[Senate Hearing 113-241]
[From the U.S. Government Publishing Office]
S. Hrg. 113-241
CYBERSECURITY: PREPARING FOR AND RESPONDING TO THE ENDURING THREAT
=======================================================================
HEARING
before the
COMMITTEE ON APPROPRIATIONS UNITED STATES SENATE
ONE HUNDRED THIRTEENTH CONGRESS
FIRST SESSION
__________
SPECIAL HEARING
JUNE 12, 2013--WASHINGTON, DC
__________
Printed for the use of the Committee on Appropriations
Available via the World Wide Web: http://www.gpo.gov/fdsys/browse/committee.action?chamber=senate&committee=appropriations
__________
U.S. GOVERNMENT PUBLISHING OFFICE
81-526 PDF WASHINGTON : 2016
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
COMMITTEE ON APPROPRIATIONS
BARBARA A. MIKULSKI, Maryland, Chairwoman
PATRICK J. LEAHY, Vermont
TOM HARKIN, Iowa
PATTY MURRAY, Washington
DIANNE FEINSTEIN, California
RICHARD J. DURBIN, Illinois
TIM JOHNSON, South Dakota
MARY L. LANDRIEU, Louisiana
JACK REED, Rhode Island
FRANK R. LAUTENBERG, New Jersey \1\
MARK L. PRYOR, Arkansas
JON TESTER, Montana
TOM UDALL, New Mexico
JEANNE SHAHEEN, New Hampshire
JEFF MERKLEY, Oregon
MARK BEGICH, Alaska

RICHARD C. SHELBY, Alabama, Ranking
THAD COCHRAN, Mississippi
MITCH McCONNELL, Kentucky
LAMAR ALEXANDER, Tennessee
SUSAN M. COLLINS, Maine
LISA MURKOWSKI, Alaska
LINDSEY GRAHAM, South Carolina
MARK KIRK, Illinois
DANIEL COATS, Indiana
ROY BLUNT, Missouri
JERRY MORAN, Kansas
JOHN HOEVEN, North Dakota
MIKE JOHANNS, Nebraska
JOHN BOOZMAN, Arkansas
Charles E. Kieffer, Staff Director
William D. Duhnke III, Minority Staff Director
----------
\1\ Died on June 3, 2013.
C O N T E N T S
----------
Opening Statement of Senator Barbara A. Mikulski
Statement of Senator Richard C. Shelby
Statement of Hon. General Keith B. Alexander, Commander, U.S. Cyber Command; Director, National Security Agency; Chief, Central Security Service
    Prepared Statement
        Defending the Nation in Cyberspace
        The U.S. Federal Cybersecurity Team
        Resources
        Guarding Privacy and Civil Liberties
        Legislation
Statement of Hon. Rand Beers, Acting Deputy Secretary, Department of Homeland Security
    Prepared Statement
        Department of Homeland Security Mission in Protecting Government Networks and Critical Infrastructure
        Response to Cyber Events
        Combating Cyber Crime
        Cooperation Across the Federal Government
        Presidential Policy Directive 21 and Cyber Executive Order 13636
        Budget Priorities
        Cyber Legislative Priorities
Statement of Richard A. McFeely, Executive Assistant Director, Criminal, Cyber, Response, and Services Branch, Federal Bureau of Investigation, Department of Justice
    Prepared Statement
        The Cyber Threat
        Federal Bureau of Investigation Response
        Recent Successes
        Next Generation Cyber
        Private Sector Outreach
        Fiscal Year 2014 Budget Request
Statement of Hon. Dr. Patrick D. Gallagher, Acting Deputy Secretary, Department of Commerce; Director, National Institute of Standards and Technology
    Prepared Statement
        The Role of the National Institute of Standards and Technology in Cybersecurity
        The Role of the National Institute of Standards and Technology in Protecting Federal Information Systems
        The National Institute of Standards and Technology's Engagement with Industry
        The National Institute of Standards and Technology's Role in Executive Order 13636, ``Improving Critical Infrastructure Cybersecurity''
        National Institute of Standards and Technology Support for Cyber Research and Development
Critical Infrastructure: Incidents Reporting
Qualified Workforce: Recruiting and Retaining
Critical Infrastructure: Cybersecurity Improvements
Collaboration with State and Local Law Enforcement
Bank Attacks
Qualified Workforce: Centers of Excellence
Additional Committee Questions
    Questions Submitted to Hon. General Keith B. Alexander, Commander, U.S. Cyber Command; Director, National Security Agency; Chief, Central Security Service
        Questions Submitted by Senator Patty Murray
        Questions Submitted by Senator Richard J. Durbin
            Cyber Executive Order--Role of the Executive Order Versus Cyber Legislation
            Cyber Executive Order--Protecting Privacy and Civil Liberties
        Questions Submitted by Senator Mary L. Landrieu
            Cybersecurity Role for the National Guard
            Cyber Test Beds/Ranges
        Questions Submitted by Senator Tom Udall
            Role of National Laboratories in Promoting Cybersecurity
            Need for International Cooperation for Cybersecurity Standards
            China and Theft of Intellectual Property
        Questions Submitted by Senator Thad Cochran
        Questions Submitted by Senator Mike Johanns
            Cyber Command
    Questions Submitted to Hon. Rand Beers, Acting Deputy Secretary, Department of Homeland Security
        Questions Submitted by Senator Patty Murray
        Questions Submitted by Senator Richard J. Durbin
            Cyber Executive Order--Role of the Executive Order Versus Cyber Legislation
            Cyber Executive Order--Protecting Privacy and Civil Liberties
        Questions Submitted by Senator Mary L. Landrieu
            Cybersecurity Role for the National Guard
            Cyber Test Beds/Ranges
            Role of the Secret Service in Cyber Investigations
            Role of DHS in Capability Building for Law Enforcement Cyber Investigations
        Questions Submitted by Senator Tom Udall
            Role of National Laboratories in Promoting Cybersecurity
            Mobile Phones and Cybersecurity Awareness
        Questions Submitted by Senator Thad Cochran
    Questions Submitted to Hon. Dr. Patrick D. Gallagher, Acting Deputy Secretary, Department of Commerce; Director, National Institute of Standards and Technology
        Questions Submitted by Senator Patty Murray
        Questions Submitted by Senator Richard J. Durbin
            Cyber Executive Order--Role of the Executive Order Versus Cyber Legislation
            Cyber Executive Order--Protecting Privacy and Civil Liberties
        Questions Submitted by Senator Tom Udall
            Role of National Laboratories in Promoting Cybersecurity
            Engagement with Industry Groups
            Federal Cybersecurity Standards and New Computing Trends
            Mobile Phones and Cybersecurity Awareness
        Questions Submitted by Senator Thad Cochran
    Questions Submitted to Richard A. McFeely, Executive Assistant Director, Criminal, Cyber, Response, and Services Branch, Federal Bureau of Investigation
        Questions Submitted by Senator Richard J. Durbin
            Cyber Executive Order--Role of the Executive Order Versus Cyber Legislation
            Cyber Executive Order--Protecting Privacy and Civil Liberties
        Questions Submitted by Senator Mary L. Landrieu
        Questions Submitted by Senator Tom Udall
            Role of National Laboratories in Promoting Cybersecurity
        Questions Submitted by Senator Thad Cochran
CYBERSECURITY: PREPARING FOR AND RESPONDING TO THE ENDURING THREAT
----------
WEDNESDAY, JUNE 12, 2013
U.S. Senate,
Committee on Appropriations,
Washington, DC.
The committee met at 2:02 p.m., in room SD-G50, Dirksen
Senate Office Building, Hon. Barbara A. Mikulski (chairwoman)
presiding.
Present: Senators Mikulski, Leahy, Murray, Feinstein,
Durbin, Landrieu, Pryor, Tester, Udall, Merkley, Shelby,
Cochran, Collins, Coats, Johanns, and Boozman.
opening statement of senator barbara a. mikulski
Chairwoman Mikulski. This afternoon I am opening a hearing
on cybersecurity. We are going to examine the efforts to
protect the American people from cyber threats, to protect our
domains of dot-mil, dot-gov, and dot-com. We need to make sure
that the American people know what our programs are, know what
we are spending our money for, and also to make sure that we
make wise use of taxpayer dollars so that there are no
techno-boondoggles. We hope to make sure we know how to help the
private sector and to protect dot-com by real-time
information-sharing about threats and helping the private sector develop
the secure technologies we need. We need to prevent hackers,
nation-states, and criminals from stealing our cyber
identities, cyber espionage, cyber sabotage against our online
commerce or our critical infrastructure, track and disrupt the
hackers, and prosecute them when possible.
I have two goals for this hearing.
First, I want to make sure that we protect the American
people from cyber threats by working together across the
Government to protect, as I said, the domains of dot-mil,
dot-gov, and dot-com.
Second, I want to examine how agencies will use
cybersecurity funding in the budget. The administration is
requesting more than $13 billion for fiscal year 2014. In this
very stringent environment, we are concerned about
techno-boondoggles. The Government is often very good at spending
money, but we need to make sure we spend the money well. Over
the years, there have been failures and inefficiencies in
Government IT programs, and we do not want that to happen as we
move forward in this cyber domain.
I called this hearing as the full committee chairwoman to
work across the subcommittees to make sure there are not
stovepipes, to make sure, as we look at this, the questions
that we have related to governance, are we developing the right
technologies to protect us, are we investing in the workforce
we need, and how do we protect our civil liberties.
I am so proud of my subcommittee chairs. I want to
acknowledge the work of Senator Durbin and the Ranking Member
Cochran on Defense. I want to acknowledge the work of
Chairwoman Landrieu and her ranking member, Senator Coats, both
with a great deal of expertise. For me, we will have the
Federal Bureau of Investigation (FBI) and National Institute of
Science and Technology (NIST), and my great vice chairman,
Senator Shelby.
This is a committee that is loaded with talent in this
area, coming with enormous expertise from the authorizing
committee. We have Senator Leahy from the Judiciary Committee,
well versed on the issues of law on cybersecurity and a staunch
protector of our civil liberties. We have Chairwoman Feinstein
on the Intelligence Committee. From Armed Services, we have
Reed, Shaheen, Graham, and Blunt. We have the former Chair of
the Homeland Security Committee, Senator Collins, herself now a
member of the Intelligence Committee. Rarely has a committee
had so much talent coming together from both those of us from
appropriations as well as the authorizers.
I hope that our country has a sense of urgency. We are
already under attack. This is the new, enduring war. We are in
a cyber war every day. Every time someone steals our identity,
steals our State secrets or our trade secrets, we are at war.
We now see the growing nexus between cyber criminals and nation
states hacking our networks, planning disruptions of our
business operations. Director Mueller of the FBI said that
cyber crime will eventually surpass terrorism as our number one
threat to America. Secretary Hagel and General Dempsey continue
to warn us against cyber as an insidious threat. These are such
critical concerns that President Obama, in his recent meeting
with the Chinese President, raised cybersecurity as one of our
great, great international tensions between both countries.
Now, last year, we tried to pass cybersecurity legislation.
We all worked on a bipartisan basis. It was actually under the
Collins-Lieberman bill. But it did not happen. The President
has issued an Executive order. But just because authorizing has
not happened does not mean that nothing is happening.
So in February, the President signed his Executive order,
and it improves real-time information sharing, protects
critical infrastructure, provides critical infrastructure in
cyber risk, and brings private sector experts into the Federal
service.
Each one of these goes through a different subcommittee,
but here today we are going to do something pretty different.
And I bring to your attention the President's fiscal year 2014
budget on the areas of cybersecurity. This will be the first
time in one place that we can look across all of the areas to
make sure we know what the request is, what they are not only
in individual agencies, but do we get the synergistic effect
necessary to protect our country. It is significant that this
document that you all have, which is a public document, that we
have in one place, a one-stop shop, really what the President
is requesting.
The President of the United States in his budget message to
the Congress has asked for $13 billion in order to execute the
cybersecurity strategy across the agencies of the Federal
Government. The purpose of this hearing today is to look at the
cybersecurity threat, not every program from the National
Security Agency (NSA), not every program being run by Homeland
or the Department of Justice or the great work being done by
NIST. It is to focus on the cybersecurity.
But it is a committee first and I might say a Senate first.
No other committee has tried to hold a hearing across the
different domains, agencies, and smokestacks, and also to do it
in an open, public way.
And the expertise, as I said, here from both the
subcommittee chairs and the authorizing is stunning. So we know
that we are going to be able to do it.
The President has asked for $13 billion: $9.3 billion for
the Department of Defense (DOD), $1.3 billion for the
Department of Homeland Security (DHS), $670 million for the
Department of Justice (DOJ), primarily the Federal Bureau of
Investigation, and the National Institutes of Standards and
Technology, $215 billion--$215 million. NIST has never seen
$215 billion. That is the defense guys.
Today we will hear from our Government's lead people on
this: General Alexander, the Director of the National Security
Agency and the head of Cyber Command; Rand Beers, the Acting
Deputy Secretary of Homeland Security; Dr. Gallagher, the
Acting Deputy Secretary of Commerce but the Director of NIST;
and Richard McFeely, the FBI Executive Assistant Director in
charge of the Criminal, Cyber, and Response, and Services
Branch.
I also want to acknowledge that in the last several days
many intelligence issues have been in the press, and I
understand that these are issues that are very much on the
public's mind and Members of the Senate.
Last week, in my Commerce, Justice hearing with the
Attorney General, this topic of particularly our surveillance
program came up. I pledged to Senator Shelby, a former Chair of
the Intelligence Committee, well versed on the topic, not of
the surveillance but on this, that we would have a full
committee hearing on that particular program. That is not
today. That is for another day.
I understand that our colleague, Senator Chairwoman, the
Chair of the Intelligence Committee, has scheduled a briefing
for all Senators tomorrow. And this is the second hearing that
Senator Feinstein has opened up the Intelligence Committee for
a briefing for all Senators to be able to participate. After
the Feinstein meeting tomorrow, if Senator Shelby continues to
recommend that this committee hold a hearing on this matter, I
will be happy to comply, and I pledge that to you, sir. I did
last week and so on. But we will see if it is necessary, and if
deemed so, we certainly will.
So, again, today's hearing will focus on the cyber threat,
protecting the American people, protecting the taxpayer in
their role as both citizen and taxpayer. I hope today's hearing
will focus on this very important issue, and I say to my
colleagues this is a committee hearing that is a first. It will
be not the last on this topic or other matters related to our
national security.
I now want to turn to my ranking member, Senator Shelby,
who has been active on this matter, the vice chairman of the
committee, former Chair of the Intelligence Committee. Senator
Shelby.
statement of senator richard c. shelby
Senator Shelby. Thank you, Madam Chair.
As you have pointed out, this is a very important hearing
on a topic that demands significant congressional involvement.
The cyber threat, as we all know, is increasing and becoming
more challenging as our adversaries grow bolder and more
capable. We have seen recent and stark reminders of the threat
with constant cyber attacks on the financial sector, the
Chinese hacking of the New York Times and Wall Street Journal,
Iranian attacks against a Saudi oil company, and reports that
information on our most advanced weapons systems was stolen by
the Chinese.
Earlier this year, an information security company publicly
reported that Chinese attackers are running an extensive cyber
espionage campaign with the likely support of the Chinese
Government. More recently, the same company exposed Iranian
hacking in the United States.
These troubling developments remind us of how urgently we
need a coordinated effort to counter and to respond to these
attacks.
Madam Chair, this committee may be the only one with
jurisdiction over the full complement of Government
organizations involved in cybersecurity. Therefore, as you
pointed out, I think it is appropriate that we take a lead role
in the oversight of this effort, working with others. I would
like to hear, for example, how each of you today perceive the
threat and about your continuing efforts to protect critical
infrastructure against attack and to address the cyber threat
outside the recently issued Executive order. Cybersecurity is
an immediate priority, but the framework envisioned in the
Executive order will take time to develop and probably even
longer to implement.
There are still areas that need more attention and may
require legislation, such as information sharing. Additionally,
the working relationship between the Government and the private
sector is still a work in progress. Funding requirements also
remain unclear in this time of fiscal uncertainty. Clearly, a
lot needs to be done.
I look forward today to hearing from our panel of witnesses
and perhaps they can suggest some of the best ways to protect
Government systems and information as you partner with industry
to strengthen our cyber infrastructure across the board.
Thank you, Madam Chair.
Chairwoman Mikulski. Thank you, Senator.
Now we will turn to our witness panel, and then we will go
to questions, starting with myself and Senator Shelby and then
the regular order that we follow in the order of arrival.
I would like to suggest that General Alexander go first,
followed by Mr. Beers, Mr. McFeely representing Justice, and
Dr. Gallagher, you are the wrap-up guy. General Alexander, the
microphone is yours.
STATEMENT OF HON. GENERAL KEITH B. ALEXANDER, COMMANDER, U.S. CYBER COMMAND; DIRECTOR, NATIONAL SECURITY AGENCY; CHIEF, CENTRAL SECURITY SERVICE
General Alexander. Senator, thank you very much.
I think what you and Senator Shelby have pointed out with
respect to cyberspace is absolutely important for us to
discuss. The threats that we face today continue to grow.
You know, it takes, for the Government, a team to work
this. So before I go any further, I do want to point out that
the team is here, and it is great to be part of that team
because no one Government department or agency can do it
itself. For us, it is going to take the partnership between
DHS, between the FBI, and with the support of NIST especially
on the Executive order that Senator Shelby brought up for us to
work together.
You know, when I look at what is going on in cyberspace and
the capabilities that are growing, this is an incredible
opportunity for us as a Nation and for nations around the
world. The technical capabilities that we have when you look at
what our children are using, the iPhones, the iPads, the
ability for education--this is a tremendous time. When we look
at what we can do with this with respect to medical care in the
future, it is a bright future for us, but it is complicated by
the fact of cyber espionage, by cyber hacking, and the threats
that Senator Shelby talked about. So I do want to hit on that.
You mentioned the evolution of this threat, and when you
look at the threat as it has gone forward, some of the things
that FBI and we see in the Department of Homeland Security work
every day is a series of exploitations into our networks. The
issue is how do you fix that. And that issue is complicated by
the fact that it is not only exploitations that are going on,
but we are seeing disruptive attacks against our Nation's
infrastructure, Wall Street, with a potential for destructive
attacks.
We as a Nation need to step forward and say how are we
going to work this. The Government team that is here today
cannot do it without support from industry. We have to have
some way of working with industry because they own and operate
the bulk of our Nation's infrastructure. But we have to do it
in a transparent way, in a legal way, and we really appreciate
the efforts of many on this panel, Senator, for what you and
others have done to try to move that legislation along. But we
do need to get there. We do need to have a way of working with
industry. And Dr. Gallagher I know will talk about parts of
this. We could not have a better person to lead it from NIST.
So thanks for what you and the team are doing. We do need to
begin that dialogue with industry. So part of what the
Executive order does is give us that opportunity to have that
dialogue.
At the same time, we have to look at what we need in
legislation and get that moving forward. So, Senator, thanks
for what you and the Intelligence Committee are doing to move
that and others.
From my perspective, Senator, you asked what is it that we
need to do. I think there are five key things that we are
working on.
First, we have to create a defensible architecture. Both
the Intelligence Community and the Defense Department are
moving forward on what we call the ``cloud architecture,'' a
joint information environment for the Defense Department and
the intel community's IT environment, the same thing for both
communities moving forward to what is a more defensible
architecture. And I think we need to move there. So that is the
first thing.
Second, we need to be able to see what is going on in
cyberspace so that we can work with industry and amongst
ourselves because getting information after an attack only
allows us to police it up. We have to have some way of stopping
it while it is going on. So we need to be able to see it.
We need a concept for operating in cyberspace not just
within the Defense Department, but amongst all three of us
because we all have a role in this, and we all play vital
roles, from the Department of Homeland Security's role for
recovery and working with commercial industry to the FBI's law
enforcement and investigative things to the Defense
Department's responsibility to defend the Nation. We have to
bring those together and then reach out to say, now, how is
that going to work with industry and how can we share
information that is vital to our common defense. We have to do
that.
We need trained and ready forces. I think that is one of
the most important things that the Congress expects of me of
Cyber Command and of NSA to, within the Department, create
trained and ready forces that are trained to a higher standard,
both on the defense and on the offense, those capabilities that
our Nation needs that are trained to that standard that know
how to operate lawfully to protect American civil liberties and
privacy and to protect this Nation in cyberspace. We have to be
able to do all three.
And we have to have a capacity to act when authorized, the
rules of engagement and the other authorities.
We are working those five.
From my perspective, the men and women of Cyber Command and
NSA--we have tremendous technical talent. We really do. And
these are great people. Our Nation has invested a lot in these
people. They do this lawfully. They take compliance oversight,
protecting civil liberties and privacy, and the security of
this Nation to their heart every day. I could not be more proud
of the men and women of NSA and Cyber Command. What we now need
to do is take the next step in moving that forward.
That is all I have at this time, Senator. I will defer now
to my colleague, Mr. Beers.
[The statement follows:]
Prepared Statement of Hon. General Keith B. Alexander
Thank you very much, Chairwoman Mikulski and Ranking Member Shelby,
for inviting me to speak to you and your colleagues. I am here
representing the Department of Defense in general and the men and
women, military and civilian, who serve at U.S. Cyber Command
(USCYBERCOM) and the National Security Agency/Central Security Service
(NSA/CSS). It is my honor to appear today with colleagues from the
Department of Justice (DOJ) and its Federal Bureau of Investigation
(FBI), the Department of Homeland Security (DHS), and the National
Institute of Science and Technology (NIST). I hope to describe some of
the challenges we face in performing the difficult but vital missions
of keeping U.S. national security systems secure, helping to protect
our Nation's critical infrastructure from national-level cyber attacks,
and working with other U.S. Government agencies, State and local
authorities, national allies, and the private sector in defending our
Nation's interests in cyberspace. Together we make up a team deeply
committed to compliance with the law and the protection of privacy
rights that works every day with other U.S. Government agencies,
industry, academia, citizens, and allies, for only our combined efforts
will enable us to make progress in cybersecurity for the Nation as a
whole.
defending the nation in cyberspace
I would like to start today by discussing the two elements of this
team that I lead. USCYBERCOM is a subunified command of U.S. Strategic
Command in Omaha, though we are based at Fort Meade. USCYBERCOM's
mission is to plan, coordinate, integrate, synchronize and conduct
activities to direct the operations and defense of Department of
Defense information networks. We also prepare to, and when directed,
conduct full-spectrum military cyberspace operations in order to enable
traditional military activities, ensure U.S./Allied freedom of action
in cyberspace, and deny our adversaries the ability to harm us or our
allies. USCYBERCOM has three operational focus areas: defending the
Nation, supporting the Combatant Commands, and defending DOD
Information Networks. As I noted when I testified before the Armed
Services Committee in March, USCYBERCOM will address these three
operational focus areas with its new Cyber Mission Forces, organized
into National Mission Teams, Combat Mission Teams and Cyber Protection
Teams.
Due to the intersecting responsibilities of the two organizations,
USCYBERCOM was placed at the headquarters of NSA/CSS at Fort Meade.
NSA/CSS collects signals intelligence on our cyber adversaries; and
provides information assurance strategies and technologies to protect
our national security systems. The conduct of these two missions is
critical to enabling cyber operations. NSA/CSS also has multiple,
technical capabilities critical to the cyber mission area, such as
high-performance computing and large-scale, distributed processing and
data storage. These are just some of the components of what we call the
cryptologic platform; it constitutes the collection of signals
intelligence and communications security capabilities that since 1952
have served users ranging from national customers, to departmental
analysts, to battlefield commanders. The defense of U.S. military
networks depends on knowing what those who would harm us are doing in
cyberspace, which in turn depends on intelligence produced by NSA and
other members of the Intelligence Community regarding adversary
intentions and capabilities.
Cyberspace is characterized by high levels of convergence of
separate and different networks and technology that have come together
to form something greater than the sum of the parts. In this regard,
USCYBERCOM's co-location with NSA/CSS mirrors the convergence in
cyberspace and is a direct result of that technological shift. What we
have learned is that if convergence is the reality of the cyber
environment, then integration must be the reality of our response.
Co-location promotes intense and mutually beneficial collaboration in an
operational environment in which USCYBERCOM's success relies on
net-speed intelligence. Although they are separate and distinct
organizations with their own missions and authorities, NSA/CSS is a
major force multiplier for USCYBERCOM, pairing the Command's operators,
planners, and analysts with the expertise and assistance of NSA/CSS'
cryptographers, analysts, access developers, on-net operators, language
analysts, and support personnel. These are close working relationships
that enable seamless, deconflicted operations that are vital to the
success of the cyber mission. Co-location also improves the
deconfliction of operations; physical proximity enhances mutual
understanding and awareness of mission areas and helps forge effective
partnerships that serve both organizations and the Nation well. Only a
tightly integrated team, and tightly integrated solutions, can do what
is required to address cyber threats at net speed.
I serve as the dual-hatted Commander, USCYBERCOM, and Director,
NSA/Chief, CSS. The dual-hatting unifies the capabilities for
full-spectrum cyber operations under a single official, maximizes the
leverage of NSA/CSS cyber capabilities, capacities, and authorities,
and establishes unity of effort in cyberspace for the Department of
Defense. It allows deconfliction of the use of the cryptologic platform
to occur with full knowledge of the needs of both organizations on a
timely basis. Together, the people under my command and direction at
USCYBERCOM and NSA/CSS work in concert but always under their
respective authorities. They direct the operation of the Department's
information networks, detect threats in foreign cyberspace, attribute
threats, secure national security information systems, and help ensure
freedom of action for the United States military and its allies in
cyberspace--and, when directed, defend the Nation against a cyber
attack.
In keeping with the DOD's Strategy for Operating in Cyberspace,
USCYBERCOM and NSA/CSS are together assisting the Department in
building: (1) a defensible architecture; (2) global situational
awareness and a common operating picture; (3) a concept for operating
in cyberspace; (4) trained and ready cyber forces; and (5) the capacity
to take action when authorized. Indeed, with another key mission
partner in DOD--the Defense Information Systems Agency (DISA), also
based at Fort Meade--we are finding that our progress in each of these
five areas benefits our efforts in the rest. We are improving our
tactics, techniques, and procedures, as well as our policies and
organizations. This means building cyber capabilities into doctrine,
plans, and training--and building them in a way that senior leaders can
plan and integrate such capabilities as they would capabilities in the
air, land, and sea domains.
The imperative to accomplish this mission grows every day. We
operate in a dynamic and contested domain that literally changes its
characteristics each time someone powers on a networked device. Make no
mistake: in light of the real and growing threats in cyberspace, our
Nation needs a strong DOD role in cyberspace. While we feel confident
that most foreign leaders believe that a devastating attack on the
critical infrastructure and population of the United States by cyber
means would elicit a prompt and proportionate response, it is possible,
however, that some regime or cyber actor could misjudge the impact and
the certainty of our resolve. In particular, we are not yet deterring
the persistent cyber harassment of private and public sites, property,
and data. Such attacks have not caused loss of life, but they have been
destructive to both data and property in other countries. The remote
assaults last summer on Saudi Aramco and RasGas, for example, rendered
inoperable--and effectively destroyed the data on--more than 30,000
computers. Cyber programs and capabilities are growing, evolving, and
spreading; we believe it is only a matter of time before the sort of
sophisticated tools developed by well-funded state actors find their
way to groups or even individuals who in their zeal to make some
political statement do not know or do not care about the collateral
damage they inflict on bystanders and critical infrastructure. The
United States is already a target. Networks and Web sites owned by
Americans and located here have endured intentional, state-sponsored
attacks, and some have incurred degradation and disruption because they
happened to be along the route to another state's overseas targets. Our
critical infrastructure is thus doubly at risk. On a scale of 1 to 10,
with 10 being strongly defended, our critical infrastructure's
preparedness to withstand a destructive cyber attack is about a 3 based
on my experience. There are variations in preparedness across sectors,
but all are susceptible to the vulnerabilities of the weakest.
Let me draw your attention to another serious threat to U.S.
interests: the continuing and systematic cyber exploitation of American
companies and enterprises, and the resulting theft of intellectual
property. Many such incidents are perpetrated by organized
cybercriminals, but foreign government-directed cyber operators, tools,
and organizations are targeting the data of American and Western
businesses, institutions, and citizens. Certain nations have a
resourced national strategy to grow their economies by intellectual
property (IP) theft. They target any company with valuable IP or a
leading position in its sector--and not just that company itself. Even
companies that have protected their information have partners that
could be ``soft'' targets. Are we susceptible? In the United States,
intrusions have occurred against the best in the security business. The
collective damage that such intrusions inflict on America's economic
competitiveness and innovation edge is profound, translating into
missed opportunities for U.S. companies and the potential for lost
American jobs. Cyber theft jeopardizes our economic well-being.
the u.s. federal cybersecurity team
No Federal department or agency is solely responsible for
addressing the cyber threat, and none has been designated as the
Federal cybersecurity lead because each brings unique authorities,
resources, and capabilities to the effort. Cybersecurity requires a
team approach, where the leadership and support roles change depending
on the nature of the threat and the required response. Together, three
departments carry out important roles and responsibilities as part of
the broader U.S. Federal cybersecurity team in order to provide for the
Nation's cybersecurity:
--The DOJ is the lead Federal department responsible for the
investigation, attribution, disruption and prosecution of
cybersecurity incidents. Within the DOJ, the FBI conducts
domestic collection, analysis, and dissemination of cyber
threat intelligence.
--The DHS is the lead Federal department responsible for national
protection against, mitigation of, and recovery from domestic
cybersecurity incidents. The DHS is also the lead for securing
unclassified Federal civilian government networks and working
with owners and operators of critical infrastructure to secure
their networks through risk assessment, mitigation, and incident-
response capabilities.
--The DOD is ultimately responsible for defending the Nation from
attack in cyberspace, just as it is in all other domains. In
the event of a foreign cyber attack on the United States with
the potential for significant national security or economic
consequences, the DOD, including USCYBERCOM with the support of
NSA/CSS, will be prepared to respond.
These efforts depend on shared situational awareness and integrated
operations across the U.S. Government, State and local authorities, and
international partners. Together, we are helping to increase our global
situational awareness through our growing collaboration with Federal
Government mission partners and other departments and agencies, as well
as with private industry and with other countries. That collaboration
allows us to better understand what is happening across the cyber
domain, which enhances our situational awareness, not only for DOD but
also across the U.S. Government.
Under the joint leadership of DHS and NSA, the FBI and the other
Federal cybersecurity centers created a framework to describe
cybersecurity functions and information exchanges and are now
developing an implementation plan for an information sharing
environment that will create a cross-government shared situational
awareness that is extensible to other partners such as the State and
local governments and our allies. Implementing this capability to
improve our collective response actions is one of the President's top
cyber priorities for fiscal year 2014.
Successful operations in cyberspace depend on collaboration between
defenders and operators. Those who secure and defend must synchronize
with those who operate, and their collaboration must be informed by up-
to-date intelligence. I see greater understanding today of the
importance of this synergy across the Department, the government, and
our public at large. Last fall the departments negotiated, and the
President endorsed, a broad clarification of the responsibilities of
the various organizations and capabilities operating in cyberspace,
revising the procedures we employ for ensuring that, in the event of a
cyber incident of national significance, we are prepared to act with
all necessary speed in a coordinated and mutually-supporting manner.
USCYBERCOM is also being integrated into the National Event response
process, so that a cyber incident of national significance can elicit a
fast and effective response, to include self-defense actions where
approved, necessary, and appropriate.
As part of this progress, we in the Federal Government are working
with State, local, international, and private partners. NSA/CSS, for
example, is defining security dimensions that government and private
users can utilize for ``cloud'' architectures, and has shown how we can
manage large quantities of data and still preserve strong security. We
have even shared the source code publicly so public and private
architectures can benefit from it. USCYBERCOM has sponsored not only an
expanding range of training courses but also two important exercises,
CYBER FLAG and CYBER GUARD. The former is USCYBERCOM's major Command-
level exercise, the most recent iteration of which brought in
international partners to practice force-on-force maneuvers in
cyberspace. The latter assembled 500 participants last summer,
including a hundred from the National Guards of 12 States. They
exercised State- and national-level responses in a virtual environment,
learning each other's comparative strengths and concerns should an
adversary attack our critical infrastructure in cyberspace.
resources
For the past 5 years, Federal cyber-related spending and
performance reporting have been organized around the Comprehensive
National Cybersecurity Initiative (CNCI), from which NSA/CSS received a
significant amount of funding to provide specialized capabilities and
foundational support to address the cyber threat. Last summer--and
planned as a yearly exercise--the administration issued a data call,
which includes CNCI and non-CNCI investments, in order to better
understand and track cybersecurity and cyberspace operations funding.
NSA/CSS's budget under this taxonomy represents spending under the
major cybersecurity categories: (1) Prevent malicious cyber activity;
(2) Detect, analyze, and mitigate intrusions; and (3) Shape the
cybersecurity environment. These investments are fundamental to our
overall cybersecurity strategy to develop and deploy unique cyber
capabilities that leverage the use of signals intelligence to enhance
network defense. Additional investments in cyberspace operations
provide the foundational infrastructure necessary to build those
capabilities as well as support full spectrum cyberspace operations in
direct support of Combatant Command requirements (e.g., cryptanalysis,
net-centric capabilities, data repositories, sensor deployments, and
research).
From the operational perspective, the ultimate objective of
cybersecurity is to deny the adversary any opportunity to exploit our
systems. Doing so requires that we protect ourselves from both known
and unknown threats as we execute our comprehensive strategy of
hardening our networks, defending our networks, and leveraging all
instruments of national power--both within our own networks and beyond.
We have made significant progress in realizing the mission capabilities
and cryptologic capacity required to meet the demands of operating in
cyberspace. While there is still much work to do, I'd like to highlight
a few of the ongoing efforts in implementing our strategy.
The Department of Defense is responsible for 7 million networked
devices and thousands of enclaves. USCYBERCOM and NSA/CSS work around
the clock with DISA to monitor what is happening on global networks and
the functioning of DOD's information enterprise. We are also helping
the Department build the DOD Joint Information Environment (JIE),
comprising a shared infrastructure, enterprise services, and a single
security architecture to improve mission effectiveness, increase
security, and realize IT efficiencies. The JIE will be the base from
which we can operate knowing that our networks are safer from
adversaries. Senior officers from USCYBERCOM and NSA/CSS sit on JIE
councils and working groups, playing a leading role with the office of
the DOD's Chief Information Officer, Joint Staff J6, and other agencies
in guiding the Department's implementation of the JIE. NSA/CSS in
particular serves as the Security Advisor to the JIE, and is defining
the security dimension of that architecture.
Moving to the JIE will make sharing and analytics easier while also
enhancing security. I know this sounds paradoxical but it is
nonetheless true, as NSA/CSS has demonstrated in its cloud capability
and its support for the Intelligence Community's growing Information
Technology Enterprise (IC ITE). Let me emphasize our confidence that
the JIE will save resources for the Department--moving to it will give
us greater capability and security at less cost.
Our progress, however, can only continue if we are able to fulfill
our urgent requirement for sufficient trained, certified, and ready
forces to defend U.S. national interests in cyberspace. Last December,
DOD endorsed the force presentation model we need to implement this new
operating concept. We are establishing cyber mission teams in line with
the principles of task organizing for the joint force. The Services are
building these teams to present forces for STRATCOM in support of
USCYBERCOM-delegated Unified Command Plan mission. They will soon be
capable of operating on their own, with a range of operational and
intelligence skill sets, as well as a mix of military and civilian
personnel. They will also have appropriate operating authorities under
order from the Secretary of Defense and from my capacity as the
Director of NSA/CSS. Each of these cyber mission teams is being trained
to common and strict operating standards so that they can be online
without putting at risk our own military, diplomatic, or intelligence
interests.
