The sector believes strongly that to be successful, the collaboration must include the leadership in the private and public sector, as well as industry practitioners who address cybersecurity-related risks every day. The frameworks and standards that are rooted in the global, real-world, real-time nature of the threat are those that will achieve the objectives of the Nation to reduce risk from cyber threats to critical infrastructure. 
The sector has participated in a number of NIST initiatives over the years and has found the organization to be ideal for the development of standards and collaboration. Supporting the development of the NIST Cybersecurity Framework has been a major initiative of the sector. We provided comments to NIST with an emphasis on the existing national and international regulatory frameworks that the sector currently complies with. We have actively participated in the workshops and are appreciative of the efforts by NIST to seek the sector's input on specific topics and to understand how the Cybersecurity Framework will be used by our sector. The Committee bill incorporates this collaborative effort, and we hope to see swift passage of the bill. I wanted to highlight four major issues of interest in the bill to the financial services sector. One, NIST as the Government organization with the responsibility to develop standards. Two, increasing research and development for the design and testing of software. Three, educating the workforce and preparing students for future technical roles. And four, promoting a national cybersecurity awareness campaign. There are two additional points Congress should consider as this bill is finalized. First, we strongly encourage the research agenda to include the evaluation of risk management through the supply chain. This will improve the resilience of all sectors by detecting and defending against software and hardware components that have been tampered with during the production, shipment, and through the international supply chain process. Second, in addition to this bill, we encourage the Senate to introduce and pass legislation that would enhance the ability of the private sector and Government to share cyber threat information while providing the necessary privacy protections for individuals. 
On behalf of the American Bankers Association, the Financial Services Roundtable, the Securities Industry and Financial Markets Association, along with DTCC, I would like to thank you for holding today's hearing to continue to raise awareness on this critical issue and for inviting us to testify. I would be happy to address any questions that you may have.

[The prepared statement of Mr. Clancy follows:]

Prepared Statement of Mark G. Clancy, Managing Director, The Depository Trust & Clearing Corporation On behalf of the American Bankers Association, Financial Services Roundtable, and Securities Industry and Financial Markets Association

Chairman Rockefeller, Ranking Member Thune, and members of the Committee, thank you for scheduling today's hearing on improving cybersecurity through the NIST and private sector partnership. My name is Mark Clancy, and I am the Corporate Information Security Officer at The Depository Trust & Clearing Corporation (``DTCC''). I also serve on the Executive Committee of the Financial Service Sector Coordinating Council and as the Vice Chairman of the Financial Services Information Sharing and Analysis Center (FS-ISAC). DTCC is a participant-owned and governed cooperative that serves as the critical infrastructure for the U.S. capital markets as well as financial markets globally. Through its subsidiaries and affiliates, DTCC provides clearing, settlement and information services for virtually all U.S. transactions in equities, corporate and municipal bonds, U.S. government securities and mortgage-backed securities and money market instruments, mutual funds and annuities. DTCC also provides services for a significant portion of the global over-the-counter (``OTC'') derivatives market. To provide insight into the criticality of DTCC's role in the safe and efficient operation of the U.S. capital markets, in 2012, DTCC's subsidiaries processed more than $1.6 quadrillion in securities transactions.
Today, I am testifying on behalf of the American Bankers Association,\1\ Financial Services Roundtable,\2\ and the Securities Industry and Financial Markets Association \3\ who collectively represent a large segment of the financial services sector. --------------------------------------------------------------------------- \1\ The American Bankers Association (ABA) represents banks of all sizes and charters and is the voice for the Nation's $14 trillion banking industry and its two million employees. \2\ The Financial Services Roundtable (FSR) represents 100 of the largest integrated financial services companies providing banking, insurance, and investment products and services to the American consumer. Member companies participate through the Chief Executive Officer and other senior executives nominated by the CEO. Roundtable member companies provide fuel for America's economic engine, accounting directly for $98.4 trillion in managed assets, $1.1 trillion in revenue, and 2.4 million jobs. \3\ The Securities Industry and Financial Markets Association (SIFMA) brings together the shared interests of hundreds of securities firms, banks and asset managers. SIFMA's mission is to support a strong financial industry, investor opportunity, capital formation, job creation and economic growth, while building trust and confidence in the financial markets. SIFMA, with offices in New York and Washington, D.C., is the U.S. regional member of the Global Financial Markets Association (GFMA). --------------------------------------------------------------------------- At the highest level, we applaud and support the goals of S. 1353, The Cybersecurity Act of 2013 introduced by the leadership of this Committee. In my testimony today I will address current cyber threats, the sector-led initiatives to defend against these threats and the ways in which the Committee bill supports those efforts. 
Finally, I will stress the continued importance of crafting a more robust threat information sharing environment, particularly across our critical infrastructure.

Current Cyber Threat

According to McAfee and the Center for Strategic and International Studies (CSIS), there is an estimated $100 billion annual loss to the U.S. economy and as many as 508,000 U.S. jobs lost as a result of cybercrime and cyber espionage. For the financial services industry, cyber threats are a constant reality and a potential systemic risk to the industry. Our markets and financial networks are predicated on trust and confidence. The trusted transfers and transactions that occur hundreds of millions of times a day are a fundamental prerequisite for modern capital markets, investors, consumers, and governments to conduct business and drive economic growth. Given the reliance on technology and the importance of trust in the sector, individual institutions, and the industry as a whole perform risk assessments based on the types of attacks and threat actors they are subject to. The industry groups threat actors into four categories--Crime, Hacktivism, Espionage and War.

Crime--The motivation of these groups is financial gain. The threat intensity of these groups varies based on two factors: the capabilities of the actors and the vulnerabilities of the targets. While organizations are continually assessing and addressing potential gaps in their systems, criminals are just as quickly acquiring new technical skills and capabilities through a sophisticated cyber black market.

Hacktivism--The term hacktivism is applied to groups or individuals who use computer intrusion or ``hacking'' techniques to promote and publicize an often radical political or cultural point of view. The most recent example of hacktivism has been the distributed denial of services (DDoS) attacks for which the Cyber Fighters of Izz ad-din Al Qassam have claimed credit.
These attacks against large financial institutions began in 2012 allegedly to protest the posting of the ``Innocence of Muslims'' video on YouTube. This group, like virtually all hacktivists, is not motivated by financial gain--it wants to make a high-profile political statement. The capabilities of hacktivists vary greatly, although it is common to find a few highly-skilled individuals operating in loose confederation with lesser-skilled, but highly-motivated actors.

Espionage--The term cyber espionage was coined to reflect the ``spy vs. spy'' activity that has occurred between nations. However, cyber espionage has expanded in recent years beyond attempts to steal national secrets to now include cyber theft of proprietary information from corporations in an effort to gain an economic and competitive advantage over the commercial interests of a country.

War--This generally refers to the launch of a cyber-missile or some other cyber weapon of mass destruction to devastate the capabilities of a government or corporation by causing a physical system to fail or to gain control over that system. Today, as many as 30 countries have cyber war units to protect and defend against such an attack, according to former Secretary of Defense Leon Panetta, who also oversaw a cyber-command center comprised of Army, Navy, and Air Force personnel. In addition, some countries are developing units to promote or instigate this type of warfare.

The universe of threat actors, regardless of the category into which they fall, pose a significant and growing danger to the sector. These threats range from theft, to disruption and destruction.

Theft--Actions resulting in the theft of customer, proprietary, or confidential data or information. The loss of essential account information has the potential to put the public in harm's way for fraud and identity theft. If the crimes happen regularly, confidence in the sector could erode.
The theft of a customer's access credentials when stolen via malicious software installed on the individual's computer is particularly dangerous because that customer faces the potential loss of his or her funds and assets.

Disruption--Actions intended to cause disruptions to systems and operations, denying authorized users access to the affected systems. For example, in the previously mentioned DDoS attacks against the sector, hacktivists successfully blocked or otherwise limited the availability of certain consumer-facing websites for brief periods, but did not impact any institution's internal or critical functions. In the future, more severe cyber attacks could attempt to target these internal, critical functions.

Destruction--Actions intended to compromise the integrity of or cause the destruction of data and systems.

Financial firms take extreme precautions to guard against these three main types of incidents that could impact the integrity of customer or institutional data. Not only is this an issue addressed by individual institutions' risk management functions, but also an issue that has interest by executive leadership to increase the investment in this critical space.

The Systemic Impact of Cyber Attacks on DTCC

As mentioned earlier, DTCC serves as the critical infrastructure for global financial markets. As a result, the organization brings a dual perspective to its view of the cyber risk environment and its impact on critical infrastructure. First, DTCC must examine and plan for cyber attacks that could impact its ability to perform clearance and settlement and other critical post-trade processes that underpin the global financial marketplace. Second, because of the interconnectedness of the financial system, DTCC must also take into account the broader systemic risks that could result from a cyber attack on its systems.
The global financial system is an enormous, interconnected ``system of systems.'' In other words, while individual institutions operate different parts of the critical infrastructure, the financial system itself is a product of the interactions of all these discrete actions. Because DTCC is connected to thousands of different market participants spanning the entire financial services industry globally, the organization must look beyond how a cyber attack could harm its own operations to the systemic impact on its members and the broader financial community. For example, if DTCC is unable to complete clearance and settlement due to systems disruptions or outages, buyers and sellers of securities would not know if their trades had completed and, therefore, what securities they own or how much capital they have. DTCC's financial risk and operational assessments must take into account these essential functions and determine how non-performance would impact the markets it serves as well as the firms that utilize its products and services, the investing public and the U.S. economy. In other words, if a cyber attack directed at DTCC, or other critical financial market infrastructure, rendered its systems non-operational, what would that do to the overall functioning of the financial system? If the financial markets could not operate, how would that affect liquidity and access to capital? This systemic view of cyber risk has driven DTCC to broaden its perspective on cybersecurity to include consideration of ways to mitigate low frequency but potentially high-impact scenarios that a monoplane risk assessment would have ignored.

DTCC maintains an elaborate and sophisticated information security program to protect against the types of cyber attacks mentioned above. This includes ongoing collaborative efforts with the private and public sectors.
The financial services industry is currently engaged in a variety of public-private partnerships with the Federal government to protect against cyber threats and safeguard the Nation's critical market infrastructure.

