[House Hearing, 114 Congress] [From the U.S. Government Publishing Office] PROMOTING AND INCENTIVIZING CYBERSECURITY BEST PRACTICES ======================================================================= HEARING before the SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY TECHNOLOGIES of the COMMITTEE ON HOMELAND SECURITY HOUSE OF REPRESENTATIVES ONE HUNDRED FOURTEENTH CONGRESS FIRST SESSION __________ JULY 28, 2015 __________ Serial No. 114-29 __________ Printed for the use of the Committee on Homeland Security [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Available via the World Wide Web: http://www.gpo.gov/fdsys/ __________ U.S. GOVERNMENT PUBLISHING OFFICE 97-918 PDF WASHINGTON : 2016 ----------------------------------------------------------------------- For sale by the Superintendent of Documents, U.S. Government Publishing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001 COMMITTEE ON HOMELAND SECURITY Michael T. McCaul, Texas, Chairman Lamar Smith, Texas Bennie G. Thompson, Mississippi Peter T. King, New York Loretta Sanchez, California Mike Rogers, Alabama Sheila Jackson Lee, Texas Candice S. Miller, Michigan, Vice James R. Langevin, Rhode Island Chair Brian Higgins, New York Jeff Duncan, South Carolina Cedric L. Richmond, Louisiana Tom Marino, Pennsylvania William R. Keating, Massachusetts Lou Barletta, Pennsylvania Donald M. Payne, Jr., New Jersey Scott Perry, Pennsylvania Filemon Vela, Texas Curt Clawson, Florida Bonnie Watson Coleman, New Jersey John Katko, New York Kathleen M. Rice, New York Will Hurd, Texas Norma J. Torres, California Earl L. ``Buddy'' Carter, Georgia Mark Walker, North Carolina Barry Loudermilk, Georgia Martha McSally, Arizona John Ratcliffe, Texas Daniel M. Donovan, Jr., New York Brendan P. Shields, Staff Director Joan V. O'Hara, General Counsel Michael S. Twinchek, Chief Clerk I. Lanier Avant, Minority Staff Director ------ SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY TECHNOLOGIES John Ratcliffe, Texas, Chairman Peter T. King, New York Cedric L. Richmond, Louisiana Tom Marino, Pennsylvania Loretta Sanchez, California Scott Perry, Pennsylvania Sheila Jackson Lee, Texas Curt Clawson, Florida James R. Langevin, Rhode Island Daniel M. Donovan, Jr., New York Bennie G. Thompson, Mississippi Michael T. McCaul, Texas (ex (ex officio) officio) Brett DeWitt, Subcommittee Staff Director Dennis Terry, Subcommittee Clerk Christopher Schepis, Minority Subcommittee Staff Director C O N T E N T S ---------- Page Statements The Honorable John Ratcliffe, a Representative in Congress From the State of Texas, and Chairman, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies................................................... 1 The Honorable James R. Langevin, a Representative in Congress From the State of Rhode Island................................. 3 The Honorable Cedric L. Richmond, a Representative in Congress From the State of Louisiana, and Ranking Member, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies: Prepared Statement............................................. 4 The Honorable Bennie G. Thompson, a Representative in Congress From the State of Mississippi, and Ranking Member, Committee on Homeland Security: Prepared Statement............................................. 6 Witnesses Mr. Brian E. Finch, Senior Fellow, Center for Cyber and Homeland Security, George Washington University: Oral Statement................................................. 7 Prepared Statement............................................. 9 Mr. Raymond B. Biagini, Partner, Covington and Burling: Oral Statement................................................. 15 Prepared Statement............................................. 17 Ms. Andrea M. Matwyshyn, Visiting Professor, Center for Information Technology Policy, Princeton University: Oral Statement................................................. 22 Prepared Statement............................................. 23 For the Record The Honorable John Ratcliffe, a Representative in Congress From the State of Texas, and Chairman, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies: Letter......................................................... 3 PROMOTING AND INCENTIVIZING CYBERSECURITY BEST PRACTICES ---------- Tuesday, July 28, 2015 U.S. House of Representatives, Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, Washington, DC. The subcommittee met, pursuant to call, at 2:20 p.m., in Room 311, Cannon House Office Building, Hon. John Ratcliffe [Chairman of the subcommittee] presiding. Present: Representatives Ratcliffe, Perry, Donovan, and Langevin. Also present: Representative Watson Coleman. Mr. Ratcliffe. The Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies will come to order. The subcommittee is meeting today to examine the potential benefits of expanding the Support Antiterrorism by Fostering Effective Technologies Act, referred to as the SAFETY Act, to clarify that on a voluntary basis cybersecurity products and services can be reviewed and certified to receive enhanced liability protections for large-scale cyber incidents. Right now, our cyber defenses