I must also mention our concerns over the ongoing budget
uncertainty. Foremost in the minds of many of our people are the
looming furloughs which entail up to 11 days without pay between July 7
and September 21. While many of our personnel are exempted from the
furloughs, others are not, and their absence will degrade our mission
readiness and performance this summer and beyond, and make the
development of a strong and capable cyber force more problematic. Our
people truly are our most important capability. We can and have
showcased the incredibly valuable contributions made by our entire
workforce daily in securing our networks, supporting our war fighters,
and providing unique insights into foreign intelligence targets. I want
to emphasize the harmful impact of furloughs on the vital mission and
functions we perform and on the people we have entrusted to perform or
enable them. Furloughs make hiring new personnel harder and will drive
our best personnel away to jobs awaiting in the private sector. Our
USCYBERCOM and NSA/CSS workforce, regardless of funding stream, is one
that by definition seamlessly collaborates across the many functions
and disciplines that constitute our capabilities and operations. All
are essential to the whole.
guarding privacy and civil liberties
Let me emphasize that our Nation's security in cyberspace is not a
matter of resources alone. It is an enduring principle and an
imperative. Everything depends on trust. We operate in a way that
ensures we keep the trust of the American people because that trust is
a sacred requirement. We do not see a tradeoff between security and
liberty. It is not a choice, and we can and must do both
simultaneously. The men and women of USCYBERCOM and NSA/CSS take this
responsibility very seriously, as do I. Beyond my personal commitment
to do this right, there are multiple oversight mechanisms in place.
Given the nature of our work, of course, few outside of our Executive,
Legislative and Judicial Branch oversight bodies can know the details
of what we do or see that we operate every day under strict guidelines
and accountability within one of the most rigorous oversight regimes in
the U.S. Government. For those of you who do, and who have the
opportunity to meet with the men and women of USCYBERCOM and NSA/CSS,
you have seen for yourself how seriously we take this responsibility
and our commitment to earning and maintaining your trust.
legislation
Although the February 2013 Executive order will help raise the
Nation's cyber defenses, it does not eliminate the urgent need for
legislation in these and other areas of cybersecurity. The
administration's legislative priorities for the 113th Congress build
upon the President's 2011 Cybersecurity Legislative Proposal and take
into account 2 years of public and congressional discourse about how
best to improve the Nation's cybersecurity. We support legislation
that:
--Facilitates cybersecurity information sharing between the
government and the private sector as well as among private
sector companies. We believe that such sharing can occur in
ways that protect privacy and civil liberties, reinforce the
appropriate roles of civilian and intelligence agencies, and
include targeted liability protections;
--Incentivizes the adoption of best practices and standards for
critical infrastructure by complementing the process set forth
under the Executive order;
--Gives law enforcement the tools to fight crime in the digital age;
--Updates Federal agency network security laws, and codifies DHS'
cybersecurity responsibilities; and
--Creates a National Data Breach Reporting requirement.
In each of these legislative areas, we want to incorporate
appropriate privacy and civil liberties safeguards.
The administration wants to continue the dialogue with the Congress
and stands ready to work with Members of Congress to incorporate our
core priorities to produce cybersecurity information-sharing
legislation that addresses these critical issues.
conclusion
Thank you again, Madam Chairwoman and members of the committee, for
inviting me to speak to you today. I also thank you on behalf of the
men and women of USCYBERCOM and NSA/CSS for your support, and for the
support of the Congress. We are working to mitigate the vulnerabilities
inherent in any networked environment or activity while ensuring that
the benefits that we gain and the effects we can create are
significant, predictable, and decisive. If I could leave you with one
thought about the course of events, it is that we have no choice but to
``normalize'' cyberspace operations and to make them part of the
capability set of our senior policymakers and commanders. We are
working closely with our interagency partners as well as other DOD
elements. This is a necessity, for, as I suggest above, our Nation
faces diverse and persistent threats in cyberspace that cannot be
defeated through the efforts of any single organization. Most cyber
operations are interagency efforts, almost by definition. We have
gained valuable insight from the great work of partners like the
Departments of Justice, Commerce, and Homeland Security, as well as
from the collaboration of industry, academia, and allies. Indeed, the
flow of information and expertise across the commands, agencies,
departments and foreign mission partners here and overseas is improving
slowly but steadily. We have much to gain from this partnership, but
perhaps not much more time left before our situation in cyberspace
becomes even more worrisome than today. And now I look forward to your
questions.
STATEMENT OF HON. RAND BEERS, ACTING DEPUTY SECRETARY,
DEPARTMENT OF HOMELAND SECURITY
Mr. Beers. Thank you, General Alexander, and Chairwoman
Mikulski, Ranking Member Shelby, and other distinguished
members of the committee.
We all welcome this opportunity to appear before you. As
you said, Senator Mikulski, this is a unique opportunity to
talk about the range of cybersecurity activities across the
Government, and we welcome that.
As most of you know, cybersecurity is one of the five major
missions of the Department of Homeland Security and one that we
take very seriously. The threats that we face are varied and
serious, and in that regard, our cybersecurity mission focuses
in two primary areas. They are to protect the Federal civilian
networks and to work with the private sector to protect
America's critical infrastructure.
In that regard and as the chairwoman mentioned, the
President's policy initiatives for the year ahead are to secure
Federal networks, to protect critical infrastructure, to
improve incident response, to engage internationally, and to
shape the future.
With respect to the first, this is one of the major areas
that DHS is responsible for. We are investing about $600
million in protecting Federal networks through our intrusion
protection systems and through our continuous diagnostics and
mitigation systems. We are also working heavily with America's
critical infrastructure, both public and private.
We are working under the Executive order with our partners
in NIST to create the cybersecurity framework, and this is, as
you know, an important initiative on our part. The Executive
order, as you know, is the administration's effort after an
attempt to get legislation last year. That is not to say that
we still are not interested in getting that legislation, and
that is certainly something that we want to talk about in the
time ahead.
In addition to that, we are working to improve incident
response, working with our partners in the FBI and with the
National Security Agency. This is a ``call to one, call to
all'' initiative in which we work together both in our
headquarters and our operation center in terms of sharing
information and where we work together in the field in the
deployment of teams to go to particular sites of particular
incidents in order to determine what happened and in order to
be able to provide information to other parts of the private
sector that will help them prevent the same kind of an incident
from occurring.
We are also involved in the international area with
individual countries and partners around the world, but also
with the European Union as well. While it is a small program
within the Department of Homeland Security, it is a very
important program and we have a lot of key partners that we
work with. And that is just in terms of the engagement in terms
of face to face. In terms of the information sharing, our whole
incident response structure, the National Cybersecurity
Communications and Integration Center, on a regular basis
shares information internationally with other computer
emergency readiness teams around the world in order to do with
them what we do for ourselves nationally in order to protect
cyberspace around the world.
And finally, we work in terms of our research and
development and other activities to try to shape the future.
This is an important effort that is ongoing, one in which,
as General Alexander said, we could not do if we were doing it
individually in DHS. It takes all of us here at the table to
make this work.
And I want to thank you for the opportunity to speak with
you today and to talk about DHS programs and our teamwork
together. Thank you.
[The statement follows:]
Prepared Statement of Hon. Rand Beers
Cyberspace is woven into the fabric of our daily lives. According
to recent estimates, globally interconnected communications and
information networks that operate in this space encompass more than 2
billion people with at least 12 billion computers and devices,
including global positioning systems, mobile phones, satellites, data
routers, ordinary desktop computers, and industrial control computers
that run power plants, water systems, and more.
While this increased connectivity has led to significant
transformations and advances across our country--and around the world--
it also has increased the importance and complexity of our shared risk
and requires a collaborative approach within government and between
governments and the private sector. Our daily activities, economic
vitality, and national security depend on the Nation's ability to
secure cyberspace. A vast array of interdependent information
technology (IT) networks, systems, services, and resources are critical
to communication, travel, powering our homes, running our economy, and
obtaining government services. No country, industry, community or
individual is immune to cyber risks. The word ``cybersecurity'' itself
encompasses prevention, protection and resilience against a broad range
of malicious activity from a variety of actors perpetrating denial of
service attacks, targeting our financial system to steal millions of
dollars, accessing valuable trade secrets, and intruding into
government networks and systems that control our critical
infrastructure.
Cyber attacks and intrusions can have very real consequences in the
physical world. The Department of Homeland Security (DHS) is the lead
Federal civilian department responsible for coordinating the national
protection, prevention, mitigation, and recovery from cyber incidents
and works regularly with business owners and operators to take steps to
strengthen their facilities and communities. The Department's National
Cybersecurity and Communications Integration Center (NCCIC) works daily
to enhance situational awareness among stakeholders, including those at
the State and local level, as well as industrial control system owners
and operators, by providing critical cyber threat, vulnerability, and
mitigation data to a number of organizations including through
Information Sharing and Analysis Centers, which are cybersecurity
resources for critical infrastructure sectors. Last year DHS notified
potential targets of a campaign of cyber intrusions that focused on
natural gas and pipeline companies that was highly targeted, tightly
focused and well crafted. With the assistance of our interagency
partners, we responded to this campaign with a comprehensive effort
that included outreach, technical assistance, and mitigation.
The U.S. Government has worked closely with the private sector
during the recent series of denial-of-service incidents against the
financial sector. Together with our interagency partners, we have
provided classified cyber threat briefings and technical assistance to
help banks improve their defensive capabilities. This includes
identifying and releasing hundreds of thousands of distributed denial
of service-related IP addresses and supporting information in order to
help financial institutions and their IT security service providers
improve their defenses. In addition to sharing with these private
sector entities, DHS working with the Department of State (DOS) has
provided this threat information to more than 120 international
partners, many of whom have contributed to our mitigation efforts.
These developments reinforce the need for greater information sharing
and collaboration among government, industry, and individuals to reduce
the ability for malicious actors to establish and maintain capabilities
to carry out such efforts.
In addition to these attacks and intrusions, we also face a range
of traditional crimes now perpetrated through cyber networks. These
include child pornography and exploitation, as well as banking and
financial fraud, all of which pose severe economic and human
consequences. For example, in March 2012, the U.S. Secret Service
(USSS) worked with U.S. Immigration and Customs Enforcement (ICE) to
arrest nearly 20 individuals in its ``Operation Open Market,'' which
seeks to combat transnational organized crime, including the buying and
selling of stolen personal and financial information through online
forums.
Additionally, in late May 2013, the Secret Service, in close
coordination with U.S. Immigration and Customs Enforcement's (ICE)
Homeland Security Investigations (HSI) and the Global Illicit Financial
Team, arrested five individuals and seized bank accounts containing
approximately $20 million located in eight countries. The investigation
of Liberty Reserve, a transnational online payment processor and money
transfer system, led to the seizure of an online domain owned and
operated by the company. It is alleged that Liberty Reserve is used by
criminal elements worldwide to launder money and distribute illegal
proceeds globally. Liberty Reserve had approximately 1 million users
worldwide with more than 200,000 users in the United States. It is
estimated that Liberty Reserve processed more than 12 million financial
transactions annually with a combined value of more than $1.4 billion.
Overall, Liberty Reserve processed an estimated 55 million separate
financial transactions and is believed to have laundered more than $6
billion in criminal proceeds. The United States Attorney's Office for
the Southern District of New York is prosecuting this case.
As Americans become more reliant on modern technology, we also
become more vulnerable to cyber exploits such as corporate security
breaches, social media fraud, and spear phishing, which targets
employees through emails that appear to be from people they know,
allowing cyber criminals to steal personal and business information.
Cybersecurity is a shared responsibility, and each of us has a role
to play. Emerging cyber threats require engagement from government, the
private sector, law enforcement, and members of the public. The success
of our efforts to reduce cybersecurity risks depends on effective
identification of cyber threats and vulnerabilities, analysis, and
enhanced information sharing between departments and agencies from all
levels of government, the private sector, international entities, and
the American public.
department of homeland security mission in protecting government networks and critical infrastructure
DHS is committed to ensuring cyberspace is supported by a secure
and resilient infrastructure that enables open communication,
innovation, and prosperity while protecting privacy, confidentiality,
and civil rights and civil liberties by design. The Department is
achieving its cybersecurity mission by helping to create a safe,
secure, and resilient cyber environment while promoting cybersecurity
knowledge and innovation.
DHS has operational responsibilities for securing unclassified
Federal civilian government networks and working with owners and
operators of critical infrastructure to secure their networks through
cyber threat analysis, risk assessment, mitigation, and incident
response capabilities. The Department is also responsible for
coordinating the Federal Government response to significant cyber or
physical incidents affecting critical infrastructure consistent with
Presidential Policy Directive (PPD) 21. In addition, the Department
combats cyber crime by leveraging the skills and resources of the USSS
and ICE and working in cooperation with partner organizations to
investigate cyber criminals. In addition, pursuant to the President's
recent Executive Order 13636 on Improving Critical Infrastructure
Cybersecurity as well as Presidential Policy Directive 21 on Critical
Infrastructure Security and Resilience, we are working with our
partners to strengthen the security and resilience of critical
infrastructure through an updated and overarching national framework
that acknowledges the increased role of cybersecurity in securing
physical assets.
response to cyber events
The NCCIC is a key component of DHS's ability to work with
government, industry, and international partners to protect critical
cyber and communications systems. To create shared situational
awareness, the NCCIC integrates internal analysis and data,
Intelligence Community and law enforcement reporting, and data shared
by private sector and international partners into a comprehensive
series of actionable information products, including joint products
with the Federal Bureau of Investigation (FBI). The NCCIC works closely
with those Federal agencies most responsible for helping to enhance the
cybersecurity of critical infrastructures, including the Departments of
Treasury and Energy.
In addition to Federal partners, the NCCIC also actively engages
with the appropriate private sector entities; information sharing and
analysis centers; State, local, tribal, and territorial (SLTT)
governments, including the Multi-State Information Sharing and Analysis
Center (MS-ISAC); and international partners. As integral parts of the
cybersecurity and communications community, these groups work together
to protect the portions of critical information technology that they
interact with, operate, manage, or own. The NCCIC leverages the
collective capabilities of its partners to provide joint incident
response to assist with forensic investigations, malware analysis,
network data review, and security posture assessment.
To further increase awareness of both cyber threat and resources
available, the NCCIC and the United States Computer Emergency Readiness
Team (US-CERT) have conducted approximately 50 threat briefings thus
far in fiscal year 2013 as a part of our outreach effort to our
Federal, SLTT, and private sector partners. Since 2009, the NCCIC has
responded to nearly half a million incident reports and released more
than 26,000 actionable cybersecurity alerts to the Department's public
and private sector partners. An integral player within the NCCIC, the
US-CERT also provides response support and defense against cyber-
attacks for Federal civilian agency networks as well as private sector
partners upon request. US-CERT collaborates and shares information with
State and local government, industry, and international partners,
consistent with rigorous privacy, confidentiality, and civil liberties
guidelines, to address cyber threats and develop effective security
responses. In 2012, US-CERT processed approximately 190,000 cyber
incidents involving Federal agencies, critical infrastructure, and the
Department's industry partners--a 68-percent increase from 2011. In
addition, US-CERT issued over 20,411 actionable cyber-alerts over the
past 3 years that were used by private sector and government agencies
to protect their systems.
Similar growth has been seen for the Department's Industrial
Control Systems Computer Emergency Response Team (ICS-CERT) and
National Coordinating Center for Telecommunications (NCC), whose
outreach has resulted in providing access to cyber threat information
to more than 980 and 300 entities, respectively. ICS-CERT also
responded to 177 incidents last year while completing 89 site
assistance visits and deploying 15 teams with US-CERT to assist with
significant private sector cyber incidents. This rapid increase in
production for ICS-CERT, including the dissemination of more than 800
products over the past 3 years, yielded them the award of Best Security
Team by SC Magazine at the 2013 RSA Security Conference.
The effectiveness of DHS's cyber protection, response, mitigation
and recovery relies heavily on sharing information with the private
sector. In 2011, DHS launched the Cyber Information Sharing and
Collaboration Program (CISCP), which is specifically designed to
elevate the cyber awareness of all critical infrastructure sectors
through close and timely cyber threat information sharing and direct
analytical exchange. The Department is constantly enhancing the CISCP.
In an effort to ensure the program continues to evolve with the needs
of industry, DHS has conducted numerous feedback sessions, monthly
collaboration conference calls, and three face-to-face technical
exchanges. It is also working to automate the program so that it can
share information in real-time.
In addition to the CISCP, DHS, in close collaboration with
interagency and private sector partners, is continuing to expand the
Enhanced Cybersecurity Services (ECS) program, which establishes a
voluntary information sharing program that assists critical
infrastructure owners and operators to improve protection of their
systems from unauthorized access, exploitation, or data exfiltration.
DHS works with cybersecurity organizations from across the U.S.
Government to gain access to a broad range of cyber threat information.
ECS consists of the operational processes and security oversight
required to share sensitive and classified cyber threat information
with qualified Commercial Service Providers (CSP). The ECS program
develops threat ``indicators'' with this information and provides CSPs
with those indications of active, malicious cybersecurity activity to
better protect their critical-infrastructure customers.
In fiscal year 2013, DHS has already shared more than 200,000
indicators via the ECS program and other Joint Indicator Bulletin
products with partners for computer network defense. CSPs may use these
threat indicators to provide approved cybersecurity services to
critical infrastructure entities. ECS augments, but does not replace,
entities' existing cybersecurity capabilities. The program was also
built with privacy and civil liberties protections in mind. Consistent
with their commercial agreements with the protected entities, CSPs are
not required to share with the Government, but may voluntarily do so.
The incident information is anonymized, unless the protected entity
consents to having its identity provided to DHS.
combating cyber crime
DHS employs more law enforcement agents than any other department
in the Federal Government and has personnel stationed in every State
and in more than 75 countries around the world. Since 2009, DHS has
prevented $10 billion in potential losses through cyber crime
investigations and arrested more than 5,000 individuals for their
participation in cyber crime activities.
The Department leverages the 31 USSS Electronic Crimes Task Forces
(ECTF), which combine the resources of academia, the private sector,
and local, State and Federal law enforcement agencies to combat
computer-based threats to our financial payment systems and critical
infrastructure. A recently executed partnership between ICE Homeland
Security Investigations and USSS demonstrates the Department's
commitment to leveraging capability and finding efficiencies. Both
organizations will expand participation in the existing ECTFs. In
addition to strengthening each agency's cyber investigative
capabilities, this partnership will produce benefits with respect to
the procurement of computer forensic hardware, software licensing, and
training that each agency requires. The Department is also a partner in
the National Cyber Investigative Joint Task Force, which serves as a
collaborative entity that fosters information sharing across the
interagency.
In fiscal year 2012, the Secret Service arrested 1,378 individuals
for cyber-crime violations while maintaining a 99.6-percent conviction
rate; these criminals were responsible for over $335 million in fraud
losses and could have potentially caused over $1.2 billion in fraud
loss based on financial account information in their possession at the
time of their arrest. As part of its protective duties, the Secret
Service has developed a Critical Systems Protection Program, which
assesses and mitigates the risks to critical infrastructure that could
impact Secret Service protectees or National Special Security Events
(NSSEs). This program applies risk management practices developed by
the National Institute of Standards and Technology to help critical
infrastructure owners and operators secure their systems from cyber
threats. From October 2009 to May 2013 this program has conducted over
560 advances and secured eight NSSEs.
In the course of investigating cyber crimes over the last 30 years,
the Secret Service has developed a number of cybersecurity capabilities
to support its mission. The backbone of the ECTFs is its Electronic
Crimes Special Agent Program (ECSAP), which is comprised of nearly
1,400 Secret Service special agents who have received at least one of
three levels of computer crimes-related training. These agents are
deployed in more than 98 Secret Service offices throughout the world
and have received training in forensic identification, preservation and
retrieval of electronically stored evidence. ECSAP-trained agents are
computer investigative specialists, qualified to conduct examinations
on all types of electronic evidence. These special agents are equipped
to investigate the continually evolving arena of electronic and cyber
crimes and have proven invaluable in the successful prosecution of
criminal groups involved in computer fraud, bank fraud, identity theft,
access device fraud and various other electronic and cyber crimes
targeting our financial institutions and private sector. USSS also
supports State and local law enforcement, in addition to other Federal
agencies, by making these capabilities available to support their
operations.\1\ They include computer forensics specialists, mobile
wireless investigation teams, and advanced research support.
---------------------------------------------------------------------------
\1\ Included are the following:
-- Computer forensics specialists, which in fiscal year 2012
conducted more than 7,000 digital forensics exams, totaling more than
1,100 terabytes of data;
-- Cell Phone Forensics Facility at University of Tulsa, which
since opening in 2008 has supported 6,135 exams, and 305 advanced exams
at the University of Tulsa;
-- 22 Mobile Wireless Investigations Teams, which in fiscal year
2012 conducted nearly 1,140 investigations, supporting primarily State
and local law enforcement with this advanced capability and directly
contributing to solving homicide cases and locating missing persons;
-- Advanced research support at Carnegie Mellon and development
of advanced tools for use by law enforcement partners; and
-- Support of landmark research studies, like the Insider Threat
Report, Verizon Data Breach Investigations Report, and the Trust Wave
Global Security Report, which are an effective way to share law
enforcement information, while protecting victim privacy, to develop
national understanding of cyber risks.
---------------------------------------------------------------------------
To expand its collaborative efforts, the Secret Service provides
its ECSAP training to investigators at the ICE Computer Crimes Center
as well as via the National Computer Forensics Institute (NCFI), which
is a result of a partnership between the National Protection and
Programs Directorate, the Secret Service, the State of Alabama, the
City of Hoover, Shelby County, the Alabama District Attorney's
Association, and the Alabama Securities Commission, established to
provide computer forensic training and tools to State and local law
enforcement officers, prosecutors, and judges. Investigators are
trained to respond to network intrusion incidents and conduct
electronic and cyber crimes investigations. This training also has the
benefit of providing State and local law enforcement with the skills
and tools to combat a myriad of crimes in their community. Further, the
NCFI has supported training for DHS Fusion Centers and the FBI's
National Domestic Communications Assistance Center. Responding to the
growth of cyber crimes and the level of sophistication these criminals
employ requires training, resources and greater collaboration among law
enforcement and its public and private sector partners.
Since opening in May 2008, NCFI has trained more than 2,050 State
and local officials, including more than 1,360 police investigators,
525 prosecutors and 165 judges from all 50 States and three U.S.
territories.
In addition to these activities, ICE HSI's Cyber Crimes Center (C3)
delivers computer-based technical services to support domestic and
international investigations into cross-border crime. C3 is made up of
the Cyber Crimes Unit, the Child Exploitation Investigations Unit and
the Computer Forensics Unit. This state-of-the-art center offers cyber
crime support and training to Federal, State, local and international
law enforcement agencies. C3 also operates a fully equipped computer
forensics laboratory, which specializes in digital evidence recovery,
and offers training in computer investigative and forensic skills.
cooperation across the federal government
Successful response to dynamic cyber threats requires leveraging
homeland security, law enforcement, national defense, and intelligence
authorities and capabilities, which respectively promote domestic
preparedness, criminal deterrence and investigation, and national
defense. DHS, the Department of Justice (DOJ), and the Department of
Defense (DOD) each play a key role in responding to cybersecurity
incidents that pose a risk to the United States. To achieve a whole of
government response to specific cyber incidents, DHS, DOJ, and DOD
synchronize their operations. The leaders of DHS, DOJ, and DOD have
held a series of meetings to clarify the lanes in the road in cyber
jurisdiction. The group agreed that DHS's primary role is to protect
critical infrastructure and networks, coordinate mitigation and
recovery, disseminate threat information across various sectors and
investigate cybercrimes under DHS's jurisdiction. DOJ is the lead for
investigation, enforcement, and prosecution of those responsible for
cyber intrusions affecting the United States. As part of DOJ, the FBI
conducts domestic national security operations; investigates,
attributes, and disrupts cybercrimes; and collects, analyzes, and
disseminates domestic cyber intelligence. DOD's role is to defend the
Nation, gather intelligence on foreign cyber threats, and to protect
national security systems. DHS supports our partners in many ways. For
example, the United States Coast Guard as an Armed Force has partnered
with U.S. Cyber Command and U.S. Strategic Command to prepare for
military cyberspace operations as directed. In coordination with DOS,
DHS also works with international partners in strategic and operational
engagements.
While each agency operates within the parameters of its
authorities, the U.S. Government's response to cyber incidents of
consequence is coordinated among these three agencies such that ``a
call to one is a call to all.'' Synchronization among DHS, DOJ, and DOD
not only ensures that whole of Government capabilities are brought to
bear against cyber threats, but also improves Government's ability to
share timely and actionable cybersecurity information among a variety
of partners, including the private sector.
presidential policy directive 21 and cyber executive order 13636
America's national security and economic prosperity are
increasingly dependent upon the cybersecurity of critical
infrastructure. With today's physical and cyber infrastructure growing
more inextricably linked, critical infrastructure and emergency
response functions are inseparable from the information technology
systems that support them. The Federal Government's role in this effort
is to share information and to encourage enhanced security and
resilience, while also identifying gaps not filled by the marketplace.
As mentioned previously, the enhanced information sharing programs
supported by Executive Order 13636 and PPD-21 help secure critical
infrastructure and increase its resilience against cyber and physical
attacks, as well as natural disasters and terrorist attacks.
To complement PPD-21, Executive Order 13636 promotes more efficient
sharing of cyber threat information with the private sector and directs
the establishment of a cybersecurity framework to identify and
implement better security practices among critical infrastructure
sectors. Through partnerships between the Government and private
sector, the critical infrastructure cyber systems upon which much of
our economic well-being, national security, and daily lives depend are
being better protected. PPD-21 and Executive Order 13636 reinforce
holistic thinking and action in the realms of security and risk
management and the issuance of these important documents allows us to
build upon and enhance our existing partnership model with our key
private sector and SLTT partners. Implementation of Executive Order
13636 and PPD-21 will also drive action toward system and network
security and resilience. The Department is well positioned to make
advances in the space defined by the cyber-physical security nexus that
PPD-21 and Executive Order 13636 address.
budget priorities
The fiscal year 2014 budget supports initiatives to secure our
Nation's information and financial systems and to defend against cyber
threats to private-sector and Federal systems, the Nation's critical
infrastructure, and the U.S. economy. Taken together, the
administration's initiatives strengthen the security and resilience of
critical infrastructure against evolving threats through an updated and
overarching national framework that acknowledges the linkage between
cybersecurity and securing physical assets.
Included in the fiscal year 2014 budget are enhancements to the
National Cybersecurity Protection System (NCPS) to prevent and detect
intrusions on Government computer systems and to the National
Cybersecurity and Communications Integration Center to protect against
and respond to cybersecurity threats. The budget also leverages the new
operational partnership between ICE and USSS through the established
network of USSS ECTFs to safeguard the Nation's financial payment
systems, combat cybercrimes, target transnational child exploitation
including large-scale producers and distributors of child pornography,
and prevent attacks against U.S. critical infrastructure.
--Federal Network Security.--$200 million is included for Federal
Network Security, which manages activities designed to enable
Federal agencies to secure their IT networks. The budget
provides funding to further reduce risk in the Federal cyber
domain by enabling continuous monitoring and diagnostics of
networks in support of mitigation activities designed to
strengthen the operational security posture of Federal civilian
networks. DHS will directly support Federal civilian
departments and agencies in developing capabilities to improve
their cybersecurity posture and to better thwart advanced,
persistent cyber threats that are emerging in a dynamic threat
environment.
--NCPS.--$406 million is included for Network Security Deployment,
which manages NCPS, operationally known as EINSTEIN. NCPS is an
integrated intrusion detection, analytics, information-sharing,
and intrusion-prevention system that supports DHS
responsibilities to defend Federal civilian networks.
--US-CERT.--$102 million is included for operations of US-CERT, which
leads and coordinates efforts to improve the Nation's
cybersecurity posture, promotes cyber information sharing, and
manages cyber risks to the Nation. US-CERT encompasses the
activities that provide immediate customer support and incident
response, including 24-hour support in the National
Cybersecurity and Communications Integration Center. As more
Federal network traffic is covered by NCPS, additional US-CERT
analysts are required to ensure cyber threats are detected and
the Federal response is effective.
--SLTT Engagement.--In fiscal year 2014, DHS will expand its support
to the MS-ISAC to assist in providing coverage for all 50
States and 6 U.S. territories in its managed security services
program. MS-ISAC is a central entity through which SLTT
governments can strengthen their security posture through
network defense services and receive early warnings of cyber
threats. In addition, the MS-ISAC shares cybersecurity incident
information, trends, and other analysis for security planning.
--Cybersecurity Research and Development.--The fiscal year 2014
budget includes $70 million for the Science and Technology
Directorate's research and development focused on strengthening
the Nation's cybersecurity capabilities.
--Cyber Investigations.--The fiscal year 2014 budget continues to
support ICE and USSS to strategically investigate domestic and
international criminal activities, including computer fraud,
network intrusions, financial crimes, access device fraud, bank
fraud, identity crimes and telecommunications fraud, benefits
fraud, arms and strategic technology, money laundering,
counterfeit pharmaceuticals, child pornography, and human
trafficking occurring on or through the Internet. The budget
continues to enable these DHS law enforcement agencies to
provide computer forensics support and training for law
enforcement partners to enable them to effectively investigate
cyber crime and conduct other highly technical investigations.
ICE projects a fiscal year 2014 expenditure of $13.8 million
for the Cyber Crimes Center supporting investigations to
identify, disrupt, and dismantle domestic and transnational
criminal organizations engaged in crimes facilitated by use of
computers and cyberspace. In addition, ICE expects to spend
$96.5 million on investigations of cyber crime/child
exploitation. Other investigations of illicit trade, travel and
finance all make use of cyber investigative techniques
including computer forensic analysis. The Secret Service's
ECTFs will also continue to focus on the prevention of cyber
attacks against U.S. financial payment systems and critical
infrastructure through aggressive investigation and information
sharing.
--Cyber Protection.--The fiscal year 2014 budget includes $13.5
million to enhance the Secret Service's ability to secure
protective venues, National Special Security Events and
associated Critical Infrastructure/Key Resources from cyber
attacks.
cyber legislative priorities
It is important to note that the Executive order directs Federal
agencies to work within current authorities and increase voluntary
cooperation with the private sector to provide better protection for
computer systems critical to our national and economic security. It
does not grant new regulatory authority or establish additional
incentives for participation in a voluntary program. We continue to
believe that a suite of legislation is necessary to implement the full
range of steps needed to build a strong public-private partnership, and
we will continue to work with the Congress to achieve this.
To help us achieve our mission, we have created a number of
competitive scholarship, fellowship, and internship programs to attract
top talent. We are growing our world-class cybersecurity workforce by
creating and implementing standards of performance, building and
leveraging a cybersecurity talent pipeline with secondary and post-
secondary institutions nationwide, and institutionalizing an effective,
ongoing capability for strategic management of the Department's
cybersecurity workforce. Congress can support this effort by pursuing
legislation that provides DHS with the hiring and pay flexibilities we
need to secure Federal civilian networks, protect critical
infrastructure, respond to cyber threats, and combat cybercrime.
conclusion
The American people expect us to secure the country from the
growing danger of cyber threats and ensure the Nation's critical
infrastructure is protected. The threats to our cybersecurity are real,
they are serious, and they are urgent. I appreciate this committee's
guidance and support as, together, we work to keep our Nation safe.
STATEMENT OF RICHARD A. MCFEELY, EXECUTIVE ASSISTANT
DIRECTOR, CRIMINAL, CYBER, RESPONSE, AND
SERVICES BRANCH, FEDERAL BUREAU OF
INVESTIGATION, DEPARTMENT OF JUSTICE
Mr. McFeely. Good afternoon, Madam Chairwoman, Vice
Chairman Shelby, and members of the committee.
It is difficult to overstate the potential impacts cyber
threats pose to our economy, our national security, and the
critical infrastructure upon which our country relies. That is
why the FBI, along with our key partners sitting at the table
here, are strengthening our cyber capabilities in the same way
we enhanced our intelligence and national security capabilities
in the wake of 9/11.
I want to talk briefly about what the FBI's response has
been, but I echo both of these two gentlemen's comments that
this is a whole of Government approach when it comes to
addressing this issue.
In the last year within the FBI, we have undergone a
paradigm shift in how we conduct cyber operations. While we
previously watched, collected information, and added to our
understanding of the adversaries' intentions, we did not always
take action by seeking to disrupt them as we might in a
counterterrorism case. We are now, working with our partners,
successfully disrupting and impacting the individuals behind
the keyboard who have made it their mission to attack, steal,
spy, and commit terrorist acts against our Nation and its
citizens. Instead of watching foreign countries steal our
intellectual property, we are going out to companies and trying
to prevent it.
For example, working with DHS, we now routinely provide
private industry and our law enforcement partners overseas with
IP addresses that are responsible for launching attacks against
our country. Just last week, the FBI, Microsoft, and the
financial services industry conducted separate but coordinated
operations to successfully disrupt more than 1,000 botnets,
networks of compromised computers that had been infected with a
malware known as Citadel. The botnets were part of a massive
global cyber crime operation estimated to be responsible for
more than half a billion dollars in financial fraud.
These actions are part of a larger U.S. Government strategy
led by the National Cyber Investigative Joint Task Force, or
NCIJTF, to target botnet creators and distributors. They
exemplify how the FBI and our partners are using private/public
partnerships both domestically and internationally to protect
the public from cyber criminals.
At the NCIJTF, which serves as the deconfliction center on
cyber threat investigations among 19 U.S. and two international
agencies, the Government is coordinating its efforts at an
unprecedented level. This coordination involves senior
personnel at key agencies. While it is led by the FBI, it now
has Deputy Directors from the National Security Agency, DHS,
the Central Intelligence Agency (CIA), the U.S. Secret Service,
and U.S. Cyber Command.
We must recognize that to work together we have to make
sure that we keep pace and surpass the capabilities of our
cyber adversaries. As General Alexander described earlier, the
leaders of the FBI, DHS, and NSA met last fall and clarified
the lanes in the road to cyber jurisdiction. And I believe that
the collective opinion among the worker levels is that there is
now an unprecedented level of cooperation not seen since the
immediate post-9/11 era.
In addition to strengthening our partnerships in
Government, we have significantly enhanced our collaboration
with the private sector. As part of that outreach, we have
begun to provide industry partners with classified threat
briefings and other information and tools to help repel
intruders. Among these tools is a new platform we are
developing for trusted industry partners to report cyber
incidents to all of Government in real time. Known as
iGuardian, it is based on a successful Guardian terrorist
threat tracking and collaboration system developed after 9/11.
We are also developing an automated malware analysis tool to
which law enforcement and industry partners could submit
samples of malware for triage and analysis. We expect an
unclassified version of this system to be piloted with the
private sector this fall.
And while we have been primarily focused on cyber
intrusions, which we see as the greatest cyber threat to our
national security, we are working with our State and local law
enforcement partners to identify and address gaps in the
investigation and prosecution of Internet fraud crimes. The
FBI and the U.S. Secret Service should not bear all responsibility
for this. We believe that there is a huge space for our State
and local partners to join us in this fight.
To address these gaps, we have developed a pilot program,
in collaboration with the International Chiefs of Police and
other law enforcement organizations to enhance the Internet
fraud targeting packages that the FBI's Internet Crime
Complaint Center, or IC3, currently provides to State and local
law enforcement for investigation and potential prosecution.
I thank you for the opportunity to be here today and look
forward to answering questions.