Sector-Led Initiatives

The financial services sector recognizes the risks, views cybersecurity as a non-competitive area and works together to identify potential threats and techniques to mitigate them. A key organization to this coordination is the Financial Services Sector Coordinating Council (``Council''), whose mission is to strengthen the resiliency of the financial services sector against cyber attacks and other threats to the Nation's critical infrastructure. The organization's leadership is comprised of industry utilities and operators, as well as industry associations, such as those on whose behalf I am testifying today. The Council is spearheading financial services participation in the discussions surrounding implementation of Presidential Executive Order 13636--Improving Critical Infrastructure Cybersecurity through the involvement of the ABA as co-chair of the FSSCC Policy Committee and SIFMA as lead on the incentives efforts. The FSSCC Threat and Vulnerability Committee, co-chaired by the BITS\4\ division of FSR, discusses the evolving threat to identify sector initiatives for mitigation. The Committee also developed a methodology for identifying core infrastructure for the sector along with the Department of Treasury.
---------------------------------------------------------------------------
\4\ BITS, as the technology policy division of the Financial Services Roundtable, addresses issues at the intersection of financial services, technology and public policy, where industry cooperation serves the public good, such as critical infrastructure protection, fraud prevention, and the safety of financial services.
--------------------------------------------------------------------------- The ABA, FSR and SIFMA are also collaborating with the U.S. Department of the Treasury, in concert with the Council, the Financial Services Information Sharing and Analysis Center and The Clearing House, in an effort to enhance the industry's cybersecurity ecosystem. The effort has led to the development of an Action Plan of both short- and long-term improvements to the sector's security posture focused on enhancing information sharing, increasing analysis, improving crisis management response and upgrades to core components of the cyber ecosystem. On July 18, the industry participated in Quantum Dawn 2, a cybersecurity exercise organized by SIFMA. Five hundred individuals from over 50 entities throughout the sector and government participated in this opportunity to run through their crisis response procedures, practice information sharing and refine protocols relating to a systemic cyber attack. Quantum Dawn 2 was executed on a simulation platform developed as a result of cybersecurity research funding from the Department of Homeland Security's Science and Technology Directorate and was used in the exercise to simulate the U.S. equities markets. Participants are currently analyzing the findings to identify areas for improvement and best practices that will enable firms and the entire sector to better prepare for and defend against cyber threats. The exercise demonstrates the positive linkage between research and development investments, such as simulation tools, and the ability to reduce cyber related risks through preparedness that could not have been accomplished using real world infrastructures. Lastly, some of these initiatives involve fundamental changes to the cyber ecosystem. In December 2011, the ABA and FSR formed a new entity, fTLD Registry Services, LLC (fTLD), to apply for and run industry-related top-level domains. 
This decision was predicated upon an announcement by the Internet Corporation for Assigned Names and Numbers (ICANN) to allow for an unlimited number of top-level domains (TLDs) beyond the 23 existing at the time (e.g., .com, .net and .org). fTLD's goal is to represent the financial services community and to help assure that new TLDs related to the banking and insurance communities will reduce industry risk and protect customers and institutions. In addition, fTLD helps develop sound Internet practices and standards and advocates for secure Internet policies. Legislation We appreciate and support the goals of S. 1353, The Cybersecurity Act of 2013 sponsored by Senator Rockefeller and Senator Thune. If made into law, Title 1 of this bill would leverage the National Institute of Standards and Technology (NIST) to facilitate the necessary private and public sector collaboration to establish voluntary standards and best practices to better secure our Nation from cyber attacks. As discussed in detail above, the sector believes strongly in the importance of private sector leadership for responding to this threat. We also recognize the need for a partnership between the private sector and the government. The government plays a unique role in the protection of private sector companies. To be successful the collaboration needs to include the leadership in the private and public sector as well as the practitioners who address cybersecurity related risks every day. The frameworks and standards that are rooted in the global, real world, and real time nature of the threat, are those that will achieve the objectives of the Nation to reduce risk from cyber threats to critical infrastructure. The sector works closely with our government counterpart the Financial and Banking Information Infrastructure Committee (FBIIC). 
The FBIIC, led by Treasury and chartered under the President's Working Group on Financial Markets, is charged with improving coordination and communication among financial regulators, enhancing the resiliency of the financial sector, and promoting the public/private partnership. Essential to the sector's success is the public sector's commitment to the public/private partnership outside of the already mature regulatory regime. The sector has participated in a number of NIST initiatives over the years and has found the organization to be ideal for the development of standards and collaboration. Most notably, the industry has been involved and continues to participate in the implementation of the National Strategy for Trusted Identities in Cyberspace (NSTIC). Participation in the development of the Cybersecurity Framework by NIST has been a major initiative of the sector. We provided comments to NIST from the FSSCC with an emphasis on the existing national and international regulatory frameworks that the sector currently complies with. We have actively participated in the workshops and are appreciative of the specific efforts by NIST to seek the sector's input on specific topics and understand how the Cybersecurity Framework will be used by our sector. In addition to specifying NIST as the government organization with the responsibility to develop standards, the legislation would enable critical steps for increasing research and development for the design and testing of software, educating the workforce, preparing students for future technical jobs and promoting a national cybersecurity awareness campaign. These are all critical issues to the financial services sector. There are two points for consideration as this bill moves forward. In the development of a research agenda, we strongly encourage you to include the evaluation of risk management throughout the supply chain. 
It is important for all sectors to improve their ability to detect and defend against software and hardware components that have been tampered with during production, shipment and throughout the international supply chain process. This recommendation is based on research and discussion done by the sector in the development of the Council's research and development agenda \5\. --------------------------------------------------------------------------- \5\ http://www.fsscc.org/fsscc/news/2013/FSSCC%20RD%20Agenda%20April%2024%202013.pdf --------------------------------------------------------------------------- In addition, as the NIST Director establishes a cybersecurity awareness and preparedness campaign, we encourage the Director to analyze and leverage the work already underway by the National Cyber Security Alliance. This organization, supported by a number of sectors and government partners, developed the Stop. Think. Connect. campaign to encourage a shared responsibility across enterprises and individuals for securing the Internet. Need for Information Sharing Legislation We encourage the passage of S. 1353, The Cybersecurity Act of 2013. In addition, we encourage the Senate to introduce and pass legislation that would enable increased cyber threat information sharing between the private sector and government, while providing the necessary privacy protections for individuals. Our sector works collaboratively with our government partners to:
  - Prepare for cyber attacks by collecting, analyzing and disseminating threat information to the extent currently feasible, assessing systemic risks, and conducting joint exercises.
  - Stay ahead of adversaries and reduce the number of incidents by anticipating threats, implementing countermeasures and addressing critical vulnerabilities.
  - Identify incidents as they occur by implementing key controls that would improve our ability to detect and block cyber attacks at ``net speed''.
  - Respond to incidents in the manner that will reduce the impact and risk to the financial institution and the sector.
  - Improve security posture, and minimize impact through robust forensics, investigations and learned capability.
Given the interconnected nature of cyberspace, institutions recognize that the strongest preparations and responses to cyber attacks require collaboration beyond their own companies. As a result, the sector has engaged in a number of collaborative efforts. Through the FS-ISAC, participants share threat information between financial institutions and the Federal government, law enforcement and other critical infrastructure sectors. The FS-ISAC also has a representative for the sector on the National Cybersecurity and Communications Integration Center floor to provide the Department of Homeland Security (DHS) insight into the financial sector's issues and incidents and provide an additional fan-out for information from DHS to the sector. Cyber attacks are not specific to the financial services sector, but are the concern of all targeted sectors, making it essential to be able to share threat information across sectors. Currently, we all experience attacks and work within our sectors as the law allows. Viruses, trojans and other malicious software may be written to target a specific sector, but are often developed or leveraged to attack other sectors for additional purposes. Attackers are looking for methods to increase efficiency, so their ability to reuse these tools in attacks on multiple sectors accomplishes this goal. Our attackers share information related to their attacks. American businesses defending against cyber attacks need that same capability. The ability to share information across sectors and with the government is necessary to effectively prepare, recognize and respond to attacks that hit across sectors.
As our adversaries evolve, techniques become more complex, and coordinated attacks become commonplace, we need to advance our ability to respond in a collective, coordinated fashion. The ability to share information more broadly is critical and foundational to our preparation for and response to future attacks. While we constantly review opportunities to improve the information shared within our industry, it is vital that our efforts also include sharing information across sectors and between the government and the private sector. Each company and public sector entity has a piece of the puzzle and an understanding of the threat. Our ability to share this information will greatly increase our ability to prepare and respond to threats. Conclusion On behalf of the DTCC and the financial services industry, I would like to thank you for holding today's hearing to continue to raise awareness on this critical issue and for inviting us to testify. I would be happy to answer any questions. The Chairman. Thank you, sir. Dorothy Coleman is Vice President of Tax, Technology and Domestic Economic Policy of the National Association of Manufacturers. We welcome you. STATEMENT OF DOROTHY COLEMAN, VICE PRESIDENT, TAX, TECHNOLOGY AND DOMESTIC ECONOMIC POLICY, NATIONAL ASSOCIATION OF MANUFACTURERS Ms. Coleman. Chairman Rockefeller, Ranking Member Thune, and members of the Committee, thank you for the opportunity to appear today to testify on behalf of our nation's manufacturers. My name is Dorothy Coleman. I am the Vice President of Tax, Technology and Domestic Economic Policy at the National Association of Manufacturers, the Nation's largest industrial trade association, representing small and large manufacturers in all industry sectors and in all 50 States. The NAM has enjoyed a close working relationship with the Committee for a number of years, and we appreciate your support and leadership on a number of issues that are important to our industry, including cybersecurity. 
One of NAM's top four goals is to ensure that manufacturers in the United States are the world's leading innovators. Cybersecurity is key to achieving this goal. We support creating a voluntary, industry-led standards development process, strengthening the cybersecurity research and development strategy inside the Federal Government, creating a highly skilled cybersecurity workforce, and raising public awareness of cyber threats. The Cybersecurity Act of 2013 represents a sensible, bipartisan, nonregulatory approach and highlights the importance of moving forward on this issue. Manufacturers are entrusted with vast amounts of data through their relationships with customers, suppliers, and governments. They are responsible for securing the data, the networks on which the data run, and facilities and machinery they control. Manufacturers are the owners, operators, and builders of our nation's critical infrastructure, ranging from energy plants to highways. They rely on technology to design, produce, and deliver products ranging from nanoscale electronic devices to fighter jets. The design, collaboration, and information that helped drive this innovation have moved almost exclusively online, exposing companies to cyber thieves constantly attempting to penetrate networks and steal intellectual property to replicate products and designs and disrupt business activity and critical infrastructure. Manufacturers recognize they have to secure their networks, their controls, and their data. In a recent NAM membership survey, 96 percent of respondents said they have ongoing efforts to strengthen their information technology networks and protect their IP. More than 90 percent of the respondents have upgraded their IT assets, and more than half have hired outside cybersecurity experts. Thus, the NAM encourages the Federal Government to advance cybersecurity preparedness through increased collaboration and coordination with the private sector.
Our top priority is allowing voluntary sharing by the public and private sector of real-time threat information to allow manufacturers to better protect themselves from cyber threats. In addition, any cybersecurity initiative should protect personally identifiable information and civil liberties and not grant the Government new authority in this realm or the ability to monitor or censor private networks. We oppose the creation of a static, regulatory-based government regime. Potential cyber threats change rapidly and manufacturers need the flexibility to pivot quickly and defend against these threats in real time. Time spent complying with outdated and burdensome regulations will negatively impact manufacturers' ability to protect their key assets. Comments by NAM members to NIST reflect their belief that any cybersecurity framework should be voluntary, risk-based, and flexible enough to keep pace with ever-changing cyber threats. Most importantly, any threat information the Government can share with the private sector will be the most effective way to combat cyber threats. The framework also should act more as guidelines for best practices and take into account the global presence of manufacturers and related international standards in place. A major concern is that the creation of any new set of standards, even if they are voluntary, could lead to another regulatory regime and cause even more challenges to manufacturers. We are pleased that your legislation addresses many of these challenges, and we appreciate your balanced, nonregulatory approach to reduce the risk of cyber threats based on a public/private partnership. The National Cybersecurity Research and Development Plan would further secure wireless technology, software systems, and the Internet while guaranteeing individual privacy. We also support the creation of cybersecurity modeling and test beds to examine our capabilities and determine our needs. 