are weak, and, because addressing cybersecurity vulnerabilities is costly, we need to find ways to promote and incentivize investment in cybersecurity. We need to incentivize companies to have a robust cyber-risk management plan in place. Through this hearing, we want to hear from our expert witnesses if the SAFETY Act Office at the Department of Homeland Security could be leveraged to promote and incentivize cybersecurity best practices within its existing framework. By way of history, the SAFETY Act was part of the Homeland Security Act of 2002 and is a voluntary program that currently provides incentives for the development and deployment of anti- terrorism technologies. The SAFETY Act ensures that the threat of costly litigation does not deter potential manufacturers or sellers of anti-terrorism technologies at both large and small companies from developing and putting into the marketplace products and services that could reduce the risk or mitigate the consequences of a large-scale terrorist event. Companies qualify for the protections afforded by the SAFETY Act by demonstrating through an on-going basis that they have a comprehensive and agile risk management plan. Applicants to this voluntary program must submit to a rigorous and thorough vetting process at DHS' SAFETY Act Office in order to receive liability protections in the event of an act of terrorism. Homeland security and National security challenges are constantly evolving, and the cybersecurity threat is currently growing. It is in that capacity that earlier this year we passed H.R. 1731, the National Cybersecurity Protection Advancement Act. The goal of that legislation, which passed the House with a bipartisan vote of 355 to 63 and is now awaiting Senate action, is to strengthen the sharing of cyber threat indicators to guard against criminal groups, hacktivists, or nation-state actors. Separately, we have been meeting with stakeholders to find other ways to strengthen cybersecurity, including expanding the SAFETY Act for cyber purposes. Right now, the SAFETY Act can only be triggered by an act of terrorism. However, for cyber attacks, attribution is extremely difficult to determine. Regardless of whether the hacker was a terrorist, a nation- state, a cyber criminal, or hacktivist, the impact of a devastating cyber attack would be the same. If there is something more that can be done to increase cybersecurity best practices overall and potentially reduce the likelihood of a large-scale cyber attack, this subcommittee is going to examine it. SAFETY Act coverage for cybersecurity will not solve all of our cybersecurity challenges, but it has the potential to make a significant improvement in our Nation's cyber defenses. In the coming weeks, the Committee on Homeland Security will consider House-passed legislation from the 113th Congress that would amend the SAFETY Act to establish a, ``qualifying cyber incident,'' threshold to trigger SAFETY Act liability protections for vetted cybersecurity technologies. The very creation of the Department of Homeland Security stemmed from the attacks on September 11, 2001. While we must and will remain vigilant and do everything we can to prevent another devastating attack on Americans, we must also recognize that the threat landscape in this country is changing. Cyber space is, in many ways, the new frontier, and a cyber 9/11 is only a matter of time if we fail to strengthen our cyber defenses. So we need to ensure that we are doing everything possible to harden our defenses left of boom, as they say in military parlance. This potential legislation has the potential to increase investments in the security and resilience of our Nation's critical infrastructure, including the power grids, air traffic control, and banking systems. Much of our Nation's critical infrastructure is privately owned, and in the 21st Century there now exists an interconnectedness of physical security and cybersecurity. This means that someone sitting at a keyboard can now initiate a physical injury by issuing commands at an office building, an air traffic control system, or someone's automobile, resulting in loss of life, not just the theft of personal information from a database. Many products and services weren't built with cybersecurity in mind. This is why we need to incentivize market-driven solutions to raise the bar on how we manage our cybersecurity risks. Fortunately, the United States is home to an ingenuous entrepreneurial culture, and the best high-tech companies in the world have developed products and services that can help improve the information security resilience of our critical infrastructure and for companies that improve our quality of life. If amending the SAFETY Act to include qualifying cyber incidents would better safeguard our Nation and potentially prevent a cyber attack that could shut things down and bring commerce to a screeching halt, then we owe it to ourselves and our constituents to examine the potential benefits it could provide. This is especially true given the increasing importance of cybersecurity in the lives of every American. At this time, I ask