[The statement follows:]
Prepared Statement of Richard A. McFeely
Good afternoon Chairwoman Mikulski, Vice Chairman Shelby, and
members of the committee. I appreciate the opportunity to appear before
you today to discuss the cyber threat, how the Federal Bureau of
Investigation (FBI) has responded to it, and how we are marshaling our
resources and strengthening our partnerships to more effectively combat
the increasingly sophisticated adversaries we face in cyberspace.
the cyber threat
As the committee is well aware, the frequency and impact of cyber
attacks on our Nation's private sector and government networks have
increased dramatically in the past decade, and are expected to continue
to grow. Since 2002, the FBI has seen an 84-percent increase in the
number of computer intrusion investigations.
Our adversaries in the cyber realm include spies from nation-states
who seek our secrets and intellectual property; organized criminals who
want to steal our identities and money; terrorists who aspire to attack
our power grid, water supply, or other infrastructure; and hacktivist
groups who are trying to make a political or social statement. It is
difficult to overstate the potential impact these threats pose to our
economy, our national security, and the critical infrastructure upon
which our country relies. The bottom line is we are losing data, money,
ideas, and innovation to a wide range of cyber adversaries and much
more is at stake.
Director Mueller has said he expects the cyber threat to surpass
the terrorism threat to our Nation in the years to come. That is why we
are strengthening our cyber capabilities in the same way we enhanced
our intelligence and national security capabilities in the wake of the
September 11th attacks.
federal bureau of investigation response
The FBI recognized the significance of the cyber threat more than a
decade ago and, in response, created the Cyber Division and elevated
the cyber threat to our number three national priority (only after
counterterrorism and counterintelligence). We also significantly
increased our hiring of technically trained agents, analysts, and
forensic specialists and expanded our partnerships with law
enforcement, private industry, and academia.
We have made great progress since the Cyber Division was first
created in 2002. Prior to that, we considered it a success when we
recognized that networks were being attacked. We soon enhanced our
ability to determine attribution, knowing who was breaking into our
computers and networks, and to track Internet Protocol (IP) addresses
back to their source. Now, the question we ask ourselves is, ``How are
we going to take action on that information?''
The perpetrators of these attacks are often overseas, but in the
past, tracking an IP address back to its source in a foreign country
usually led to a dead end. To address this problem, we embedded cyber
agents with law enforcement in several key countries, including
Estonia, Ukraine, the Netherlands, Romania, and Latvia. We have also
worked with several of these countries to extradite subjects from their
countries to stand trial in the United States.
Building on the success of our international outreach, we are
currently expanding our Cyber Assistant Legal Attache program to the
United Kingdom (U.K.), Singapore, Bulgaria, Australia, Canada, the
Republic of Korea, and Germany.
recent successes
A prime example of international collaboration came in the 2011
takedown of Rove Digital, a company founded by a ring of Estonian and
Russian hackers to commit a massive Internet fraud scheme. The scheme
infected more than 4 million computers in more than 100 countries with
malware. The malware secretly altered the settings on infected
computers, enabling the hackers to hijack Internet searches using rogue
servers for Domain Name System (DNS) routers and re-route computers to
certain Web sites and ads. The company received fees each time these
Web sites or ads were clicked on or viewed by users and generated $14
million in illegitimate income for the operators of Rove Digital.
Following the arrest of several alleged co-conspirators in Estonia,
FBI agents, linguists, and forensic examiners assisted Estonian
authorities in retrieving and analyzing data linking them to the
scheme. Seven individuals have been indicted in the Southern District
of New York in this case. Two of the six for which the United States
sought extradition have been remanded to U.S. custody and have recently
pleaded guilty to wire fraud and computer intrusion.
While the FBI and our partners have had multiple recent
investigative successes against the threat, we are continuing to push
ourselves to respond more rapidly and prevent attacks before they
occur.
One area in which we have had great success with our overseas
partners recently is in targeting infrastructure we believe has been
used in Distributed Denial of Service (DDOS) attacks, and preventing it
from being used for future attacks. Since October 2012, the FBI and the
Department of Homeland Security (DHS) have released nearly 168,000
Internet Protocol addresses of computers that were believed to be
infected with DDOS malware. We have released this information through
Joint Indicator Bulletins (JIBs) to more than 130 countries via DHS'
National Cybersecurity and Communications Integration Center Team as
well as our Legal Attaches.
These actions have enabled our foreign partners to take action and
reduced the effectiveness of the botnets and the DDOS attacks. We are
continuing to target botnets through this strategy and others.
next generation cyber
The need to prevent attacks is a key reason we have redoubled our
efforts to strengthen our cyber capabilities while protecting privacy,
confidentiality, and civil liberties. The FBI's Next Generation Cyber
Initiative, which we launched in 2012, entails a wide range of
measures, including focusing the Cyber Division on intrusions into
computers and networks--as opposed to crimes committed with a computer
as a modality; establishing Cyber Task Forces in each of our 56 field
offices to conduct cyber intrusion investigations and respond to
significant cyber incidents; hiring additional computer scientists to
assist with technical investigations in the field; and expanding
partnerships and collaboration at the National Cyber Investigative
Joint Task Force (NCIJTF).
At the NCIJTF--which serves as a coordination, integration, and
information sharing center among 19 U.S. agencies and two foreign
governments for cyber threat investigations--we are coordinating at an
unprecedented level. This coordination involves senior personnel at key
agencies. NCIJTF, which is led by the FBI, now has deputy directors
from the National Security Agency (NSA), DHS, the Central Intelligence
Agency, U.S. Secret Service, and U.S. Cyber Command. We recently
invited our Five Eyes partners to join us at the NCIJTF. Australia
agreed, and embedded personnel there in May. The U.K. is scheduled to
do so in July 2013. By developing partnerships with these and other
nations, NCIJTF is working to become the international leader in
synchronizing and maximizing investigations of cyber adversaries.
We recognize that we must work together more efficiently than ever
to keep pace with and surpass our cyber adversaries. To that end, the
leaders of the FBI, DHS, and NSA recently held a series of meetings to
clarify the lanes in the road in cyber jurisdiction. The group agreed
that the Department of Justice (DOJ) is the lead for investigation,
enforcement, and prosecution of those responsible for cyber intrusions
affecting the United States. As part of DOJ, the FBI conducts domestic
national security operations; investigates, attributes, and disrupts
cybercrimes; and collects, analyzes, and disseminates domestic cyber
intelligence. DHS's primary role is to protect critical infrastructure
and networks, coordinate mitigation and recovery, disseminate threat
information across various sectors and investigate cybercrimes under
DHS's jurisdiction. The Department of Defense's role is to defend the
Nation, gather intelligence on foreign cyber threats, and to protect
national security systems.
Earlier this year, the U.S. Intellectual Property Enforcement
Coordinator released the administration's Strategy on Mitigating the
Theft of U.S. Trade Secrets. As part of the strategy, the Department of
Justice, including the FBI, will continue to prioritize prosecutions
and investigations of foreign corporate and state-sponsored trade
secret theft. Further, the FBI is expanding its efforts to fight
computer intrusions that involve the theft of trade secrets by
individuals, foreign corporations, and nation-state cyber hackers.
While we are primarily focused with our Federal partners on cyber
intrusions, we are also working with our State and local law
enforcement partners to identify and address gaps in the investigation
and prosecution of Internet fraud crimes.
Currently, the FBI's Internet Crime Complaint Center (IC3) collects
reports from private industry and citizens about online fraud schemes,
identifies emerging trends, and produces reports about them. The FBI
investigates fraud schemes that are appropriate for Federal prosecution
(based on factors like the amount of loss). Others are packaged
together and referred to State and local law enforcement. However, we
have learned that very few of these referred cases are being worked.
To close this gap, we have developed a pilot program in
collaboration with the International Association of Chiefs of Police,
the Major City Chiefs Association, and the National Sheriffs'
Association to enhance the Internet fraud targeting packages IC3
provides to State and local law enforcement for investigation and
potential prosecution. During the first phase of the pilot, IC3 will
develop better investigative leads for direct dissemination to State
and local agencies, beginning with the Utah Department of Public
Safety.
private sector outreach
In addition to strengthening our partnerships in government and law
enforcement, we recognize that to effectively combat the cyber threat,
we must significantly enhance our collaboration with the private
sector. Our Nation's companies are the primary victims of cyber
intrusions and their networks contain the evidence of countless
attacks.
In the past, industry has provided us information about attacks
that have occurred, and we have investigated the attacks, but we have
not always provided information back. We realize the flow of
information must go both ways. As part of our enhanced private sector
outreach, we have begun to provide industry partners with classified
threat briefings and other information and tools to help them repel
intruders.
Among them is a new platform we are developing for trusted private
industry partners to report cyber incidents to us in real time. Known
as iGuardian, it is based on the FBI's successful Guardian terrorist
threat tracking and collaboration system. Guardian has also been
enhanced to accept cyber incident reporting from fusion centers and
State and local law enforcement.
Over the past year, we have been engaged in classified briefs on
nearly a daily basis at NCIJTF with private-sector partners and
representatives of our Nation's most critical infrastructure sectors.
Earlier this year, in coordination with the Treasury Department, we
provided a classified briefing on threats to the financial services
industry to executives of more than 40 banks who participated via
secure video teleconference in FBI field offices around the country.
In addition to these actions, we are also expanding our
partnerships with private industry and academia through initiatives
like InfraGard--a public-private coalition of 55,000 members to protect
critical infrastructure--and the National Cyber-Forensics and Training
Alliance, a proven model for sharing private sector information in
collaboration with law enforcement.
fiscal year 2014 budget request
The combined result of these actions is that the FBI has undergone
a paradigm shift over the past year in how we are responding to the
cyber threat, particularly national security cyber threats. While we
previously watched, collected information, and added to our
understanding of our nation-state adversaries' intentions, we are now
looking to disrupt and deter the individuals behind the keyboard who
have made it their mission to attack, steal, spy, and commit terrorist
attacks against our Nation and its citizens.
Instead of watching foreign countries steal our intellectual
property, we're going out to companies and trying to prevent it. For
example, in coordination with DHS, we will provide organizations with
IP addresses that are likely to launch attacks against them or the
e-mail addresses used to send their employees messages with links to
malicious software, in a technique known as ``spearphishing.''
Undertaking these new actions and initiatives requires additional
personnel and other resources. That is why, to help the FBI combat this
rapidly developing and diverse threat, the fiscal year 2014 budget
request includes an additional 152 positions (60 Special Agents, 1
Intelligence Analyst, and 91 Professional Staff) and $86.6 million to
help address this threat.
conclusion
In conclusion, Chairwoman Mikulski, to counter the threats we face,
we are engaging in an unprecedented level of collaboration within the
U.S. Government, with the private sector, and with international law
enforcement.
We are grateful for the committee's support and look forward to
continuing to work with you and expand our partnerships as we determine
a successful course forward for the Nation to defeat our cyber
adversaries.
Thank you again for the opportunity to be here today. I would be
happy to answer any questions you may have.
STATEMENT OF HON. DR. PATRICK D. GALLAGHER, ACTING
DEPUTY SECRETARY, DEPARTMENT OF COMMERCE;
DIRECTOR, NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY
Chairwoman Mikulski. Dr. Gallagher.
Dr. Gallagher. Thank you. Chairwoman Mikulski and Vice
Chairman Shelby, members of the committee, it is a distinct
pleasure to be here today to join my colleagues to talk to you
about cybersecurity.
Since I am batting cleanup, I want to touch quickly on just
two topics.
First is the all-of-Government approach. Good teamwork is
based on playing your position, and the NIST position is based
on our mission. We are a measurement science and standards
organization, and our role is to support industry, the owners
and operators of this infrastructure, as they respond to the
information that they get from our Intelligence Community, from
our law enforcement community, and from Homeland Security.
This is a top priority for NIST. In our fiscal year 2014
budget request, there was a $24 million increase to
cybersecurity R&D programs at NIST. This is on top of making
our total investment of $68 million. This funding enables our
R&D performance in a number of critical areas, including the
National Initiative for Cybersecurity Education, an interagency
effort; the National Strategy for Trusted Identities in
Cyberspace; the National Cybersecurity Center of Excellence;
and implementation of Executive Order 13636, ``Improving
Critical Infrastructure Cybersecurity.''
Second, I would like to give you a quick update on the
Executive order. As many of you know, under the order, NIST has
been directed to work with industry to develop a framework of
cybersecurity practices, methods, and so forth that supports
the performance goals established by the Department of Homeland
Security. For this to be successful, two major elements have to
be part of the approach.
First is an effective partnership between the agencies, and
that is occurring. In fact, we memorialized this with a
memorandum of understanding between DHS and NIST and with close
working collaborations with my colleagues here.
And second, the cybersecurity framework must be developed
through a process that is industry-led, open and transparent to
all of the stakeholders because it is by having industry
develop their own practices that are responsive to the
performance goals that we end up with an output that is
technically robust, because it draws on their expertise, and is
aligned with business interests and practice.
This is not a new or novel approach for NIST. We have
utilized a similar approach in the recent past to address other
national priorities, including the smart grid and cloud
computing.
Madam Chair, I appreciate the challenge before us. The
Executive order is very aggressive in the timing for the
framework process. It is to be developed within 1 year. The
first draft is due in 120 days. Today marks the halfway point
in that process. We have issued, in support of this effort, a
request for information and have gathered input from industry
and other stakeholders. We have held the first two of four
planned workshops to support this process, and we will use
these workshops to finalize and develop the framework because
it is this type of approach that allows us the appropriate
level of collaboration and engagement with industry.
In May, we released the initial findings and the early
analysis from the request for information. That release marks
the transition from sort of gathering facts to actually
building the framework. In 8 months, we will have an initial
draft of the framework, including an initial list of standards,
guidelines, and practices, and then following that, we will
work with our agency partners to finalize the framework. But
even after the framework is done, the work is really only just
beginning. Adoption and use of the framework is going to raise
new issues to address. The goal at the end of this process is
for industry to adopt the framework themselves so it becomes an
ongoing process that enhances cybersecurity.
The President's Executive order lays out an urgent and
ambitious agenda, but it is designed around an active
collaboration between the public and private sectors, and I
wholeheartedly believe that partnership is the essential
ingredient for its success.
In short, the cybersecurity challenge, both in the dot-gov
and in the dot-com domain, is greater than it has ever been.
Active collaboration among the private sector and between the
public and private sectors is really the only way we can meet
this challenge, leveraging both sides' roles, responsibilities,
and capabilities.
And we have a lot of work, and I look forward to working
with this committee to make it happen. Thank you.
[The statement follows:]
Prepared Statement of Hon. Dr. Patrick D. Gallagher
Chairwoman Mikulski, Vice Chairman Shelby, members of the
committee, I am Patrick Gallagher, Under Secretary of Commerce for
Standards and Technology and Director of the National Institute of
Standards and Technology (NIST), a nonregulatory bureau within the U.S.
Department of Commerce. I am also currently serving as the Acting
Deputy Secretary of Commerce. Thank you for this opportunity to testify
today on NIST's roles and responsibility for cybersecurity.
the role of the national institute of standards and technology in
cybersecurity
NIST's overall mission is to promote U.S. innovation and industrial
competitiveness by advancing measurement science, standards, and
technology in ways that enhance economic security and improve our
quality of life. Our work in addressing technical challenges related to
national priorities has ranged from projects related to the Smart Grid
and electronic health records to atomic clocks, advanced nanomaterials,
and computer chips.
In the area of cybersecurity, NIST has worked with Federal
agencies, industry, and academia since 1972, when it was given the
responsibility for the development of the Data Encryption Standard. Our
role to research, develop and deploy information security standards and
technology to protect information systems against threats to the
confidentiality, integrity and availability of information and
services, was then strengthened through the Computer Security Act of
1987 and reaffirmed through the Federal Information Security Management
Act of 2002.
Consistent with our mission, NIST actively engages with industry,
academia, and other parts of the Federal Government including the
Intelligence Community, and with elements of the law enforcement and
national security communities. These collaborations inform our efforts
in coordinating and prioritizing cybersecurity research, standards
development, standards conformance demonstration and cybersecurity
education and outreach.
Our broader work in the areas of information security, trusted
networks, and software quality is applicable to a wide variety of
users, from small and medium enterprises to large private and public
organizations including agencies of the Federal Government and
companies involved with critical infrastructure.
We employ collaborative partnerships with our customers and
stakeholders in industry, government and academia, to take advantage of
their technical and operational insights and to leverage the resources
of a global community. These collaborative efforts and our private
sector collaborations in particular, are constantly being expanded by
new initiatives, including in recent years through the National
Initiative for Cybersecurity Education (NICE), National Strategy for
Trusted Identities in Cyberspace (NSTIC), the National Cybersecurity
Center of Excellence (NCCoE), and through development of the
Cybersecurity Framework under Executive order (EO) 13636, ``Improving
Critical Infrastructure Cybersecurity.''
My testimony has four parts today: I'll discuss the role of NIST in
protecting Federal information systems; our engagement with industry;
our work under the President's Executive order; and how our funding
supports all of those efforts.
the role of the national institute of standards and technology in
protecting federal information systems
The E-Government Act of 2002, Public Law 107-347, recognized the
importance of information security to the economic and national
security interests of the United States. Title III of the E-Government
Act, known as the Federal Information Security Management Act of 2002
(FISMA), included duties and responsibilities for the National
Institute of Standards and Technology to develop standards and
guidelines for Federal information systems.
The NIST Special Publications (SPs) and Interagency Reports (IRs)
provide management, operational, and technical security guidelines for
Federal agencies and cover a broad range of topics such as BIOS
management and measurement, key management and derivation, media
sanitization, electronic authentication, security automation, Bluetooth
and wireless protocols, incident handling and intrusion detection,
malware, cloud computing, public key infrastructure, risk assessments,
supply chain risk management, authentication, access control, security
automation and continuous monitoring.
Beyond these documents--which are peer-reviewed throughout
industry, government, and academia--NIST conducts workshops, awareness
briefings, and outreach to ensure comprehension of standards and
guidelines, to share ongoing and planned activities, and to aid in
scoping guidelines in a collaborative, open, and transparent manner.
In support of FISMA implementation, in recent years NIST has
strengthened its collaboration with the Department of Defense, the
Intelligence Community, and the Committee on National Security Systems,
through the Joint Task Force Transformation Initiative, which continues
to develop key cybersecurity guidelines for protecting Federal
information and information systems for the Unified Information
Security Framework.
This collaboration allows the most broad-based and comprehensive
set of safeguards and countermeasures ever developed for information
systems. This unified framework provides a standardized method for
expressing security at all levels, from operational implementation to
compliance reporting. It allows for an environment of information
sharing and interconnections among these communities and significantly
reduces costs, time, and resources needed for finite sets of systems
and administrators to report on cybersecurity to multiple authorities.
To support agency implementation of cloud technology, NIST has
worked with the General Services Administration (GSA) to help establish
the Federal Risk and Authorization Management Program (FedRAMP) to
identify security assessment requirements, and prototype a process for
approving Third-Party Assessment Organizations (3PAOs) that demonstrate
capability in assessing Cloud Service Provider (CSP) information
systems for conformance to identified standards and guidelines.
Given the Department of Homeland Security's (DHS's) important role
in Federal agency cybersecurity, our partnership with DHS informs
NIST's collaborative efforts. Earlier in the year I signed a Memorandum
of Agreement with DHS Undersecretary Rand Beers to ensure that our work
with industry on cybersecurity standards, best practices, and metrics
is fully integrated with the information sharing, threat analysis,
response, and other work of DHS. We believe this will help enable a
more holistic approach to addressing the complex nature of the
challenge facing Federal agencies.
the national institute of standards and technology's engagement with
industry
It is important to note that the impact of NIST's activities under
FISMA extends beyond providing the means to protect Federal IT systems.
They provide the cybersecurity foundations for the public trust that is
essential to our realizing the national and global productivity and
innovation potential of electronic business and its attendant economic
benefits. Many organizations voluntarily follow these standards and
guidelines, reflecting their wide acceptance throughout the world.
Beyond our responsibilities under FISMA, under the provisions of
the National Technology Transfer and Advancement Act, Public Law 104-
113, and related OMB Circular A-119, NIST is tasked with the key role
of encouraging and coordinating Federal agency use of voluntary
consensus standards and participation in the development of relevant
standards, as well as promoting coordination between the public and
private sectors in the development of standards and in conformity
assessment activities. NIST works with other agencies, such as the
State Department, to coordinate standards issues and priorities with
the private sector through consensus standards organizations such as
the American National Standards Institute (ANSI), the International
Organization for Standardization (ISO), the Institute of Electrical and
Electronic Engineers (IEEE), the Internet Engineering Task Force
(IETF), and the International Telecommunication Union (ITU).
A partnership with industry to develop, maintain, and implement
voluntary consensus standards related to cybersecurity best practices
promotes the interoperability, security and resiliency of this global
infrastructure and makes us all more secure. It also allows this
infrastructure to evolve in a way that embraces both security and
innovation--allowing a market to flourish to create new types of secure
products for the benefit of all Americans.
NIST also conducts cybersecurity research and development in areas
such as security for Federal mobile environments and techniques for
measuring and managing security. These efforts focus on improving the
cybersecurity of current and future information technologies, and on
improving the trustworthiness of IT components such as claimed
identities, data, hardware, and software for networks and devices.
In addition, NIST recognizes that further development of
cybersecurity standards will be needed to improve the security and
resiliency of critical U.S. information and communication
infrastructure. The availability of cybersecurity standards and
associated conformity assessment schemes is essential to these efforts,
which will help enhance the deployment of sound security solutions and
build trust among those creating and those using the solutions
throughout the country.
Additionally, the State of Maryland, Montgomery County, and NIST
have jointly established the National Cybersecurity Center of
Excellence (NCCoE), a public-private collaboration for accelerating the
widespread adoption of cybersecurity technologies. Through the creation
of standards-based reference designs, templates, and example
``builds,'' the NCCoE will reduce barriers for companies that see the
deployment of more secure technologies as too costly, too complicated,
or technically infeasible. Reducing these economic, educational, and
technical barriers to adoption can improve the security posture, and
increase the competitiveness, of U.S. industry.
The NCCoE tackles some of the most pressing cybersecurity
challenges identified by the members of one or more economic sectors.
These challenges are then synthesized into specific ``use cases'' that
include technical details that allow the NCCoE to develop an integrated
solution based on commercially available technology. All of this work
is done in an open and collaborative process: the use cases are
published for public comment on the NCCoE Web site; the solutions are
developed in collaboration with the private sector, other government
agencies, and academia; the NCCoE hosts workshops and public meetings
to exchange expertise and validate the practicality of the solutions
under development; and when complete, the entire set of material
necessary to recreate the NCCoE example solution is made available to
the public.
The NCCoE is a unique opportunity that brings together, under one
roof, experts from industry, government, and academia to develop
practical, interoperable, and usable cybersecurity solutions. The
center collaborates with the private sector primarily through three
channels:
--A Sector Community of Interest.--Open to the public, with primary
participation drawn from sector-specific businesses (e.g.,
healthcare, financial services, energy, etc.).
--National Cybersecurity Excellence Partnership Companies.--U.S. IT
and cybersecurity companies that have committed to share
technology and engineering staff with the NCCoE on a persistent
basis.
--Use Case Collaborators.--Companies that are providing a secure
technology and engineering expertise as a part of an integrated
solution for a specific use case.
The National Strategy for Trusted Identities in Cyberspace (NSTIC)
is another key area in which NIST engages with industry. Under NSTIC,
NIST is working with a wide array of stakeholders on creation of an
online environment--the ``Identity Ecosystem''--that addresses the
myriad security and convenience problems caused by passwords, and
allows individuals and organizations to better trust one another, with
minimized disclosure of personal information. The Identity Ecosystem
will be a user-centric online environment, supported by a framework of
technologies, policies, and agreed-upon standards, which will enable
individuals to transact business in a way that is more secure,
convenient and privacy-enhancing everywhere they go online.
In the Identity Ecosystem, consumers will be able to choose in the
marketplace from a variety of identity solutions--both private and
public--that would issue trusted credentials that could be used in lieu
of passwords across the Internet. Key attributes of the Identity
Ecosystem include privacy, convenience, efficiency, ease-of-use,
security, confidence, innovation, and choice. Creating this Identity
Ecosystem requires a partnership between the private sector, advocacy
groups, public sector agencies and others--all of whom are currently
working to support NSTIC by collaborating in the privately led Identity
Ecosystem Steering Group (IDESG). The request continues and expands
existing efforts to coordinate Federal activities needed to implement
NSTIC.
NIST also supports the continued work under the National Initiative
for Cybersecurity Education (NICE). As we all know, cybersecurity is
much more than technological solutions to technical problems; it is
also highly dependent on educated users who are aware of and routinely
employ sound practices when dealing with cyberspace. NIST will continue
to work with the Federal Government, and with State, local, and tribal
governments, for improving cybersecurity education. NIST will ensure
coordination, cooperation, focus, public engagement, technology
transfer, and sustainability of NICE. NIST works with DHS and other
Federal agencies in the implementation of the cybersecurity education
framework to address national cybersecurity awareness, formal
cybersecurity education, Federal cybersecurity workforce structure, and
cybersecurity workforce training and professional development.
Small businesses face particular cybersecurity challenges, as they
tend to have more limited resources that must be well applied to meet
the most obvious and serious threats. The vulnerability of any
individual small business may not seem significant, other than to the
owner and employees of that business. However, given that over 95
percent of all U.S. businesses are small- and medium-size businesses
(SMBs), a vulnerability common to a large percentage of SMBs poses a
threat to the Nation's economic base. SMBs frequently cannot justify an
extensive security program or a full-time expert. Nonetheless, they
confront serious security challenges and must address security
requirements based on identified needs.
Cognizant of the needs of SMBs, NIST partners with the Small
Business Administration (SBA) and the Federal Bureau of Investigation's
InfraGard program to sponsor computer security workshops and provide
online support for small businesses. Through these efforts, experts in
computer security are made available to offer small business owners an
overview of information security threats, vulnerabilities, and
corresponding protective tools and techniques, with a special emphasis
on providing useful information that small business personnel can apply
directly or use to task contractor personnel.
In fiscal year 2012, NIST, SBA, and the FBI hosted 25 small
business information security workshops in Oklahoma, Louisiana,
Colorado, New Hampshire, Connecticut, Minnesota, Texas, California,
Indiana, Ohio, and New Mexico, and provided online support to SMBs
throughout the United States.
the national institute of standards and technology's role in executive
order 13636, ``improving critical infrastructure cybersecurity''
As you know, on February 13, 2013, the President signed Executive
Order 13636, ``Improving Critical Infrastructure Cybersecurity,'' which
gave NIST the responsibility to develop a framework to reduce cyber
risks to critical infrastructure (the Cybersecurity Framework). As
directed in the Executive order, NIST, working with industry, will
develop the Cybersecurity Framework and the Department of Homeland
Security (DHS) will establish performance goals. DHS, in coordination
with sector-specific agencies, will then support the adoption of the
Cybersecurity Framework by owners and operators of critical
infrastructure and other interested entities, through a voluntary
program. NIST is also working closely with partners throughout the
interagency--including the Intelligence Community--to ensure that the
Framework leverages their expertise and role as the Framework is
developed.
A Cybersecurity Framework is an important element in addressing the
challenges of improving the cybersecurity of our critical
infrastructure. A NIST-coordinated and industry-led Framework will draw
on standards and best practices that industry already develops and
uses. NIST coordination will ensure that the process is open and
transparent to all stakeholders, and will ensure a robust technical
underpinning to the framework. This approach will significantly bolster
the relevance of the resulting Framework to industry, making it more
appealing for industry to adopt.
This multi-stakeholder approach leverages the respective strengths
of the public and private sectors, and helps develop solutions in which
both sides will be invested. The approach does not dictate solutions to
industry, but rather facilitates industry coming together to offer and
develop solutions that the private sector is best positioned to
embrace. Any efforts to better protect critical infrastructure need to
be supported and implemented by the owners and operators of this
infrastructure.
Underlying all of this work, NIST sees its role in developing the
Cybersecurity Framework as partnering with industry and other
stakeholders to help them develop the Framework. In addition to this
critical convening role, our work will be to compile and provide
guidance on principles that are applicable across the sectors for the
full range of quickly evolving threats, based on inputs from DHS and
other agencies. NIST's unique technical expertise in various aspects of
cybersecurity-related research, technology development and an
established track record of working with a broad cross-section of
industry and government agencies in the development of standards and
best practices positions us very well to address this significant
national challenge in a timely and effective manner.
NIST's initial steps towards implementing the Executive order
included issuing a Request for Information (RFI) in February to gather
relevant input from industry and other stakeholders, and asking
stakeholders to participate in the Cybersecurity Framework process.
NIST is following up the RFI process with continued engagement with
stakeholders through a series of workshops and events to ensure that we
can cover the breadth of considerations that will be needed to make
this national priority a success. We have already initiated an
aggressive outreach program to raise awareness of this issue and begin
engaging industry and stakeholders. NIST will continue to bring many
diverse stakeholders to the table. Last week, a 3-day workshop hosted
by Carnegie Mellon University in Pittsburgh allowed NIST to engage with
stakeholders to discuss the foundations of the Framework and the
initial analysis.
The Executive order requirement for the Framework to be developed
within 1 year, and a preliminary framework due within 8 months gives
this task a sense of urgency. Throughout the year, you can expect NIST
to use its capabilities to gather the input needed to develop the
Framework.
In a year's time, once we have developed an initial Framework, we
will continue to need to work with DHS, sector-specific agencies, and
the specific sectors themselves to build strong voluntary programs for
specific critical infrastructure areas. Their work will then inform the
needs of critical infrastructure and the next versions of the
Framework. The goal at the end of this process will be for industry to
take and manage the Cybersecurity Framework--allowing it to evolve when
needed.
Although this Executive order will help raise the Nation's cyber
defenses, it does not eliminate the urgent need for legislation in
these and other areas of cybersecurity. The administration's
legislative priorities for the 113th Congress build upon the
President's 2011 cybersecurity legislative proposal and take into
account 2 years of public and congressional discourse about how best to
improve the Nation's cybersecurity.
The administration is working toward legislation that:
--Facilitates cybersecurity information sharing between the
Government and the private sector as well as among private
sector companies. We believe that such sharing can occur in
ways that protect privacy and civil liberties protections,
reinforce the appropriate roles of civilian and intelligence
agencies, and include targeted liability protections;
--Incentivizes the adoption of best practices and standards for
critical infrastructure by complementing the process set forth
under the Executive order;
--Gives law enforcement the tools to fight crime in the digital age;
--Updates Federal agency network security laws, and codifies DHS'
cybersecurity responsibilities; and
--Creates a national data breach reporting requirement.
In each of these legislative areas, the right privacy and civil
liberties safeguards must be incorporated. The administration wants to
continue the dialogue with the Congress and stands ready to work with
members of Congress to incorporate our core priorities to produce
cybersecurity information sharing legislation that addresses these
critical issues.
National Institute of Standards and Technology Support for Cyber
Research and Development
As highlighted today, cybersecurity is a top priority for NIST,
which has been reflected in our recent budget requests. In fiscal year
2013, NIST has proposed to increase cybersecurity spending by $7.5
million with most of this increase supporting NIST's efforts to develop
a framework to reduce cyber risks to critical infrastructure in support
of the EO. In the President's fiscal year 2014 budget request NIST has
requested a $24 million increase to its cybersecurity research and
development (R&D) programs for a total NIST investment in cybersecurity
and related efforts of $68 million. The requested increases for NIST in
fiscal year 2014 will provide additional support for NIST's roles in
cyber education, identity management, and will support R&D to improve
the security and interoperability of our Nation's cyberspace
infrastructure, accelerate the development and adoption of
cybersecurity standards in support of administration priorities, and to
support the leading-edge work of the National Cybersecurity Center of
Excellence (NCCoE).
Conclusion
The cybersecurity challenge facing critical infrastructure--both in
the ``dot-gov'' and the ``dot-com''--is greater than it ever has been.
Active collaboration within the public sector, and between the public
and private sectors, is the only way to effectively meet this
challenge, leveraging both sectors' roles, responsibilities, and
capabilities.
Thank you for the opportunity to present NIST's views regarding
cybersecurity challenges. I appreciate the committee holding
this hearing. I look forward to working with the committee to help
address these pressing challenges. I will be pleased to answer any
questions you may have.
Chairwoman Mikulski. Thank you very much, Dr. Gallagher and
all four witnesses.
Today the way we will function is we will follow the 5-minute
rule. We will go in order of arrival.
We also know that this hearing does not preclude the
subcommittees from also continuing their own hearings where
they will even probe more deeply. And also, after we have
concluded all of our questioning, we will also understand that
there will be certain aspects--in order to drill down, we will
also have an additional classified forum this afternoon in the
classified section in the Capitol Visitor Center. But now we
will be in full and open session, not precluding further
hearings by the subcommittees.
General Alexander--well, to all, just to reiterate the
President's budget, the President has requested $9.2 billion
for DOD; $1.2 billion, almost $1.3 billion, for DHS; for all of
DOJ, including the FBI, $589 million; $215 million for
Commerce, primarily in NIST; the National Science Foundation,
$197 million; General Service Administration, $50 million;
Department of State, $37 million.
When one hears $13 billion, that is a lot of money.
However, we are in an enduring war where our citizens are under
attack from identity theft to State secrets, trade secrets,
business secrets, et cetera.
But our question today is, is $13 billion adequate in the
various areas? Number one. And number two, when we spend the
$13 billion, will we also avoid the kind of things where--
sometimes we throw money at a new problem, and often we have
what I call techno-boondoggles. We have seen it at the FBI in
the past. We have seen it at Homeland Security in the past. We
have seen it at DOD. So this is what we are doing.
But let us go right to the President's request and the
purpose. As I understand from the administration's priorities,
the administration's priority--and if you look in the budget
statement to us--secure the Federal networks, lead by example
and make sure our networks are safe and secure, protect
critical infrastructure, improve incident response, engage
internationally. Number three, shape the future.
General Alexander, you will be getting--if we pass this
budget where the request is for $9 billion, I understand that
$3.5 billion will be to protect the DOD network. We understand
that. But what will you use the other $5.8 billion to do and
how will we get security for that dollar and avoid the problems
of the past?
General Alexander. Well, thanks, Senator. It is a lot of
money, and I can tell you that from our perspective, what we
are talking about here is not just protecting our networks, but
developing the forces that we need. So part of that money goes
for training and outfitting the teams that Cyber Command and our
components need. Part of that money goes for the information
assurance and fixing the networks--you hit on part of that--and
developing future architectures.
So when I look at this from my perspective, I believe this
is right, the right amount. I know the administration and the
Defense Department has already looked internally to this budget
to see where we can take cuts, and we did. We cut it back to
what we thought was the minimum that we could use and still do
this job.
You pointed out, Senator, that for the Defense Department,
our job is to protect the Nation and our networks and building
up the infrastructure that we need both within DOD and amongst
the services and Cyber Command. That is where that $5.8 billion
goes. So it is split across all those. It does not go to one
lump. It helps each of the services, Defense Intelligence
Agency, and Cyber Command do their missions.
$2.17 billion, as you pointed out and others, goes to NSA
for doing their job and is part of the intel community's
budget. So that is rolled in there as well.
$582 million goes to U.S. Cyber Command, and that is for
five key areas: leases for teams, setting up the teams,
training our teams, starting the military construction to have
a place to house these teams, for our headquarters, and for
research, development, training, another $68 million.
So I think it is the right number. I think we have looked
at where we could take savings and have done that. I also think
it is important to state that the Department sees this as an
area to help ensure the Nation is ready as we look at the rest
of our force posture. This is going to be key to our future.
That is all I have, Senator.