We appreciate your efforts to raise the priority of cybersecurity through all agencies. At the end of the day, however, the ability to receive real-time threat information remains manufacturers' top priority and will be the most effective way to combat cyber threats. Manufacturers also realize that an ongoing partnership with the Federal Government is important. NAM members generally support establishing NIST as a facilitator of industry-led discussions on standards, guidelines, and best practices. Many NAM members are participating in the NIST Cybersecurity Framework discussions. Those sessions have been productive and our members want the process to continue. At the same time, there are concerns that codifying NIST as the facilitator may somehow negatively impact the process or, even worse, give NIST the authority to recommend binding regulations. As noted before, manufacturers will not support any legislation that creates a new, overly burdensome regulatory regime. Thus, we are pleased that creating new regulations is neither the intent nor the goal of your legislation. We appreciate that your bill specifies that any recommended standards will be voluntary and will not prescribe specific technology solutions, products, or services. In conclusion, manufacturers' ability to protect their products, processes, facilities, and customers is critical for their continued success and the broader economic security of the Nation. Your bill represents a good first step in assisting manufacturers in their ongoing efforts to reduce their cyber risk. Thank you for the opportunity today to appear before you. The NAM looks forward to working with the Committee as the process moves forward. Thank you. [The prepared statement of Ms.
Coleman follows:] Prepared Statement of Dorothy Coleman, Vice President, Tax, Technology and Domestic Economic Policy, National Association of Manufacturers Chairman Rockefeller, Ranking Member Thune and members of the Committee, thank you for the opportunity to appear today to testify on behalf of our nation's manufacturers on ``The Partnership Between NIST and the Private Sector: Improving Cybersecurity.'' My name is Dorothy Coleman, and I am the Vice President of Tax, Technology and Domestic Economic Policy at the National Association of Manufacturers (NAM), the Nation's largest industrial trade association, representing small and large manufacturers in every industrial sector and in all 50 states. We are the voice of 12 million manufacturers in America. The NAM has enjoyed a close working relationship with the Committee for a number of years. Mr. Chairman, we appreciate your unwavering support for the Hollings Manufacturing Extension Partnership, which has proved invaluable for small manufacturers in West Virginia and around the country working to develop the next breakthrough manufacturing technology. Thank you, too, for your leadership on spectrum issues, which are critically important to the many manufacturers that use wireless technology in their businesses. Ranking Member Thune, the NAM and our members have worked closely with you on multiple issues. You have been a strong advocate for the close to 40,000 manufacturing employees in South Dakota on both tax and trade issues. We look forward to continuing our working relationship with you on cybersecurity and the other legislative priorities for manufacturers. Cybersecurity has been a focus of this committee in recent years. 
On behalf of our nation's manufacturers and all those who want to ensure the protection of our critical assets and intellectual property (IP) and to work together with the Government to achieve this goal, I am pleased to testify on the Cybersecurity Act of 2013 and to discuss the partnership between the National Institute of Standards and Technology (NIST) and the private sector. Overview Manufacturing remains an important economic force in the United States, representing 12 percent of the U.S. economy. Nonetheless, despite the critical role the industry plays in the economy, taxes, legal costs, energy prices and burdensome regulations make it 20 percent more expensive to manufacture in the United States than in any other country. The NAM's Growth Agenda: Four Goals for a Manufacturing Resurgence in America is a comprehensive plan to address these challenges, unleashing the economy and manufacturing's outsized multiplier effect. The Growth Agenda makes the case for pro-growth policies to ensure that:
  - The United States will be the best place in the world to manufacture and attract foreign direct investment;
  - Manufacturers in the United States will be the world's leading innovators;
  - The United States will expand access to global markets to enable manufacturers to reach the 95 percent of consumers who live outside our borders; and
  - Manufacturers in the United States will have access to the workforce that the 21st century economy demands.
Manufacturers recognize that we face very specific challenges in achieving these goals. In particular, in pursuing our goal to be the world's leading innovators, our industry faces constant threats from nefarious actors in cyberspace attempting to access our IP and operations unlawfully. These threats endanger our continued economic growth and safety of our citizens. Thus, the NAM believes that we need to develop appropriate general and industry-specific best practices for improved cybersecurity.
In formulating cybersecurity policy, we support a public-private partnership that draws on industry best practices. The cybersecurity debate has moved forward significantly this year, and the business community has the leadership of you, Mr. Chairman, and Ranking Member Thune to thank for that. Your bill represents a sensible, bipartisan, non-regulatory approach to an issue of utmost importance to the manufacturing industry. Manufacturers support creating an industry-led, voluntary standards development process, strengthening the cybersecurity research and development strategy inside the Federal government, creating a high-skilled cybersecurity workforce and raising public awareness of cyber threats. The introduction of this bill has also effectively signaled to the business community and to your Senate colleagues the importance of moving this issue forward. There are a number of additional issues that other committees need to debate, but we are pleased with the steps you have taken. Manufacturers and Cybersecurity Manufacturers are entrusted with vast amounts of data through their comprehensive and connected relationships with customers, vendors, suppliers and governments. They are responsible for securing the data, the networks on which the data run and the facilities and machinery they control at the highest priority level. In addition, manufacturers are the owners, operators and builders of our nation's critical infrastructure. They manufacture and use the temperature controls regulating the grain silos that store our nation's food supplies. They build and manage the systems operating the traffic signals that govern the rules of the road. Manufacturers make technology products ranging from nanoscale electronic devices to fighter jets. They build and run the energy plants that power our homes and businesses and the heavy machinery exploring the oil and gas fields that make America competitive. 
In addition, manufacturers leverage technology to design, produce and deliver these products. Technology is also used to manage, monitor and secure key facilities and products, including trade secrets and patents. These products, controls, systems, patents, trade secrets and all other tools that differentiate manufacturers in the United States from their competitors are the envy of the world. The movement of design, collaboration and information that helps drive this innovation almost exclusively online has created a new vulnerability: exposure to cyber thieves that are constantly attempting to penetrate networks to steal this IP. This illegal activity allows bad actors to replicate products and designs and disrupt business activity and critical infrastructure. The stakes are high. What was once only the concern of businesses' IT departments has now become an important issue throughout manufacturing facilities, large and small. Leaders of manufacturing enterprises know they have to secure their networks, their controls and their data. In fact, in a recent NAM membership survey, 96 percent of respondents said they have ongoing efforts to strengthen their information technology networks and protect their IP to reduce their risk. More than 90 percent have upgraded their IT assets, and more than half have hired outside cybersecurity experts. Manufacturers know the economic security of the United States is related directly to our cybersecurity. Given that our economic security is critical to our national security, manufacturers are leaders in cyber defense and are working constantly to ensure their companies, products and customers are secure. Cybersecurity Policy During the cybersecurity debate in recent years, the NAM has been clear on what actions we believe the government should take to address current cyber threats most effectively. We have communicated our priorities to leaders in both the House and Senate and to the White House. 
I am pleased to share those with you again today, and I applaud you for addressing a number of these issues over which your committee has jurisdiction. NAM members value the strong partnership they have with the public sector and believe that partnership should extend to cybersecurity efforts. The NAM encourages the Federal government to advance cybersecurity preparedness through increased collaboration and coordination with the private sector. In particular, manufacturers' top priority is allowing the voluntary sharing by the public and private sector of real-time threat information to allow manufacturers to better protect themselves from cyber threats. In contrast, under current law, the government is prohibited from sharing sensitive cyber threat information with the private sector. Manufacturers are hesitant to share information with the government due to liability uncertainty and exposure. Companies also are not permitted to share information freely with their peers. The NAM supported the Cyber Intelligence Sharing and Protection Act (CISPA) of 2013 (H.R. 624), which the House passed earlier this year. This legislation, if signed into law, will allow the government to share timely and actionable threat and vulnerability information with the private sector. Mr. Chairman, as a member and former chairman of the Senate Intelligence Committee, we encourage you to work with your colleagues on that panel to address the issue of information sharing. Manufacturers value the privacy of individuals and the need to protect personally identifiable information and civil liberties. We believe that any cybersecurity initiative the Federal government undertakes separately or in partnership with the private sector should place a premium on ensuring this information is secure. At the same time, it is important to ensure that any effort does not grant the government any new authority in this realm or give the government the ability to monitor or censor private networks. 
Developing a Cybersecurity Standards Framework The NAM believes that the public and private sector must partner closely to establish the best way to defend against ever-changing cyber threats manufacturers face. We oppose, however, the creation of a static, regulatory-based regime. This approach will not enhance cybersecurity--it will do just the opposite. The cyber threat that now confronts all entities in both the public and private sector is commonly known as the ``advanced persistent threat'' or APT. Cyber hackers and thieves are changing their tactics every minute. Manufacturers need the flexibility to pivot quickly and defend against these threats in real time. Any mandatory regulations imposed on manufacturers will be obsolete the day they are published. The time spent complying and adjusting to outdated, burdensome and potentially duplicate regulations will negatively impact manufacturers' ability to protect their key assets. Rather than develop mandatory regulations, the government should apply to the cybersecurity challenge the public-private partnership model that has been effective in other areas. While the Federal government has the resources to facilitate industry-led discussions on how best to defend against the APT, industry officials bring real-world expertise and experience unique to their segment. In fact, NAM member companies have been on the record in their comments to NIST and in their participation in the cybersecurity framework discussions around the country that implementing any framework should be on a voluntary company-by-company basis. The framework needs to be risk-based, and it must keep pace with ever-changing cyber threats. Most importantly, any threat information the government can share with the private sector will be the most effective way to combat cyber threats. A one-size-fits-all approach to a standards framework will not be effective.
Manufacturers vary in size, come from a cross-section of diverse industry segments, have differing amounts of available resources and are exposed to external actors in different ways. These factors all will play a role in how each manufacturer implements a cybersecurity strategy. Imposing a single regulatory model would result in little or no participation in the framework. Rather, the framework should act more as a guideline and advocate for best practices. The framework must also take into account the global presence of manufacturers and all international markets in which they operate and the related international standards already in place. The most common theme we have heard from our members is that a number of standards already exist. A major concern is that the creation of any new set of standards--even if they are voluntary--could lead to another regulatory regime and cause even more challenges for manufacturers. Any framework NIST may develop must take into account existing standards already being followed by the private sector. Cybersecurity Act of 2013, S. 1353 The Cybersecurity Act of 2013, S. 1353, introduced yesterday addresses many of the challenges described above. Mr. Chairman and Ranking Member Thune, we appreciate your efforts to reach out to all stakeholders to create a balanced approach to reduce the risk of cyber threats to critical infrastructure based on a public-private partnership model. The legislation would create a national cybersecurity research and development plan to further secure wireless technology, software systems and the Internet, while guaranteeing individual privacy. The legislation would also create cybersecurity modeling and test beds to examine our capabilities and determine our needs. It does all of this while ensuring coordination across the government. We appreciate your efforts to raise the priority of cybersecurity throughout all agencies. 
Your bill also would place a priority on developing a high-skilled cybersecurity workforce. Through competitions, challenges and scholarships, it would create incentives to join this growing workforce at a time when our country needs it most. Most importantly, it would assess current skill sets and help determine what more is needed in curriculum and training to ensure we have the workforce we need. Manufacturers are facing a skills shortage in many disciplines, and any effort to close that gap is one we support strongly. The national cybersecurity awareness and preparedness campaign has been well received by NAM members. Efforts to increase the cyber intelligence and cyber safety of the public and state and local governments will benefit manufacturers as they hire the workers they need and as they operate in their communities. We have heard the most from our member companies on Title I of the bill, Public-Private Collaboration on Cybersecurity. As I stated earlier in my testimony, the ability to receive real-time threat information remains manufacturers' top priority. This will be the most effective way to combat cyber threats. Manufacturers realize that an ongoing partnership with the Federal government--in addition to information sharing--is also important. In addition, NAM members generally support establishing NIST as a facilitator of industry-led discussions on standards, guidelines and best practices among other efforts to reduce cyber risks to critical infrastructure. Many NAM members are participating in the NIST cybersecurity framework discussions underway. Those sessions have been productive, and our members want the process to continue. Nonetheless, they have some concerns about this approach. In particular, some companies are concerned that codifying NIST as the facilitator may somehow negatively impact the process, or even worse, give NIST the authority to recommend binding regulations. 
It is our understanding that creating new regulations is neither the intent nor the goal of the legislation. We appreciate that this is referenced specifically in the bill, which requires that any recommended standards are voluntary and will not prescribe specific technology solutions, products or services. The legislation is even more specific by citing that any information shared in the standards development process shall not be used to regulate any activity of the sharing entity. On behalf of the NAM's 12,000 members, this is a point I cannot stress strongly enough--manufacturers will not support any legislation that creates a duplicative regulatory regime that puts undue burdens on manufacturers. We are, therefore, pleased that this legislation prohibits that from happening while at the same time solidifies the public-private partnership in efforts to address an issue of critical importance to our nation. Conclusion In our fast-moving, hyper-competitive 21st-century economy, cybersecurity is an issue of increasing importance to the manufacturing industry. The stakes are high for manufacturers and the rest of the business community. Manufacturers' ability to protect their products, processes, facilities and customers is critical for their continued success and the broader economic security of the Nation. The legislation the Committee is examining today represents a good first step in assisting manufacturers in their ongoing efforts to reduce their cyber risk. Manufacturers must and will continue to drive the process, and a partnership with the government is a key component of the effort. The NAM supports the goals of the legislation and appreciates the Committee's efforts to address this important issue. Thank you for the opportunity today to appear before you. The NAM looks forward to working with the Committee as the process moves forward. The Chairman. Thank you. I should inform our colleagues that the vote starts in about 3 or 4 minutes. 