Chairwoman Mikulski. Just a follow-on question. In your
testimony--this goes to protecting critical infrastructure, an
obsession I think of this committee and something we have
concentrated on very keenly when we were working on authorizing
legislation under Lieberman-Collins, or Collins-Lieberman, or
now Collins and a lot of us.
But in your testimony, sir, you say from 0 to 10 in our
capacity to defend our critical infrastructure, you rate us at
a 3. A 3. A 3 to protect our grid, a 3 to protect our financial
services. And my question then is of the money that you are
getting, I understand Homeland Security is supposed to protect
us against domestic threats. Where do you come in and where
does Homeland Security come in? And is part of your money also
used to do the services to support them?
General Alexander. Well, we do work together, but our
monies--they are not overlapping in this case, as you point
out.
Specifically, the Defense Department has two sets of roles
and responsibilities here. One, to build, operate, and defend
the DOD networks. That is the one responsibility and that is a
big cost because that is our global forces, and that is the
biggest bulk of the money that is here. The second part is to
develop the teams to defend the Nation from a cyber attack, and
that is where we come in.
Now, we work with DHS. We work with FBI in setting up the
op centers and funding and supporting those op centers so that
we can communicate amongst us, but DHS has that responsibility
to work with industry to set the standards to work recovery and
that part. FBI has the responsibility to do law enforcement
investigations. We have the responsibility on the NSA side for
the foreign intelligence and to defend against an attack. So
what we are doing is developing the capabilities and the teams.
We are still going to need legislation to do those operations.
Chairwoman Mikulski. Well, I could have follow-up, but I
want to turn to Senator Shelby.
Senator Shelby. Thank you, Madam Chairman.
Dr. Gallagher, I will address my first question to you.
Since NIST has been tasked under the Executive order with
developing a framework to reduce cyber risk of critical
infrastructure, could you explain how the NIST process will
work, how the development of a framework to reduce cyber risk
differs from the development of standards to reduce such risk?
And what do you believe will compel private industry, which I
think is so important, to implement the framework that it has
developed?
And given the evolution of technology, which you are very
much into, all of you, generally in cyber threats specifically,
how useful is the development of a broad-based, generic
framework long term? Will NIST just be chasing its tail, so to
speak, or will you be able to get ahead of the curve? I would
be interested for you to share your thoughts here, how the
framework and the standards and so forth will apply or could
apply.
Dr. Gallagher. Well, thank you very much.
Senator Shelby. I know that is a mouthful.
Dr. Gallagher. I am going to do my best.
The idea behind the framework is very simply to get
industry to develop a set of practices, standards,
methodologies, whatever it would take that if implemented would
improve cybersecurity performance. So we used the term
``framework'' as a term of art to refer to whatever you would
put into place that would result in enhanced cybersecurity
performance. That will include a large measure of standards.
And the idea behind having industry do it, with NIST acting
as a technical supporting role and a convener, has a couple of
motivations. First of all, it addresses the capacity. Industry
is the one developing IT technology and communication
technology, and therefore, they know where this technology is
going and they can bring that skill and that expertise into the
process to develop these standards.
Second, this Internet is a global infrastructure, and these
companies operate at a global scale. And by embedding security
performance into the products and services themselves, we can,
in fact, achieve a cybersecurity performance that is much
broader than our borders, much broader than what we would buy
directly. It embeds it in the market. It in fact gives our
companies the power to shape those technologies around the
world.
In terms of chasing our tail, I think in a time when this
technology is moving so quickly and when the threat environment
is changing right in front of us, this is going to be an
ongoing challenge. But I think the bottleneck cannot be NIST.
We are simply not large enough to support this on our own. Our
role really has to be viewed as did we help industry come up
with a vehicle where they can organize and be responsive to
this. That is the only way sufficient technical capacity can be
brought to bear in my view.
Senator Shelby. Let me pick up on that, if I could. The
Executive order, as I understand it, discusses the development
of a broad framework which presumably, I would think, means it
will be generic in order to have broad applicability to all
critical infrastructure sectors. But how will, doctor, a
generic framework address the inherent differences in our
critical infrastructure and their unique needs for being
protected against cyber attacks? In other words, if we are not
addressing sector-specific needs, how can we be sure that we
are actually helping to protect any of these industries from a
cyber attack?
And last in this same vein, how do you bring industry on
board? Because they have systems, trade secrets, formulas,
everything, you name it, to protect and the Government would
have to protect those and should. How will that work?
Dr. Gallagher. So you are exactly right. The question you
asked about industry's capacity to come together and carry this
out is actually the central question. How generic and how
sector-specific this framework looks is, in fact, the exact
question that the participants in the framework are tackling.
The good news is that in spite of the strong differences
across sectors, looking at energy or agriculture or
transportation and so forth, they are dependent on a core set
of communication and IT technologies. And one of the big
advantages they have to working together to set a common
platform is that they can drive that performance into the
market and they can buy these computer services and IT
equipment at better cost because they are helping to shape the
entire market.
And that really gets to one of the questions you raised
earlier, which is how do you drive adoption of this framework.
I think the bottom line is doing good cybersecurity has to
become good business. In the end, this is all going to be about
alignment. These framework practices have to be compatible with
profitable and well run companies. It may very well turn out
that the framework discussions are more about management and
business practices than they are about technical controls, and
that is okay if it helps us achieve the level of performance we
are looking for.
Senator Shelby. Thank you, Madam Chair.
Chairwoman Mikulski. Senator Leahy.
Senator Leahy. Thank you, Madam Chair.
You know, like most Vermonters, I have had a lot of concern
about section 215 of the PATRIOT Act, section 702 of the
Foreign Intelligence Surveillance, the FISA. We have had a
number of common sense proposals in the Judiciary Committee to
improve these provisions, but the Intelligence Community has
told us that really we obviously do not have the ability as
simple Senators to know anything as well as you do, and so they
do not need changes. I am told they are critical to our
counterterrorism efforts. The Congress should not tinker with
them at all. We should simply trust you to use them the right
way, and they should not be made permanent.
I do not think that is wise. I think that there should be
sunset provisions, and we should look at them periodically and
we should actually debate them in a free and open society.
Now, we have information, recently declassified by the
Director of National Intelligence, and I am not going into
questions of whether he contradicted himself on a couple of
answers. But taking what he has recently declassified, it
appears that section 702 collection he said was critical to
disrupting the Zazi case in New York City, but it is not clear
that data collected pursuant to 215 of the PATRIOT Act was
similarly critical or crucial.
So, General Alexander, let me ask you this. Aside from
these two cases, has the Intelligence Community kept track of
how many times phone records obtained through section 215 of
the PATRIOT Act were critical to discovery and disruption of
terrorist threats?
General Alexander. I do not have those figures today.
Senator Leahy. Are those figures available?
General Alexander. We are going to make those figures
available----
Senator Leahy. How soon?
General Alexander. Over the next week, it would be our
intent to get those figures out. I have talked to the Intel
Committee on that yesterday. I think it is important to----
Senator Leahy. Wait a minute. You talked to the intel
community about this yesterday, but you did not have the
figures yesterday.
General Alexander. I gave an approximate number to them in
a classified----
Senator Leahy. Okay.
General Alexander. Classified. But it is dozens of
terrorist events that these have helped prevent.
Senator Leahy. Okay, so dozens.
Now, we collect millions and millions and millions of
records through 215, but dozens of them have proved crucial or
critical. Right?
General Alexander. For both here and abroad in disrupting
or contributing to the disruption of terrorist attacks.
Senator Leahy. Out of those millions, dozens have been
critical.
General Alexander. That is correct.
Senator Leahy. Would you get me the specific--even it has
to be in classified, the specific cases you are talking about?
General Alexander. We will, but we are going through the
Intelligence Committee to do this. Tomorrow I will give as
clear as we have vetted precisely what we have done on each of
those. And the reason that I want to get this exactly right,
Senator, is I want the American people to know that we are
being transparent in here.
Senator Leahy. No, no. You are not giving it to the
American people. You are giving in a classified to specific
Members of Congress. Is that correct?
General Alexander. Well, there are two parts. We can give
the classified. That is easy. But I think also for this debate
what you were asking--and perhaps I misunderstood this, but I
think you were also asking what we could put out unclassified.
And so the intent would be to do both.
Senator Leahy. You can do that within a week?
General Alexander. That is our intent. I am pushing for
that and perhaps faster, if I do not get any kicks from behind
me.
Senator Leahy. If you do not get any what?
General Alexander. Kicks from the people behind me who are
doing the work because we do want to get this right. And it has
to be vetted across the community so that what we give you, you
know, is accurate and we have everybody here, especially
between the FBI and the rest of the Intelligence Community, who
can say this is exactly correct.
Senator Leahy. Now, DNI Clapper said that section 702
collection was critical to discovery and disruption of the plot
to bomb the New York City subway system, the Zazi case. Is that
correct?
General Alexander. That is correct. In fact, not just
critical, it was the one that developed the lead on it. So I
would say it was the one that allowed us to know it was
happening.
Senator Leahy. But that is different than section 215.
General Alexander. That is different than section 215.
Senator Leahy. 215, phone records; 702----
General Alexander. So if I could, I could explain this.
Senator Leahy. No, go ahead.
General Alexander. Because I do think it is important that
we get this right, and I want the American people to know that
we are trying to be transparent here, protect civil liberties
and privacy, but also the security of this country.
On the New York City one, the Zazi case, it started with a
702 set of information based on operatives overseas. We saw
connections into a person in Colorado. That was passed to the
FBI. The FBI determined who that was, Zazi, and phone numbers
that went to that. The phone numbers on Zazi were the things
that then allowed us to use the business records, FISA, to go
and find out connections from Zazi to other players throughout
the communities, specifically in New York City. That is how
those two worked together.
Senator Leahy. Was 215 critical?
General Alexander. I think 215 is critical in corroborating
and in helping us understand----
Senator Leahy. Was it critical in Zazi?
General Alexander. Not to Zazi because the first part to
Zazi went to the 702.
Senator Leahy. And Headley? Was either 702 or 215 critical?
General Alexander. 702 on Headley and some on the business
record, FISA, for corroborating.
And I think it is important to understand because this is
an issue that I think will be part of the debate. And I would
put on there, Senator, also the Boston. I think we need to walk
through that so that what we have on the business record, FISA,
what we have on 702, what you debate, the facts that we can
give you is what we do with that, how we tip that to the FBI,
if we took that away, what we could not do, and is that
something that when we look at this from a security
perspective----
Senator Leahy. Of course, in Boston, if you are talking
about the marathon case, what the FBI could have done was to
pass on the information to the Boston authorities. They said
they did not. That might have been helpful too.
But my time is up. I mention this only because before it is
brought up in the Judiciary Committee, we are going to be
asking some very, very specific questions.
General Alexander. So if I could, Senator, I just want to
make sure that we are clear on one point. When I say
``dozens'', what I am talking about here is that these
authorities complement each other in helping us identify
different terrorist actions and help disrupt them. They
complement each other. So what you are asking me is to state
unequivocally that A or B contributed solely to that. The
reality is they work together. And we have got to help make
that clear to you----
Senator Leahy. And I will be waiting to see those specific
examples either in open or classified fashion.
Chairwoman Mikulski. Senator Cochran.
Senator Cochran. Madam Chair, thank you.
Let me first ask General Alexander a question. In testimony
that was received by the Armed Services Committee, there was a
discussion about how to provide incentives to talented military
personnel who might be interested in becoming involved in the
cybersecurity field. I know it is hard to contemplate how you
just wave a magic wand and have all of the talented people
available in the right places with the right responsibilities.
What do you see as a first step in trying to get an
infrastructure of leadership organized appropriately to carry
out these missions?
General Alexander. Senator, thanks.
I think the most important part, top to bottom, is the
training, coming up with a clear training program, which we
have done with the services and with NSA to develop a set of
standards. I think the training, in and of itself, helps us
build a great cyber force, and it is that training for the
leaders so we have training at the staff officer level, at the
team level, all the way down to the individual operator. And we
are standardizing that training amongst the services and
between NSA and Cyber Command.
I think raising those standards up has a couple of
benefits. The soldiers, sailors, airmen, marines, and civilians
that come into this field get great training, and it is
something that they look forward to. And the operations that
they do are significant. I think they really feel good about
what they are able to do for our country. So from my
perspective, it starts with training and building that kind of
a force.
You mentioned incentives, Senator, if I could. I think
incentives is going to play a key part in this. As incentive
pay for languages plays a key part, I think incentives for our
cyber force is also going to play a key part. And we have had
discussions with the services about how to start that. We do
not have that in this program yet, but that is something that
we are looking at.
Senator Cochran. Does the Department of Defense have the
resources to maintain a number of cyber test ranges across the
services and agencies, for training and research purposes? I
know you carry out exercises that test the compatibility of
cyber capabilities with conventional weapons and other weapons
systems. Could you share with the committee what your thoughts
are about cyber ranges and whether you plan to dedicate certain
areas exclusively for these purposes?
General Alexander. Senator, that is a great question and
one that we are putting a lot of effort into because I do think
we need to bring the ranges together so that we have a joint
approach to this.
One of the things that I would point out is the service
academies play a cyber defense exercise together, and this gets
into your range issue. And when you look at so how do you
defend your networks in a way--the service academies compete
against each other for seeing who has the most defensible
network. When you think about that, in a cyber range what you
want people to do is to practice their tactics, techniques, and
procedures in a sterile environment so nothing bad happens. It
only happens inside that. They can learn. We have seen that on
the military side. The National Training Center and other
things are great places for that. We need to do the same here.
So those that are defending our networks know what the
adversaries are going to do and are prepared for all those
contingencies. It helps raise that. And I think bringing the
ranges together ensures that they are operating at the right
level as a joint team.
Senator Cochran. My staff informed me that last week our
committee received a notice that about one-half of NSA's
personnel in the Cyber Threat Center could be furloughed as a
result of sequestration. Now, that is a fine ``How do you do?''
Has there been any attention given to what you are going to do
to address shortfalls due to sequestration?
General Alexander. So we have worked this. It is across the
Defense Department. So the sequestration for all the military
has been standardized across all the departments. The NSA--on
the intelligence side is not there--but all of Cyber Command--
our civilians will be sequestered. Right now that is an 11-day
or 1 day a week for the last 11 weeks of the fiscal year. That
has a significant impact on us and all others that will be
furloughed. I think that is a key issue and has significant
impact on our people. And it goes right back to how do you hire
good people and then furlough them. This is a tough issue that
not only we face but the rest of the Department.
Senator Cochran. Thank you, Madam Chair.
Chairwoman Mikulski. Thank you, Senator Cochran, and thank
you for raising the sequester issue. It has been raised at the
intel hearing when we listened to the worldwide threat right as
we were moving into the continuing funding resolution. DNI
Clapper asked for more flexibility. Of course, he wanted more
money but more flexibility. We were precluded by the House from
putting that in the bill. I think the intel community, which is
primarily particularly a DOD civilian force--you need that
flexibility.
So we look forward to working on both sides of the aisle
and both sides of the dome to be able to do this.
I just would like to share with the committee the order. We
are going to go to Durbin, then Johanns, Merkley, Collins, Tom
Udall, Senator Coats, Senator Landrieu, and Senator Feinstein,
you came before the testimony started. So instead of
alternating, we will go right to you. Then we will go to
Senator Boozman and then Senator Pryor. That is our order of
our lineup. So now it is going to be Durbin, Johanns, Merkley,
Collins. Senator Durbin.
Senator Durbin. Thank you, Madam Chair. And thanks as well
to Senator Mikulski for bringing the cyber issue into sharp
focus for the entire Senate with our bipartisan briefing.
I was on the Intelligence Committee right at the time of 9/11.
I saw what happened immediately afterwards. There was a
dramatic investment in intelligence resources for our Nation to
keep us safe and a dramatic investment in the personnel to
execute the plan to keep us safe.
I trusted--and I still do--that we were hiring the very
best, trusting them to not only give us their best in terms of
knowledge but also their loyalty to our country.
I would like to ask you about one of those employees who is
now in a Hong Kong hotel, and what we know about him is as
follows. He was a high school dropout. He was a community
college dropout. He had a GED degree. He was injured in
training for the U.S. Army and had to leave as a result of
that. And he took a job as a security guard for the NSA in
Maryland. Shortly thereafter, he took a job for the CIA in what
is characterized as IT security in the Guardian piece that was
published.
At age 23, he was stationed in an undercover manner
overseas for the CIA and was given clearance and access to a
wide array of classified documents.
At age 25, he went to work for a private contractor and
most recently worked for Booz Allen, another private contractor
working for our Government.
I am trying to look at this resume and background. It says
he ended up earning somewhere between $122,000 and $200,000 a
year. I am trying to look at the resume background for this
individual who had access to this highly classified information
at such a young age with a limited educational and work
experience, part of it as a security guard, and ask you if you
are troubled that he was given that kind of opportunity to be
so close to important information that was critical to the
security of our Nation.
General Alexander. I do have concerns about that. Over the
process, Senator, I have grave concerns over that. The access
that he had, the process that we did--and those are things that
I have to look into and fix from my end and across the intel
community, Director Clapper said we are going to look across
that as well. I think those absolutely need to be looked at.
I would point out that in the IT arena, in the cyber arena,
some of these folks have tremendous skills to operate networks.
That was his job for the most part from the 2009/2010 as an IT,
a system administrator within those networks. He had great
skills in that area.
But the rest of it, you have hit on the head. We do have to
go back and look at these processes, the oversight on those--we
have those--where they went wrong and how we fix those.
Senator Durbin. Let me shift to another topic raised by
Senator Leahy, section 215. 10 years ago, I first introduced
legislation known as the SAFE Act. It was a bipartisan bill to
reform the PATRIOT Act. My cosponsors included Senators Chuck
Hagel, John Kerry, and Barack Obama. My most significant
concern with 215 was that it would be used to obtain sensitive
personal information of innocent Americans who had no
connection to any suspected terrorism or spy activity.
When the PATRIOT Act was up for reauthorization in 2005, I
worked to establish a new standard for 215, and under the
standard, the FBI would have broad authority to obtain any
information, even tangentially connected to a suspected
terrorist or spy, such as the examples you used in the Zazi
case. 702 information could have led to 215 phone record
information on any suspect. But under my provision, innocent
Americans with no connection to any of these activities or
suspects would be protected.
The Republican-controlled Senate approved my reform to 215
unanimously. However, the Bush administration objected. It was
removed in the conference committee.
2009, I tried again with no success to put this protection
of innocent Americans back into the PATRIOT Act.
Now the cloak has been lifted by media reports that the NSA
obtained phone records of millions of innocent Americans with
no connection to terrorism. The data includes the numbers of
both parties to the calls, the location of the callers, the
time and duration of the calls. I have been briefed on these
programs, and I obviously will not discuss their details here.
But it appears to me the Government could obtain the useful
information we need to stay safe and still protect innocent
Americans.
My question to you is this. Section 215 can be used to
obtain, ``any tangible thing'' that could include medical
records, Internet search records, tax records, credit card
records, et cetera.
Last year, the Government filed 212 section 215 orders.
That is an increase from 21 such orders in 2009. So clearly,
this authority is being used for something more than phone
records.
So let me ask you. Do you think section 215 giving you
authority to secure tangible things could include the
categories of information that I just listed?
General Alexander. I do not use those, so I am not aware of
anything that goes that--that would be outside of NSA. All we
use this for today is the business records, FISA.
I would point out--I just want to characterize something
that you said here. As you know, this was developed--and I
agree with you. We all had this concern coming out of 9/11. How
are we going to protect the Nation? Because we did get
intercepts on Midar, but we did not know where he was. We did
not have the data collected to know that he was a bad person.
And because he was in the United States, the way we treat it is
he is a U.S. person. So we had no information on that, and if
we did not collect that ahead of time, we could not make those
connections.
So what we create is a set of data and we put it out here,
and then only under specific times can we query that data. And
as you know, Senator, every time we do that, it is auditable by
the committees, by the Justice Department, by the court, and by
the administration. We get oversight from everybody on this.
Senator Durbin. I am over my time, but here is the point.
If you knew that a suspect had made a call into area code 312,
the city of Chicago, it certainly defies logic that you need to
collect all of the telephone calls made in the 312 area code on
the chance that one of those persons might be on the other end
of the phone. Now, if you have a suspected contact, that to me
is clear. I want you to go after that person. What I am
concerned about is the reach beyond that that affects innocent
people.
General Alexander. So we agree at least on that part.
And the next step, I think, in the debate that we actually
need to talk about is so what happens if you do not know he is
in 312 yet. And so something happens, and now we say who was he
talking to. So let us take Midar. You had authorized us to get
Midar's phones in California. But Midar was talking to the
other four teams. Under the business record, FISA, because we
had stored that data in a database, we now have what we call
reasonable, articulable suspicion. We could take that number
and go backward in time and see who he was talking to. And if
we saw there were four other groups, we would not know who
those people were. We would only get the numbers. We would say
this looks of interest and pass that to the FBI. We do not look
at the identities of it. We only look at the connections.
Senator Durbin. I am way over time. I am not going to dwell
on it.
You have just given a clear illustration where you had
specific information about telephone contacts, which I do not
quarrel with. What I quarrel with is collecting all of the
information in California on telephone records to try to find
that specific case. That to me seems overly broad.
Chairwoman Mikulski. Thank you very much.
Senator Johanns.
Senator Johanns. General Alexander, I want to talk to you
about Cyber Command, but Senator Durbin has raised a very
interesting question. And let me just follow up on this.
Would this lead--the scenario that he has laid out--to a
telephone record search for all of Omaha? Or walk us through
that.
General Alexander. So the methodology would be what is put
into a secure environment called ``detail records.'' These are
to/from records and at a selected time. So we do not know
anything that is in there. We will not search that unless we
have some reasonable, articulable suspicion about a terrorist-related
organization. If we see that, we have to prove that we
have that. Then given that, we can now look and say who was
this guy talking to in the United States and why.
Senator Johanns. And so you could search across the breadth
of telephone records.
General Alexander. All you are looking for on that is so
who did he talk to.
Senator Johanns. Yes.
General Alexander. And so the system just gives us back who
he was talking to. But if you did not collect it, how do you
know who he was talking to? And so the issue really becomes if
you do not have the information--so I do not give you any
connections. I just give you a number and say, now, find who he
is talking to. You do not have the information.
So this was the debate. I mean, you bring it up because
this came up 10 years ago. So how do we do that? How do we
solve this problem? And the answer was we want to protect civil
liberties and privacy. We do. And we want to protect the
country. So the thought was a reasonable approach that we all
agreed on--the Congress, the courts, the administration--was we
will put this in a way that we have tremendous oversight by the
court. And so every time your people, a small set of those, can
go in, they have to have a reason to go in and look at the
data. And when they get something out, they have to look at it
and say does this meet the reporting guidelines and put that in
the report. Only a few reports a year go out on that, just a
handful--handfuls.
Senator Johanns. Does this extend beyond telephone records?
For example, could you check and see what that person is
Googling? Could you check and see who that person is e-mailing?
General Alexander. So there are two parts of your question
here.
So going to the next step, once we identify a person of
interest, then it goes to the FBI. The FBI will then look at
that and say what more do we need to now look at that
individual themselves. So there are issues and things that they
would then look at if passed to them.
Senator Johanns. So the answer to the question is yes.
General Alexander. Yes, you could. I mean, you can get a
court order to do that. So in either case----
Senator Johanns. But would that take a court order?
General Alexander. It would. To do any kind of search in
these areas on a U.S. person, you have to have a court order.
Senator Johanns. So now you have gotten into phone records.
You have gotten into who they might be Googling. You have
gotten who they might be e-mailing. What else do you feel that
you can get?
General Alexander. So I am not sure of your question. On a
terrorist acting in the United States----
Senator Johanns. Well, you do not know if it is a terrorist
yet. You have got this reasonable suspicion, which is not even
probable cause. You have just got this kind of uneasy notion,
this feeling that something is happening here.
General Alexander. So that is the----
Chairwoman Mikulski. Wait, wait. Let us just stop here a
minute. We are not going to inhibit your questions, but I think
we need to clarify that the activity in which you are
operating, General Alexander--so we are getting into probable
cause, a lot of these that are absolutely important in a
debate. But you will be functioning also with a warrant.
Senator Feinstein, did you want to clarify? Just if we
could.
Senator Feinstein. If I may.
Chairwoman Mikulski. And I am going to come back and give
you more time. Senator Johanns, you will get more time.
Senator Johanns. Thank you.
Senator Feinstein. If I may quickly, Senator.
It is my understanding you have the metadata. You have the
records of what appears on a phone bill, and if you want to go
to the content, then you have to get a court order, the same
thing you would do in a criminal case. You would have to get a
court order that would permit you to collect the content of the
call. You can ask him if that is right or wrong.
General Alexander. But it is correct.
Senator Johanns. And I assume that, but I am not talking
about content at this point. I am not asking if you can read
somebody's emails. I am assuming at some point there would be a
legal standard by which you could do that. Being a lawyer, I
know that.
What I am only getting to is you have identified for us
that you can get phone contacts. I am asking can you get Google
contacts. Can you get e-mail contacts? I am not talking about
reading the e-mail or seeing what they are saying back and
forth. I am not at that point. But what I worry about is how
far do you believe this authority extends. Can you get Google
contacts? Can you get e-mail contacts? Again, I am not asking
about reading the e-mail.
General Alexander. So I think there are a couple things
here that I want to make sure that we have got.
The BR-FISA only talks about phone contacts, phone
metadata. That is all that program talks about. So any program
that we have--and Senator Feinstein, if you want to get the
content, you would have to get a court order. In any of these
programs, you know we have court orders for doing that, with
oversight by the Congress, by the courts, and by the
administration.
So my concern in all of this is that I think this is an
area where we have to give you both the detail--and I think we
need this for the American people. They need to understand it
so they can see what we are doing and what the results of it
are. I do think that is important.
I also believe--you know, we had this debate several
times--and Senator Durbin brought it up--from 2001 on. And this
is one now where we need to bring out, because of these leaks,
the rest of the story, show what we do, what it protects the
country from, and have the debate. Does it make sense? In order
to do that, I think what we have to give you is the rest of
that data. Tomorrow we will put that in a classified session,
but the intent would be to try to get as much out publicly so
that everybody has the information, where we can.
And the reason that I hesitate a little bit here is I do
not want to make the mistake that causes the statements that I
have for our country to lose some form of protection and we get
hit with a terrorist attack because I made that mistake.
Senator Johanns. And I thank the Chair for the additional
time. I will wrap up with a comment.
The concern here--the American public is fearful that in
this massive amount of data you get, that there is the ability
of the Federal Government to synthesize that data and learn
something more than maybe what was ever contemplated by the
PATRIOT Act. That would be number one.
The second thing is a more personal issue, and it kind of
gets into some of the concerns about Cyber Command. And that
is, you are in this hugely unique role. We have always had this
view of separating the civilian leadership politically elected
from the military leadership, and yet you have got this dual
hat. And it creates a concern not about you because you have
got a remarkable record, and I thank you for your service. But
it is a very, very concerning role that we find you in, at
least for Mike Johanns. And I just think we have got to get
some information out to the public because right now we are all
getting bombarded with questions that many of us at the rank
and file level in the Senate cannot answer. I am not the chair
of the Intelligence Committee. I am not the ranking member. I
do not serve on the committee. And the impression has been
created that people are parked in our office giving us daily
briefings on this or monthly briefings and that has not been
the case. So we need to know.
Chairwoman Mikulski. Senator Johanns, I think you had an
excellent line of questioning, and I must say the tone and
demeanor are appreciated.
Senator Johanns. Thank you.
Chairwoman Mikulski. And, General Alexander, we are going
to move on from this topic. I think you have that. Senator
Merkley has been waiting. What we are now moving into is a
domain that is not the parameters of this hearing, though this
Senator will not inhibit any Senator from asking any question
they want.
I want to remind the Senators that tomorrow in the
Feinstein hearing, many of these can be followed and I hope it
is a learning experience that when you go to Feinstein, your
questions will even be as cogent and comprehensive as they are
here today.
So, Senator Merkley, we are going to turn to you now.
Senator Merkley. Thank you very much, Madam Chair.
And thank you, General. You referred to section 215, and
215 requires an application for production of any tangible
thing. And it says in it that this application must have a
statement of facts showing reasonable grounds that the tangible
things sought are relevant to an authorized investigation. So
we have several standards of law embedded in this application,
a statement of facts, reasonable grounds, tangible things that
are relevant to an authorized investigation.
Now, as it has been described in this conversation and in
the press, the standard for collecting phone records on
Americans is now all phone records all the time all across
America. How do we get from the reasonable grounds, relevant
authorized investigation, statement of facts to all phone
records all the time, all locations? How do you make that
transition and how has the standard of the law been met?
General Alexander. Well, so this is what we have to deal
with the court, and I think that we go through this court
process. It is a very deliberate process where we meet all of
those portions of 215. We lay out for the court what we are
going to do, and to meet that portion that you just said, the
answer is we do not get to look at the data. We do not get to
swim through the data.
Senator Merkley. Let me stop you there because these are
requirements to acquire the data, not to analyze the data, to
acquire the data. This is the application to acquire the data.
So here I have my Verizon phone, my cell phone. What
authorized investigation gave you the grounds for acquiring my
cell phone data?
General Alexander. I want to make sure I get this exactly
right. You know, I think on the legal standards and stuff, on
this part here, I think we need to get the Department of
Justice and others because it is a complex area. And you are
asking a specific question. I do not want to shirk that, but I
want to make sure I get it exactly right. And so I do think
what we should do, as part of perhaps the closed hearing
tomorrow, walk through that with the intent of taking what you
have asked and seeing if we can get it declassified and out to
the American people so they see exactly how we do it because I
do think that should be answered.
Senator Merkley. General, thank you. Let me fill in the
middle piece here. In between----
Chairwoman Mikulski. Senator Merkley, I would like to help
you out. I think Senator Merkley has asked an excellent
question, and you want to get it right. And the answer, I would
suggest, should be in writing. That way you get it right and he
gets his answer. How does that sound?
General Alexander. We will take that for the record.
Senator Feinstein. If you will yield. I have asked that
that question get answered tomorrow at the hearing by DOJ,
Senator Merkley, exactly as you have delivered the question.
Chairwoman Mikulski. Okay. But either way, Senator Merkley
should get his answer, and I would suggest perhaps both in
writing, your hearing, and into his hands.
Senator Merkley. I thank the Chair, both chairs.
If I can elaborate on the piece that I would like answered,
is that okay, Madam Chair?
Chairwoman Mikulski. It is your time.
Senator Merkley. In between these two pieces, a FISA court
gives an interpretation of the plain language of the law. Their
interpretation is what translates the standards in the law into
what is governable in terms of what you can do.
I had an amendment last December that said these findings
of law that translate the requirements that are in the law into
what is permissible needs to be declassified so we can have the
debate.
I believe that what you just said is you want that
information to be declassified that explains how you get from
these standards of law to the conduct that has now been
presented publicly. Did I catch that right? And do you support
the standards of law, the interpretations of the FISA court of
the plain language to be set before the American people so we
can have this debate?
General Alexander. I think that makes sense. I am not the
only decisionmaker in the administration on this process. So
there are two issues. I am not equivocating. I just want to
make sure that I have put this expectation exactly right, and
that is I do not want to jeopardize the security of Americans
by making a mistake and saying, yes, we are going to do all
that. But the intent is to get the transparency there.
So, Senator, I will work hard to do that, and if I cannot
do that, I will come back to you and tell you why and then we
should have that discussion and run it out. And I would defer
to the chair of the Intel Committee, but I think that is
reasonable to get this out.
Now, having said that, I do not have the legal background
that perhaps you have in this area. I want this debate out
there for a couple reasons. I think what we are doing to
protect American citizens here is the right thing. Our agency
takes great pride in protecting this Nation and our civil
liberties and privacy and doing it in partnership with this
committee, with this Congress, and with the courts. We have
everybody there. We are not trying to hide it. We are trying to
protect America. So we need your help in doing that. This is
not something that is just NSA or the administration doing it
on its own. This is what we--that our Nation expects our
Government to do for us. So we ought to have that debate. We
ought to put it out there and we have got to put those two
together. So I just want to put that one caveat there, and if I
can make it happen, I will.
Senator Merkley. General, I thank you for your expression
of support.
I also want to thank Chair Feinstein who helped develop and
sent a letter expressing this concern about the secrecy of the
interpretations of the FISA court. I do think it is time that
that become understandable in public because otherwise how in a
democracy do you have a debate if you do not know what the
plain language means. I do have concerns about that
translation. I will continue this conversation and thank you.
Chairwoman Mikulski. Senator Collins.
Senator Collins. Thank you, Madam Chairman.
Madam Chairman, I am actually going to ask a question about
computer security, but before I do so, I do want to give
General Alexander a chance to answer a very quick question that
has to do with Americans' concern about their own private
computer security and privacy.
I saw an interview in which Mr. Snowden claimed that due to
his position at NSA, he could tap into virtually any American's
phone calls or emails. True or false?
General Alexander. False. I know of no way to do that.
Senator Collins. Thank you. I just wanted to clarify that
because perhaps that is one issue we could put to rest.
Now let me switch to the computer security question.
Chairwoman Mikulski. Oh, boy.
General Alexander. We are not ready for those.
CRITICAL INFRASTRUCTURE: INCIDENTS REPORTING
Senator Collins. In the President's budget, it is mentioned
that the Nation has four top cyber risks, and the first one
listed is one that has been of great concern to me since we
produced the bill last year that, unfortunately, could not get
past a filibuster, and that is attacks that are aimed at our
critical infrastructure. And Secretary Beers, I am going to ask
you this question.
The General has alluded to the fact that much of our
critical infrastructure is owned or operated by the private
sector. In fact, it is 85 percent that is in the private
sector. And our FBI witness has talked about the iGuardian
program which encourages private industry partners to report
cyber incidents to the Government in real time.
Our legislation last year had a requirement that the owners
and operators of critical infrastructure--not all
infrastructure, critical infrastructure--would be required to
report major cybersecurity incidents. Does the administration
still support mandatory reporting in such cases?
Mr. Beers. Senator, that was our position then and that
remains our position at this point in time. Obviously, we are
prepared to work with the Congress. You all ultimately write
the legislation. But that remains the administration's
position.
Senator Collins. Thank you.
In that legislation, we did pay attention to the need for a
more expert cyber workforce, and boy, this latest account,
which Senator Durbin did such a great job of going through the
resume of this individual, just underscores how much work there
is to be done in making sure that whether it is public sector
or private sector, that we have a well vetted, well qualified
cyber workforce.
I would like to hear from all four of you on whether you
are having difficulties in recruiting individuals who have the
skills that you need and doing the appropriate vetting of them
so that we can avoid having the hiring of a young high school
dropout, community college dropout, did not complete his
military service, young person with so little experience being
given access to so much classified information. And, General
Alexander, we will start with you and then just go down the
panel.
General Alexander. Well, Senator, I would just like to
state first that in the military, we are going to hire young
folks out of high school, who graduate from high school, to
work in this area. And the key will be the training that we
give them.
Now, ideally we would like to get 4 years out of a top-notch
engineering school for some of the military positions,
but we will not get that. So what we have is a responsibility
to train them, bring them into the force and train them. And we
have a program, but it takes several years to get somebody
trained in this area, as you know. So in effect, what we are
running is a cyber college for many of our young enlisted folks
to get them to the requisite skills.
On the NSA side, we are able to hire more college graduates
into the Government side of that.
What I need I think is greater scrutiny. What I need to go
back and look at is what am I getting with my contract support
and what are their capabilities and how do we manage that from
a Government perspective. So that is something I have concerns
about and I have got to go back and address.
QUALIFIED WORKFORCE: RECRUITING AND RETAINING
Senator Collins. Secretary Beers.
Mr. Beers. Senator, we have a major initiative underway, as
you are well aware. We have defined our cyber workforce. We are
matching the positions with the skill set that is required to
serve in those positions. We are also in the process of looking
to hire another 600 individuals to augment that 1,500-person
workforce. We have a series of programs, one with community
colleges where we are looking to find people who have taken the
correct, appropriate courses at the community college level who
we can hire as beginning workforce members and train them up.
We also have a program in conjunction with NSA that goes to
colleges and universities that have Centers for Excellence that
provide us with top-notch 4-year graduates. And then we have an
effort to reach out to the private sector to find individuals
there.
I think we have an excellent workforce, but we have, as you
well know, a provision that was in the bill that you worked
on----
Senator Collins. Correct.
Mr. Beers [continuing]. And that we would like to see in
any cyber legislation that gives us some assistance in terms of
both recruiting and retaining that kind of a workforce which
would allow us comparable pay and benefits to what NSA is able
to offer to its workforce.
Thank you.
Senator Collins. Thank you. I know my time has expired. So
I am going to ask the other two witnesses to submit their
answers for the record.
But I think the whole workforce issue is absolutely
critical. We did have that as an important part of our bill
last year.
Thank you, Madam Chairman.
Chairwoman Mikulski. I think you are absolutely right,
Senator Collins, and thank you for asking a question actually
on the topic, though it is our security.
And we are going to turn now to Senator Udall, but just to
add to that, as we go to Senator Udall, we keep hearing Snowden
had the skills. Well, maybe he did. You know, but just because
you are a swimmer and you are a champion swimmer does not mean
we ought to make you a Navy SEAL. So I will leave it at that.
Senator Udall.
Senator Udall. Thank you, Madam Chair, and I thank the
entire panel for their service to the country in these very
difficult times.
First, I would like to welcome Dr. Pat Gallagher. Although
his career took him away from Albuquerque, Dr. Gallagher is a
native of New Mexico, and I want to recognize him for his
leadership at NIST and his commitment to public service. Pat,
it is good to have you here today.
American citizens, businesses, and Government agencies face
serious cyber threats, and you have talked about some of these
here today. Personal data, trade secrets, and national security
secrets are at risk from intrusion by independent hackers and
foreign governments. And I have supported cybersecurity
legislation in the Senate, and I support funding for our
cybersecurity defense.
But the elephant in the room today here is--and we have
been talking about it some--that many Americans are also
becoming more concerned about what their own Government is
doing with domestic surveillance. Last week, we learned of
widespread collection of Americans' phone records under section
215 of the PATRIOT Act, also the massive-scale online
surveillance through the PRISM system conducted under FISA
section 702.
I want to let you know, I voted against the PATRIOT Act in
2001 and the FISA Amendment Act in 2008. I have also voted
against their reauthorizations since then. Several of us
attempted to add privacy protections to these laws but faced
strong resistance, as Senator Durbin indicated.
Today I am sending a bipartisan letter to the Privacy and
Civil Liberties Oversight Board asking them to make it a
priority to investigate the bulk phone records collection and
the PRISM program to determine whether they, number one, are
conducted within the statutory authority granted by Congress
and, number two, take the necessary precautions to protect the
privacy and civil liberties of American citizens under the
Constitution.
The Board was created by the Congress based on a
recommendation of the 9/11 Commission, but it has taken years--
many of you realize this and know this--to get a full
membership and a chairman. I have been working to get this
Board operational since I was in the House, and I believe it
can provide an important check against civil liberties abuses.
Richard Clarke, who was the counterterrorism aide under
three Presidents I believe, just wrote an article recently on
this and suggested we would not have the problems today if we
had stood up this Board much more quickly.
General Alexander, will the NSA cooperate with any
investigation conducted by the Privacy and Civil Liberties
Oversight Board into the agency's collection and analysis
programs?
General Alexander. Senator, we will. And I think, in fact,
my Deputy met with the Board yesterday and actually briefed
them for a couple of hours on both programs so that they
understood. And I do not know if you have gotten feedback from
that, but my understanding is I think it went well.
I think you bring up a very important point here because I
do think what we are doing does protect Americans' civil
liberties and privacy. The issue is to date we have not been
able to explain it because it is classified. So that issue is
something that we are wrestling with. How do we explain this
and still keep this Nation secure? That is the issue that we
have in front of us.
So you know that this was something that was debated
vigorously in the Congress, both the House and the Senate,
within the administration and now works for the court. So when
you look at this, this is not us doing something under the
covers. This is what we are doing on behalf of all of us for
the good of this country. Now what we need to do, I think, is
to bring as many facts as we can out to the American people.
So I agree with you, but I just want to make that clear
because the perspective is that we are trying to hide something
because we did something wrong. We are not. We want to tell you
what we are doing and tell you that it is right and let the
American people see this. I think that is important, but I do
not want to jeopardize the security of our country or our
allies. So that is what we have to weigh in what we look at
what we are going to declassify to allow this very public
debate.
Senator Udall. General, I very much appreciate your answer,
but it is very, very difficult, I think, to have a transparent
debate about secret programs approved by a secret court issuing
secret court orders based on secret interpretations of the law.
I know there are many other questions here, and I am going
to ask the ones in closed session when we get together later in
the week. I have several other questions on cybersecurity, but
I see my time has expired and so I will submit those for the
record.
But thank you very much for your answers, and I very much
appreciate you meeting with the Board and briefing them on what
you are doing. I think that they are a good counterbalance in
terms of what is going on here in terms of asking questions and
then being able to, I hope, have the credibility of the
American people to answer some of these questions also. Thank
you.
Thank you, Madam Chair.
Chairwoman Mikulski. We are now going to turn to Senator
Coats, but before we do, I want to respond to a Tweet about me
from Rosie Gray. Rosie Gray said on her Tweet 17 minutes ago,
``Senator Barb is trying hard to keep the other Senators from
asking General Alexander any more about data mining programs.
Not everybody might be watching C-SPAN.'' So I want to say to
Rosie and to others who might read from Rosie there is no
attempt here to muzzle, stifle any Senator from asking any line
of questions.
And so we have an open hearing, but the purpose of the
hearing was on the enduring war of cybersecurity. While we
might be concerned about data mining and who is reading our--
the phone records, et cetera, we are also concerned about
stealing the--the cyber fraud that is going on against our
senior citizens, our identity theft, stealing our cures for
cancer that are pending over at the Food and Drug
Administration (FDA). So we are here on cyber. But any Senator
can ask any question at this hearing that they want to.
So, Rosie, it is an open hearing. ``Hi.'' Look forward to
keeping in touch.
Senator Coats.
Senator Coats. Well, I want to send a message to Rosie
also.
As a member of the other party, Senator Mikulski,
chairwoman of this committee, has been extremely tolerant of
our diversion from what the purpose of this appropriations
hearing was. This is the Appropriations Committee. Our purpose
is to determine what kind of financial resources our agencies
need to address critical issues facing our country, and we have
diverted, thanks to the tolerance of the Chair, to a critical
question but one that, as General Alexander said, is scheduled
to be and will be thoroughly discussed with every Member of
Congress and with the public to the extent that is possible.
General, I appreciate your answer to Senator Udall's last
question. You are walking a very difficult tightrope here
because there are demands that you release previously
classified information to not just Members of Congress, but to
the general public. And if you do not do that, this frenzy of
mischaracterization of these programs will continue in the
public. And so you are caught between a rock and a hard place.
I regret that.
I have been urging my colleagues that before they draw a
conclusion and go public with that conclusion, they first learn
about the counterterrorism program because the more you learn
about the program, the more you realize the enormous effort
that has been made to respect the privacy and civil liberties
of Americans and the hurdles you have to go through to get the
most minimal list of information.
I think as the public hears more mischaracterizations of
this program, like the government listens to and saves all the
phone records all the time and the public interprets that as
meaning everything that has been said over a phone is stored
somewhere and you can go in and retrieve it or abuse the use of
these programs. You have tried to clarify the program a number
of different times in terms of what you collect and what you do
not collect and how you have to go through a legal process in
order to even begin to ascertain information that is necessary
for you to come to some conclusion about whether or not this
country is about to be attacked by terrorists.
Well, let me ask you this question. Given the fact that
this issue has swept across the country and we are in a
position where we have to disclose more about it in order to
calm the public misperception of what it is, are there
consequences? Do we have to look at both sides of this
question, one, being transparent, addressing civil liberties
but, two, the importance of keeping some missions and some
activities in a classified manner so that those that are
intending to do us harm do not learn about our counterterrorism
efforts and therefore make adjustments to bypass the very
methods that we have to potentially prevent a serious attack
against the United States?
I would like you to address that question, particularly in
relationship to what you have said about 9/11 and how perhaps
if we had had these programs in place at the time, we could
have prevented that, and a little bit more about the
consequences of--as some have suggested--simply opening this up
for the whole world, including people sitting in places where
they are trying to determine how they can best attack the
United States.
General Alexander. Senator, thank you for the question
because that is my concern. Great harm has already been done by
opening this up, and the consequence I believe is our security
is jeopardized. There is no doubt in my mind that we will lose
capabilities as a result of this and that not only the United
States but those allies that we have helped will no longer be
as safe as they were 2 weeks ago. So I am really concerned
about that.
I am also concerned that as we go forward, we now know that
some of this has been released. So what does it make sense to
explain to the American people so they have confidence that
their Government is doing the right thing? Because I believe we
are and we have to show them that. And you said it right. We
have great people working under extremely difficult conditions
to ensure the security of this Nation and protect our civil
liberties and privacy. They do a great job. Actually I would
like the American people to know that because they would be
tremendously proud of the men and women of NSA who have done
this for us for the last decade. It is a great story.
The issue that we then have to debate is how much do we
give out and what does that do to our future security. That is
where the real debate is going to take place because that is
the issue that is now before us. There is water, broken glass,
and everything else on the floor. We now can look at that, but
what we are going to have to do as a Nation going forward is
say what can we do, and that is where the Congress, I believe,
has to stand up on behalf of the American people.
Some of these are still going to be classified and should
be because if we tell the terrorists every way that we are
going to track them, they will get through and Americans will
die. That is wrong. And our allies. We have got to come up with
a way of doing this.
And you know, I thought the great part about this program
was that we brought the Congress, the administration, and the
courts all together. We did that. That is what our Government
stands for under the same Constitution. We follow that
Constitution. We swear an oath to it.
So I am concerned and I think we have to balance that. I
would rather take a public beating and people think I am hiding
something than to jeopardize the security of this country.
Now, having said that, some of this is out there, and it is
right that we have that debate. And so what makes sense to put
out there so that people will know that what we are doing is
right, we ought to do that. And I think that part will be good
for the country.
And there are other parts that I think you need to weigh in
and say, but do not do that. And that is where you, the
administration, and potentially the courts ought to come
together and say, so now what do we do.
Chairwoman Mikulski. Thank you.
Senator Coats. Thank you. I appreciate that statement and I
think it should be made in the record and published across the
Nation.
Chairwoman Mikulski. Senator Landrieu.
Senator Landrieu. Thank you so much.
I would like to follow up by saying, General Alexander, I
am so proud of you for being in charge of this because your
demeanor through this whole hearing has, once again, proven to
me that you are the right person for this job, and the four
stars that you wear indicate a great understanding of the
balance that you are trying to achieve.
Perhaps these facts might support what Senator Coats and
others have been trying to express, given the important, but
difficult questioning.
U.S. Cyber Command says there are 250,000 attacks on U.S.
Government networks every hour, 6 million a day. And among the
attackers are 140 foreign spy organizations. This is what our
men and women are up against. We are not in a scrimmage. We are
in a war. It is a very serious issue, and we are way behind the
eight ball in my view in terms of allocation of resources, as
much as we are struggling to clarify roles and responsibilities
and balance this new war that we have never fought before under
a Constitution that is probably the best and most open in the
world. I think they need a little space.
Second, I have every confidence in this chairman to provide
leadership. This hearing is one of the best hearings, Madam
Chair, I have ever participated in in the almost 18 years I
have been here. I thank you for it.
And I have great confidence in Senator Feinstein. I do not
think there is a Member of the Senate in either party that
would question her integrity on this issue as head of our
Intelligence Committee trying to balance the civil liberties
representing the State of California, which probably has the
strongest views on this of any State, and the military which
has been engaged in war since the beginning of time but never
one like this.
So I just want to say I am very proud of our military and
very proud of you, General Alexander. And I hope that in the
classified hearing that more of this can be brought to light.
And I most certainly am going to be explaining this to my
constituents in an appropriate, balanced way.
CRITICAL INFRASTRUCTURE: CYBERSECURITY IMPROVEMENTS
But I want to say one other thing to you, Mr. Beers. Your
staff is terrific. They briefed me privately yesterday on
several briefings. I want to share this and then ask a
question.
When I asked them to sort of describe the scope of
cybersecurity and the challenge before us, they said, well,
Senator, somebody has described it like this. They said the DOD
is dot-mil. It is the Coke bottle cap. You think about a Coke
bottle. It is just the cap of the Coke bottle. The Federal
civilian Government, which is dot-gov, is like the Coke bottle
itself, and the companies and citizens, which is dot-com, is
the entire room the bottle is in. So while all the questions
are being peppered right now to the top of this Coke bottle,
Madam Chair, the room that we are in is the battleground that
we are fighting in. And it takes huge resources and an
unbelievable amount of commitment and compromise between the
Government and the private sector.
So what I want to ask the Secretary of Homeland, since that
is my--and I am very proud to be the chair of the subcommittee.
When the President issued his Executive order on improving
critical infrastructure cybersecurity, it requires not only
you, Mr. Secretary, but Commerce--Treasury is not here--to come
up with a report. That report is actually due today. It is 120
days from it. Do you have the report? Can you comment about, if
you do not have it, when you are going to have it and one or
two of the top findings in that report that you are going to be
giving to the Congress I hope sometime soon?
Mr. Beers. Senator, yes, the report is done. The report has
been sent to the Office of Management and Budget (OMB) and the
White House. I trust that Commerce and Treasury have also
submitted their report on incentives. It will be subjected by
OMB to an interagency process, and at the end of the process,
the expectation is to release it to you all and the private
sector for comment.
What we want out of this is to pull together--and we have
had workshops to talk about incentives. We had one--what--last
week in Pittsburgh to draw in the private sector to give us
their ideas about incentives to have critical infrastructure
adopt the cybersecurity framework.
That report will cover such things as insurance as a
possibility. It will cover such things as certification with
some liability protections as a possibility. These are all
still ideas that are in a formative stage, and I do not think
it is appropriate at this point to make those initial reports
public. But the intention of the administration is to make
those reports public to you, the Congress, and to the private
sector.
Chairwoman Mikulski. But not because they are secret. It is
because they are incomplete. Is that correct?
Mr. Beers. Yes, ma'am. That is correct. What we need to
make sure is that everybody who has a stake in this in the
Government has an opportunity to comment on it and then to get
it back out to you and the private sector.
Senator Landrieu. My time is up. And I am going to ask
General Alexander in writing what his view is of the goal of
the National Guard in cybersecurity for the Nation. You know,
they play a very interesting role in our States. I have written
you several times about it. I am going to write again to
clarify their role.
And finally, for the record, to follow up on Senator
Collins, the Department of Homeland Security under your
leadership, Secretary, has awarded a $300,000 grant to the
Cyber Innovation Center in Louisiana which is starting a very
scalable and proven model to create the cyber warriors of the
future. And I look forward to talking with you more about that
in conjunction with the chairman.
Chairwoman Mikulski. Thank you, Senator Landrieu. You, as
the chair of the Homeland Security Subcommittee, along with
Senator Coats, who is your ranking member I believe--I really
would hope you would do your due diligence in getting ready for
the bill--pursue this topic because we covered a lot of topics
today. But we really count on you in the homeland security
area.
Senator Feinstein.
Senator Feinstein. Thanks very much, Madam Chairman, and
thank you for holding this hearing, and I thank all our
witnesses for their service to our country.
Just to be corrected, if I need to be corrected, I would
like to just quickly read my understanding of section 215.
The section 215 business records provision was created in
2001 in the PATRIOT Act for tangible things, hotel records,
credit card statements, et cetera, things that are not phone or
e-mail communications. The FBI uses that authority as part of
its terrorism investigations.
The NSA only uses section 215 for phone call records, not
for Google searches or other things. Under section 215, NSA
collects phone records pursuant to a court record. It can only
look at that data after a showing that there is a reasonable,
articulable suspicion that a specific individual is involved in
terrorism actually related to al Qaeda or to Iran. At that
point, the database can be searched, but that search only
provides metadata of those phone numbers of things that are in
the phone bill. So the vast majority of records in the database
are never accessed and are deleted after a period of 5 years.
To look at or use content of a call, a court warrant must be
obtained.
Is that a fair description or can you correct it in any
way?
General Alexander. That is accurate, Senator. Thank you.
Senator Feinstein. Thank you very much.
Let me express my hope once again. You expressed some
things to us yesterday in Intelligence. I think it is really
very important to show the cases where this has been used and
has been effective and do that tomorrow at the classified
briefing for all Senators. Will you do that?
General Alexander. Senator, we are going to bring those. We
will bring a layout of all those that have happened. And we
will work with the interagency as quickly as possible so that
the aggregate numbers can be released by you and others so that
the Nation knows how much this has really done to protect us
and our allies.
Senator Feinstein. Good. That is appreciated.
Now, let me go to cyber. As you know, the vice chairman of
our committee, Saxby Chambliss, with whom I work closely--we
have been sitting down trying to forge a consensus information-
sharing bill in cyber. Senator Coats, Senator Collins, Senator
Mikulski are all members of this committee. And one of the main
things is the extent of liability protection, the importance of
the domestic portal of entry for cyber attacks.
I would like to ask that you describe what is meant by a
civilian portal for Senators assembled here today and also the
rationale, why this is important for privacy and other reasons.
General Alexander. Senator, thanks for that question.
The reason, from my perspective, for a portal to one of the
civilian infrastructures is so the Nation knows that somebody
is not going directly to an intelligence or a military thing
with secret information, but rather, give it to, for example,
DHS and it can be pushed to FBI and NSA Cyber Command because
we all see the data at the same time. And the public will have
great confidence that what we are doing is exactly right. Or
send it to FBI depending on the type and then FBI can shoot it
to both of us. So you have a way of doing this. I think that is
critical, given the discussion that we have on the other parts,
is that the American people know that we are being transparent.
We do not look at our cyber infrastructure to know what is
going into Wall Street, as an example. And so if there is an
attack on Wall Street, I will not see it until afterward. And
so think of that as a missile coming into Wall Street. The
people that do see it, like the Internet service providers,
could tell us that--could--but there is no guarantee and there
is no quick way of doing that.
Cyber legislation is needed for that. We need to be able to
share that information, and all of us need it because we all
will have a role there. Our role would be defend the country.
If this is a nation state trying to take down Wall Street, you
want us to act.
So I think that is the reason for having that civilian
portal. That was a longer answer than you probably wanted, but
that is why I think all of that is needed.
Senator Feinstein. Thank you.
Let me go to another subject quickly and that is liability
protection. And you talked to us a little bit about what the
liability protection standards should be in a bill. There are
two parts of it. One is for use of a Government countermeasure,
and the other is voluntary information-sharing between two
companies. I think many members feel companies will not share
unless they have immunity from liability. Could you comment on
that?
General Alexander. So there are two different aspects, as
you stated, and one is how do you share with the Government and
what action do you take. And so here is where I think my
personal thoughts on this are that if the Government asks the
company to do something to protect the networks or to do
something and a mistake is made and it was our fault, then they
should have liability protection for that. And they should not
stand up and have to be sued. So I think there is a case for
that.
But if they go company to company or if they are sharing
data back and forth, as they do today, I am not sure that the
Government needs to provide liability insurance that way.
So I think there are two different things.
Now, this is something that the administration--your folks
and we ought to bring everybody together, if that is the key
point, and iron that out. I think we want to get it right.
There are subtleties to what we just said. So there are
different cases and conditions upon when we would act and how
we would act and what level of liability you would have. And so
I think those are the ones that we truly got to get exactly
right.
From my perspective, we just cannot grant everybody gets
liability protection. And on the other hand, we do not want to
say do something for the Government and if it goes bad, you are
on your own. So I think there is something in the middle there
that we have to get right, and from my perspective it is when
the Government is asking them to do something, we ought to have
at least part of that liability protection.
Senator Feinstein. Thank you.
Thank you, Madam Chairman.
Chairwoman Mikulski. Senator Boozman and then Senator
Tester.
Senator Boozman. Thank you, Madam Chair, and thank you all
so much for being here.
I do have some questions about the situation we are in, but
I think what I would like to do is wait until we get into the
classified. I think you have said about as much as you could
say in a setting like this.
I do think that the Senator from Nebraska, though, raised
an important consideration that we are probably not talking
about enough. I think by any standards, this is a very far-
reaching program that really does have tremendous implication
to the general public. And having the military--as he said,
your record is exemplary. You are a tremendous American. My dad
did 20 years active duty, and I will do anything I can to help
you all in that regard.
But I do think that the idea of having military control--we
have had those firewalls in the past, and that is a discussion
at some point that I think we need to have and would appreciate
again at some point your contribution in that. But I do think
that that is very, very important. And like you said, we are
not talking about that.
In regard to cybersecurity, Secretary McFeely, what are the
top countries--and you can chime in on this also, General. What
are the top countries that are pinging us? Who is involved in
this?
Mr. McFeely. We do have an answer for that. I believe that
would be a more appropriate discussion in our classified
setting.
Senator Boozman. So it is not okay to say who is getting
after us?
Mr. McFeely. I do not believe in this setting based on the
fact that our information and our assessment is based on our
classified work--I do not believe that--I think I would be
overstepping a line.
Senator Boozman. Okay.
You mentioned in your testimony the FBI's collaboration
with State and local law enforcement. Again, it is hard for
them to deal with this. This is something that they are not,
most of the time, equipped to do. Do you feel that the Federal
Government, specifically the FBI, is doing enough to aid our
State and local departments when they are faced with a cyber
attack?
Mr. McFeely. You mean specific governments or are we
working with State and local law enforcement----
Senator Boozman. Yes, State and local law enforcement.
Mr. McFeely. So I think the short answer to that is no, but
I am happy to report that we have, I believe, a working plan
moving forward. About 2 months ago, we met with various
associations representing the police and sheriffs and
investigators at the State and local side. And through
conversation going through really a discussion of where law
enforcement is with the cyber threat, we realized collectively
that information is not flowing down to the State and local
departments, and even in the instances where it was, they did
not have the capability or the level of competence to even
address it.
We decided that we needed to address that. We have worked a
pilot plan out, and the centerpiece of this will be the
Internet Crime Complaint Center where we literally get
thousands of complaints in a year from people who have been
defrauded over the Internet. Most of the complaints that come
in do not meet Federal prosecutive guidelines. In other words,
it is not something that a United States Attorney's office
would routinely prosecute and it is not something, because
these are fraud-type complaints, either the FBI or Secret
Service would routinely investigate. But because State and
local's competence level is not at the level where it should
be, it is just simply falling off.
Chairwoman Mikulski. I could not hear your word to Senator
Boozman. I could not hear you. Are you saying ``confidence'' or
``competence''?
Mr. McFeely. Competence, technical capabilities.
So what we have worked out is a pilot project where we are
going to package up these types of threats and actually
disseminate them direct to the major departments where the
victims are located. At the same time, we are going to increase
our outreach to State and local law enforcement and give them
the tools and the training that they need to get them up to
that level of technical competence that they need.
Senator Boozman. Thank you.
Mr. Beers. Senator, could I add to that, please?
COLLABORATION WITH STATE AND LOCAL LAW ENFORCEMENT
Senator Boozman. Yes, sir, sure.
Mr. Beers. So our Secret Service, working with the FBI in a
number of cases, as Mr. McFeely indicated, in the joint task
force--we have a National Computer Forensics Institute in
Alabama. We have trained over 1,300 State and local law
enforcement prosecutors and judges in order to be able to deal
with this.
What we are dealing with here--that is, mostly their
competence or the part of, not the national security threats
but the criminal fraud threats--is the stealing of credit cards
and other personally identifiable information and using that to
take money out of banks around the world. You heard about the
$46 million that was taken out of two banks from the Middle
East, including a large amount in this country. That is the
kind of training where we can give them the competence and we
can work with them, and that is something that we and the FBI
are trying to do very much. The outreach that we have had to
the various police associations and other things is part of
it.
But the main thing is to get the training and then to work
together. A lot of this happens overseas and that is where we
have to be involved in order to be able to trace those
activities overseas, which State and local law enforcement do
not really have the ability to do. But it is a joint program
and really quite successful.
Senator Boozman. Thank you, Madam Chair.
Chairwoman Mikulski. Senator Tester.
Senator Tester. Thank you, Madam Chair.
And I want to thank you all for being here, particularly
General Alexander. I want to thank you for coming today. Thank
you for your service to our country. And I have been looking at
the slides the committee provided, and they are very helpful.
We are going to spend more than $13 billion in unclassified
cyber activities. Seven agencies are involved, excluding the
network defense that every agency must do.
According to my notes, after the WikiLeaks incident in
2010, a Presidential Executive order directed agencies to
improve classified network security and create a committee to
oversee those improvements. So we have had 3 years to improve
the control of classified networks and information. Whatever
one thinks of Edward Snowden, it looks to me as if we have also
got a big problem that is internal, not external.
So you tell me that the President has requested $13 billion
in cyber spending for fiscal year 2014, and yet a contractor,
not even somebody who is accountable to your chain of command
or anyone else in the Government, is able to get his hands on a
copy of a FISA court order allowing the collection of metadata
from Verizon. How on earth does this happen? And why does a
contractor have access to information that we are spending $13
billion to prevent outsiders from getting their hands on?
General Alexander. So that is one of the grave concerns we
both have in that in our networks, the system administration of
those networks, the IT infrastructure, was outsourced about 14
years ago to push more of our work out to contractors. As a
consequence, many in Government, not just us, have system
administrators who are contractors working and running our
networks. Now, they do not have total visibility of the
network, but they get key parts to it. And in this case, this
individual was a system administrator with access to key parts
of the network. So we have got to address that. That is of
serious concern to us and something that we have to fix.
Senator Tester. I mean, from your perspective, do you
anticipate a recommendation coming forward that this work be
done in house instead of contract?
General Alexander. Senator, I am not prepared to make that
statement yet. I do not want to react because there are good
contractors out there that are doing a good job. I think what
we have to do is come back and perhaps look at the oversight
mechanism that we have, the checks and balances that are in the
system, the automated checks and balances that exist, and what
we can do to improve those. As you may know, what the
Department is going through in the joint information
environment would greatly assist in protecting this data. So
going to what we call JIE is a huge step in the right
direction.
I think cloud security and encrypting data are things
that we can and should do, but that is going to take time. I do
not want to mislead you. This is a significant effort for the
Defense Department to move to, but it is one that I know I have
personally talked to the Secretary on and the Chairman. We are
pushing this. It is the right way to go. I wish we had it. I
wish we would go back in time. NSA is doing the same.
BANK ATTACKS
Senator Tester. Financial services. I am told by folks that
I deal with on the Banking Committee that almost every night
somebody is trying to hack their system.
Do you have the mechanism by which you can follow up if a
bank gave you an IP address that they think that is doing the
problem? And if it is not the right question for you, General,
you can ship it any way you want. Or do you not have the
mechanism to be able to follow up?
General Alexander. So we do as a team, the team here.
Almost assuredly, if it is a criminal or other, it would start
with the FBI being on the team. We may have people on the team.
If the FBI saw this was a foreign one, they would tip that over
to us. So we act as a part. DHS has a key role in that team to
see what it is. We have made great progress in bringing that
team together.
The bottom line to your answer is someone on this team
would take it. Normally that leadership would probably be, the
cases you described, FBI with DHS and us.
Mr. Beers. Sir, on that, we gave out 200,000 IP addresses
to individuals within this country--to the banks--excuse me--to
block when those distributed denial of service attacks hit. Some of
those were overseas. We also sent them to friendly governments
overseas. So as a matter of course, we do this on a regular
basis as part of this tripartite team.
Senator Tester. Okay. So let me ask you this. If a bank
comes to you with an IP address that they believe was trying to
hack their system, do you guys follow up on that?
Mr. Beers. In exactly the same way. The three of us, the
three agencies that we represent, go and provide some forensic
assistance with respect to that particular incident, and then
we provide a larger mitigation message out to the rest of the
community so that particular form of attack cannot be
replicated.
Senator Tester. Then do you go back to the bank that has
initiated this investigation and tell them what you have done?
Mr. Beers. We do, and when we put out the information, we
do not necessarily indicate which bank was affected. We
anonymize that information unless that particular firm wants it
public.
Senator Tester. Okay. So when a bank comes up to me and
says, look, we give them IP addresses and they do not follow up
on it, you would classify that as being baloney?
Mr. Beers. Sir, I cannot speak to each and every one of
those instances, but what I am telling you is the way we work as a
team in order to try to do that. And if there are banks that
have spoken to you about this, we would be happy to get back to
them if they are prepared for you to tell me about that.
Senator Tester. I do not know that they are, but maybe they
are. I cannot say. Actually multiple banks have talked to me
about that.
So I just want to say thank you very much. I will tell you
that there has been a lot--if I might editorialize just for a
second, Madam Chair. There has been a lot of concern about what
has happened in the last couple weeks. And I do not serve on
the Intelligence Committee. I do serve on Homeland Security,
but I do not serve on the Intelligence Committee. And I will
tell you that I think it is positive for this country to be
having the discussion we are having. And there may be some
negatives involved here, but I think it is positive to have the
discussion so that we are thinking about civil liberties and we
are thinking about freedom as it relates to our national
security. You guys all have a tough job, but we will get
through this and hopefully we will secure both our security and
our freedoms when this is done.
Thank you very much.
Chairwoman Mikulski. Senator Murray.
Senator Murray. Madam Chairman, thank you very much for
having this hearing.
Is ``baloney'' a Montana name?
Senator Tester. I was being very nice. I was going to refer
to cow excrement here.
QUALIFIED WORKFORCE: CENTERS OF EXCELLENCE
Senator Murray. We were lucky.
Again, thank you so much for having this hearing.
Let me just start by saying that I think our Nation's most
important cybersecurity resource is its cyber workforce.
Without the right people using it, even the most sophisticated
technology is really only of limited use. That is why I think
it is important that we successfully identify, recruit, and
train a cyber workforce to form the foundation of any national
cybersecurity plans.
DHS and NSA's Centers of Academic Excellence are really
important tools in this effort, and my State, Washington State,
hosts a number of these Centers of Excellence. We have the
Information Assurance Education Centers at the University of
Washington--Tacoma and the University of Washington--Bothell.
We have the Information Assurance Research Center at the
University of Washington--Seattle, and the Information
Assurance 2-year Education Center at Whatcom Community College.
And together those programs offer cybersecurity education and
training at the 2-year, undergraduate, masters, and Ph.D.
level.
Secretary Beers and General Alexander, if you could comment
on how you think these Centers of Excellence play into your
respective cyber hiring pipelines and workforce development
programs, I would love to hear your comments on that.
Mr. Beers. Let me go first on that. We absolutely are
dependent upon that form of education as a way to get qualified
individuals into our workforce. We at DHS have an outreach
program to community colleges generally but also to these
Centers of Excellence as well as to universities. The only
comment that I would make is we do not have enough people
around the country trained to do all the jobs that we in
Government and the private sector need to have done. I think
one of the educational frontiers for this country is to create
that kind of a workforce for all of us. So
that is certainly something that we support very much at DHS.
Senator Murray. General, do you want to comment?
General Alexander. Senator, thank you for that question
because that is a huge program that we do with more than 140
different schools collectively between DHS, NSA. And the
curriculums that we set up there with those schools--this is
not just you get a thing, you go do it. They actually set up a
curriculum that helps ensure that the students that are going
through that will have the background we need in information
assurance, and now in cyber operations, a new one. So there are
double credentials that they can get. And I just encourage your
schools. I know everybody is looking at that, and we are
getting tremendous pressure.
These are very difficult to get into. This is not something
that we just grant. It is interesting because we got a number
of schools to bring this forward. Some of them do not meet the
qualifications and do not get that accreditation. So they work
through that. We work with them. We have a great outreach. I
think this is great for our country to build these kinds of
people----
Senator Murray. We absolutely must have that workforce. I
agree.
I know that a coherent national cybersecurity strategy
really requires some cooperation. You have got to have
collaboration between Government, private industry, and
academia. And as we saw with the development of the information
economy on the Internet, clustering these universities,
companies, and the appropriate Government agencies together
offers some really great benefits. Within the cybersecurity
industry, the South Puget Sound in my State has emerged as a
leading cyber cluster, if you will. The unique and nationally
recognized resources the region has to offer have created a
great environment for cybersecurity to really flourish. They
have some great stakeholders who help make this possible,
including the Center for Information Assurance and
Cybersecurity at the University of Washington. We also have
great influential technology and defense companies, Microsoft,
Amazon, Boeing, and we have two military installations, Joint
Base Lewis-McChord and Washington National Guard Camp Murray in
the South Puget Sound. And I have seen personally how those
relationships have really benefited that region.
And, Secretary Gallagher, I would love it if you could talk
about the importance of these so-called cyber clusters like the
one we have in my State and what steps NIST and Commerce are
taking to really promote those.
Dr. Gallagher. So the notion of clusters as a way of sort
of creating this amplification effect that you talk about is
broader even than just cybersecurity. In fact, it is a key part
of our strategy in other areas like advanced manufacturing. And
what tends to happen is you get sort of a critical mass where
you have enough expertise that it creates an attracting and
pooling, and that talent base really starts to create wins. So
you attract the right kinds of companies and government
agencies and academic programs.
I think it has to be a key part of the cybersecurity
education effort as well because in the end, you are talking
about workforce development. And so you are going to have to
bring together--that is one of the reasons the public/private
partnerships are going to be such a key element here. We are
seeing some of that already. Senator Mikulski provided a
program funded through NIST, the National Cybersecurity Center
of Excellence, which leverages Maryland and Virginia which have
also been looking at this sort of effect, to bring in companies
to work collaboratively on cybersecurity and create this
tipping-in effect that you so eloquently described that are
part of clusters.
Senator Murray. Great. Well, I am a big proponent of that.
I am out of time, but I did want to submit a question about
the National Guard. I think as we move forward, we are going to
have to make sure that we are coordinating with them. They are
going to be our boots on the ground if there is ever an issue,
and I am hoping that we are doing the right things to support
them. So, Madam Chairman, I would like to just submit that
question.
Chairwoman Mikulski. Thank you very much, Senator. And we
hope that through the respective subcommittees, there will be
follow-ups that will go even deeper to this.
In terms of your clustering, we in Maryland feel we are at
the epicenter of cybersecurity because we have the National
Security headquartered there. We have the National Institute of
Standards headquartered there. We hope to have the FBI
headquartered there. We have the University of Maryland----
Senator Murray. Yes. Well, we will take the west side of
the country.
Chairwoman Mikulski. But thank you very much.
I think, Senator Shelby, did you want to say something,
sir?
Senator Shelby. I just have one last observation. I just
want to thank the panel, all of you, for your service to the
country, the way you have conducted yourself before you got
here today, and what you have done here for the day for
America. And I think it has to be said. We have worked together
a long time. Thank you.
ADDITIONAL COMMITTEE QUESTIONS
Chairwoman Mikulski. Well said, Senator Shelby.
If there are no further questions this afternoon, Senators
may submit additional questions for the committee's official
record, and we request the witnesses' response within 30 days.
[The following questions were not asked at the hearing, but
were submitted to the Departments for response subsequent to
the hearing:]
Questions Submitted to Hon. General Keith B. Alexander, Commander, U.S.