Senator Thune, I can stay. I will stay, or I will come back if I go vote. But if there are members, Senator Klobuchar or you, sir--if you cannot come back, then you may want to ask a question now. Senator Klobuchar? Senator Klobuchar. I will just ask one question here at the beginning. The Chairman. Actually, Heinrich comes before you. Senator Klobuchar. Well, there we go. [Laughter.] STATEMENT OF HON. MARTIN HEINRICH, U.S. SENATOR FROM NEW MEXICO Senator Heinrich. That rarely happens. Dr. Gallagher, I just wanted to ask you a quick question about how--you have expounded a lot in terms of the collaboration that you have with the private sector and how critical that is. How do you also learn from the other agencies and entities that you work with within the public sector who have specific expertise in this area so that we can make sure that that then has a direct benefit on the private sector? And in particular, I know in my district you are very familiar with what Sandia does. They get about 20,000 to 30,000 attacks an hour. What is the mechanism for making sure that what we learn from some of those things makes it out into the private sector where appropriate? Dr. Gallagher. So thank you. I do not know if you know--my father was a lifelong employee at Sandia National Labs and I have been out there looking at their cybersecurity work. You are exactly right. There are two actual roles of NIST. One is the technical depth, and we have talked about that. And that is so important in terms of providing a venue to work with the private sector and be neutral. But the other role of NIST is coordination of standards in the sense that we are sort of a corporate memory within the Federal Government about how to work with the private sector on various standard setting activities, whether it is Smart Grid in energy or whether it is cloud computing, or health care information systems. 
One of the other roles we have is a very natural collaboration role with the other Federal agencies. That has been a key part of this effort as well, working with a very broad range of agencies. You can imagine, given the definition of critical infrastructure, it is basically a very large group of agencies: Energy Department, Transportation, Department of Treasury, Homeland Security, our intelligence community, and so forth. So that is a key part. This is an ``all hands on deck'' effort. We want to bring as many smart people as we can into the effort. Senator Heinrich. Thank you. Thank you, Mr. Chairman. The Chairman. That is it? Senator Heinrich. Yes. The Chairman. Are you sure? OK. Senator Klobuchar? STATEMENT OF HON. AMY KLOBUCHAR, U.S. SENATOR FROM MINNESOTA Senator Klobuchar. Mr. Chairman, thank you so much for holding this hearing on this incredibly important topic. I would like to underline the fact that cyber crime and espionage are resulting in major financial losses for American businesses. Last year, General Keith Alexander, the head of Cyber Command and the National Security Agency, said that they represent the largest transfer of wealth in human history. Recent reports by McAfee, the Center for Strategic and International Studies estimate that the toll of cyber crime is about $100 billion per year. Under Secretary Gallagher, what is your best dollar figure estimate of the economic toll on American business due to cyber crime and espionage? Dr. Gallagher. I do not think I can improve on your estimate. So I will not hazard one. Senator Klobuchar. OK, very good. Do you think that there are enough incentives in place for the private sector to participate in NIST's process for establishing standards? Do you think the current incentives are sufficient, or do you think more needs to be done? Dr. Gallagher. So the view I have taken on the incentives question is that it is going to be easier to evaluate that when we are trying to put the framework into place. 
The framework is designed to be aligned with business. The goal here is to make good cybersecurity performance equivalent to good business practice. Therefore, the right way to look at the incentives question is to look at the friction as companies are trying to put this framework into place. It could be the business-to- business relationship, and we have talked about that. It could be about the risk sharing. It could be about the interaction between the private sector companies and the Government. And I think until we start getting some experience with how this framework of practices starts to go in place, it is going to be difficult to guess which of the incentive issues are going to be most important. But I think the goal is to try to make this equivalent to good business. Senator Klobuchar. Anyone want to add anything else? Mr. Coviello. I would be happy to add to that. I think there is going to be a tremendous incentive to adopt this framework. As I said in my opening remarks, as companies adopt more and more technology to improve the productivity in their business operations, they are going to expose themselves more and more to these cyber threats. So, it will be a business imperative to have the ability to defend themselves. I think the level of not only awareness but understanding of the threat and the problem has risen dramatically in the last several years due to a number of well publicized attacks and the very figures that you quote. So I think it is going to be a matter not only of a priority for businesses but one that could even provide competitive advantage by having the best cybersecurity regime possible. Senator Klobuchar. Well, just along those lines, my last question is--I will put some more in the record. But one of the parts of this bill that I think is really important is the National Cybersecurity Awareness Campaign. 
Frameworks and voluntary standards are useless if our citizens do not practice cybersecurity at home, at school, at work, and I think without the public understanding and understanding the significance of the challenge, we are going to continue to be vulnerable. Does anyone want to talk about that? Mr. Clancy? Mr. Clancy. I would be happy to. So I have used a lot in my conversations metaphors because most people do not understand the technical world that I live in. The one I use in that case is around seat belts. So we have NIST that gives us a good set of specifications of what a seat belt should do, what its action should be, how you install it in the car. We also need to make sure that people are wearing them. And we are in the early days. This is cars in the 1950s where we did not have seat belts. Right? That is where we are with cybersecurity. So the combination of the good standard and the education for the public at large, as well as people who are the ones who install and fabricate seat belts--that is kind of what we need for this ecosystem that will change the physics of the problem that we suffer through today. Senator Klobuchar. Very good. And I think also I would just add that I think higher education institutions could play a role in this as well. I happen to know a few that are pretty good in my State. But I think that that would make a difference as well. So thank you very much for your work, and I look forward to working with you, Mr. Chairman, on this bill. Thank you for your leadership. The Chairman. Well, thank you. Do you wish to name each of those institutions? Senator Klobuchar. They know who they are. The Chairman. You are from Minnesota. You might as well do it. Senator Klobuchar. Well, like the University of Minnesota, a small Big 10 school, or St. Cloud State. The Chairman. OK. I have heard of it, yes. [Laughter.] Senator Klobuchar. The Golden Gophers. [Laughter.] The Chairman. Mr. 
Gallagher, NIST and your computer security division in particular has taken on the job of establishing some very technical and complex standards over the years. I am not sure everybody on the Committee or elsewhere understands the extreme difficulty of your mission or the scientific rigor with which you approach your standards work. Now, one of the witnesses just made a very important thing when he was talking about seat belts. He said it is one thing to develop seat belts. It is another thing to use them. And that I think trails generally along in this whole conversation. The representative of NAM said we could not support anything where you were required to wear your seat belt, I mean, in allegory terms. And that is troubling because all of you have been hacked into. All of us have been hacked into. I even got so desperate that I got the SEC--and now it is law--to say that every time anybody is hacked into, they have to report that to the SEC and the SEC has to put it on its Web site as a way of informing their shareholders that they better be doing something about this. So the question of doing something about it but then actually finding out what is the best possible standard and somehow adhering to that is not inconsequential. That is not a part of what we are doing here. It is not a part of our bill. But it is something I think we have to keep in mind. Anyway, a lot of your most complex standards are adopted worldwide, like algorithms for search engines. Could you just kind of give me a walk through, before I have to race out of here and to come back, on how do you facilitate with the private sector consensus on standards that are essential like this? How do you get it? Dr. Gallagher. So the NIST role in supporting the technical side of standards setting is really derived from our measurement science roots, and they tend to have two characters to them. In some cases, a standard, a common practice, a desired practice is by its very nature very technical. 
It may be based in science. A good example is encryption where you need an ability to write a code using a public key infrastructure that works and has a certain resistance to attack. The answer to that is actually answered through a lot of mathematics, very complicated mathematics, to take a look and prove that performance. So this is a case where there are technically better answers and worse answers, and the job at NIST is for those scientists and mathematicians to work with the world's experts in these algorithms to look at the features of these codes and to see which ones work. The other type of standard is actually a case where there could be several right answers, let us say, interoperability where in a certain type of transmission standard or data standard there could be one type of file format or another type of file format, and if we do not come to agreement, the systems would not be able to talk to each other and that would be a problem. In that case, it is not that the science or technology is dictating that one answer is necessarily better than the other, and it is more about getting the community of practice, the companies, together and having a discussion about which one we are going to settle on. And in some cases, what that boils down to is how will we know that we are complying with the standard, and that could be a measurement, a test. And what the NIST role will be is supporting the test that works. So it is interesting that---- The Chairman. I am panicking a little bit here. You just used the words ``settle on'' and you used the word ``standard.'' So my question is supposing everybody again being hacked into and lots of them not knowing it, doing something about it, maybe not. You get some big companies or some semi- big companies in there and you are discussing with them what could be the best approach for them. And they come very close to agreeing with each other but do not entirely agree with each other. 
There is a scientific sort of a miscommunication of some sort or a difference of opinion. How do you resolve that if you want to see this put in practice? Dr. Gallagher. So the most straightforward way to resolve that is through a test. So I think the point that you care about in this case is the overall security performance of that system is what matters. And so what you want to do is have a testable level of performance. So in the middle of this discussion between companies, if they have different options about how to achieve that performance, the role of NIST will often be in finding out which one works better and then coming up with a test, a rigorous test that can be used to demonstrate that the standard works. And that is often what our role is in supporting that type of activity. The Chairman. What do you do if one test works and the other company's test does not work but they both think that is what they should be doing? Dr. Gallagher. It depends on the use. So if the standard is completely commercial, if this is a VHS versus BetaMax discussion and there is no public consequence, we may not do anything. Most standards in this country are in the private sector. That is what the National Technology Transfer and Advancement Act tells us to do is depend on that private sector infrastructure. But if the performance is safety or security or something where there is a strong public sector interest, then in fact we do not have to adopt it. We do not have to use it. We do not have to recognize it. And that is one of the reasons why it is so important in these efforts, particularly in something like cybersecurity, that the public sector agencies, Federal, State, and local, are participating in this process because there is clearly a public interest here in the integrity of these systems. They would not be critical infrastructure otherwise. The Chairman. OK. I have got 3 minutes to go 10 minutes. 
So I am just going to sort of recess this for a moment, and then I will be right back. And John Thune will be right back. So we are in recess. [Recess.] Senator Thune [presiding]. The hearing will reconvene. That was a very short break. I got a feeling you guys did not get an opportunity to do much during that break. But we will try and keep it rolling so we can keep this thing on schedule and wrap up at a reasonable hour. But we do appreciate your indulgence and patience around what inevitably happens here in terms of votes. I will direct this to you, Mr. Gallagher. I want to commend you for NIST's efforts thus far in working collaboratively with industry to address the cyber threat. We have received positive feedback from industry regarding the workshops that you have hosted and the transparency of your process. The legislation that Chairman Rockefeller and I have introduced authorizes NIST on an ongoing basis to facilitate and support the development of an industry-led and voluntary set of standards to improve security, as we mentioned in the opening statements. In your testimony today and previously, you have also stressed the importance of the process being industry-led. And I am wondering if perhaps you could elaborate on why an industry-led process will be successful and create, in the end, a better product. Dr. Gallagher. So thank you. I think there are three major reasons why the industry leadership is essential. The first one Art Coviello actually touched on in his opening statement, which is the know-how and the capacity are largely in industry, and embracing that is the best way to have an agile process that in fact keeps up with this technology. It is evolving very, very quickly. The other reason is that having an industry-led process vastly increases the chances that the answer is compatible with business. 
And since the goal here is to put this into use-- having a standard on a shelf is not going to help anyone--then the more we can align these practices with good business practices, the types of risk management that companies do anyway, the better off this will work. And the third reason is it can operate at the scale of markets. The Internet information technology is global, and if this is a Government-led effort, the answer we come up with is not going to be acceptable around the world probably because it was Government developed. But if industry develops it, it can be internationally used and it can harmonize efforts across markets all around the globe. And so I think from a trade and competitiveness perspective, the technologies, the solutions, the software work around the world, and that is something that would not happen unless industry led the effort. Senator Thune. And could you describe a little bit how you are working with industry stakeholders to ensure that the framework that you are developing with industry will be flexible, performance-based, and also cost effective? Dr. Gallagher. So we are working as aggressively as we can to pull in existing practices where many of those features have been demonstrated already. And the issue of scalability--that almost forces you to have a performance-based system because the things you do in a very large, multinational corporation are going to be very different than the things you would do in a company with 5 to 10 employees. But the types of things, the performance you are trying to achieve in fact had the same goals. And the other thing that I think is quite interesting with the evolving framework is that in addition to embracing sort of risk management--in other words, this is as much about what you do as it is about the specific technical controls or things that you do to protect systems. 