Cyber Command; Director, National Security Agency; Chief, Central
Security Service
Questions Submitted by Senator Patty Murray
Question. Currently, the development, marketing, sale, and resale
of software exploits, including attack capabilities, is legal and
unregulated making it one of the few remaining unregulated weapons
markets.
Is it in the United States' interest to allow the open and
unfettered sale of these exploits and other attack capabilities? What
steps are currently being taken to protect the United States against
the proliferation of these capabilities?
Answer. We share the concerns of the Committee and others about the
unfettered proliferation of malicious cyber tools and the potential
misuse of those tools to inflict harm against U.S. interests and those
of our allies. With other agencies, we are studying the global export
market for cyber technologies, and what actions may be prudent for
national security, while being mindful of U.S. industry's need to
innovate to meet global demand for cyber defense capabilities.
Question. Given the risk that cyber attack poses to critical
infrastructure and other important domestic systems, creating and
maintaining a robust cyber civil defense is essential. Traditionally,
National Guard units have played a central role within civil defense
and in Washington State, the 262nd Network Warfare Squadron--the first
operational non-flying wing within the Air National Guard--has extended
its response and support capabilities to cyberspace.
What steps is CYBERCOM taking to coordinate with Guard units like
the 262nd to improve homeland readiness and resilience in the face of
cyber attack?
Answer. Currently, we conduct exercises and training with the 262nd
Network Warfare Squadron focused on responding to a domestic cyber
attack against critical U.S. infrastructure. These events involve
intense collaboration and coordination across Federal, State, and
private sector boundaries. Going forward, we are working with
USNORTHCOM and the National Guard Bureau to develop a broad framework
for integrating the National Guard into the Cyber Mission Forces. This
framework will guide the Service components as they work to incorporate
additional cyber capabilities into their forces.
______
Questions Submitted by Senator Richard J. Durbin
cyber executive order--role of the executive order versus cyber
legislation
Question. President Obama issued Executive Order (EO) 13636 in
February of this year. What is the effect of this Executive order? Is
it improving your ability to share information with the private sector?
Answer. The overall effect of the Executive order is to jump-start
some key initiatives that begin to address the cybersecurity threat.
--With implementation of the Enhanced Cybersecurity Services, a USG/
industry partnership program, the robust cybersecurity
protections currently afforded only to the Defense Industrial
Base primarily through cleared commercial service providers
will be made available to all critical infrastructure sectors
while minimizing the potential for divulging our classified
sources and methods.
--The cybersecurity framework to be developed by the National
Institute of Standards and Technology in partnership with
industry will help owners and operators of critical
infrastructure to understand the levels of security measures
that are needed to make it more difficult for adversaries to
penetrate their networks.
--The voluntary certification program is designed to encourage and
assist owners and operators of critical infrastructure to adopt
those standards to harden their networks.
--All three efforts recognize that cybersecurity is a team effort and
must be done with full collaboration within Government and with
industry and other private stakeholders.
I think it is essential, however, that all parties realize that the
Executive order (EO) is only a first step in addressing the threat and
not a substitute for actual legislation. The EO can move us only so
far, and it does not eliminate the need for Congress to enact
cybersecurity legislation.
While the Executive order does make some headway in enabling and
facilitating some cybersecurity information sharing across a larger
portion of the critical infrastructure, such sharing remains largely
one-sided--from the USG to private sector. With so much of the critical
infrastructure owned and operated by the private sector, the Government
is often unaware of the malicious activity targeting our critical
infrastructure. These blind spots prevent the Government from being in
a position to either help defend the critical infrastructure or to
defend the Nation from a cyber attack, if necessary. This can only be
overcome through legislation that removes statutory barriers to
cybersecurity information sharing and provides the narrowly scoped
liability protections needed to incentivize two-way, real-time
information sharing between the private sector and the Government.
Similarly, we need legislation that encourages industry cooperation in
the development and implementation of the cybersecurity standards that
will secure their networks.
Question. When he signed the Executive order, President Obama also
underscored the need for comprehensive cybersecurity legislation, since
the scope of the Executive order is limited. What are your legislative
priorities in terms of items you believe should be included in cyber
legislation?
Answer. I believe that cyber legislation needs to:
--Eliminate the statutory information sharing barriers and facilitate
two-way, real-time cybersecurity information sharing between
the private sector and the Government as well as among private
companies. Any legislation must instill confidence that such
sharing will protect privacy and civil liberties, and will
preserve the longstanding, respective roles and missions of
civilian and intelligence agencies. It also needs to provide
reasonable liability protections for companies in order to
incentivize such information sharing.
--Build on the efforts under EO 13636 to develop a cybersecurity
standards framework and certification program by incentivizing
the private sector to adopt the framework to protect its
networks.
cyber executive order--protecting privacy and civil liberties
Question. The Executive order requires Federal agencies to develop
cybersecurity efforts in accordance with the Fair Information Practice
Principles, as well as other policies, principles, and frameworks to
protect privacy and civil liberties. I worked with a number of other
Senators to ensure that the Cybersecurity Act of 2012 included
provisions to protect privacy and civil liberties.
What specific steps can government agencies take to ensure that
privacy and civil liberties are protected as we enhance our Nation's
cybersecurity?
Answer. I believe that the U.S. Government could take the following
steps to ensure that privacy and civil liberties are protected:
--Ensure transparency by establishing processes and procedures based
on Fair Information Practice Principles for the U.S. Government
receipt, retention, use, and disclosure of cyber threat
information received from the private sector.
--Require independent review and oversight to ensure that use and
sharing restrictions are being enforced.
--Leverage technology to establish a transparent, real-time, policy-
based, machine-to-machine messaging construct that
automatically enforces the policy/rules for use and any
restrictions on sharing.
______
Questions Submitted by Senator Mary L. Landrieu
cybersecurity role for the national guard
Question. On June 13, 2013, the day of the Appropriations Committee
hearing entitled ``Cybersecurity: Preparing for and Responding to the
Enduring Threat'', the Committee received a report from the Department
of Homeland Security (DHS) and Department of Defense (DOD) which was
due to Congress on May 1, 2012, as prescribed in the joint explanatory
statement accompanying the fiscal year 2012 DHS Appropriations Act
(Public Law 112-74). The purpose of the report was to outline the
capabilities of a coordinated response to a cyber attack by DHS and the
National Guard and how critical relationships can be established across
the agencies to fulfill cybersecurity responsibilities. The information
provided, which was submitted separately by the two agencies, outlines
on a high-level, the programs DHS and DOD (as a whole) are maintaining
for a response. Unfortunately, the report falls short of providing
Congress an understanding of the DHS and National Guard's capacity to
respond to a cyber attack jointly. In order for Congress to better
understand the gap between capacity and need, a sense of scope is
required.
How many National Guard cybersecurity personnel currently exist,
and where? Are they employed in teams or individually? If they are
employed in teams, how many teams are there and where are they located?
Answer. Although these questions are better directed to the
National Guard Bureau, I understand that there are approximately 1,000
National Guard personnel in cybersecurity positions. The U.S. Army
National Guard is filling 8-person Computer Network Defense teams in
each State that operate part-time in support of State missions.
Additionally, the U.S. Air Force has established Air National Guard
units in Washington, Delaware, Rhode Island, Maryland, California, and
Kansas. USCYBERCOM continues to explore with the Services the unique
capabilities the National Guard brings to the Total Force and the role
they will have in securing our Nation in cyberspace.
Question. As DOD and DHS are building the capacity the Federal
Government needs to protect against and respond to a cyber attack: what
specific role is being considered for the National Guard; and how is
the Guard's ability to switch between title 32 authorities and title 10
authorities being taken into consideration?
Answer. We are working through the best way to strategically
integrate the National Guard into the cyber national defense mission to
include the Guard's particular authorities and capabilities. Most
importantly, National Guard forces should complement the Total Force in
the same way that they do for other missions. As part of a Total Force
solution, the National Guard forces will need to be trained to the same
standard as the active forces to meet those requirements.
Although we are focused on working with the Services and the
National Guard Bureau on how these personnel can help meet DOD
requirements, the Department is actively engaged with its interagency
partners and the States to improve our ability to respond to
cybersecurity challenges in a whole-of-Government approach that
leverages all appropriate authorities.
It is also important to note that, as Chairman of the Joint Chiefs
of Staff General Martin Dempsey stated in recent congressional
testimony, title 32 may not provide authorities for operating in
cyberspace. Any activities on networks within a State's jurisdiction
which have effects outside of that jurisdiction would have to be
conducted under title 10 authorities. This will be an important factor
in the planned integration of the National Guard into the cyber
national defense mission.
Question. Is there a cost savings associated with utilizing the
National Guard based on current training? How much?
Answer. In coordination with the services, the Department is
working out how to create an effective cyber workforce by looking
across the Total Force in a way that best meets DOD cyber requirements.
As a critical element of building its force structure, USCYBERCOM has
established common training requirements for all of its personnel,
Active component, Reserve component, or civilian.
We are eager to leverage the skills and training of all our team
members while we ensure that they are properly trained and certified to
carry out their USCYBERCOM mission. It is very difficult to estimate
potential savings based upon current training of personnel, as it will
be highly dependent both upon the particular training and certification
an individual has previously received and how much training meets the
requirements of roles to which the personnel will be assigned.
Question. Are there skills identified within the National Guard
that cut down the time needed to train a cyber airman or soldier to be
able to respond to a cyber attack?
Answer. The services retain training and accreditation authorities
for all training. Each service will make a determination on what
civilian skills, experience, and credentials might be credited for
required military training.
USCYBERCOM is establishing common training requirements for all of
its forces. Skills may help them progress and support their ability to
operate, while ensuring that all of our forces are trained to the same
standard.
cyber test beds/ranges
Question. General Alexander testified that the services,
departments, and agencies need to work together to ensure that they
have adequate test bed and range space to safely organize, train, and
equip the cyber warriors, operators, managers, researchers, and agents
across the Federal Government.
What are the specific requirements that your departments and their
various agencies have for test bed and range space?
Answer. Test bed and range spaces must support training on all
aspects of the USCYBERCOM mission as specified by the Joint Cyber
Training and Certification Standards and the Cyber Forces Concept of
Employment. They also need to be capable of supporting training,
exercise, and mission rehearsal events from multiple locations on a
24/7/365 basis.
Question. What specific outcome will those established requirements
render in trained personnel and tactics?
Answer. Testing and range space that fulfills those requirements
will foster an environment that ensures the Cyber Mission Forces are
consistently trained and certified to perform operations in defense of
the Nation and, when authorized, to project force. Methods of training
tactics development will include force on force, force vs. simulated
opposition forces, and force vs. live opposition forces.
Question. What is the current test bed and range capacity available
to each of your departments?
Answer. USCYBERCOM has access to the Department of Defense's four
cyber ranges that support testing and training: the Joint Information
Operations Range, the Department of Defense Information Assurance
Range, the National Cyber Range, and the C4 Assessment Division.
USCYBERCOM also has limited in-house standalone test labs.
Question. What is the wait time or backlog based on the access you
currently have?
Answer. Currently, exercise events are developed to meet specific
requirements for the training audience. In correlation with the
development, wait time varies based on range schedule availability and
planning. Based on historical data from recent range events, the
average wait time is 60-90 days for a small (10-15 participants) event,
and 6-9 months for large-scale exercises such as Cyber Flag.
Question. Have you identified additional test bed or range space
that you would like to acquire, use, or lease?
Answer. USCYBERCOM is working with the Joint Information Operations
Range, the DOD Information Assurance Range, the National Cyber Range,
and the C4 Assessment Division to identify future capacity needed to
accommodate projected DOD cyber testing and training requirements.
Question. What are the fiscal year 2013 and 2014 funding levels for
testing and training space?
Answer. Although USCYBERCOM has access to these ranges, we do not
program their funding nor are the ranges under a single program
manager. The Command is collaborating with the range program managers
in a federation of the willing in order to coordinate strategic
planning/programming. For specific USCYBERCOM events, COCOM Engagement
and Training Transformation funding was allocated from the baseline
USCYBERCOM fiscal year 2013 exercise funding and fiscal year 2014
funding will likely be similar.
Question. What percentage of your required testing and training
needs will you be able to meet in fiscal year 2013 and 2014?
Answer. Of the projected training and certification events to
support the Cyber Mission Force, approximately 30 percent of the events
can be supported by the test beds and ranges currently available to
USCYBERCOM. However, the Command is working with the Joint Information
Operations Range, the DOD Information Assurance Range, the National
Cyber Range, and the C4 Assessment Division to identify the capacity
needed in fiscal year 2014 and beyond to accommodate projected DOD
cyber testing and training requirements.
______
Questions Submitted by Senator Tom Udall
role of national laboratories in promoting cybersecurity
Question. General Alexander, our National Labs--which are the crown
jewels of our Nation's research system--are active in efforts to
promote cybersecurity. In my home State of New Mexico, Sandia National
Laboratories is engaged in efforts to secure the national electrical
grid from cyber attack. Los Alamos National Laboratories is a leader in
quantum cryptography. Sandia also has partnerships with universities
and the private sector. They're helping computer science students
become cyber professionals.
Could you discuss what role our National Labs should have in
protecting our Nation from cyber attack?
Answer. Our National Labs are incredible resources that continue to
make vital contributions to cybersecurity and broader national
security. The three areas that you have identified are three of the
most important ways that the National Labs are supporting U.S.
cybersecurity efforts: advanced research to secure our vulnerable
infrastructure from cyber threats; the improvement of our abilities to
transmit and store data securely; and, potentially most importantly,
the development of the cybersecurity professionals that are our most
critical asset.
need for international cooperation for cybersecurity standards
Question. General Alexander, your testimony describes how
USCYBERCOM is working to defend the Nation against threats from
cyberspace, especially those that could involve attacks directed by
foreign states. But cyberspace does not really recognize national
borders, and we have many shared interests in terms of cybersecurity
with other nations. Stopping cyber criminals, for example, requires
cooperation from other countries. Earlier this year, a criminal network
involving hackers from several countries allegedly stole $45 million
from banks using fake ATM cards.
How do we ensure our national security while also working toward
better international cooperation in the area of cybersecurity?
Answer. International cooperation on cybersecurity is a requirement
to ensure our national security. Global cooperation is necessary to
address the threat, build consensus on the norms of responsible conduct
in cyberspace, and address ongoing malicious activity. For our
military, cybersecurity cooperation, including shared situational
awareness, is foundational to interoperability and mission success
globally as is the case in other domains.
Question. How do we reduce cyber vulnerabilities while protecting a
free and open Internet for all?
Answer. As the President's International Strategy for Cyberspace
says, ``To realize fully the benefits that networked technology
promises the world, these systems must function reliably and securely.
People must have confidence that data will travel to its destination
without disruption. Assuring the free flow of information, the security
and privacy of data, and the integrity of the interconnected networks
themselves are all essential to American and global economic
prosperity, security, and the promotion of universal rights.'' A
cyberspace that rewards innovation, empowers individuals, develops
communities, safeguards human rights, and enhances personal privacy
will strengthen national and international security. We will reduce our
cyber vulnerabilities and defend our networks with smart policies that
combine national and international resilience with vigilance and a
range of credible response options. Building capacity and fostering
innovation is necessary to achieve reliable, secure, and safe platforms
and build confidence in globally interconnected networks. This is why
partnerships are so important: domestic and international, public and
private sectors.
china and theft of intellectual property
Question. General Alexander, your testimony mentions the systematic
theft of American intellectual property. This is a serious challenge,
particularly if aided and abetted by foreign states. President Obama
reportedly raised concerns about this with Chinese President Xi Jinping
last week.
How should our Nation respond if such directed cyber thefts are not
curtailed?
Answer. In February 2012, the administration published a
comprehensive strategy on mitigating the theft of U.S. trade secrets,
which is currently being implemented. Consistent with the Strategy, we
need to respond to cyber intrusions that result in the theft of
American intellectual property in three ways. First, the U.S.
Government must work with like-minded countries to clearly define
acceptable and unacceptable behaviors in cyberspace and to promote
related international norms, including effective criminal and civil
enforcement. Second, the U.S. Government must work with private sector
entities to develop more defensible network architectures and computing
devices that do not contain vulnerabilities that countries such as
China can exploit for economic gain. As these network architectures and
computing devices are hardened, we must promote development, sharing
and deployment of industry-led voluntary best practices in the private
sector to protect U.S. intellectual property, including trade secrets.
Third, the U.S. Government must continue to develop and implement
defensive cyber capabilities to protect the Nation from threats to its
economic health and stability.
______
Questions Submitted by Senator Thad Cochran
Question. All witnesses, we have heard about the importance of
cooperation and clearly defined lanes of responsibility across the
Federal Government for our cybersecurity efforts. What are your
respective roles in receiving and sharing threat information with the
private sector?
Answer. We are leaning forward to the maximum extent authorized to
share knowledge across the U.S. Government and private sector. In
accordance with EO 13636, and consistent with its legal authorities and
mission responsibilities, NSA/CSS provides classified cyber threat
information and associated network defense guidance to DOD, DHS, and
DOJ/FBI to use in support of their specific cybersecurity roles and
responsibilities. Through the voluntary Enhanced Cybersecurity Services
and Defense Industrial Base Enhanced Cybersecurity Services programs,
NSA/CSS is working with DHS and DOD to provide classified cyber threat
and technical information to eligible critical infrastructure companies
or commercial service providers that offer security services to
critical infrastructure.
Question. All witnesses, I think we all recognize the importance of
defending our Nation's critical infrastructure against cyber attacks. A
foreign or terrorist cyber attack on our electric grid, water systems,
or financial systems could cause widespread damage and even have
detrimental effects on our economy and consumer confidence. There has
been much discussion about how involved the Federal Government should
be in defending infrastructure owned by non-Federal entities. How would
you define the threshold for what types of non-Federal infrastructure
might qualify as ``critical'' for these purposes?
Answer. I believe the definition of ``critical infrastructure''
used in PPD-21 Critical Infrastructure Security and Resilience is a
reasonable one, and it applies to both Federal and non-Federal critical
infrastructures. It defines critical infrastructure as those ``systems
and assets, whether physical or virtual, determined by a sector
specific agency or DHS to be so vital to the United States that the
incapacity or destruction of such systems and assets would have a
debilitating impact on security, national economic security, national
public health or safety, or any combination of those matters.''
Question. General Alexander, a British newspaper recently reported
on a program called ``Prism,'' in which it referred to collection under
section 702 of the Foreign Intelligence and Surveillance Amendments
Act. The newspaper reported that the law ``allows for the targeting of
any customers. . . who live outside the U.S. or those Americans whose
communications include people outside the U.S.'' Can you explain if and
how this description may be inaccurate?
Answer. The quoted statement is inaccurate. Section 702 does not
allow the Government to target Americans inside or outside the United
States.
Section 702 of FISA allows ``the targeting of persons reasonably
believed to be located outside the United States to acquire foreign
intelligence information.'' 50 U.S.C. 1881a(a).
Additionally, the statute provides several express limitations,
namely that such acquisition:
(1) may not intentionally target any person known at the time of
acquisition to be located in the United States;
(2) may not intentionally target a person reasonably believed to be
located outside the United States if the purpose of such acquisition is
to target a particular known person reasonably believed to be in the
United States; may not intentionally target a United States person
reasonably believed to be located outside the United States;
(3) may not intentionally acquire any communication as to which the
sender and all intended recipients are known at the time of acquisition
to be located in the United States; and
(4) shall be conducted in a manner consistent with the fourth
amendment to the Constitution of the United States.
50 U.S.C. 1881a(b).
An acquisition authorized under section 702 must be conducted in
accordance with targeting procedures reasonably designed to ``ensure
that any acquisition authorized. . . is limited to targeting persons
reasonably believed to be located outside the United States.'' 50
U.S.C. 1881a(c) and (d)(1). These targeting procedures are subject to
judicial review and approval by the Foreign Intelligence Surveillance
Court (FISC). 50 U.S.C. 1881(d)(2). Minimization procedures must also
be adopted and are subject to FISC review. 50 U.S.C. 1881(e)(2). Among
other requirements, joint authorizations by the U.S. Attorney General
and Director of National Intelligence under section 702 must attest
that ``a significant purpose of the acquisition is to obtain foreign
intelligence information'' and that the acquisition complies with the
above limitations. 50 U.S.C. 1881a(g)(2).
Question. All witnesses, we've often heard that there is a
potential for a Cyber Pearl Harbor, or an unexpected cyber attack on
our Nation by a foreign entity that has dramatic and lengthy
consequences. I think it may be difficult for most Americans, and even
members of this Committee, to visualize how exactly such an attack
would be carried out and what it would look like. Can you help us to
better understand these things? Are the appropriations this Committee
has been recommending sufficient to help prevent such an attack?
Answer. In a 20 July 2012 opinion piece published online in the
Wall Street Journal, President Obama reflected on lessons learned from
a national-level exercise conducted the previous month to test how well
Federal, State, and local governments and the private sector can work
together in a crisis. According to the exercise scenario, that crisis
was the result of a cyber attack by unknown hackers who had inserted
malicious software into the computer networks of private-sector
companies that operate most of our transportation, water, and other
critical infrastructure systems. The simulated consequences included
train derailments across the country, including one carrying industrial
chemicals that exploded into a toxic cloud. Water treatment plants in
several States had shut down, contaminating drinking water and causing
Americans to fall ill. This worst-case scenario included both cyber and
physical consequences and targeted our Nation's critical
infrastructure. In October 2012 Secretary of Defense Panetta described
a cyber Pearl Harbor as just such a combination of events.
We believe the administration budget requests are on target and we
appreciate the Committee's willingness to fund them. Our strength in
facing this threat relies on the entire U.S. Federal Cybersecurity
Operations Team including DHS, DOJ/FBI, and DOD to counter cyber
threats. We each have specific, critical roles, responsibilities, and
authorities. We are already working together as part of the Federal
effort to counter cyber threats, and we are partnering to implement EO
13636 to improve the cybersecurity of our critical infrastructure.
There are issues with being able to see and prepare for a cyber attack,
as no single public or private entity has all of the required
authorities, resources, or capabilities to either respond to or prevent
a serious cyber attack on our critical infrastructure. We must address
this threat as a team by sharing the unique insights into cyber threats
that both the Government and the private sector have and by hardening
our critical infrastructure and making it more resilient to cyber
threats. We need legislation that removes existing barriers to the
sharing of cyber threat information between the private sector and the
U.S. Government at network speed, while ensuring that privacy and civil
liberties are protected. We also need legislation that offers
incentives to encourage core critical infrastructure operators to
harden their networks.
______
Questions Submitted by Senator Mike Johanns
cyber command
Question. General Alexander, I would like to ask several questions
about the potential elevation of Cyber Command to a unified combatant
command. Last year's National Defense Authorization Act included
language that instructs DOD to brief Congress on any proposal to
elevate the command. The language asks for specific information such as
a clear statement of mission, an outline of national security benefits,
as well as a cost estimate.
Has DOD prepared this required information and have you shared it
with Congress?
Answer. If the administration were to make such a significant
change to the Unified Command Plan, it would certainly share the
details with Congress.
Question. Do you agree that it would be inappropriate to stand up a
new unified command without possessing this information and sharing it
with Congress for review?
Answer. I believe that Congress should be informed on the analysis,
decisionmaking factors, and outcome of any changes to the Unified
Command Plan.
Question. In particular, what would be the costs associated with
elevating Cyber Command to a unified combatant command beyond the
initial establishment of the command--costs specifically related to
operations?
Answer. If the decision is made to elevate USCYBERCOM to a unified
command, it is unknown at this time whether there would be costs beyond
the initial establishment of the command related to operations. Any
cost increases or decreases will be dependent upon the responsibilities
and authorities assigned.
Question. I have heard some assert that no additional allocation
would be needed to elevate Cyber Command. Regardless of whether costs
are absorbed by taking away from other DOD missions or expending newly
allocated tax dollars, there will be operational expenses. What is
DOD's estimation of these expenses?
Answer. If the decision is made for significant changes to the
Unified Command Plan--such as creating an additional unified command--
there will likely be costs involved. The exact costs and any potential
effect on the overall DOD budget, however, will be dependent upon a
variety of implementation factors including assigned responsibilities,
authorities and manning.
Question. What do you believe are the advantages and disadvantages
of dual-hatting an individual as both the commander of a unified
command and of the National Security Agency?
Answer. Currently, the dual-hatting of the Director of the National
Security Agency and the Commander of USCYBERCOM is a strategic
advantage for the Nation. It has enabled DOD to leverage NSA's
capabilities needed for the conduct of USCYBERCOM's mission. The
concept ensures that the most knowledgeable officer on the global
cryptologic platform maintains superior situational awareness,
empowering swift and effective decisionmaking associated with national
intelligence and military objectives.
Question. In light of the widespread concern about an appropriate
balance between national security and the privacy rights of American
citizens, is there wisdom in avoiding giving one person virtually
unprecedented power as the head of both a unified command and a
civilian intelligence agency?
Answer. I do not believe that there is. It is imperative that the
Commander of USCYBERCOM understand the global cryptologic platform. The
dual-hat relationship facilitates this knowledge and ensures that the
Commander can maintain situational awareness and respond when required
in an extremely high-paced, complex, technical environment--while
applying to both jobs a single ethos of protecting privacy rights.
Question. What is the timeline for Secretary Hagel's decision?
Answer. I do not know if there is a timeline for any decision on
this topic.
Question. At one point there was talk that DOD might slip this
important change into an out-of-cycle adjustment to the Unified Command
Plan (UCP). Can you assure us this will not be the case?
Answer. Any final recommendation on changes to the Unified Command
Plan to the President will be made through the Secretary of Defense.
Question. Will you commit to us that before a final decision is
made, Congress will be provided a mission statement, clearly defined
parameters for combat action, and cost estimate?
Answer. I am sure that the Secretary of Defense will work with the
White House to ensure that our oversight committees have the
information that they need to be comfortable with any decisions
regarding the status of this command.
______
Questions Submitted to Hon. Rand Beers, Acting Deputy Secretary,
Department of Homeland Security
Questions Submitted by Senator Patty Murray
Question. Currently, the development, marketing, sale, and resale
of software exploits, including attack capabilities, is legal and
unregulated making it one of the few remaining unregulated weapons
markets.
Is it in the United States' interest to allow the open and
unfettered sale of these exploits and other attack capabilities? What
steps are currently being taken to protect the United States against
the proliferation of these capabilities?
Answer. The Department of Homeland Security (DHS) works closely
with public and private sector partners to coordinate the discovery and
responsible disclosure of software vulnerabilities before they can be
exploited. DHS cybersecurity experts are following the evolution of the
software vulnerability marketplace, including legitimate ``bug bounty''
programs, to ensure that our resources are being applied to address
gaps in vulnerability discovery and mitigation that industry alone
cannot correct. DHS's Science and Technology Directorate, through its
Software Quality Assurance project, is developing technologies to
improve techniques in software quality assurance tools to better detect
these types of vulnerabilities in software systems. DHS S&T will offer
these technologies and improvements through the Software Assurance
Marketplace (SWAMP), a state-of-the-art facility designed to advance
our Nation's cybersecurity by providing a collaborative research
environment to improve software development activities that will
protect the national cyber and critical infrastructure systems against
the proliferation of these software vulnerabilities and threats. In
addition, DHS is working with our international industry and government
partners to ensure that software and supply chain risks can be
proactively addressed worldwide.
Question. The North American Electric Reliability Corporation
(NERC) has been among the more successful industry solutions to
ensuring basic levels of cybersecurity across whole sectors of critical
infrastructure. While its mandatory cybersecurity standards are broadly
implemented across the bulk power system, NERC's voluntary standards
are minimally adhered to. Compounding this dynamic is the length of
time NERC takes to issue new mandatory standards; many of the voluntary
standards issued since the last ruling are recognized as essential
cybersecurity measures in the face of today's cyber threats. Given that
NERC is a leader across the greater realm of critical infrastructure, I
am concerned with the cyber readiness of other sectors.
How can Congress facilitate the formulation and adoption of
acceptable standards within the current regulatory framework and create
the structures needed to develop these standards in the first place
within the sectors that lack them?
Answer. Congress can leverage the consultative process adopted
during the development of the National Institute of Standards and
Technology's Cybersecurity Framework called for in section 7 of
Executive Order (EO) 13636, as well as regulatory agencies' assessments
of current regulatory frameworks from section 10 of the EO, to assess
the need for new or updated standards and ensure that such standards
are flexible and adaptable given evolving technologies and unique risk
environments. Congress can also work with DHS, Sector-Specific Agencies
(SSAs), the independent regulatory agencies, and the private sector to
understand the constraints that limit adoption and to implement
voluntary or legislative solutions to reduce burdens or increase
benefits of adoption or compliance. By assessing whether, and how, a
lack of standards or standard adoption is resulting in sub-optimal
cybersecurity outcomes, Congress can promote solutions associated with
a measurable business case, and encourage the adoption of particular
standards by sector organizations, SSAs, insurers, and other relevant
bodies. This may also include the promotion of particular incentives,
such as those identified in the DHS, DOC and Treasury responses to the
EO 13636/Presidential Policy Directive-21 tasking on incentives
studies.
______
Questions Submitted by Senator Richard J. Durbin
cyber executive order--role of the executive order versus cyber
legislation
Question. President Obama issued Executive Order 13636 in February
of this year. What is the effect of this Executive order? Is it
improving your ability to share information with the private sector?
When he signed the Executive order, President Obama also
underscored the need for comprehensive cybersecurity legislation, since
the scope of the Executive order is limited. What are your legislative
priorities in terms of items you believe should be included in cyber
legislation?
We'd like to hear from all the witnesses on this issue.
Answer. Facing persistent and constantly evolving threats to our
Nation from cyber attacks that could disrupt our power, water,
communication and other critical infrastructure, the President issued
Executive Order (EO) 13636 on Improving Critical Infrastructure
Cybersecurity and Presidential Policy Directive (PPD) 21 on Critical
Infrastructure Security and Resilience. These policies reinforce the
need for a holistic approach to security and risk management.
Implementation of the EO will drive action toward system and
network security and resiliency, and will also enhance the efficiency
and effectiveness of the U.S. Federal Government's work to secure
critical infrastructure and make it more resilient. Information sharing
is a critical component of a comprehensive strategy, and section 4 of
the EO directs the Department of Homeland Security (DHS) to expand its
reporting and dissemination of cyber threat information, expedite
security clearances, and expand the use of private sector subject
matter experts in the Federal Government in order to build and
strengthen information sharing partnerships.
Section 4 also directs DHS to expand the Enhanced Cybersecurity
Services (ECS) program to all critical infrastructure sectors.
The ECS program coordinates the protection, prevention, mitigation,
and recovery from cyber incidents through information sharing
initiatives with business owners and operators to strengthen their
facilities and communities. ECS is a voluntary information sharing
program that assists critical infrastructure owners and operators as
they improve the protection of their systems from unauthorized access,
exploitation, or data exfiltration. DHS works with cybersecurity
organizations from across the Federal Government to gain access to a
broad range of sensitive and classified cyber threat information. DHS
develops indicators based on this information and shares them with
qualified Commercial Service Providers (CSP), thus enabling them to
better protect their customers who are critical infrastructure
entities.
ECS augments, but does not replace, an entity's existing
cybersecurity capabilities. It does not involve any Federal Government
monitoring of private networks or communications, and information
relating to threats and malware activities detected by the CSPs is not
directly shared between the critical infrastructure CSP customers and
the Federal Government. Any information shared by a CSP customer is
done so voluntarily, in an anonymized fashion. As directed in EO 13636,
the ECS program is available to each of the 16 critical sectors.
Although this EO will help to bolster the Nation's cyber defenses,
it does not eliminate the urgent need for legislation in these and
other areas of cybersecurity. The administration's legislative
priorities for the 113th Congress build upon the President's 2011
Cybersecurity Legislative Proposal and take into account 2 years of
public and congressional discourse about how best to improve the
Nation's cybersecurity.
The administration believes that legislation should:
1. Facilitate cybersecurity information sharing between the
Government and the private sector, as well as among private sector
companies, while protecting privacy and civil liberties, reinforcing
the appropriate roles of civilian and intelligence agencies, and
including targeted liability protections;
2. Incentivize the adoption of best practices and standards for
critical infrastructure by complementing the process set forth under
the EO;
3. Give law enforcement the tools to fight crime in the digital
age;
4. Update Federal agency network security laws, and codify DHS's
cybersecurity responsibilities;
5. Create a National Data Breach Reporting requirement that
includes notification to law enforcement personnel.
Privacy and civil liberties safeguards must be a core component of
each of these legislative areas.
cyber executive order--protecting privacy and civil liberties
Question. The Executive order requires Federal agencies to develop
cybersecurity efforts in accordance with the Fair Information Practice
Principles, as well as other policies, principles, and frameworks to
protect privacy and civil liberties. I worked with a number of other
Senators to ensure that the Cybersecurity Act of 2012 included
provisions to protect privacy and civil liberties.
What specific steps can government agencies take to ensure that
privacy and civil liberties are protected as we enhance our Nation's
cybersecurity?
Answer. The Department believes that protecting privacy and civil
liberties requires attention in all phases of cybersecurity activities.
In addition to following the Fair Information Practice Principles and
any applicable laws or other frameworks that protect individual rights,
agencies can do the following to ensure that privacy and civil
liberties are protected as we enhance our Nation's cybersecurity:
1. Proactively engage with program managers and staff to identify
cybersecurity activities;
2. Identify any potential privacy or individual rights concerns
associated with those activities;
3. Implement proactive privacy and civil liberties protections;
4. Assess activities in a way to minimize risks to privacy and
individual rights;
5. Develop policies and procedures to mitigate any remaining risks
to individual rights.
The Department recognizes that the involvement of the privacy and
civil rights and civil liberties advocacy community is helpful both for
purposes of establishing an advisory relationship and for building
robust oversight into security processes. For EO and PPD
implementation, DHS hosted five sessions with these communities to
educate them on the Department actions for critical infrastructure
security and resilience and to solicit their expert guidance as
programs are put into place.
Privacy is an integral component of the DHS cyber mission. Within
the Office of Cybersecurity and Communications (CS&C), the ECS program
and the National Cybersecurity Protection System (NCPS), or EINSTEIN,
are good examples of how DHS builds privacy and civil liberties
protections into cyber activities. DHS conducted both classified and
unclassified Privacy Impact Assessments (PIA) for both programs, to
fully assess the privacy protections in place. These PIAs provide a
comprehensive understanding of the CS&C cybersecurity programs, further
increasing transparency. The DHS Office for Civil Rights and Civil
Liberties has also provided advice to both ECS and EINSTEIN program
leadership since the inception of the programs to ensure that
appropriate protections are built in. The Office has also provided
civil liberties training to the U.S. Computer Emergency Readiness Team
(US-CERT) personnel, articulating principles for operators to ensure
the protection of individual rights.
Specifically, the ECS program exemplifies how the Department is
working to build cybersecurity partnerships based off of transparency
and privacy protections. ECS is a voluntary information sharing program
through which the Federal Government provides sensitive and classified
cyber threat indicators to Commercial Service Providers (CSP), enabling
them to augment the cybersecurity services available to critical
infrastructure entities. ECS does not monitor private networks or
communications. While CSPs may provide anonymized, aggregated
information about encountered threats, this high-level information is
strictly used to ascertain the effectiveness of information sharing and
to help DHS better respond to critical infrastructure's needs.
Additionally, DHS conducts quarterly reviews of indicators and
signatures and has conducted an overall Privacy Compliance Review of
the EINSTEIN program. We also work to ensure that NPPD collects only
the data necessary to support computer network defense activities.
Standard operating procedures ensure that we minimize data collection
to only the information that we determine is analytically relevant to
pre-defined known or suspected cyber threats.