The other thing that is coming up is implementation levels, in other words, a maturity model, the notion that your thinking evolves. In the very beginning of the process, if you do not have a lot of experience, you may have a very rule-based or control-based scheme where these are the top things I am going to do. These are the core behaviors we are going to enforce within our company. We are going to check passwords. But as you evolve, in fact, what happens is almost a security culture takes hold. It is about continuous improvement. It is about having the capacity to look at what is happening in your system to adjust to that, and it becomes much less about a rule following type culture and more about a continuous improvement. And that is being incorporated into this framework, which I think will really support implementation because it tells a company at the beginning of the process what they need to do and that is a different set of things than a very mature company would be looking at. Senator Thune. Let me just direct this question, if I can, to our industry witnesses. And I will repeat what I said. The feedback in terms of the NIST process under the EO has been generally positive. And I am curious to know what has been your involvement or your sector's involvement in the NIST process and if there is anything that you could suggest to the Committee or to NIST, for that matter, to improve that process. Mr. Coviello. I would be happy to start, Senator. First and foremost, to your point about it being industry- led, just to give you an idea of the resources that can be brought to bear, RSA hosts the largest security conference in the world. We have over 300 vendors that come to our conference every year. So you think about the scale of capability from 300 vendors that attend our conference to have an impact in terms of developing this framework with the latest and greatest, most innovative technologies. 
I would also add I have never seen a period where there was more investment from venture capital and others in the space, because it is such a tough problem to solve. So you have got that weight of knowledge. Combined with that, you have the vertical industry knowledge of their being able to evaluate the risk in their environments, how to go about implementing the right technologies in a fashion that gives you true defense and depth. Now, on the other side of the equation, you have NIST, which has an excellent technical capability, bringing together those resources and drawing the best of it to build that framework and not doing it in a vacuum, but doing it collaboratively with both industry verticals as well as the technology companies that provide the solutions. So this bill I think is so important because it sets the right direction to get the best results. As to your specific question, RSA has already been working with NIST to help develop this framework. We have expertise in the areas of identity management, in big data security analytics, in encryption technology, and in building out the framework. We bring our expertise in these specific technology areas to NIST and to the body of work that is being done. Senator Thune. Mr. Clancy? Mr. Clancy. I would add to that--and I pretty much agree with all the things that Art said--that the financial sector is very invested in this process for two reasons. One, we want to make sure there is a good and productive outcome and, two, because we want to improve the capability of the other infrastructures that we depend on. And I think the key--and I mentioned this in my testimony-- is this stuff for us has to be grounded in the real world. One of the challenges with some of the standards process, not so much the way that NIST works, but other organizations is they have people who are professional developers of standards who do not live in the real world. 
And so from the financial sector, we had to invest our experts who know this space because we want to get productive outcomes. And NIST has been very good at taking that input from our expertise and others they have brought to bear because we want this framework to work because we want to use it to improve our cybersecurity and improve the maturity--that was another thing that was mentioned--the maturity scale of the various players in the industry. So you have large institutions operating on large scales like mine that need to be very mature. We also have a lot of small institutions who do not actually run most of their own infrastructure. We need to get the service providers that provide them the capabilities to have this level of maturity to protect the sector overall and the Nation's critical infrastructure. The Chairman. Ms. Coleman? Ms. Coleman. Senator, from the NAM point of view, this issue, cybersecurity, has become increasingly important, and it has moved up the corporate ladder, so to speak, and it is now a boardroom issue for many of our members. A lot of our members are participating in the NIST forum and find these discussions very helpful and want to see the process continue. And I think from our perspective, the fact that we are talking about industry-led, voluntary standards in a public/private partnership are really key to our support. Senator Thune. Thank you. I am well over my time, and I would be happy to yield to my colleague and neighbor from the State of Nebraska for any questions she might have. STATEMENT OF HON. DEB FISCHER, U.S. SENATOR FROM NEBRASKA Senator Fischer. Thank you, Senator Thune, and thank all of you for being here today. I appreciate it. Mr. Gallagher, how will the NIST framework relate to DHS's implementation program? Dr. Gallagher. Well, we hope that the implementation program that DHS adopts is all about promoting adoption of this framework. This is industry's work. 
We think industry will come up with something that is quite effective. And the purpose of that program should be to support those companies adopting it making it useful, whether that is through education, and the incentives and other activities in the program. Senator Fischer. Will NIST have any input into that process? Dr. Gallagher. Yes. It has been a very collaborative activity already, both on the performance goals of the program--we have been working extremely closely with DHS. I have a weekly call with them, and at the working level, I think it is daily. That is also true on the implementation, and it is also true in the framework process because the framework process needs to be designed from the perspective of being implemented. So a lot of this discussion is already being done not just between the two agencies but in the broader effort as well. Senator Fischer. And I know that NIST has worked with private industry quite a bit on this. Is that correct? Dr. Gallagher. That is correct. Senator Fischer. And do you believe there are some essential elements in there that need to be included to make this a success? Dr. Gallagher. In terms of any particular area, it is actually a long list of areas that have been talked about. In fact, a big part of the framework effort is just organizing those areas into a structure and a language that everyone can collaborate under. So it talks about identification of threats. It talks about protection. It talks about response capability and recovery. And there are key activities in all of those areas. So they are all important. I think the proof in the pudding here is when you put this all into practice, does it make a difference in the overall performance of this very complicated system that is comprised of technology people and processes. Senator Fischer. Do you see any specific issues that need to be prioritized within that framework? What would you suggest? Dr. Gallagher. 
Well, we have actually turned the question around to the industry that is putting this together. So this is an industry-led effort. This is really their document. That is for us a key measure of the success. I think that the initial framework will have sort of two characteristics. One will be a body of existing work, existing best practice that has come out of all the participating companies that become a common set of practices. The other thing that I expect to see in the framework is a set of areas that are gaps that everyone agrees needs to be addressed, but there may not be a body of existing best practices to implement. And so the final framework will have two pieces to it: a set of best practices and I think a road map for improvement. And that is one of the reasons why the framework process cannot be a once-through. It is really important then to turn back and start working on those gap areas and use it as a road map for continuous improvement because this technology is just that dynamic. Senator Fischer. The framework is due in October. Is that correct? Dr. Gallagher. That is correct. Senator Fischer. You said there will be gaps. So do you anticipate that there is going to be something written into this to acknowledge that there will be gaps and that it needs to be updated and filled in as those become more, I guess, recognized as time moves on and what is needed and working with the industry and hopefully continuing to listen to their input? Dr. Gallagher. So an explicit part of the ongoing process has been identifying areas where there is broad consensus that it is a critical area but maybe that the actual technical standards that would form the basis of a response are not considered sufficiently mature. And so that is already happening. And I think the framework needs to be an honest document, and I think it needs to showcase those areas. And if it generates a prioritization--remember, you have got all of these companies working across the sectors. 
If they can agree that this is a priority to address, I think that is a very powerful outcome of the framework itself. Senator Fischer. So we all like to talk about being flexible and having flexibility no matter what the topic. In this case, then you would certainly encourage that there would be flexibility with regard to this? Dr. Gallagher. I actually would go further. I would say this cannot work if there is not flexibility. The threat environment that is facing and the pace of technological change is so rapid that there has to be a dynamic environment--that is really the goal of embracing industry. It knows how to keep up with this. And that is why it is so important that they take this process and take it to scale so that it keeps up. Senator Fischer. Thank you very much. Thank you, Senator. Senator Thune. I thank the Senator from Nebraska. The Senator from Massachusetts, Senator Markey? STATEMENT OF HON. EDWARD MARKEY, U.S. SENATOR FROM MASSACHUSETTS Senator Markey. Thank you very much. I appreciate it. Mr. Coviello, good to see you again. Welcome. Mr. Coviello. Thank you, Senator. Senator Markey. You are a preeminent leader in the cybersecurity field, and I have always appreciated your insights and we are fortunate to have you here with us today. From Hanscom to all of the companies up in Massachusetts led by EMC, we are a leader from Massachusetts on the issue of cybersecurity, and I thank you for all the work that you have done. When we talk about this issue, the electricity grid comes to mind. And back in 2010, I was able to author with Fred Upton a piece of legislation, informed by expert testimony from our national security experts, to put in place a set of protective policies so that our electricity grid would be difficult to attack successfully. As we all know, Thomas Alva Edison would recognize our electricity grid today. It has not been modernized the way our telecommunications system has been modernized since the 1996 Telecommunications Act. 
It just has not seen the kind of change. So my question to you is since so many experts felt that the electricity grid was so vulnerable--and that can cause catastrophic damage because that affects every industry not just one--what is your feeling about that in terms of the vulnerability of the electricity system, the grid in our country today? Mr. Coviello, Mr. Gallagher, whoever? Mr. Coviello. I will be happy to start, Senator. And thank you for your kind remarks. As I think Chairman Rockefeller pointed out, there is no industry and no part of our critical infrastructure that is not in some form or fashion vulnerable to cyber attack. And why we are so positive on this legislation is the fact that it calls for industry, including the public utility industry, to bring forward their ideas on how to understand and evaluate risk and how to implement not only policies but technology to mitigate that risk. And that includes the use of technology. What we need to do, and what should be part of this framework, is to develop a system that allows us to not just try to prevent intrusions--because they will occur, they will inevitably occur--but to be able to detect them more quickly and respond quickly enough to mitigate any potential harm. Senator Markey. Can I just ask you a question? Mr. Coviello. Sure. Senator Markey. Because my time is going to run out here. I released a report about 2 months ago on the electric grid's vulnerability to a cyber attack, and about 100 utilities responded to Mr. Waxman and myself. What their responses revealed was that there is ongoing attempts to go after our electricity grid. 
But the responses revealed something else which is that the utilities were almost all fully compliant with the mandatory standards that the industry develops and the Federal Energy Regulatory Commission enforces but none of them reported compliance with the voluntary recommendations made by the North American Electricity Reliability Corporation, an industry group that develops these measures. So I know that the utility sector is not the same as the industrial sectors that we are talking about today, but the utilities are already subject to mandatory reliability standards, and keeping the lights on in the face of a cyber attack is fundamental reliability. So I would be interested in your views on this tension between carrots and sticks because it is pretty clear that in the utility sector, they do not respond to voluntary, only to mandatory. Could you give me your insight in terms of what you think we have to put on the books to get that kind of a response? Mr. Coviello. Well, again, I think the bill that is before this committee--I do think is the right approach. I think you would have to speak directly to them about their ability to volunteer. But I think, again, what we are trying to accomplish here is to give them the means and the capability in the form of this framework to be able to defend themselves. And I cannot emphasize enough the fact that the technology is moving so quickly that having a framework that is flexible and adaptable that keeps pace with not only the threat, but the expansion of the attack surfaces is going to be critically important. I will also state that the problem is likely to get worse before it gets better. As we create what we call the ``Internet of things''--in other words connecting more and more physical devices to the Internet--then the attack surface is going to expand even more dramatically. And we have to have capability to address that. 
So my role here today is to comment on this legislation and how effective I think it would be in giving the private sector the means to protect the critical infrastructure. And I think it is the right path. Senator Markey. Do you see any additional incentives that we could include to encourage adoption of voluntary standards? Mr. Coviello. I think that there could be other considerations. I cannot, off the top of my head, give you examples today, but it would be something that you could consider. Senator Markey. So in other words, a backup capacity. So we have learned that the electric utility industry does not, in fact, implement voluntary standards, only the mandatory. So would you support some backup standard that if there was no compliance and it has been identified as a critical area that needs protection, that there has to then be some mechanism to ensure that there is an adoption? Mr. Coviello. Well, again, I do not speak specifically for the industry, but I think if they were given the right framework--and that is what we are attempting to do with the executive order and with this bill--I think it will go a long way to having them see the light to adopt this framework. Senator Markey. But if there is no adoption, in other words, should there be--because of the critical nature of this threat to our country, should there be a mechanism to ensure that there is compliance because we are only passing this because we have identified a threat? Mr. Coviello. Well, it is always in the purview of Government to do what is right in the public interest. So under that scenario, I would not rule anything out. Senator Markey. OK. Mr. Chairman, thank you. I appreciate it. The Chairman [presiding]. Thank you, Senator Markey. I understand exactly what your thrust is there. I have to say as chairman, I share some of that, but that is not actually within our jurisdiction and we have to sort of live with that. I mean, this is the voluntary, working with industry. 
The questions you asked are completely understandable and I think in the long run necessary, but that is what Homeland Security does.

Senator Markey. I see.

The Chairman. You see?

Senator Markey. I was operating under the misimpression that you were chairman over everything that comes under the purview of private commerce in the United States.

[Laughter.]

Senator Thune. I would say to the Senator from Massachusetts the Chairman likes people to think that.

[Laughter.]

Senator Markey. Thank you, Mr. Chairman.

The Chairman. Oh my God.

[Laughter.]

The Chairman. Dr. Gallagher, you negotiate with world groups on standards. So now, we have been talking here about-- let us say we have got standards on American cybersecurity and what do we do about all of that. You negotiate with world organizations, and you do it over the same kind of thing. What do you do when you arrive at differences, substantial differences? If you do not understand my question----

Dr. Gallagher. I think so.

The Chairman.--please say so and I will try again.

Dr. Gallagher. So the international standards process is actually one where NIST does not represent the United States. Again, since we have an industry-based standard setting process in this country, our presence in international standard setting is set by those private sector standards organizations. What we try to do is facilitate that process. And a lot of that has to do with making sure that the best technical answer is supported. You know, we would prefer effective standards over ineffective standards. But I have to say the most effective role in international standard setting is the role of companies, particularly international companies, because they have a stake already in these multiple areas. And in fact, it is that desire to have as common a market as possible that is a big influence in those areas.
So the key to international standard setting--it is always a complex issue--is participation, and it is one of the reasons why I think this framework process is so important. By coming together and developing a common set of practices, we will shape what international standards look like. That tyranny of the first draft and shaping what this looks like really matter. And I think we already see signs of other countries, other areas. Whether they are going to be voluntary or whether those countries decide to go into a regulatory approach, they are already interested in basing whatever they do on what is already happening here in this framework process. And I think that is a good thing because the more we get common behavior and common practices, the more compatible this enterprise is with the way business works.

The Chairman. In a sense what we are doing is we are asking you to develop standards that are effective standards that will really improve our country's cybersecurity in a voluntary fashion. We are not asking you for window dressing or for a proposal to make every single stakeholder happy. That was sort of a dumb last sentence. But it is a very big responsibility because you want to be effective. You do not want to be sort of a United Nations between competing ideas and people come to this point and then they stop, so they cannot close, so they do not do. Are you and the rest of the NIST staff committed to the goal of developing effective standards, and how would you answer that differently than I asked you a previous question? How do you come to agreement? The word ``effective,'' as Senator Markey indicates, is important.

Dr. Gallagher. I think it is absolutely critical. The way I think about this question is we are talking about a set of activities owned and operated by the private sector that if they were to fail through a cyber attack would have catastrophic impact to the country.
That is the definition of critical infrastructure that is in the Executive Order. So there is clearly a national interest in that not happening. And so effectiveness is actually the starting point. This has got to work. I think the position we take is that if we can make this work, working through industry in a market-centric way, in a way that adapts all of the capacity they have, all of the adaptability they have and aligns with business practice--and that is an ``if.'' If that works, that is the best answer because it can scale internationally. It can keep up with the technology, and there is this little sort of counter-market things that we have to do. If it does not work, I think the question before Congress will be what do we do about that because you still have a national impact. So the position of NIST has been this has got to be effective. It has got to address lowering the overall risk of these types of failures. And it has to be measured by being put into practice and it has to continually get better because both the threats are going up and the technology is changing, and the nature of the vulnerabilities are shifting. So it has to be continuous.

The Chairman. Yes. Senator Thune, can I ask one more question?

Senator Thune. Yes, sir.

The Chairman. OK, because I am over my time limit. I mentioned before that because you could not get anything done in legislation--we were not getting anything done in legislation and that this in fact--even national security--I mean, so much braid and stars you cannot even believe it. Masses of it, acres of it begging us to pass legislation that will make cybersecurity attacks much more hard or that we can stop them. Now, you suggested one way, but you did not suggest it in the way I am going to say it. But if you have a catastrophic attack, it is sort of like a 9/11 effect. People perk up and say, oh, gee, we should have prevented that. And then we pass, to the everlasting shame of the U.S. Congress, a bill.
The first thing we did after 9/11 was pass a bill which allowed the FBI and the CIA to talk to each other. I voted for the bill and then I went and blushed. I mean, it was so embarrassing we would have to do that. But that is the way it is. People do not talk to each other. They do not talk. There are stovepipes in Government, stovepipes in industry, people not wanting to get an advantage taken of them. So I came up with this idea--Mary Schapiro was in charge at the time at the SEC--in two areas. In the matter of hacking, that the companies by definition are probably not going to say, hey, guess what, we were hacked and then send that announcement out to all their shareholders. But in an era of transparency and for the betterment of that company, their shareholders have a right, I would think, to know that their company had been hacked into. I wrote to Mary Schapiro and asked her to work on this. And it works. Now people are starting to report. Shareholders are seeing. I did the same thing with coal mines. You cannot get coal mine safety legislation through this Congress with a red State. It just will not happen. Extremely frustrating. And then you live in a coal State and you see people getting killed. And, you know, coal companies like others are sort of distant and hidden and they have their own world, their own ways. And so I got her to do the same thing. If you had a coal mine accident, you were required to report that on the SEC website. And I am not saying it had a startling effect, but it had a good effect because people, in a sense, in a raw way that did not require law, were informing their shareholders that safety problems were extant and no more than that. No more authority to do anything than that, just transparency, which I think we generally are trying to believe in. Now, I do not know how to make a question out of what I just told you. But I think you understand what I am saying.
I am implying that companies sometimes have to be caused to do what they would really want to do. But I do not want the people of West Virginia to know bad things about me, which of course do not exist.

[Laughter.]

The Chairman. But should they, I do not want them to know about it. Right? Senator Thune is the same way. Well, he is more perfect.

[Laughter.]

The Chairman. But you understand what I am saying. I mean, this is a serious problem that we are getting at, and we have unclear jurisdiction over it, just like I told the Senator. But my mind just forces me to put that question to you.

Dr. Gallagher. So I certainly appreciate the important role that disclosure has in this environment, but since I am not an expert on those types of incentives, let me answer the question a little bit more generally. You are exactly right that this will not do any good if it is not put into practice. And so the crux of the issue--and I think this will be--and the administration believes this is going to be the essence of the discussion we want to have with Congress as this unfolds. As the framework is put into practice, what are the reasons why it does not go into practice? Is it the motivation of the boards? Is it business-to-business transactions, where there are barriers to information in transactions? There are dependencies between companies as well. There are dependencies between the private and public sector. I believe that there is a lot of self-interest to doing this well. I think that these technology systems actually cut right to the heart of the competitiveness and viability of the companies themselves. So I think a lot of self-interest is already there. But the extent to which we identify friction, that really should be what informs all of the subsequent discussion about incentives. And our view is that this will become very natural as we start to implement the framework, and it really becomes about an implementation question.

The Chairman. Peer pressure evolves in various ways. Is that what you are saying?

Dr. Gallagher. Yes.

The Chairman. OK. Senator Thune.

Senator Thune. Mr. Chairman, I just appreciate very much the testimony of these folks today, and I think that it helps inform our process going forward. And I guess if there is a takeaway for me--and perhaps if you all want to, just in the form of a closing comment--is that the only way that this works is if the framework really is good business and makes sense. So that is kind of what I have derived from what I have heard you say today. I think that our bill is headed in the right direction based on what I have heard you say today. And there are other committees, as the Chairman said, that have other jurisdictions who will have to be heard from on this. And we hope that the work that they do can complement what we have done here. But we appreciate very much your being here, and if anybody has anything they would like to close with--it is just down to us. But thank you so much for your time and for your expertise.

The Chairman. Any closing thoughts?

Mr. Clancy. So, again, I would like to thank you for having this hearing. I look at this as an important first step. There are more steps to follow. And I think, Chairman Rockefeller, what you were getting at in terms of disclosure is a way to inform the debate about the risks that we face. The other side of that equation, as I mentioned earlier in my testimony, is around information sharing. And I think there is work for other committees in the Senate to push that forward. And the two together will be stronger than either one of those things on their own. And I thank you again for the opportunity to speak on behalf of the American Bankers Association, the Financial Services Roundtable, and the Securities Industry and Financial Markets Association. Thank you.

The Chairman. Thank you. Ma'am, do you have anything?

Ms. Coleman. Yes.
Just in conclusion, I just want to reiterate that the NAM supports your legislation as introduced. We certainly very much appreciate the industry-led, voluntary standards nonregulatory approach and the public partnership that is incorporated into the legislation. And we look forward to working with you to advance this legislation. And thank you for the opportunity to testify today.

The Chairman. Thank you. Now, I want to point out that Senator Thune, who is a smooth operator, just almost took the legs out from under me there in sort of bringing this to a close because Senator Richard Blumenthal aggressively approached me on the Senate floor on an absolutely ridiculous vote--absolutely ridiculous vote, but it was very close so it was not ridiculous--and said that he was going to be here in 2 or 3 minutes and I am so informed. So it is a question of your tolerance of the whole concept of the legislative branch of Government, if you can stand it for 2 more minutes. He is very, very smart. He was Attorney General of Connecticut for 29 years. And he wants to be here. And so if you are willing to stay, he would be very happy and I would be very happy. I mean, 2 minutes. I mean, you can handle that. You are all young.

Mr. Coviello. Mr. Chairman, I did not get an opportunity to make a closing comment. So maybe I can bridge the gap a little bit here while we are waiting.

The Chairman. OK.

Mr. Coviello. So, first of all, RSA was attacked in 2011 by two separate advanced persistent threat groups that we believe to have come from a nation state. Without the requirement of SEC disclosure, because it had not been put through as yet, our parent company, EMC, once we realized we had a loss, which was within hours of the actual exfiltration of information, we filed an 8-K report to the SEC. I also wrote an open letter to all of our customers informing them, as we had a moral obligation.
So we take no credit for doing the right, moral thing to inform our customers that because of our breach, that they might have been in danger. As a result not only of our internal capability to see the attack and being a whisker from stopping it altogether, we were able to give remedial advice to our customers. And as a result, no customer suffered a loss as a result of our breach. The point I guess I would like to make is that, first and foremost, focusing on outcomes should be an important element of our cybersecurity strategy. I think Senate bill 1386 in California about notification of breaches of personally identifiable information has caused a significant shift in how the retail industry approaches cyber. But it is not about regulating specific action about how industries go about protecting themselves. If you focused on an outcome, very often you will get industry to do the right thing. I think your legislation is very important because it gives industry the tool to do that right thing. And I think this is a tremendous start. And, again, I want to thank you and Ranking Member Thune for your leadership because this is I think a tremendous start and an important element of protecting our critical infrastructure.

The Chairman. Good. And I agree with you incidentally. Please, Senator Blumenthal, get here. I agree with you because it starts with the proper framework. This is not regulatory. NIST is not regulatory. NIST brings people together, public and private. It has been brilliantly successful at that. One of the most agencies in all of the Federal Government. So it puts that forward as the ideal. In that we are going to, hopefully, get our bill passed, it will allow that to proceed. But you are probably already proceeding on that. Are you not?

Dr. Gallagher. Yes. We are proceeding under the framework. But from our perspective, we also appreciate this bill because it clarifies what are existing, but very broad authorities to do this.
And in particular in light of the fact that we believe this effort needs to be ongoing and continuous, that clarification support I think is very helpful in helping to ensure that this evolves toward an industry-led program that has these features we have talked about of being agile and keeping up.

The Chairman. Our prayers have been answered and the good Senator from Connecticut has arrived.

STATEMENT OF HON. RICHARD BLUMENTHAL, U.S. SENATOR FROM CONNECTICUT

Senator Blumenthal. Thank you, Mr. Chairman. I am going to tell my wife that she can say that when I come home tonight whether she thinks it or not.

[Laughter.]

Senator Blumenthal. But thank you very much for giving me this opportunity--I really appreciate it--on a topic that is supremely important. I just came from the floor and I apologize for anyone who has been delayed. First of all, my thanks to the chairman and the ranking member for remaining committed to finding solutions to this very real and urgent threat. Often when the legislative process fails to function properly or breaks down, people walk away and ignore the problems that still need solving, and that has not happened here fortunately. So I am heartened that the leadership of this committee has found a way to work together, and I want to pledge that I will continue to stay engaged and involved and help in whatever way I can. I continue to be concerned with ensuring that civil liberties and personal privacy are protected and safeguarded throughout this process. My colleague, Senator Markey, has been very much focused on this issue, and I want to thank him for his work on it before he came here. And I am also focused on making sure that we have the right incentives, the proper incentives to ensure that companies are complying with the standards. I have a question that has perplexed me as a representative of a State which has some of the greatest companies in the world.
Under Secretary Gallagher, why has the market not better dealt with the cybersecurity threat? During the financial crash, we learned about systematic risk and banks that believe they were too big to fail, to use a somewhat hackneyed, overused term. Do you think the infrastructure companies believe that the Federal Government will bail them out in the event of a catastrophe? Is that why they are not taking steps on their own?

Dr. Gallagher. So I would actually start by challenging the premise a little bit. I think the evidence that I have observed with companies from the various sectors coming into the process is that in fact there is a lot of actually quite outstanding activity going on. The financial services sector is a good example of one which has been under extreme duress with extremely high levels of targeted attacks to that sector and yet has really been quite good at working across company lines, sharing technical information, working with Internet service providers, working with the public sector in crafting and adapting to that pretty dynamic response.