This commitment to the protection of privacy and civil liberties in
DHS cybersecurity activities is longstanding. As part of the Cyberspace
Policy Review conducted by the administration in 2009, the Department
met with privacy and civil liberties advocates and academics (at a Top
Secret/Sensitive Compartmented Information [TS/SCI] level) to discuss
the Advanced Persistent Threat landscape and the Federal Government
response. That meeting led to the creation of a subcommittee of DHS's
Data Privacy and Integrity Advisory Committee (DPIAC), which is briefed
regularly at the TS/SCI level. Last year, the DPIAC subcommittee
produced a report that sets forth recommendations for DHS to consider
when evaluating the effectiveness of cybersecurity pilots and for
specific privacy protections for DHS to consider when sharing
information from a cybersecurity pilot with other agencies.
______
Questions Submitted by Senator Mary L. Landrieu
cybersecurity role for the national guard
Question. On June 13, 2013, the day of the Appropriations Committee
hearing entitled ``Cybersecurity: Preparing for and Responding to the
Enduring Threat'', the Committee received a report from the Department
of Homeland Security (DHS) and Department of Defense (DOD) which was
due to Congress on May 1, 2012 as prescribed in the joint explanatory
statement accompanying the fiscal year 2012 DHS Appropriations Act
(Public Law 112-74). The purpose of the report was to outline the
capabilities of a coordinated response to a cyber attack by DHS and the
National Guard and how critical relationships can be established across
the agencies to fulfill cybersecurity responsibilities. The information
provided, which was submitted separately by the two agencies, outlines
on a high-level, the programs DHS and DOD (as a whole) are maintaining
for a response. Unfortunately, the report falls short of providing
Congress an understanding of the DHS and National Guard's capacity to
respond to a cyber attack jointly. In order for Congress to better
understand the gap between capacity and need, a sense of scope is
required.
How many National Guard cybersecurity personnel currently exist,
and where? Are they employed in teams or individually? If they are
employed in teams, how many teams are there and where are they located?
As DOD and DHS are building the capacity the Federal Government
needs to protect against and respond to a cyber attack: what specific
role is being considered for the National Guard; and how is the Guard's
ability to switch between title 32 authorities and title 10 authorities
being taken into consideration?
Is there a cost savings associated with utilizing the National
Guard based on current training? How much?
Are there skills identified within the National Guard that cut down
the time needed to train a cyber airman or soldier to be able to
respond to a cyber attack?
Answer. Successful response to dynamic cyber threats requires
leveraging homeland security, law enforcement, and military authorities
and capabilities, which respectively promote domestic preparedness,
criminal deterrence and investigation, and national defense. DHS, the
Department of Justice (DOJ), and the Department of Defense (DOD) each
play a key role in responding to cybersecurity incidents that pose a
risk to the United States. While each agency operates within the
parameters of its authorities, the U.S. Government's response to cyber
incidents of consequence is coordinated among these three agencies such
that ``a call to one is a call to all.'' Synchronization among DHS,
DOJ, and DOD not only ensures that whole-of-government capabilities are
brought to bear against cyber threats, but also improves the Federal
Government's ability to share timely and actionable cybersecurity
information among a variety of partners, including the private sector.
In terms of specific National Guard activities, DHS defers to DOD.
cyber test beds/ranges
Question. General Alexander testified that the services,
departments, and agencies need to work together to ensure that they
have adequate test bed and range space to safely organize, train, and
equip the cyber warriors, operators, managers, researchers, and agents
across the Federal Government.
What are the specific requirements that your departments and their
various agencies have for test bed and range space? What specific
outcome will those established requirements render in trained personnel
and tactics?
Answer. The Department has a variety of requirements for test beds
and range space, which DHS uses for internal employee training
exercises, broader cybersecurity training for owners and operators
within each of the 16 critical infrastructure sectors, and joint cyber
exercises with partners. DHS likewise has longstanding requirements for
a research-focused test bed that allows for the realistic and at-scale
evaluation of innovative defensive technologies.
Improving cybersecurity is a global challenge and, as a critical
piece of research infrastructure, the test bed needs to be accessible
to international researchers. The Experimental Research Testbed project
(formerly the Cyber Defense Technology Experiment Research Testbed
Program or DETER) began in 2004 as a joint effort between the DHS
Science and Technology Directorate (S&T) and the National Science
Foundation (NSF) to address the need to research and understand new
cybersecurity risks and threats in a safe environment. This
international access requires that the test bed operate without
classification restrictions or technology restricted by International
Traffic in Arms Regulations (ITAR). The test bed must be securely
accessible over the Internet so as to not require international
researchers to have to travel to the physical location of the test bed.
Additionally, since DHS S&T is focused on not only operating a research
test bed, but also on conducting research to advance state-of-the-art
test bed technology, it is critical that the software utilized is
available as Open Source. Put simply, the availability of Open Source
software allows researchers to transition technology advances to
additional facilities. The software used in the test bed has been
transitioned to four other facilities and is in the process of being
deployed internationally. Test beds at those additional facilities can
be connected together through ``federation'' techniques and experiments
spanning multiple facilities can be conducted accordingly. This
federation allows for greater capacity and access to unique resources,
such as the power system test bed at the University of Illinois--Urbana
Champaign.
Other agencies use the Experimental Research Testbed as a platform
to develop and evaluate defensive mechanisms against cyber attacks on
infrastructure. For example, the Defense Advanced Research Projects
Agency (DARPA) currently uses the test bed as a consolidated evaluation
platform for one of its programs--a leveraging of resources that saves
DARPA the time and expense of constructing individual test beds for its
six participants. In return, DARPA has provided both hardware and
upgrades to the Experimental Research Testbed project.
Question. What is the current test bed and range capacity available
to each of your departments? What is the wait time or backlog based on
the access you currently have?
Answer. Currently, the Experimental Research Testbed has more than
3,500 active users from 29 different countries and is comprised of
nearly 700 PC-based nodes spread between California and Virginia. It is
a shared resource capable of running hundreds of concurrent
experiments. The capacity of the test bed is enhanced by
state-of-the-art virtualization techniques that intelligently assign
resources to different components of an experiment based upon the
level of fidelity needed. This capability is under active development
and is allowing the test bed's capacity to continually grow without
requiring additional hardware.
For smaller scale experiments, there is generally no wait time for
researchers. For larger experiments that require the dedication of a
large portion of the test bed, researchers may be required to wait
several days until enough resources can be dedicated. The test bed is
also used as a learning environment by over 70 college and university
classes per semester. Test bed access therefore can become constrained
during finals when large numbers of students attempt to access it to
finish assignments.
Question. Have you identified additional test bed or range space
that you would like to acquire, use, or lease?
Answer. DHS S&T is collaborating with NSF to conduct a
comprehensive study across the cybersecurity research landscape to
determine future requirements. This study is expected to be completed
in mid-fiscal year 2014 and will be used to identify what additional
test bed capabilities and capacity are required.
Question. What are the fiscal years 2013 and 2014 funding levels
for testing and training space?
Answer. DHS S&T will be funding the Experimental Research Testbed
project at $4.8 million in fiscal year 2013, and plans to fund it at
$4.8 million in fiscal year 2014.
Question. What percentage of your required testing and training
needs will you be able to meet in fiscal years 2013 and 2014?
Answer. DHS S&T's Experimental Research Testbed project currently
fulfills the identified test bed requirements for cybersecurity
research. The capabilities and capacity of the test bed will continue
to improve in order to better address advancing threats and
increasingly complex research challenges.
role of the secret service in cyber investigations
Question. On March 13, 2013, Jenny A. Durkan, United States
Attorney, Western District of Washington, testified before the House of
Representatives Committee on Judiciary, Subcommittee on Crime,
Terrorism, Homeland Security, and Investigations, discussing
``Investigating and Prosecuting 21st Century Cyber Threats.'' In her
testimony she highlighted eight significant cyber investigations, four
of which were Secret Service cases, a component of DHS.
We hear much about DHS's role in the securing of cyber space; what
is DHS's role in investigating cyber crimes targeting our financial
infrastructure?
Answer. DHS's law enforcement components are essential to securing
the Nation from cyber criminals and cyber attacks. Investigating,
arresting, and supporting the successful prosecution of criminal cyber
actors is a critical element of the Department's strategy to safeguard
and secure cyberspace. Effective investigations identify and lead to
the arrest of the individuals and groups behind cyber attacks and
otherwise disrupt the criminals responsible for such attacks. During
the course of their investigations, DHS law enforcement components also
develop criminal intelligence that can provide public and private
sector entities with the knowledge and tools necessary to detect and
disrupt future attacks.
Industry representatives such as Symantec estimate that cyber crime
costs the U.S. taxpayer more than $110 billion annually.\1\ While
public discourse tends to center on the potential for national-level
cyber attacks, cyber crime in the aggregate does serious damage to our
Nation every day, and fighting cyber crime is an important part of
keeping our Nation safe and our economy strong. DHS, through the
investigative authority of the U.S. Secret Service, is focused on
protecting the Nation's financial system from exploitation by cyber
criminals. The U.S. Secret Service has adapted its investigative
techniques over the years to address the emerging trends of cyber
criminals. For example, since passage of the Comprehensive Crime
Control Act of 1984, the U.S. Secret Service has arrested over 30,644
individuals for cybercrime violations with an attributed fraud loss of
over $2.7 billion and potential fraud loss of over $33 billion.
---------------------------------------------------------------------------
\1\ Norton 2012 Cybercrime Report: http://www.norton.com/
2012cybercrimereport
Ponemon Cost of Cybercrime (if extrapolated): http://www8.hp.com/us/en/
hp-news/press-release.html?id=1303754
---------------------------------------------------------------------------
In 2001, Congress likewise recognized the U.S. Secret Service for
its expertise in preventing, detecting, and investigating potential
attacks against critical infrastructure and financial payment systems
and directed the agency to develop a national network of Electronic
Crimes Task Forces based on the successful model of the New York
Electronic Crimes Task Force. Today, the U.S. Secret Service operates
31 domestic and international Electronic Crimes Task Forces that merge
the skills and knowledge of representatives from Federal, State, local,
private industry, and academic partners in furtherance of protecting
the Nation's critical infrastructure and financial payment systems from
cyber crime. In fiscal year 2012, the U.S. Secret Service arrested
1,378 individuals for cyber crime violations responsible for over $355
million in fraud losses and over $1.2 billion in potential losses.
These investigations culminated with the Department of Justice
attaining a 99.6-percent conviction rate for these cases.
We also work with a variety of international partners to combat
cybercrime. For example, through the U.S.-EU Working Group on
Cybersecurity and Cybercrime, which was established in 2010, we develop
collaborative approaches to a wide range of cybersecurity and
cybercrime issues. In 2011, DHS participated in the Cyber Atlantic
tabletop exercise, a U.S.-EU effort to enhance international
collaboration of incident management and response, and in 2012, DHS and
the EU signed a joint statement that advances transatlantic efforts to
enhance online safety for children. U.S. Immigration and Customs
Enforcement (ICE) also works with international partners to seize and
destroy counterfeit goods and disrupt Web sites that sell these goods.
Since 2010, ICE and its partners have seized over 2,000 domain names
associated with businesses selling counterfeit goods over the Internet.
To further these efforts, the administration issued its Strategy on
Mitigating the Theft of U.S. Trade Secrets last month. DHS will act
vigorously to support the Strategy's efforts to combat the theft of
U.S. trade secrets--especially in cases where trade secrets are
targeted through illicit cyber activity by criminal hackers.
In addition, since opening in May of 2008, the National Computer
Forensics Institute (NCFI) has held over 90 Cyber and Digital Forensics
courses in 13 separate subjects. The NCFI has trained more than 2,000
State and local investigators, prosecutors, and judges. This
institution serves as the Nation's only center dedicated to instructing
State and local law enforcement in digital forensics and equips
graduates to conduct network intrusion and electronic crimes
investigations. Several hundred prosecutors and judges, as well as
representatives from the private sector, have also received training on
the impact of network intrusion incident response, electronic crimes
investigations, and computer forensics examinations.
DHS is committed to working with its partners across government and
the private sector to protect the Nation's critical financial
infrastructure from cyber attack. To achieve this goal, DHS will bring
to bear the tremendous investigative resources of its law enforcement
components against those who attempt to do us harm.
Question. Would you characterize the recent $45 million ATM scheme,
investigated by the Secret Service among others, as representative of a
trend in global cybercrime?
Answer. The facts relayed in the recently unsealed indictments
against eight of the individuals involved in the theft of over $45
million from various ATMs in New York City are an example of the highly
sophisticated, organized, transnational cyber-criminal activity
impacting the Nation's financial system. This case is just one example
of a number of recent ``unlimited cash-out'' operations conducted in
a highly coordinated fashion by transnational networks of cyber
criminals.
The ATM case demonstrates, as numerous cybersecurity experts have
confirmed in testimony before congressional committees, that the
majority of network intrusions are carried out by criminal actors whose
sole motivation is financial gain. The suspects distributed the stolen
data to organized crews of street criminals in more than 20 countries
who then encoded the information on magnetic-stripe plastic cards.
While this particular case was conducted by a transnational network of
highly technical hackers, other U.S. Secret Service investigations have
demonstrated that many financial intrusions are successfully executed
against networks because of weak or stolen credentials. DHS is
committed to not only reducing this threat through effective
investigations, but also working with financial institutions through
the Financial Services Information Sharing and Analysis Center to help
them better secure their computer systems.
Question. What additional resources might be needed by the
investigative arms of DHS to properly combat this type of fraud?
Answer. Investigating cybercrime requires highly trained and
experienced criminal investigators. ICE and the U.S. Secret Service are
expanding participation in the existing Electronic Crimes Task Forces
(ECTF), which will strengthen the Department's cybercrimes
investigative capabilities and realize efficiencies in the procurement
of computer forensic hardware, software licensing, and training. The
U.S. Secret Service-led ECTF model has been in existence for over 20
years. Hiring and training additional law enforcement investigators in
the U.S. Secret Service would enhance the Department's capacity to
respond to and investigate cybercrime directed at the Nation's
financial infrastructure. Additional resources would also allow DHS to
increase the capacity of the Secret Service's network of ECTFs and
further develop its international cyber investigative working groups to
respond to transnational threats to critical infrastructure.
Improving cybersecurity requires public-private partnerships, and
the vast scope of cybercrime directed at the United States means that
our partners at the State, local, and tribal governmental levels are
vital to the national effort. In order to develop State and local
capacity to investigate cybercrimes, the U.S. Secret Service operates
the NCFI in Hoover, Alabama. This facility is the Nation's only
federally funded training center dedicated to instructing State and
local law enforcement officials about the complexities associated with
cybercrime investigations. The NCFI is capable of training over 2,000
State and local police investigators, prosecutors and judges in
cybercrime investigations every year. Since 2008, the NCFI has been
funded annually at $4 million. The current level of funding, for
example, allowed NCFI to train and equip over 600 police investigators,
prosecutors and judges in 2012. These officials have come from all 50
States and three U.S. territories.
Cyber criminals often operate outside the borders of the United
States, and related investigations accordingly require extensive
cooperation with international law enforcement agencies. Additionally,
law enforcement agencies have long recognized that the most critical
capability for transnational organized crime is to quickly and quietly
move large quantities of money across borders. The anonymity of
cyberspace affords a unique opportunity for criminal organizations to
launder huge sums of money undetected. The cyber crime investigations
of the U.S. Secret Service depend heavily on developing and maintaining
effective international law enforcement partnerships. The Department of
State and the Department of Justice are critical partners in developing
these international relationships and in the execution of international
law enforcement action through multilateral assistance treaties.
Funding to support the international investigations of DHS law
enforcement components, training for its international law enforcement
foreign partners, and associated investigative travel costs would
enhance DHS's investigative capabilities.
Question. What will be the impact of the dismantling of Liberty
Reserve and their digital currency system by the Secret Service, its
Electronic Crimes Task Forces, Immigration and Customs Enforcement
investigators, and the IRS on illegal cyber money laundering
operations?
Answer. Over the course of its 7-year existence, Liberty Reserve
emerged as the principal means by which cyber criminals around the
world distributed, stored, and laundered the proceeds of illegal
activity. Liberty Reserve facilitated a broad range of online criminal
activity, including narcotics trafficking, child pornography, computer
hacking, investment fraud, credit card fraud, and identity theft.
Annually, Liberty Reserve processed more than 12 million financial
transactions with a combined value of $1.4 billion. Since its founding
in 2006, Liberty Reserve processed an estimated 55 million separate
financial transactions and is believed to have laundered more than $6
billion in criminal proceeds.
The dismantling of Liberty Reserve by the U.S. Secret Service and
its partners in the Global Illicit Financial Team--IRS-CI and
ICE-Homeland Security Investigations (HSI)--significantly impacted the
cyber criminal community, forcing cyber criminals to seek alternative
means to fund their illicit activities.
role of dhs in capability building for law enforcement cyber investigations
Question. We are seeing more examples of cyber threats being
encountered and responded to by State and local law enforcement
officials. In many instances, however, these officials do not have the
appropriate type of training to fully understand that what they are
investigating may go beyond the incident they have encountered.
Is DHS involved in developing the cyber law enforcement
capabilities of State, local, and tribal entities for investigating
these types of cyber crimes?
Is this an appropriate role for DHS agencies to fulfill?
Answer. DHS has a well-established role in developing and
supporting State, local, tribal, and territorial (SLTT) capabilities.
Included are the efforts of numerous components to develop SLTT
capabilities and operational relationships to effectively investigate
cyber crime. For example, the first U.S. Secret Service ECTF that was
established in 1995 boosted cyber law enforcement capabilities in
coordination with State and local authorities. Since 2001, when
Congress directed that a nationwide network of ECTFs be established,
the U.S. Secret Service has worked in partnership with SLTT
authorities, the private sector, and academia to develop cyber
capabilities for the common purpose of preventing, detecting, and
investigating various forms of electronic crimes, including potential
terrorist attacks against critical infrastructure and financial payment
systems.
In partnership with the State of Alabama, the Secret Service
established the NCFI in Hoover, Alabama, for the purposes of training
SLTT law enforcement officials on cyber law enforcement methods and
techniques. Since opening in 2008, the NCFI has trained over 2,000
State and local police investigators, prosecutors, and judges in cybercrime
investigations. These officials have come from all 50 States and three
U.S. territories. The investigators trained by the NCFI are nominated
by local Secret Service field offices where they can apply their skills
as members of the ECTFs.
When it opened in 2008, the NCFI offered instruction in one of five
cyber investigation curriculums. As of 2013, the NCFI offers 13
separate curriculums designed to address developing cyber trends. For
example, the NCFI worked last year with DHS to develop cyber analytical
training for State and local law enforcement members staffing the cyber
intelligence fusion centers throughout the Nation. An intra-agency
agreement between the Federal Emergency Management Agency and the
Secret Service will allow the NCFI to fund three more cyber analyst
courses for fusion center members this year. Additionally, in August
2012, the NCFI partnered with the Federal Bureau of Investigation to
conduct two NCFI training courses to State and local law enforcement
officials assigned to the FBI's National Domestic Communications
Assistance Centers. Currently, the NCFI operates at 25 percent of its
capacity on a $4 million annual budget. Additionally, the NCFI through
its curriculum established a national standard of training in
cybercrime investigations, network intrusion response, computer
forensics, and electronic crime prosecution.
ICE-HSI has a workforce that is well-trained to deal with
cybercrime. HSI has several hundred special agents who routinely deal
with cyber crime, and we operate ICE's Cyber Crime Center, or C3, and
routinely provide investigative expertise and assistance to State,
local, and tribal entities when consulted for assistance concerning
transnational cyber crime. These efforts are an appropriate role for
HSI to fill, and they ensure that transnational criminal organizations
are fully identified and dismantled via successful prosecutions.
______
Questions Submitted by Senator Tom Udall
role of national laboratories in promoting cybersecurity
Question. Secretary Beers, our National Labs--which are the crown
jewels of our Nation's research system--are active in efforts to
promote cybersecurity.
In my home State of New Mexico, Sandia National Laboratories is
engaged in efforts to secure the national electrical grid from cyber
attack. Los Alamos National Laboratories is a leader in quantum
cryptography.
Sandia also has partnerships with universities and the private
sector. They're helping computer science students become cyber
professionals.
Could you discuss what role our National Labs should have in
protecting our Nation from cyber attack?
Answer. The National Labs are essential for providing enduring and
multi-disciplinary research and development capabilities to help solve
complex national security problems, including cyber-related problems.
Among other things, the Labs provide unique facilities and
infrastructure in support of talented subject matter experts who work
to develop technologies and other solutions that help the Nation
protect against and recover from cyber attacks. The S&T Cyber Security
Division (CSD) has had great success in working with the Labs on
several key cybersecurity initiatives. For example:
--S&T CSD has frequently worked with Sandia National Labs to red-team
developed cybersecurity solutions.
--The Pacific Northwest and Oak Ridge National Labs currently serve
as principal investigator researchers for a number of S&T CSD's
research and development contracts.
--The S&T CSD Transition to Practice Program is currently working
with multiple National Labs (Sandia, Los Alamos, Lawrence
Livermore, Oak Ridge, and Pacific Northwest) to transition
numerous developed cybersecurity technologies into the
government and private sectors.
NPPD also works with DHS S&T to ensure that cybersecurity research
and development efforts are fully coordinated with ongoing programmatic
requirements. With Pacific Northwest and Sandia National Labs, the
Deputy Assistant Secretary for Cybersecurity Coordination participates
in external review boards to review and shape research conducted at
these Labs and to gain insight into research areas that may meet NPPD
and S&T requirements in cybersecurity. S&T and the Homeland Security
Enterprise should continue to leverage the strengths of the National
Labs in cybersecurity to help respond to and mitigate the threats from
cyber attacks.
In addition, the National Labs provide advanced modeling,
simulation and analysis, and cyber training. This includes work with
the National Infrastructure Simulation and Analysis Center, a joint
partnership with Sandia and Los Alamos to identify and address
potential impacts to the sectors from possible cyber-related incidents
and consequence analysis with the DHS NPPD Homeland Infrastructure
Threat and Risk Analysis Center (HITRAC). HITRAC also works on
ascertaining impacts from cyber manipulation of industrial control
systems including leveraging the expertise of Idaho National Labs as a
partner. This analysis can inform partners, policymakers, and homeland
security professionals about the potential consequences of a
cyber-related incident and sector resilience to such events.
mobile phones and cybersecurity awareness
Question. Secretary Beers, this year, there will be more mobile
phones than people on the planet. Today, our wireless devices are not
just phones, but pocket computers. We use them for sensitive
transactions, including mobile banking and online purchases.
But GAO recently found that cyber threats are increasing for mobile
devices and the information they store. GAO recommended that DHS and
NIST work together to ``establish a baseline measure of consumer
awareness . . . related to mobile security.'' GAO also recommends the
development of performance measures that use the baseline to assess the
effectiveness of initiatives to educate the public about cybersecurity.
Could you share any thoughts on how best to raise public awareness
for cyber security threats to mobile devices?
Answer. Public awareness is best developed in partnership with the
mobile device communications service providers, which have a financial
interest in the quality of their service. Part of that quality of
service would include ensuring proper protection of their customers'
mobile devices. Increased awareness and the capabilities sought can be
developed through thoughtful engagement with standing advisory groups
such as the National Security Telecommunications Advisory Committee.
Part of the engagement might focus on consumer and supplier
adoption of update practices similar to those used to protect
desktop systems. Anti-malware protection and timely updates of
applications and operating systems are just as important for mobile
devices (phones and tablets) as for desktop computers. The same is true
for other networked devices like multifunction printers that themselves
host sophisticated operating systems and applications.
Mobile banking and third-party payment systems continue to increase
in popularity due to the efficiencies they provide to the consumer and
financial institutions. This has resulted in cybersecurity challenges
that merit attention. As part of DHS's responsibilities to secure key
conveyances in the global economy and the U.S. Secret Service's role to
protect the financial system from criminal exploitation, the Department
works closely with its partners across government and in the private
sector to not only raise awareness of these risks, but establish
effective ways to mitigate these growing risks. Recently the Federal
Deposit Insurance Corporation (FDIC) published information about the
current landscape of mobile banking. As a starting point for financial
institutions seeking to adopt mobile banking services, the FDIC
references risk management strategies outlined in the Federal Financial
Institutions Examination Council IT Examination Handbook. That
handbook, however, does not discuss mobile devices specifically. The
FDIC's statements instead relate to mobile banking and not necessarily
mobile payment systems.
While there accordingly may be some good cybersecurity work being
done on the mobile banking side, the consumer likely does not make a
distinction and may assume the same level of cybersecurity attaches
whether they use mobile banking or mobile payment systems. For example,
most users connect their mobile payment systems, such as PayPal,
directly to their checking accounts or other bank accounts. Disparate
levels of cybersecurity between the two could result in a systemic
security risk, where a compromise to one (mobile payment systems) has
the potential for causing loss in both. In essence, both become a
single system with shared, lowest-denominator, vulnerability. More
broadly, current third-party application security is primarily based on
device/operating system policies regarding application signing and
privileges. Unfortunately, the devices must rely on transmission
protocols (like SMS) that were not designed with security in mind. For
example, the U.S. Secret Service Cell Phone Forensic Facility at the
University of Tulsa is working to show how SMS payment systems can be
attacked using simple and widely available wireless devices. Further
research is needed to assess all attack vectors to determine what
further mitigation is necessary.
The Federal Government can raise public awareness about mobile
device cyber risk by continuing to support fundamental research to
identify vulnerabilities and to develop effective mitigation and
protection measures. Both the U.S. Secret Service's Cell Phone
Forensics Facility at the University of Tulsa and its ongoing
partnership with Carnegie Mellon CERT serve as outstanding examples of
how the Federal Government can effectively partner with academia for
this purpose. S&T has launched a research program to improve the
security of mobile devices and enable better detection of malicious
applications. These research efforts not only serve to raise awareness
of these sorts of vulnerabilities, but also to develop effective
mitigation and protection measures.
Question. What is the proper role for government and industry to
promote best practices for both companies and consumers?
Answer. Government and industry are well positioned to
collaboratively promote best practices for companies and consumers.
Government can measure awareness across a large consumer base and use
this baseline measure to further assess its performance as it employs
public cybersecurity awareness initiatives, such as the
Stop.Think.Connect.TM campaign. In addition, as the
developer, producer, and consumer of mobile device products, industry
has an invaluable sense of which security practices are effective.
Government can convene and organize collaborative processes that ensure
the best practices from within Government and from across industry are
brought together and made available to a wide range of consumers, both
technical and nontechnical. Where appropriate, Government can build
these best practices into its outreach and awareness efforts.
Among its activities, DHS provides and promotes a trusted
environment for exchange of information between industry mobile device
communications service providers, manufacturers, and Government in
order to identify and develop consensus on best practices in mitigating
the ongoing emerging cyber threats being deployed to exploit the privacy of
their mobile devices. The best practices are pushed to the public
through industry partners and Government outreach.
Currently, DHS promotes cybersecurity and resilience via enhanced
processes and diagnostics in partnership with industry and academia.
DHS enables public-private collaboration focused on reducing
exploitable software weaknesses and addressing means to improve
capabilities that routinely develop, acquire, and deploy resilient
information technology (IT) products. Among its activities, DHS:
--Enables partners and citizens to secure their part of cyberspace by
providing public-private collaboration in advancing security
and resilience of IT throughout the lifecycle;
--Focuses on reducing exploitable weaknesses and addressing means to
improve capabilities that routinely develop, acquire, and
deploy resilient products;
--Enables security automation and measurement through the use of
common indexing, reporting and scoring capabilities for
malware, exploitable software weaknesses, counterfeit and
tainted hardware, and common attacks on IT assets.
______
Questions Submitted by Senator Thad Cochran
Question. All witnesses, we have heard about the importance of
cooperation and clearly defined lanes of responsibility across the Federal
Government for our cybersecurity efforts. What are your respective
roles in receiving and sharing threat information with the private
sector?
Answer. The success of DHS's cyber mission relies heavily on the
response to dynamic cyber threats through the leveraging of homeland
security, law enforcement, and military authorities and capabilities,
which respectively promote domestic preparedness, criminal deterrence
and investigation, and national defense. DHS, the Department of Justice
(DOJ), and the Department of Defense (DOD) each play a key role in
responding to cybersecurity incidents that pose a risk to the United
States. While each agency operates within the parameters of its
authorities, the Federal Government's response to cyber incidents of
consequence is coordinated among these three agencies such that ``a
call to one is a call to all.'' Synchronization among DHS, DOJ, and DOD
not only ensures that whole-of-government capabilities are brought to
bear against cyber threats, but also improves the Federal Government's
ability to share timely and actionable cybersecurity information among
a variety of partners, including the private sector.
For its part, the DHS cyber mission relies on its ability to
establish shared situational awareness of potentially harmful activity,
events, or incidents across multiple constituencies to improve the
ability of diverse and distributed partners to protect themselves. To
do this, the DHS National Cybersecurity and Communications Integration
Center (NCCIC) incorporates information and data received through its
own analysis, Intelligence Community, and law enforcement reporting,
along with data shared by private sector and international partners
into a comprehensive series of actionable information products, which
are shared with partners in easy-to-digest, machine-readable formats.
Multidirectional sharing of alerts, warnings, analysis products,
and mitigation recommendations among Federal, State, local, tribal, and
territorial governments, private sector, information sharing and
analysis centers, and international partners is a key element of the
NCCIC's cyber and communications protection and prevention framework.
The NCCIC continuously works with a broad range of partners to explore
and innovate new ways to enhance information sharing and move closer to
network speed communications.
In order to meet DHS's public-private cybersecurity data sharing
and analytical collaboration mission, the Department has developed a
critical infrastructure Cyber Information Sharing and Collaboration
Program (CISCP) and the Enhanced Cybersecurity Services (ECS) program.
The CISCP program mission is to improve the defensive posture of DHS's
critical infrastructure partners by:
--Sharing a view of current threats and vulnerabilities affecting
both critical infrastructure and Federal Government sources
among Federal Government and industry cybersecurity analysts.
--Aligning those analysts in collaborative engagements regarding
cyber threat detection, prevention, mitigation, and response
efforts to reduce risks to critical infrastructure information
technology and communications networks, systems, and data.
The goal of the CISCP program is an effective information sharing
framework among the Federal Government, Information Sharing and
Analysis Centers and related organizations, information and
communications technology service providers, and their respective
critical infrastructure owner/operator members and customers.
Within the CISCP program, Federal Government and industry partners
contribute threat data, adding to the volume of information currently
available for analysis by the DHS CISCP analytical team. Because the
act of providing threat or attack data may harm competitive or other
commercial interests of DHS's industry partners, significant steps are
taken by the CISCP Team to both conceal the source of data provided and
to protect Protected Critical Infrastructure Information (PCII). First,
all data is anonymized so that analysis of submitted data is not
carried out or based upon the identity of the submitter absent their
express authorization. The CISCP program data is governed using the
Traffic Light Protocol (TLP), which is a set of designations used to
ensure that sensitive information is shared with the correct audience.
It employs four data-sharing categories (red, amber, green, and white)
to indicate different degrees of sensitivity and the corresponding
sharing considerations to be applied by the recipients. Regular
analyst-to-analyst technical threat exchanges (both classified and
unclassified) involving Federal Government and industry partners are
likewise held to share details of cyber threat activity and mitigation
recommendations. To join CISCP, stakeholders sign a Collaborative
Research and Development Agreement that provides them with
opportunities to establish physical access to DHS's NCCIC watch floor
and to receive clearances up to the TS/SCI level.
In addition to the CISCP program, DHS actively collaborates with
public and private sector partners every day through the ECS program to
respond to and coordinate mitigation efforts against attempted
disruptions and adverse impacts to the Nation's critical cyber and
communications networks and infrastructure. Expanded in February 2013
by EO 13636, the ECS program coordinates the protection, prevention,
mitigation, and recovery from cyber incidents through information
sharing initiatives with business owners and operators to strengthen
their facilities and communities. ECS is a voluntary information
sharing program that assists critical infrastructure owners and
operators as they improve the protection of their systems from
unauthorized access, exploitation, or data exfiltration. ECS augments,
but does not replace, an entity's existing cybersecurity capabilities;
rather it responds to high level malware threats that DHS, working with
other experts, has determined pose the greatest threat to critical
infrastructure.
DHS works with cybersecurity organizations from across the Federal
Government to gain access to a broad range of sensitive and classified
cyber threat information, and in responding to major cyber incidents
also comes into possession of such information. It would ordinarily be
difficult to share classified and sensitive information about high-
level cyber threats with a broad range of private sector partners.
Doing so could jeopardize intelligence sources and methods as well as
law enforcement investigations. It likewise could undercut private
sector partners who provide DHS with threat information under the
categorical exclusion (confidentiality assurance) available under the
PCII authorities.
DHS develops indicators based on threat information and shares it
with a relatively small number of qualified CSPs, thus enabling them to
better protect their customers who are critical infrastructure
entities. In addition, the ECS program does not involve Government
monitoring of private networks or communications; any monitoring is
strictly voluntary, and solely occurs between the CSP and the protected
critical infrastructure entity. Collection of communications content,
and for that matter metadata, is not directed, or permitted under the
ECS program. The information returned to the Federal Government by the
CSPs is limited to anonymized, aggregated information about the threats
detected, and the critical infrastructure sectors at which the threats
were directed. Any information shared by a CSP customer is done so
voluntarily, in an anonymized fashion, and for a limited tenure. CSPs
or critical infrastructure entities may choose to be involved with the
Federal Government in other ways--for instance reporting a cybercrime
or seeking technical assistance in case of a major cyber incident--but
such involvement is not related to the conduct of the ECS program and
occurs independently of it.
The U.S. Secret Service also shares information that it derives
through its cyber crime investigations, primarily through its 31
Electronic Crimes Task Forces (ECTF). The ECTFs hold quarterly meetings
to share information with the U.S. Secret Service's public and private
sector partners, in addition to providing a conduit for sharing
information with organizations facing specific cyber risks. In addition
to ECTFs, the U.S. Secret Service and U.S. Immigration and Customs
Enforcement (ICE) Homeland Security Investigations (HSI) support
research efforts that provide extensive and detailed data on cyber
crime trends. These reports include the Verizon Data Breach
Investigations Report, the Trust Wave Global Security Report, and the
U.S. Secret Service Computer Emergency Response Team's (USSS-CERT)
Insider Threat Report. In addition to these annual research reports,
the U.S. Secret Service regularly sends special agents trained through
the agency's Electronic Crimes Special Agent Program to speak at
cybersecurity and law enforcement conferences. The agents provide
information to improve awareness of cybercrime methods and trends.
Question. All witnesses, I think we all recognize the importance of
defending our Nation's critical infrastructure against cyber attacks. A
foreign or terrorist cyber attack on our electric grid, water systems,
or financial systems could cause widespread damage and even have
detrimental effects on our economy and consumer confidence. There has
been much discussion about how involved the Federal Government should
be in defending infrastructure owned by non-Federal entities. How would
you define the threshold for what types of non-Federal infrastructure
might qualify as ``critical'' for these purposes?
Answer. The term ``critical infrastructure'' is defined in section
1016(e) of the USA Patriot Act of 2001 (42 U.S.C. 5195c(e)), namely
systems and assets, whether physical or virtual, so vital to the United
States that the incapacity or destruction of such systems and assets
would have a debilitating impact on security, national economic
security, national public health or safety, or any combination of those
matters. This definition is used to determine which infrastructure,
whether it is owned by a Federal entity or not, qualifies as critical.