Senator Blumenthal. And I apologize, first, for interrupting you, second, because my question was unclear. I was really talking about insurance. I come from a State that has been engaged in trying to combat the cyber threat. I have talked to a number of the CEO's and lower ranking executives about their concern. But insurance does not seem to be a commonly used option. And in the normal situation in the marketplace, insurance would be a measure of how grave the threat is, everything from hurricanes and flooding to theft to--well, I do not need to tell you. Why not in this area?

Dr. Gallagher. So I apologize for----

Senator Blumenthal. No. It was my----

Dr. Gallagher. So I think you are right. Certainly one of the incentive discussions is around insurance and why that market--what could be done to develop that. One of the possible reasons has to do with the fact that you need to monetize the risk.
And so this comes down to measuring and understanding and sort of developing an actuarial basis where this risk can be sort of embedded in the market. This discussion has come up actually quite frequently in the framework process, and I think as part of the metrics discussion, this is something that is being looked at as something that would be quite helpful.

Senator Blumenthal. And why has it not happened? The threat has been here. And I invite any of the other panelists to weigh in. But the threat has been here for well long enough to monetize and do the actuarial accounting. And in fact, in other areas I am familiar with some of the work done on climate disruption and the threat of hurricanes. Actually the insurance companies are very mindful about potential threats of hurricanes in the Northeast which are about as difficult to monetize as I would guess cyber threats are, in fact, more so because we know the cyber threat is there. We know some of the damage that can be caused. So maybe others can enlighten us.

Mr. Coviello. Actually, Senator, I would disagree. I actually think the cyber threat is harder to create an actuarial table or an algorithm around. And the problem is twofold. It is not just the threat environment which continues to escalate every single day in terms of capabilities of the attacker, it is the attack surface. I get asked all the time why can you guys not do a better job. Well, we could do a better job if IT infrastructures were static. They are not. Just think about the following facts. The iPhone did not even exist until 2007. Six years later, we now have full mobile ubiquity. We use very few Web applications to run our businesses as recently as 2005 to 2007. Now a common refrain is ``there is an app for that.'' In another 6 or 7 years, we will be using big data applications to monitor everything about us and the world around us, hopefully for productive reasons.
The amount of digital content being created every year is absolutely astounding. There was a quarter of a zettabyte--and I will explain what a zettabyte is in a moment--of digital content being created in 2007. This year there will be two zettabytes. By 2020, there will be 40 to 60. One zettabyte is the equivalent of 4.9 quadrillion books. That is the amount of content that needs to be sorted through to figure out what exactly needs to be protected, as opposed to what is a picture of your family dog. So the complexity of protecting this fast changing IT environment is overwhelming. That is why this framework is so important. We need a security model that has legs. We need a security model that is future-proof. That model consists of starting with a thorough understanding of risk that is an ongoing process. It includes technologies that can react to facts and circumstances that are not static. It includes a management system that uses capabilities that are only just coming to market now that can spot the faint signal of an attacker. The one thing we have going for us in defending against cyber attacks is, ultimately, the attacker will have to do something anomalous. We are developing the capabilities to be able to spot that in progress. So, again, Senator, as you suggest, it is not a question of whether or if we will be breached. It is our ability to respond and detect the attacks and respond timely enough to quarantine the element of our infrastructure that has been attacked or to prevent the movement of critical information or a transaction.

Mr. Clancy. And if I could add to that. As you know, insurance at its core is about risk transfer. So I transfer the risk that I have to somebody else who can absorb the risk. And in order to do that, you have to have two things. You have to have an understanding of the risk and the purchaser of the policy and the issuer of the policy both have to be able to value it.
And I would argue that one of the challenges you have particularly in cybersecurity is that many of the people who face the risk do not have a good estimation of what it really means to them and what the consequences could be and the likelihood or frequency of those events occurring. And that is one of the reasons why I believe the information sharing component, which is not addressed in this bill, is another tool in the toolbox to help us understand that risk better. We use cyber risk insurance, but we use that cyber risk insurance at DTCC for the risks that are smaller. The catastrophic risks that we could face if these issues escalate to a point where they become manifest are really beyond the ability of the insurance industry to absorb right now. And so we have to look at making sure that those things do not occur.

Senator Blumenthal. You know, I understand what you have said, and I do not disagree with it, that it is a moving target, so to speak, that it is not a static threat with sort of inert, chess-like moves that are fully visible and are played according to the same rules all the time forever. But that is the nature of insurance to try to look forward and put numbers on risks that may vary and may change over time. So I am still perplexed. I do understand what you are saying, and I wonder, if I can ask a question, whether it is the fact that the insurance would be too costly because of the factors that you mentioned or because the insurers simply do not want to be in that market. They just do not want to even be engaged or be involved in offering that product.

Mr. Coviello. Again, Chairman Rockefeller said it at the outset, that almost every agency of the Federal Government says how strategically important the nature of this threat is to the U.S. economy and our defense.
So I would say that over time, if we are as effective as I think we will be, I think we can get to a point where we can reach an equilibrium, where we are not playing the attackers are one up against us and we are trying to catch up and react to the threat, that we are able to develop a system that is resilient enough to not necessarily stop any loss, but to respond quickly enough. And at that point, I think the cost curve will come down sufficiently that you will be able to insure against this problem.

Senator Blumenthal. I think your points are very well made. And in my view, they are great evidence for the need for this legislation.

Mr. Coviello. No question.

Senator Blumenthal. Because here is an area where normally the private sector would say we will take care of it. We know you are the Federal Government and you are here to help, but we can do it on our own. Here the markets, or the insurance market at least, cannot really satisfactorily address the incalculable threats, the magnitude of the harm, and other factors that you have put so well.

Mr. Coviello. Thank you.

Senator Blumenthal. My time has expired, but I want to just say on the issue of privacy and civil liberties that I think that the draft legislation from Senator Rockefeller and Senator Thune includes language that instructs the director of NIST to--and I am quoting--include methodologies to protect individual privacy and civil liberties. I hope if I can direct questions in writing to you on this area, we can get some responses from you. Again, my thanks for being here today. Thank you, Mr. Chairman.

The Chairman. Thank you, Senator Blumenthal. And now I have really got to say a heartfelt thank you for your patience. I mean, we had this incredible sort of Broadway-like performance--an art form of waiting for Senator Blumenthal.

[Laughter.]

The Chairman. And Jay Rockefeller tried to ask an intelligent question and then keeping my ear open to was that door opening or not and you were coming through to save us all. And you did, indeed. But most importantly, I think some of the best testimony came within the last 10 minutes.

Senator Blumenthal. Well, thank you, Mr. Chairman, and thank you for making your rebuke so soft.

[Laughter.]

The Chairman. No, no. All right. With all certainty, this hearing is adjourned.

[Whereupon, at 4:29 p.m., the hearing was adjourned.]

A P P E N D I X

Prepared Statement of Hon. Dan Coats, U.S. Senator from Indiana

Thank you, Mr. Chairman, and let me start by commending you and Senator Thune for your bipartisan leadership on the cybersecurity issue, and by congratulating you on the introduction of S. 1353, the Cybersecurity Act of 2013. In a post-September 11 world, Americans have learned to be more vigilant. We've learned that in a second--the act of one terrorist--or a group of terrorists--can wipe away life as we once knew it and change our world forever. And so since that fateful day in September almost 12 years ago, our Nation has made great strides to be ever more vigilant and more prepared to prevent or respond to another terrorist attack. Local law enforcement, TSA, FBI, Homeland Security and the intelligence community, among many others, must work every second of the day to anticipate, prevent and disrupt potential plots by terrorists. But these threats are changing form. It is not only a potential hijacked plane or a bomb plot that threatens our country; we now face another type of warfare that could have a deep and widespread impact on Americans--a cyber attack. As a member of the Senate Intelligence Committee, Senate Commerce Committee and Ranking Member of the Senate Appropriations Subcommittee on Homeland Security, I know that the threat of a cyber attack is real and far-reaching.
A major attack on our cyber systems could shut down the critical infrastructure that allows us to run our economy and protect the safety of Americans--transportation and financial systems, communications systems, electric grids, power plants, water treatment centers and refineries. The threat of a cyber attack is growing, but neither industry nor government alone can broadly improve our nation's cybersecurity. This potentially devastating vulnerability requires all stakeholders to work together to develop an enduring legislative solution. Protecting Americans from cyber attacks should not be a partisan issue. That is why I believe it is imperative that Congress pass cybersecurity legislation this year given the grave threat of these attacks against our government and key sectors of our economy. An Executive Order from the White House simply cannot provide the statutory authorities and protections needed to address the serious danger posed by cyber attacks. The Commerce Committee will have the opportunity soon to set the tone for the cybersecurity debate by moving the ball forward in a business friendly, bipartisan way by passing the Cybersecurity Act of 2013. Although only a narrow approach, this legislation is a good step in the right direction. It strikes the appropriate balance and preserves the private sector's leadership in the development of innovative technologies to respond to cybersecurity threats. Bipartisan support for this legislation provides a path forward and sets an example for the other relevant committees. I am confident, for instance, that the Chair and Vice Chair of the Intelligence Committee will soon finish work on legislation to break down legal barriers and incentivize information sharing, an essential component of improved cybersecurity. There is broad, bipartisan consensus on the Committee to do just that, and I trust the leadership and flexibility demonstrated by Senator Rockefeller will be repeated by Senator Feinstein. 
This legislation also provides the Senate Majority Leader guidance on how NOT to repeat the mistakes of last Congress. We really hit a low point last summer when the Senate Majority Leader rushed a cybersecurity bill to the floor under strained circumstances. One-fifth of the U.S. Senate--both Republicans and Democrats--met every day for nearly two weeks to iron out our differences on cybersecurity legislation. And with the active participation of 20 Senators representing both parties and key committees of jurisdiction, we came close. Several Republican and Democratic Senators had an understanding on how to best move forward on cybersecurity, and a shared commitment to work through last August toward a compromise legislation that could pass the support of both parties. This agreement was important because throughout the consideration of this bill, the Majority Leader circumvented the legislative process and refused to allow any amendments. Unfortunately, rather than allowing the process to advance and amendments to be considered, the Majority Leader and the White House shut down debate, forced a vote they knew they would lose and blamed Republicans for the failure. This was completely disingenuous and poisoned the well last year for progress on this critical national security issue. The Senate should address cybersecurity this year, but not in the ``take it or leave it'' manner the Majority Leader has pursued in the past. Instead, it should be done in a manner that ensures our security, encourages the voluntary participation of the most innovative aspects of the private sector and the government, and does not harm our economy. This legislation starts us down that path. As a member of the Senate Commerce Committee and the Senate Intelligence Committee, I remain committed to working on legislation that strikes the right balance between strengthening security and respecting the privacy rights of Americans. The responsibility falls on all of us. 
We know this threat is ongoing and real. We know we need to act. We must cast aside partisanship and put the security of our country above political expediency.

______

Response to Written Questions Submitted by Hon. Mark Warner to Dr. Patrick D. Gallagher

Question 1. On February 13, 2013, President Obama signed Executive Order 13636, ``Improving Critical Infrastructure Cybersecurity,'' and the White House released a related Presidential Policy Directive (PPD-21), both of which work to strengthen the cybersecurity of critical infrastructure in the U.S. The Executive Order directed NIST to work with industry and develop the Cybersecurity Framework, and the Department of Homeland Security (DHS) to establish performance goals. DHS, in collaboration with sector-specific agencies, is charged with supporting the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and other interested entities through a voluntary program. Legislation recently introduced by Senators Rockefeller and Thune reinforces these executive directions, tasking the National Institute of Standards and Technology (NIST), in coordination with the industry, with developing a set of standards and best practices to reduce cyber risks to critical infrastructure. What does NIST see as the biggest challenge in developing standards for sectors in cybersecurity? Is each sector progressing to meet the targets outlined in the President's timeline, and if not, which sectors are most at risk?

Answer. NIST did not develop standards as part of its work under Executive Order 13636. Rather, NIST was directed in the Executive Order to work collaboratively with stakeholders to develop a voluntary framework--based on existing standards, guidelines, and practices--for reducing cybersecurity risks to critical infrastructure.
As part of the framework development process, NIST sought public input to develop a compendium of existing sector-independent and sector-specific standards, guidelines, practices, and other informative references to assist with cybersecurity implementations. The Executive Order specified that adoption of the Cybersecurity Framework is voluntary. As such, NIST is not working to assess sector progress. However, NIST is working collaboratively with the Department of Homeland Security to promote wide adoption. Section 9 of the Executive Order directed the Department of Homeland Security (DHS), in consultation with sector-specific agencies, to identify critical infrastructure at greatest risk. DHS would be pleased to provide a briefing on the entities identified through implementation of Executive Order 13636.

Question 2. The standards and best practices developed through this process, as outlined by the Executive Branch and Senators Rockefeller and Thune, must be voluntary. Do you agree that the standards set by NIST should be voluntary? If not, please explain why.

Answer. NIST agrees that use of the Cybersecurity Framework and any associated Standards should be voluntary.

Question 3. How will these voluntary standards be implemented? For covered industries that already have a regulator, how does NIST assess the progress of their efforts to create standards for those sectors?

Answer. The Cybersecurity Framework will identify areas for improvement that should be addressed through future collaboration with particular sectors and standards developing organizations. As part of this process, NIST will continue to work with industries and sectors in existing standards developing organizations to address any identified needed areas. Because implementation of the Framework is voluntary, the process by which standards may be adopted by participants will vary. The Framework is intended to be a resource, not a regulation.
Sector-Specific Agencies coordinate with the Sector Coordinating Councils to review the Cybersecurity Framework and, if appropriate, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments.

Question 4. How has NIST increased staffing and experience to be able to handle a large and complex project? Have government furloughs due to sequester delayed the timeline or made it more difficult to achieve the intended result?

Answer. NIST has achieved the objectives and goals assigned in the Executive Order. NIST is continuing to work with the private sector to evolve future framework versions and ways to identify and address key areas for cybersecurity development, alignment and collaboration.

Question 5. While the actions of the Executive Branch are a step in the right direction, there are still regulatory gaps that leave our Nation vulnerable to cyberattacks. Do you believe that the Cybersecurity Act of 2013 (S. 1353), recently introduced by Senators Rockefeller and Thune, is effective in filling these gaps? If not, what are your recommendations for legislative action that should be taken to strengthen America's cybersecurity?

Answer. NIST is encouraged by the attention, interest, and concern within both the executive and legislative branches of government to address pressing cybersecurity challenges.

Question 6. NIST's initial steps towards implementing the Executive Order included issuing a Request for Information (RFI) this past February to gather relevant input from industry and other stakeholders, and asking stakeholders to participate in the Cybersecurity Framework process. Given the diversity of sectors in critical infrastructure, the initial efforts are designed to help identify existing cross-sector security standards and guidelines that are applicable to critical infrastructure. How will NIST ensure that we are working across sectors to promote information sharing?
I know that you held a workshop, but will there be some type of clearinghouse where information sharing can take place across sectors?

Answer. NIST works with Federal agencies and private sector companies to develop underlying standards and best practices that are used to support a wide array of information sharing activities. These standards and best practices are a fundamental component of providing interoperability between organizations, allowing for rapid and accurate sharing of information between government and industry, and industry to industry. The collaborative development approach ensures that the needs of all sectors are adequately addressed, leading to an information sharing ecosystem that benefits all organizations.

Question 7. The Department of Defense (DoD) has led a successful voluntary information sharing program that allows participating entities to gain access to cybersecurity solutions. Has NIST engaged DoD and other agencies in the National Security space to gain lessons learned to implement during their establishment of voluntary standards?

Answer. NIST works with the Department of Defense and other Federal agencies to share information, experiences, and lessons learned relating to the development of and use of voluntary standards.

Question 8. As NIST is contemplating a new cybersecurity framework for all critical infrastructure industries, the energy sector has significant questions about how this will be implemented. Cybersecurity in the power sector has been regulated by the North American Electric Reliability Corporation (NERC) for a long time. NERC administers Critical Infrastructure Protection (CIP) Reliability Standards. CIP requires implementation of specific cybersecurity protections, and subjects industry to penalties for noncompliance. Regulators are also trying out new ways of preserving cybersecurity.
NERC and FERC--the Federal Energy Regulatory Commission--are supplementing their role as enforcement agencies and taking on more voluntary outreach activities, including the sharing of cyber threat information. The Executive Order requires NIST to develop a ``cybersecurity framework'' for all critical infrastructure industries, but it seems unclear as to how NIST will interact with NERC's existing standards. How will you ensure that the new standards complement existing cyber protections for the electricity sector and do not add new regulations or rules that would contravene existing programs?

Answer. The Executive Order directed the National Institute of Standards and Technology (NIST), a non-regulatory agency, to lead the development of a framework to reduce cyber risks to critical infrastructure. NIST worked closely with stakeholders from all critical infrastructure sectors including the Energy Sector, NERC, the Federal Energy Regulatory Commission (FERC) and the Department of Energy (DoE). Regulatory agencies will use the Cybersecurity Framework to assess whether existing requirements are sufficient to protect against cyber attack. If existing regulations are insufficient or ineffective, then agencies must propose new, cost-effective actions based upon the Cybersecurity Framework. Regulatory agencies will use their existing process to consult with their regulated companies to develop and propose any new regulations, allowing for a collaborative process.

______

Response to Written Question Submitted by Hon. Mark Warner to Arthur W. Coviello, Jr.

Question. On February 13, 2013, President Obama signed Executive Order 13636, ``Improving Critical Infrastructure Cybersecurity,'' and the White House released a related Presidential Policy Directive (PPD-21), both of which work to strengthen the cybersecurity of critical infrastructure in the U.S.
The Executive Order directed NIST to work with industry and develop the Cybersecurity Framework, and the Department of Homeland Security (DHS) to establish performance goals. DHS, in collaboration with sector-specific agencies, is charged with supporting the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and other interested entities through a voluntary program. Legislation recently introduced by Senators Rockefeller and Thune reinforces these executive directions, tasking the National Institute of Standards and Technology (NIST), in coordination with the industry, with developing a set of standards and best practices to reduce cyber risks to critical infrastructure. While the actions of the Executive Branch are a step in the right direction, there are still regulatory gaps that leave our Nation vulnerable to cyber attacks. Do you believe that the Cybersecurity Act of 2013 (S. 1353), recently introduced by Senators Rockefeller and Thune, is effective in filling these gaps? If not, what are your recommendations for legislative action that should be taken to strengthen America's cybersecurity?

Answer. This legislation complements the President's Executive Order by codifying the important steps the Administration has already taken to protect critical infrastructure and gives government and industry additional tools to bolster our cyber defenses. We are pleased to see that S. 1353 requires a voluntary, non-regulatory process, enabling further collaboration between the public and private sectors to leverage non-prescriptive and technology-neutral, global cybersecurity standards for critical infrastructure. We also commend the Committee for including crucial provisions to support cyber research and development; increase awareness of cyber risks; and improve cybersecurity education and workforce training. It is imperative that Congress addresses other key cybersecurity issues not under this Committee's jurisdiction.
These include advancing the sharing of cyber threat intelligence between government and industry; establishing liability protections for entities that share threat information; and streamlining acquisition of technology. We urge the Congress to examine ways to break down barriers to information sharing and create incentives for the public and private sectors to work together to safely and securely share real-time, actionable information about cyber threats. Linking the adoption of cybersecurity standards to incentives such as liability protection and streamlined acquisition of technology will create a positive business climate while improving our Nation's cybersecurity posture. We also support additional legislative initiatives to update criminal laws and penalties; enact Federal data breach law; modernize Federal Network Security continuous monitoring efforts; and develop reasonable and effective policy approaches to supply chain protection that will not stifle innovation and competition.

______

Response to Written Question Submitted by Hon. Mark Warner to Mark G. Clancy

Question. On February 13, 2013, President Obama signed Executive Order 13636, ``Improving Critical Infrastructure Cybersecurity,'' and the White House released a related Presidential Policy Directive (PPD-21), both of which work to strengthen the cybersecurity of critical infrastructure in the U.S. The Executive Order directed NIST to work with industry and develop the Cybersecurity Framework, and the Department of Homeland Security (DHS) to establish performance goals. DHS, in collaboration with sector-specific agencies, is charged with supporting the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and other interested entities through a voluntary program.
Legislation recently introduced by Senators Rockefeller and Thune reinforces these executive directions, tasking the National Institute of Standards and Technology (NIST), in coordination with the industry, with developing a set of standards and best practices to reduce cyber risks to critical infrastructure. While the actions of the Executive Branch are a step in the right direction, there are still regulatory gaps that leave our Nation vulnerable to cyber attacks. Do you believe that the Cybersecurity Act of 2013 (S. 1353), recently introduced by Senators Rockefeller and Thune, is effective in filling these gaps? If not, what are your recommendations for legislative action that should be taken to strengthen America's cybersecurity?

Answer. S. 1353, the Cybersecurity Act of 2013, provides some of the needed legislation for protecting our Nation's critical infrastructure and complements the February 2013 executive pronouncements. To continue to protect our nation's infrastructure, we must pass cyber threat information sharing legislation. This legislation must provide liability protection for the sharing of threat information, allow for sharing among the private sector and from the government to the private sector, build upon existing relationships and protect personal privacy. While the financial sector has been engaged in information sharing for a long time, there are still many institutions in our sector and other critical infrastructure sectors who are constrained in their ability to share due to liability concerns. Given the interconnected nature of cyberspace, institutions recognize that the strongest preparations and responses to cyber attacks require collaboration beyond their own companies. As a result, the sector has engaged in a number of collaborative efforts, which would be enhanced with the passage of information sharing legislation.
Through the Financial Services Information Sharing and Analysis Center (FS-ISAC), participants share threat information between financial institutions and the Federal government, law enforcement and other critical infrastructure sectors. The FS-ISAC also has a representative for the sector on the National Cybersecurity and Communications Integration Center floor to provide the Department of Homeland Security (DHS) insight into the financial sector's issues and incidents and provide an additional fan-out for information from DHS to the sector. The ability to share information more broadly is critical and foundational to our preparation for and response to future attacks. While we constantly review opportunities to improve the information shared within our industry, it is vital that our efforts also include sharing information across sectors and between the government and the private sector. Each company and public sector entity has a piece of the puzzle and an understanding of the threat. Our ability to share this information will greatly increase our ability to prepare for and respond to threats.

______

Response to Written Question Submitted by Hon. Mark Warner to Dorothy Coleman

Question. On February 13, 2013, President Obama signed Executive Order 13636, ``Improving Critical Infrastructure Cybersecurity,'' and the White House released a related Presidential Policy Directive (PPD-21), both of which work to strengthen the cybersecurity of critical infrastructure in the U.S. The Executive Order directed NIST to work with industry and develop the Cybersecurity Framework, and the Department of Homeland Security (DHS) to establish performance goals. DHS, in collaboration with sector-specific agencies, is charged with supporting the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and other interested entities through a voluntary program.
Legislation recently introduced by Senators Rockefeller and Thune reinforces these executive directions, tasking the National Institute of Standards and Technology (NIST), in coordination with the industry, with developing a set of standards and best practices to reduce cyber risks to critical infrastructure. While the actions of the Executive Branch are a step in the right direction, there are still regulatory gaps that leave our Nation vulnerable to cyber attacks. Do you believe that the Cybersecurity Act of 2013 (S. 1353), recently introduced by Senators Rockefeller and Thune, is effective in filling these gaps? If not, what are your recommendations for legislative action that should be taken to strengthen America's cybersecurity?

Answer. The Cybersecurity Act of 2013 (S. 1353) represents a sensible, bipartisan, non-regulatory approach to an issue of utmost importance to the manufacturing industry. Manufacturers support creating an industry-led, voluntary standards development process, strengthening the cybersecurity research and development strategy inside the Federal government, creating a high-skilled cybersecurity workforce and raising public awareness of cyber threats. The NAM is pleased that this legislation prohibits the creation of a duplicative regulatory regime that would put undue burdens on manufacturers while at the same time solidifying the public-private partnership to address an issue of critical importance to our nation. The top priority of manufacturers is allowing the voluntary sharing by the public and private sector of real-time threat information to allow manufacturers to better protect themselves from cyber threats. In contrast, under current law, the government is prohibited from sharing sensitive cyber-threat information with the private sector. Companies also are not permitted to share information freely with their peers.
The NAM encourages the Senate to consider legislation similar to the Cyber Intelligence Sharing and Protection Act (CISPA) of 2013 (H.R. 624), which the House passed earlier this year and was supported by the NAM. This legislation, if signed into law, will allow the government to share timely and actionable threat and vulnerability information with the private sector.