Question. Deputy Secretary Beers, I recognize the important role
that cyber research and development plays in ensuring we maintain a
technological edge against those who wish to harm our Nation's civilian
computer systems. I note that your department requested fiscal year
2014 funding for such initiatives, including experimental research
testbed projects. Your Department is still a relatively young one and
you don't have the robust laboratory network that other Departments
have. How are you collaborating with other Departments such as Defense
and Energy to advance important research in cybersecurity and existing
University capabilities? What are some of the technological challenges
that we face?
Answer. DHS S&T conducts large parts of its cybersecurity research
and development (R&D) program in collaboration with other organizations
across the Federal Government. For example, the S&T Cyber Security
Division (CSD) is an active part of the National Information Technology
Research & Development organization (NITRD), which coordinates R&D
planning across the Federal Government, chartered through the
President's National Science & Technology Council and the Office of
Science and Technology Policy. NITRD developed a National Cybersecurity
R&D Plan, published in December 2011, and has carried forward and
sustained this collaborative planning. CSD also leads the working group
effort developing the National R&D Plan for Critical Infrastructure
Security & Resiliency, which is a tasking from the EO 13636/PPD-21
guidance published this past February.
CSD's collaboration with other Federal agencies and organizations
extends into specific R&D program efforts, including but not limited to
the following:
--DHS S&T and the Department of Defense (DOD) collaborate in their
Small Business Innovation Research (SBIR) program efforts,
including a combined annual review.
--Department of Energy (DOE) Laboratories are conducting several
elements of the DHS S&T Cyber Security research program.
--DHS S&T has accepted several research projects transitioned from
the Defense Advanced Research Projects Agency.
--The DHS S&T Trustworthy Cyber Infrastructure for the Power Grid
program is conducted in partnership with DOE.
The DHS S&T Transition to Practice program is drawing promising
cybersecurity technologies from the DOE National Laboratories to
support its final development and transition into operational
capability and use.
The December 2011 NITRD report, ``Trustworthy Cyberspace: Strategic
Plan for the Federal Cybersecurity Research and Development Program,''
describes in detail the technological challenges that DHS faces. Those
challenges fall into four overall areas:
--Advancing a balance of both long-term science and near-term
engineering improvements;
--Understanding and addressing the interconnections of technological
and human systems;
--Understanding cyber complexity and addressing major risks and
increasing resilience;
--Transitioning capabilities and improvements into operational use.
In 2000, the U.S. Secret Service instituted the USSS-CERT liaison
program in partnership with Carnegie-Mellon University's Software
Engineering Institute (SEI) in Pittsburgh, Pennsylvania--a federally
funded research and development center (FFRDC) sponsored by the DOD.
The USSS-CERT program sponsors the development and implementation of
innovative, cost-effective solutions to meet emerging cyber threats
across the full spectrum of operations. The Federal Government, through
its collaborative model with the CMU-SEI, and the FFRDC, realizes
significant cost savings by leveraging participating agencies'
resources to accomplish shared objectives with the cost-effective
benefits. The U.S. Secret Service's partnership and presence at SEI
represents the U.S. Secret Service's long-standing commitment to
developing mission critical systems; cybercrime applications; and
malware analysis and applications that identify, assess, and mitigate
threats to the Nation's financial systems, critical infrastructure, and
persons and facilities protected by the U.S. Secret Service.
Question. All witnesses, we've often heard that there is a
potential for a ``Cyber Pearl Harbor,'' or an unexpected cyber attack
on our Nation by a foreign entity that has dramatic and lengthy
consequences. I think it may be difficult for most Americans, and even
members of this Committee, to visualize how exactly such an attack
would be carried out and what it would look like. Can you help us to
better understand these things? Are the appropriations this Committee
has been recommending sufficient to help prevent such an attack?
Answer. The Department currently sees malicious cyber activity
attacks against critical infrastructure from foreign nations and
nonstate actors. Their methods range from distributed denial of service
attacks and social engineering to viruses and other malware introduced
through remote access, thumb drives, supply chain exploitation, and
leveraging trusted insiders' access. These attacks are becoming more
frequent and more sophisticated, putting at risk the Nation's critical
infrastructure, which underpins the economy, provides the public with
basic day to day needs, and ensures the Nation's basic security and
well-being. Ultimately, a significant cyber incident may come in many
forms and the vulnerabilities that have yet to be identified may be the
most important. Because of this increasing risk, DHS is working
alongside interagency, private sector, and international partners to
enhance resilience, harden systems, and prepare for a variety of
national response scenarios.
We thank the Committee for its ongoing support for the Department's
cybersecurity activities. However, DHS cybersecurity programs have been
impacted by sequestration. For example, funding has been reduced for
operations and maintenance and analytical contracts supporting the
National Cybersecurity Protection System (NCPS). While this will not
affect when NCPS E3A will reach initial operating
capability, full operating capability will be delayed beyond fiscal
year 2015 if sequestration continues. Funding has also been reduced for
licensing and installing sensors for continuous monitoring at Federal
agencies and some features of the Federal dashboard will be delayed
until fiscal year 2014. Finally, funding for other cybersecurity
activities, such as the U.S. Computer Emergency Readiness Team, funding
for the Software Engineering Institute, the GFIRST Conference, updates
to the Cyber Security Evaluations Tool, and the number of onsite risk
assessments to the Transportation sector have been impacted by
sequestration.
______
Questions Submitted to Hon. Dr. Patrick Gallagher, Acting Deputy
Secretary, Department of Commerce Director, National Institute of
Standards and Technology
Questions Submitted by Senator Patty Murray
Question. The electricity subsector is already subject to mandatory
and enforceable cybersecurity standards. As NIST works to comply with
the Executive order on cybersecurity, how is NIST working to ensure the
Framework will include these existing standards?
Answer. [A response was not provided by press time.]
Question. Understanding that cyber threats are constantly evolving
and that owners and operators of critical infrastructure have to make
decisions just like the Federal Government on what needs to be secured,
how is NIST including risk management practices within the Framework
activities?
Answer. [A response was not provided by press time.]
______
Questions Submitted by Senator Richard J. Durbin
cyber executive order--role of the executive order versus cyber
legislation
Question. President Obama issued Executive Order 13636 in February
of this year. What is the effect of this Executive order? Is it
improving your ability to share information with the private sector?
Answer. The Executive order directs the National Institute of
Standards and Technology (NIST) to lead the development of a framework
to reduce cyber risks to critical infrastructure. The framework is
intended to be used on a voluntary basis throughout an entire
organization--including by the most senior executives who oversee an
organization to the officials and staff responsible for managing
information technology-based resources. It is designed specifically for
companies and other entities that are part of the critical
infrastructure, especially owners and operators of critical
infrastructure, to identify, assess, and manage cyber risk. However,
other organizations--large and small and with varying business needs--
will benefit by reducing risks and protecting their assets and mission-
driven work by using the framework.
When he signed the Executive order, President Obama also
underscored the need for comprehensive cybersecurity legislation, since
the scope of the Executive order is limited. What are your legislative
priorities in terms of items you believe should be included in cyber
legislation?
We'd like to hear from all the witnesses on this issue.
Answer. The administration's legislative priorities for the 113th
Congress build upon the President's 2011 Cybersecurity Legislative
Proposal and take into account 2 years of public and congressional
discourse about how best to improve the Nation's cybersecurity.
The administration is working toward legislation that:
--Facilitates cybersecurity information sharing between the
government and the private sector as well as among private
sector companies. We believe that such sharing can occur in
ways that protect privacy, confidentiality, and civil
liberties, reinforce the appropriate roles of civilian and
intelligence agencies, and include targeted liability
protections.
--Incentivizes the adoption of best practices and standards for
critical infrastructure by complementing the process set forth
under the Executive order;
--Gives law enforcement the tools to fight crime in the digital age
while protecting privacy, confidentiality, and civil liberties;
--Updates Federal agency network security laws, and codifies DHS'
cybersecurity responsibilities; and
--Creates a National Data Breach Reporting requirement.
In each of these legislative areas, the right privacy,
confidentiality, and civil liberties safeguards must be incorporated.
The administration wants to continue the dialogue with the Congress and
stands ready to work with members of Congress to incorporate our core
priorities to produce cybersecurity information sharing legislation
that addresses these critical issues.
cyber executive order--protecting privacy and civil liberties
Question. The Executive order requires Federal agencies to develop
cybersecurity efforts in accordance with the Fair Information Practice
Principles, as well as other policies, principles, and frameworks to
protect privacy and civil liberties. I worked with a number of other
Senators to ensure that the Cybersecurity Act of 2012 included
provisions to protect privacy and civil liberties.
What specific steps can government agencies take to ensure that
privacy and civil liberties are protected as we enhance our Nation's
cybersecurity?
Answer. In April 2013, NIST published the Security and Privacy
Controls for Federal Information Systems and Organizations, Special
Publication (SP) 800-53, Revision 4. Appendix J provides a structured
set of privacy controls, based on best practices that help
organizations comply with applicable Federal laws, Executive orders,
directives, instructions, regulations, policies, standards, guidance,
and organization-specific issuances. The privacy controls are based on
the Fair Information Practice Principles (FIPPs) embodied in the
Privacy Act of 1974, section 208 of the E-Government Act of 2002, and
Office of Management and Budget (OMB) policies. There are eight privacy
control families, each aligning with one of the FIPPs. They provide
steps government agencies can take to ensure that privacy is protected
as we enhance our Nation's cybersecurity.
However, unlike the longstanding framework for evaluating privacy
impacts under the FIPPs, there exists no similar, corresponding
framework that supports general evaluations of the potential broad
range of impacts that might occur within the collection of individual
rights described as ``civil liberties.'' Policies typically focus on
the protection of individual rights, and civil liberties issues arise
within government frameworks (or specific programs implementing those
frameworks) where implementation of the framework fails to account for
those rights. Consequently, in addition to the specific NIST guidance
described above, the Department of Homeland Security has established an
interagency Assessments Working Group, consisting of representatives of
the privacy and civil liberties officials of agencies involved in
implementing the Executive order. The purpose of this group is to
provide a forum for assisting agencies in meeting their
responsibilities under the Executive order, including identifying
cybersecurity activities and how to apply both the Fair Information
Practice Principles and other applicable policies, principles and
frameworks that provide privacy and civil liberties protections in
these activities. Due to the highly divergent nature of critical
infrastructure entities (including State and local government, private
sector, and quasi-governmental entities), the exact bundle of rights
applicable in any given workplace will be highly variable; we recognize
this challenge. The Department of Commerce is an active participant in
this Working Group.
As we noted above, the administration also supports legislation
that would facilitate cybersecurity information sharing between the
government and the private sector as well as among private sector
companies. We believe that such sharing can--and must--occur in ways
that protect privacy, confidentiality, and civil liberties, reinforce
the appropriate roles of civilian and intelligence agencies, and
include targeted liability protections.
______
Questions Submitted by Senator Tom Udall
role of national laboratories in promoting cybersecurity
Question. Dr. Gallagher, our National Labs--which are the crown
jewels of our Nation's research system--are active in efforts to
promote cybersecurity.
In my home State of New Mexico, Sandia National Laboratories is
engaged in efforts to secure the national electrical grid from cyber
attack. Los Alamos National Laboratories is a leader in quantum
cryptography.
Sandia also has partnerships with universities and the private
sector. They're helping computer science students become cyber
professionals.
Could you discuss what role our National Labs should have in
protecting our Nation from cyber attack?
Answer. NIST recognizes the value of the Department of Energy's
National Laboratories' cutting-edge research in addressing national
priorities, including cybersecurity. The results from the laboratories'
cybersecurity research are instrumental in the development of next
generation standards and best practices. Currently, we are working with
Department of Energy's Laboratories on critical cybersecurity
challenges such as security for the advanced metering infrastructure.
engagement with industry groups
Question. Dr. Gallagher, I would like to ask about NIST's work with
industry partners. When it comes to developing guidelines and standards
for cybersecurity, is NIST getting the level of cooperation it needs
from industry stakeholders? Are there areas where more engagement is
needed?
Answer. NIST employs collaborative partnerships with our customers
and stakeholders in industry, government, academia, and consortia to
leverage their technical and operational insights and the resources of
a global community. These collaborative efforts, and our private sector
collaborations in particular, are constantly expanding through new
initiatives, including in recent years through the National Initiative
for Cybersecurity Education (NICE), National Strategy for Trusted
Identities in Cyberspace (NSTIC), the National Cybersecurity Center of
Excellence (NCCoE), and in implementation of Executive Order 13636,
``Improving Critical Infrastructure Cybersecurity.''
federal cybersecurity standards and new computing trends
Question. Dr. Gallagher, last month NIST revised its Federal
cybersecurity guidelines, which many agencies follow.
Could you discuss how new computing tools and trends, such as the
move to ``cloud computing'' and mobile devices, create new potential
cyber vulnerabilities?
Answer. Mobile devices and cloud computing have already
significantly changed business capabilities, allowing employees access
to information resources wherever and whenever they need it. These
technologies offer both an opportunity and a challenge. Their unique
capabilities--including their always-on, always-connected nature--can
facilitate more efficient and effective business, but also create new
challenges to ensure the confidentiality, integrity and availability of
information accessed by these devices.
To address the security challenges and accelerate the Federal
Government's secure adoption of cloud computing, NIST is playing a
leading role in developing standards and guidelines, in close
consultation and collaboration with standards bodies, the private
sector, Federal departments and agencies, and other stakeholders.
NIST's long-term goal is to provide thought leadership and guidance
around the cloud computing paradigm to catalyze its use within industry
and government.
NIST is working collaboratively with industry to bridge the
security gaps in mobility. For example, NIST has ongoing work to
identify properties and capabilities of roots of trust needed to secure
next generation mobile devices. This work examines issues relating to
boot firmware protections; integrity measurement and reporting of
critical firmware and software; secure storage; device authentication;
and application and data isolation.
What are the main takeaways from NIST's cybersecurity guidance to
Federal agencies?
Answer. NIST cybersecurity guidance builds on the guiding principle
of mission-focused, risk-based information security. NIST performs
research and develops standards, best practices, testing and metrics in
order to provide protections against threats to the confidentiality,
integrity and availability of information and services. Through
collaborations with industry and academia, NIST's programs in areas
such as risk management, cryptography, identity management,
authentication, key management, security automation, privacy,
usability, biometrics, configuration baselines, vulnerability
management, and trusted hardware are designed to give practical,
affordable and innovative guidance and metrics for today's computing
platforms and information management.
mobile phones and cybersecurity awareness
Question. Dr. Gallagher, this year, there will be more mobile
phones than people on the planet. Today, our wireless devices are not
just phones, but pocket computers. We use them for sensitive
transactions, including mobile banking and online purchases.
But GAO recently found that cyber threats are increasing for mobile
devices and the information they store. GAO recommended that DHS and
NIST work together to ``establish a baseline measure of consumer
awareness . . . related to mobile security.'' GAO also recommends the
development of performance measures that use the baseline to assess the
effectiveness of initiatives to educate the public about cybersecurity.
Could you share any thoughts on how best to raise public awareness
for cybersecurity threats to mobile devices?
Answer. NIST is leading the National Initiative for Cybersecurity
Education (NICE) initiative, involving more than 20 Federal departments
and agencies, to ensure coordination, focus, public engagement,
technology transfer and sustainability. DHS, FCC, and FTC are among the
leads for the awareness components of NICE, including the development
of baseline and progress information as part of their ongoing
cybersecurity awareness campaigns. Interactions through this campaign
suggest public awareness and practices with regard to mobile security
are limited and this has led to the development of a ``Safety Tips for
Mobile Devices'' resource by the STOP.THINK.CONNECT campaign and a
recent blog post on ``Being Smart with your Smartphone.''
Question. What is the proper role for government and industry to
promote best practices for both companies and consumers?
Answer. Government and industry must work together to promote best
practices for companies and consumers. NIST works closely with industry
on the research, development and outreach necessary to provide
standards and guidelines, tools, metrics and best practices to protect
our Nation's information technology infrastructure for business and
industrial control systems. Through these collaborations, NIST
continues to develop cybersecurity standards, security metrics, and
product assurance programs to promote, measure, and validate the
security attributes of information systems and services. As technology
advances and security requirements evolve, NIST, with its industry
partnerships, can critically evaluate existing standards, guidelines,
and technologies to ensure that they adequately reflect the current
state of the art.
______
Questions Submitted by Senator Thad Cochran
Question. All witnesses, we have heard about the importance of
cooperation and clearly defined lanes of responsibility across the Federal
Government for our cybersecurity efforts. What are your respective
roles in receiving and sharing threat information with the private
sector?
Answer. NIST works with Federal agencies and private sector
companies to develop underlying standards and best practices that are
used to support a wide array of information sharing activities. These
standards and best practices are a fundamental component of providing
coordination between organizations, allowing for rapid and accurate
sharing of information between government and industry, and industry to
industry. The collaborative development approach ensures that the needs
of all sectors are adequately addressed, leading to an information
sharing ecosystem that benefits all organizations.
Question. All witnesses, I think we all recognize the importance of
defending our Nation's critical infrastructure against cyber attacks. A
foreign or terrorist cyber attack on our electric grid, water systems,
or financial systems could cause widespread damage and even have
detrimental effects on our economy and consumer confidence. There has
been much discussion about how involved the Federal Government should
be in defending infrastructure owned by non-Federal entities. How would
you define the threshold for what types of non-Federal infrastructure
might qualify as ``critical'' for these purposes?
Answer. Executive Order 13636 defines critical infrastructure as
the systems and assets, whether physical or virtual, so vital to the
United States that the incapacity or destruction of such systems and
assets would have a debilitating impact on security, national economic
security, national public health or safety, or any combination of those
matters. NIST is working with critical infrastructure owners and
operators and their partners to define a cybersecurity framework that
reduces cyber risks to critical infrastructure. The Draft Cybersecurity
Framework includes a set of standards, methodologies, procedures, and
processes that align policy, business, and technological approaches to
address cyber risks.
Question. All witnesses, we've often heard that there is a
potential for a ``Cyber Pearl Harbor,'' or an unexpected cyber attack
on our Nation by a foreign entity that has dramatic and lengthy
consequences. I think it may be difficult for most Americans, and even
members of this Committee, to visualize how exactly such an attack
would be carried out and what it would look like. Can you help us to
better understand these things? Are the appropriations this Committee
has been recommending sufficient to help prevent such an attack?
Answer. NIST considers a cybersecurity threat to be any
circumstance or event with the potential to adversely impact
organizational operations (including mission, functions, image, or
reputation), organizational assets, individuals, other organizations,
or the Nation through an information system via unauthorized access,
destruction, disclosure, modification of information, and/or denial of
service. This includes threats that are immediate, have significant
reach across the Internet, and rapidly propagate. Ensuring we are able
to develop solutions that can scale globally, protect technological
innovation, and keep up with the threats is of utmost importance to
NIST and the Department of Commerce as a whole.
Unlike a physical attack that has to conform to physical
constraints, a cyberattack can have velocity, reach, and scale that
do not have these limiting factors. A cyberattack can occur at the
speed of a digital transmission, our interconnected systems can extend
the reach beyond traditional kinetic limitations, and with the
intersections of cyber and physical systems, the scale of impacts can
go beyond disruption or disclosure of sensitive information. A
cyberattack can potentially have a physical impact, conducted at the
speed and reach of the Internet and at the scale of our interconnected
systems.
NIST appreciates the Committee's continued support and funding for
the critical cybersecurity efforts at NIST.
______
Questions Submitted to Richard A. McFeely, Executive Assistant
Director, Criminal, Cyber, Response, and Services Branch, Federal
Bureau of Investigation
Questions Submitted by Senator Richard J. Durbin
cyber executive order--role of the executive order versus cyber
legislation
Question. President Obama issued Executive Order (EO) 13636 in
February of this year. What is the effect of this Executive order? Is
it improving your ability to share information with the private sector?
Answer. Implementation of Executive Order (EO) 13636 is underway
across the U.S. Government (USG). The Federal Bureau of Investigation
(FBI) is optimistic that, once fully implemented, the Executive order
will lead to better information sharing between the private sector and
the government. Consistent with the USG policy (articulated in section
4 of EO 13636) ``to increase the volume, timeliness, and quality of
cyber threat information shared with U.S. private sector entities,''
the FBI has prioritized the efficient, effective, and appropriate
sharing of cyber threat information with authorized entities and is
working with the Department of Homeland Security (DHS) to ensure a
consistent, whole-of-government solution to sharing cyber threat
information with the private sector.
Among these changes, we have modified the means by which we share
information with the private sector to prevent intrusion into
companies' networks and the exfiltration of their data and intellectual
property. For example, the FBI has increased the level of detail it
provides to industry partners in briefings regarding cyber threats. The
National Cyber Investigative Joint Task Force conducts these briefings
for private sector, government, and critical infrastructure partners on
a near-daily basis. In partnership with DHS and the Treasury
Department, we also provided a detailed briefing on financial services
industry threats to executives of more than 40 banks who participated
in a secure video teleconference. Detailed briefings have also been
provided to those in the energy sector, which is a key part of our
Nation's infrastructure.
In addition, the FBI is working with DHS to release Joint Indicator
Bulletins (JIBs) to anti-virus companies, Internet service providers,
and foreign partners. These JIBs contain information regarding Internet
Protocol (IP) addresses that are believed to be infected with malware.
Since October 2012, the FBI has released approximately 170,000 IP
addresses to more than 130 countries through DHS's U.S. Computer
Emergency Response Team and our Legal Attache. We have also released
nine FBI Liaison Alert System notices to victims of intrusions and to
trusted partners. These notices contain specific and technical
actionable intelligence related to threats. Furthermore, as required by
EO 13636, the Deputy Attorney General (DAG) has issued instructions
regarding the timely production of unclassified reports of cyber threat
information. The DAG instructions require the FBI to produce timely
reports that contain sufficient technical and threat detail to
facilitate cybersecurity defense and response activities. Furthermore,
all components of the Department of Justice (DOJ) are required to
update their systems to increase the volume, timeliness, and quality of
cyber threat information that is shared with U.S. private sector
entities so they can better protect and defend against cyber threats.
Question. When he signed the Executive order, President Obama also
underscored the need for comprehensive cybersecurity legislation, since
the scope of the Executive order is limited. What are your legislative
priorities in terms of items you believe should be included in cyber
legislation?
Answer. We would be pleased to work with DOJ, DHS, and others to
identify legislative measures that may enhance cybersecurity, and we
look forward to providing our views of any possible legislation
pursuant to DOJ's role in assisting in the development of the
administration's position.
cyber executive order--protecting privacy and civil liberties
Question. The Executive order requires Federal agencies to develop
cybersecurity efforts in accordance with the Fair Information Practice
Principles, as well as other policies, principles, and frameworks to
protect privacy and civil liberties. I worked with a number of other
Senators to ensure that the Cybersecurity Act of 2012 included
provisions to protect privacy and civil liberties. What specific steps
can government agencies take to ensure that privacy and civil liberties
are protected as we enhance our Nation's cybersecurity?
Answer. Section 5 of EO 13636 is consistent with the work USG
agencies have been doing to ensure that privacy and civil liberties are
incorporated into our cyber activities and affirms the need to continue
these efforts. Departments and agencies must also conduct regular
assessments, with subsequent reporting, and include in these
assessments an evaluation of their activities against the Fair
Information Practice Principles and other applicable privacy and civil
liberties policies, principles, and frameworks.
The FBI builds privacy and civil liberties protections into all
investigative efforts, including cybersecurity. For example, the
Domestic Investigations and Operations Guide (DIOG), which articulates
FBI policy regarding our investigative and intelligence collection
activities, outlines protections to be afforded at each step of an
investigation. All FBI operational personnel are required to complete
DIOG training and a specific privacy course, as well as yearly
information security training (which includes a privacy component). The
Privacy and Civil Liberties Unit (PCLU) in the FBI's Office of the
General Counsel is devoted to privacy and civil liberties issues,
including Bureau-wide compliance with the requirements of the Privacy
Act and the eGovernment Act. PCLU is also actively involved in
assessing the privacy and civil liberties aspects of FBI information
systems and programs through Privacy Threshold Analyses and Privacy
Impact Assessments. PCLU works closely with all FBI divisions,
including the Cyber Division, to help ensure that appropriate
protections are in place.
______
Questions Submitted by Senator Mary L. Landrieu
Question. General Alexander testified that the services,
departments, and agencies need to work together to ensure that they
have adequate test bed and range space to safely organize, train, and
equip the cyber warriors, operators, managers, researchers, and agents
across the Federal Government.
a. What are the specific requirements that your departments and
their various agencies have for test bed and range space? What specific
outcome will those established requirements render in trained personnel
and tactics?
b. What is the current test bed and range capacity available to
each of your departments? What is the wait time or backlog based on the
access you currently have?
c. Have you identified additional test bed or range space that you
would like to acquire, use, or lease?
d. What are the fiscal years 2013 and 2014 funding levels for
testing and training space?
e. What percentage of your required testing and training needs will
you be able to meet in fiscal years 2013 and 2014?
Answer to subparts a through e. As used in this inquiry, the
concepts of ``test-bed'' and ``range space'' are not used by the FBI
and we are not able to comment on them.
______
Questions Submitted by Senator Tom Udall
role of national laboratories in promoting cybersecurity
Question. Mr. McFeely, our National Labs--which are the crown
jewels of our Nation's research system--are active in efforts to
promote cybersecurity.
In my home State of New Mexico, Sandia National Laboratories is
engaged in efforts to secure the national electrical grid from cyber
attack. Los Alamos National Laboratories is a leader in quantum
cryptography.
Sandia also has partnerships with universities and the private
sector. They're helping computer science students become cyber
professionals.
Could you discuss what role our National Labs should have in
protecting our Nation from cyber attack?
Answer. The National Laboratories, which are Department of Energy
(DOE) entities, are central to cybersecurity research and development
and should continue to lead in these efforts. There are multiple areas
in which opportunities exist for FBI-National Lab partnerships that
leverage National Lab knowledge and resources to assist the FBI in
meeting investigative challenges. For example, the FBI's Operational
Technology Division and the Labs could partner to:
--Enlist the Labs' supercomputing resources to help solve the FBI's
most computationally challenging problems;
--Study where to apply quantum cryptography research to protect
against active cyber threats;
--Apply the Labs' vulnerability research to active FBI
investigations; and
--Use unsolved investigative problems to motivate National Labs'
vulnerability research.
Additionally, we continue to appreciate DOE's critical role as the
sector specific agency for the energy sector in providing a cooperative
environment to help the energy sector defend against cyber threats.
Currently, the FBI collaborates with DOE and DHS to ensure the timely
sharing of threat information with the energy sector. The FBI also
works with DOE to support a voluntary program in which energy sector
asset owners use government-developed tools to improve their
situational awareness and better protect their own assets. Asset owners
are free to share this information with the industry and government at
their discretion.
Question. Mr. McFeely, your written testimony describes how the FBI
is trying to help State and local law enforcement agencies pursue
Internet crimes. I am disturbed by your comment that very few cases
referred to State and local officials by the FBI are actually being
worked.
Could you elaborate on the FBI's pilot program you mention in your
testimony to help State and local law enforcement agencies pursue
Internet fraud and cyber crimes?
Answer. Every year, there are thousands of individual and corporate
victims of crimes facilitated through the use of computer networks or
devices with targets that are independent of those networks or devices.
These crimes are often referred to as Internet-facilitated crimes.
Because these cases frequently involve victims spread across multiple
jurisdictions and perpetrators living in foreign countries, local and
State law enforcement agencies have often viewed these crimes as the
province of Federal law enforcement agencies. Yet, while many local and
State agencies have seen the problem as too broad for their
jurisdictions, Federal agencies have not been able to prioritize these
crimes in such a way that they receive significant investigative
attention.
To properly address the threat of Internet-facilitated crimes
against U.S. victims, the FBI is establishing a platform to assist in
the development of these investigations by Federal, State, local,
tribal, and international law enforcement agencies. This platform is
being developed through the Internet Crime Complaint Center (IC3),
which has received victims' reports of Internet crimes for the past 13
years and is currently receiving approximately 300,000 complaints
annually. The FBI will leverage intelligence that has been consolidated
at IC3 and package it in a way that facilitates investigations by
appropriate law enforcement agencies, with assistance provided by the
FBI's local Cyber Task Force.
In addition to this broad program, the FBI is seeking ways to work
in cost-efficient and effective ways with State and local governments
on cybersecurity matters. For example, we have begun a pilot project
with the Utah Department of Public Safety to disseminate Internet fraud
information to law enforcement authorities throughout the State. We
will assess the results of this Utah pilot to determine whether it
should be expanded to other jurisdictions.
______
Questions Submitted by Senator Thad Cochran
Question. All witnesses, we have heard about the importance of
cooperation and clearly defined lanes of responsibility across the Federal
Government for our cybersecurity efforts. What are your respective
roles in receiving and sharing threat information with the private
sector?
Answer. The FBI, which is an intelligence-driven and threat-focused
national security organization with both intelligence and law
enforcement responsibilities, is charged with investigating,
attributing, and disrupting cyber crimes. The FBI may receive
information regarding a cyber threat or incident from a victim or third
party, including those in the private sector. We are working toward
making Guardian, which is our terrorist threat tracking and
collaboration system, available to trusted industry partners to report
cyber intrusions in real time. Known as iGuardian, this system will
allow the FBI to more effectively understand and identify cyber
threats, collaborate with our government partners through the sharing
of information regarding cyber intrusions, and track pending
investigations and operations. Each incident reported through this
system will immediately be routed to CyWatch, the FBI's 24/7 cyber
operations center, where it will be vetted and assigned to an FBI Cyber
Task Force investigator.
In the course of the FBI's investigative process, we share
information with USG partners in support of their roles in the incident
response process. The information we share is used to help us and our
Intelligence Community partners understand the actions, goals, methods,
and capabilities of those posing threats, and to anticipate and prevent
future attacks against our critical infrastructure and government
systems. The FBI also notifies any additional actual or potential
victims or targets revealed through investigation and, as part of the
USG team, provides the information they need to protect their systems.
The FBI completes these activities in a manner that ensures
protection of the digital crime scene and that actions are taken consistent
with preserving evidence for use in a later criminal proceeding, if it
is determined that such a proceeding is warranted.
Question. All witnesses, I think we all recognize the importance of
defending our Nation's critical infrastructure against cyber attacks. A
foreign or terrorist cyber attack on our electric grid, water systems,
or financial systems could cause widespread damage and even have
detrimental effects on our economy and consumer confidence. There has
been much discussion about how involved the Federal Government should
be in defending infrastructure owned by non-Federal entities. How would
you define the threshold for what types of non-Federal infrastructure
might qualify as ``critical'' for these purposes?
Answer. Presidential Policy Directive 21, ``Critical Infrastructure
Security and Resilience'' (2/12/13) (PPD-21) defines the term
``critical infrastructure'' as follows:
The term ``critical infrastructure'' has the meaning provided in
section 1016(e) of the USA Patriot Act of 2001 (42 U.S.C. 5195c(e)),
namely systems and assets, whether physical or virtual, so vital to the
United States that the incapacity or destruction of such systems and
assets would have a debilitating impact on security, national economic
security, national public health or safety, or any combination of those
matters.
PPD-21 identifies 16 critical infrastructure sectors. Based on the
cyber threat to each of these sectors, the potential impact of a cyber
attack on these sectors, and the extent to which other Federal agencies
are responsible for their protection, the FBI has organized its efforts
to address the threats to these 16 critical infrastructure sectors in
the following order of priority:
--Financial Services, Chemical, Communications, Defense Industrial
Base, Energy, Healthcare and Public Health, Information
Technology, Nuclear, and Transportation;
--Food and Agriculture, Critical Manufacturing, Dams, and Water;
--Commercial Facilities, Emergency Services, and Government
Facilities.
Question. All witnesses, we've often heard that there is a
potential for a ``Cyber Pearl Harbor,'' or an unexpected cyber attack
on our Nation by a foreign entity that has dramatic and lengthy
consequences. I think it may be difficult for most Americans, and even
members of this Committee, to visualize how exactly such an attack
would be carried out and what it would look like. Can you help us to
better understand these things? Are the appropriations this Committee
has been recommending sufficient to help prevent such an attack?
Answer. As the question recognizes, the events of Pearl Harbor
represented an unexpected, surprise attack on our Nation by a foreign
entity with devastating consequences. Under this analogy, in a ``Cyber
Pearl Harbor,'' the United States might one day face, without warning,
the wide-scale disruption of a critical service that would result in
damages, both economic and physical, to include the loss of life. Along
with our law enforcement and Intelligence Community partners, the FBI
works every day to prevent and address the threat of an attack of this
scale.
Cyber-attacks are continually increasing in both frequency and
sophistication. The U.S. economy is continually threatened by cyber
activities that are difficult to detect and that deprive us of the full
value of our intellectual property, threaten our economic prosperity,
and erode our military advantages. Since 2008, appropriated funds have
provided more than 500 new FBI support, intelligence, and special agent
personnel to address cyber threats. Although these and other critical
resources have helped us counter increasingly aggressive cyber threats,
as the sophistication of malicious software increases and the demand
that critical systems be globally available grows, these systems become
ever more vulnerable to attack.
CONCLUSION OF HEARING
Chairwoman Mikulski. As previously announced and as part of
our practice on security issues, we will now move to a closed
briefing. Before we do, I would like to make some general
closing comments.
First of all, I really do want to thank the witnesses for
participating. The hearing has not been quite the way we
originally thought, but it was a good hearing. People do have a
right to know. People have a right to say their voices. That is
why we responded.
But I think the big national debate that started after 9/11
is the inherent tension between security and privacy. It is
time now for a new, fresh national debate. It is beginning in
the usual committee structure.
The second thing is that many of us are concerned about
what is the access to people and businesses' information. Now,
there are those who, because of the Snowden revelation, wonder
about Government's access to that information, whether it is
through the NSA, whether it is through the IRS, or whatever.
People are asking what is the Government doing.
The purpose of this hearing, however, is who is raiding the
information that we have. So maybe people are concerned about
what is NSA doing. But I am concerned about the people every
single day that are trying to get access to somebody's Social
Security number, their Medicare number, their checking account
number, their smart phone information so they can either steal
from them or lead to other access to their bank account, to
their other kinds of assets. So we are worried about that.
I am concerned every day about the number of people out
there, with the great intellectual entrepreneurship of our
country, that are coming up with new ideas and new products to
create the new jobs for the 21st century. And they are being
stolen in the greatest cyber espionage heist. So why find a
cure for cancer if you can try to steal it from FDA or the
Patent Office? I am worried about that.
And then I worry about things like the grid and I worry
about access to those who are trying to raid the grid. Tonight
there is a gathering storm. We fear a derecho, another derecho
maybe hitting the Maryland-Washington area. We know when the
grid is shut down, it is a terrible consequence in terms of our
society. I do not want ever to have a grid shut down here in
the Greater Capital Region or anywhere in the United States.
So the purpose of this hearing was to go after those who
have predatory intent--predatory, premeditated intent--against
either an individual, our business, or our critical
infrastructure.
There are those who are also concerned about is Government
now passing beyond a red line on civil liberties. I think we
ought to have that debate. I think we ought to have that
discussion. It could be the subject of another hearing here.
There will be the Feinstein hearing. There will be the
Judiciary Committee hearing. But you know what? This is
America. This is America and people have a right to know. They
have a right to have their public officials explain this.
So I think it has been a great hearing.
So, therefore, though, this committee will now stand in
recess after the closed briefing until the morning of Thursday,
June 20, where we will vote on our spending allocations and
also take up the very important legislation of Veterans Affairs
and our agricultural appropriations. This committee now stands
in recess.
[Whereupon, at 4:39 p.m., Wednesday, June 12, the hearing
was concluded, and the committee was recessed, to reconvene
subject to the call of the Chair.]