unanimous consent to insert into the record a letter from the American Gas Association, the Edison Electric Institute, and the National Rural Electric Cooperative Association in support of testimony submitted by Mr. Brian Finch on the need to clarify the SAFETY Act to ensure that significant cybersecurity incidents are clearly covered. Without objection, so ordered. [The information follows:] Letter Submitted by Chairman John Ratcliffe July 28, 2015. The Honorable John Ratcliffe, Chairman, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies. The Honorable Cedric Richmond, Ranking Member, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, Washington, DC 20515. Dear Chairman Ratcliffe and Ranking Member Richmond: On behalf of the American Gas Association (AGA), the Edison Electric Institute (EEI), and the National Rural Electric Cooperative Association (NRECA) we are writing in support of testimony submitted by Brian Finch on the need to clarify the SAFETY Act to ensure that significant cybersecurity incidents are clearly covered under the programs liability protections. The electric and gas utility industries take cybersecurity threats very seriously. Any statutory clarification would be beneficial if it helps to make more explicit that cyber attacks are covered by the SAFETY Act and that legal defenses will be available to those using its certified cybersecurity products or processes in the event of a significant cyber attack. Currently, the SAFETY Act provides that liability protections are available in the case of an ``act of terrorism,'' which is usually interpreted to include a significant cyber attack. To eliminate any doubt, Congress should make clear that it intends for a significant cyber attack to be covered. This clarification would likely result in an increase in utilization of the program and adoption of its certified cybersecurity products or processes. We appreciate the subcommittee's continued focus on this important issue. The changes Mr. Finch has suggested are important and we look forward to working with you as legislation to clarify the SAFETY Act moves forward. American Gas Association. Edison Electric Institute. National Rural Electric Cooperative Association. Mr. Ratcliffe. I am pleased to be joined today by my colleague from Rhode Island, Mr. Langevin, who is filling in for Ranking Member Richmond. The Chair now recognizes the gentleman from Rhode Island for any statement that he may have. Mr. Langevin. Thank you, Mr. Chairman. I, too, want to welcome our witnesses here today. Before I begin, Mr. Chairman, I would like to ask unanimous consent that Mrs. Watson Coleman of New Jersey be allowed to participate in this hearing, although she is not a Member of the subcommittee. Mr. Ratcliffe. Without objection. Mr. Langevin. Thank you, Mr. Chairman. Next, as you mention, the Ranking Member is traveling with the President right now, so I am sitting in. I would like to ask unanimous consent to submit his opening statement for the record. Mr. Ratcliffe. Without objection, so ordered. [The statement of Ranking Member Richmond follows:] Statement of Ranking Member Cedric L. Richmond July 28, 2015 Good afternoon Mr. Chairman and thank you for holding this hearing on cybersecurity best practices. I want to thank Dr. Andrea Matwyshyn from Princeton who has traveled to testify for us today. The Department of Homeland Security, Science and Technology Directorate, is responsible for operating the SAFETY Act through the Office of Safety Act Implementation, or the OSAI. While we are going to hear testimony today about the process for companies interested in having cybersecurity technologies designated as qualified anti-terrorism technologies under the SAFETY Act, we are also going to discuss some of the features of the draft SAFETY Act legislation that Chairman McCaul has circulated to industry. The SAFETY ACT provides Government-sponsored immunity from liability to products or services that have gone through examination by the Office of Safety Act Implementation, and then designated, or certified under the SAFETY Act. Congress has provided this kind of liability protection since 2002 to encourage innovation in the development of products and technologies for the homeland security enterprise that would help protect us from the terrorist threats or terrorist events, but only when the Secretary has determined that a terror event has taken place. It would seem to me that the large, prime contractors who already supply the Department of Defense would need little help in providing the Department of Homeland Security with the kinds of services they might need in the civilian threat arena. But small businesses are the backbone of America's workforce and innovation, creating most of the jobs in America. A SAFETY Act designation or certification for a new innovative product can improve a smaller company's bottom line and help resolve their concerns about liability protections. That was the original intent of the Act in 2002. We are all concerned about the ability of American businesses, large and small, to protect their data and networks in today's amplified cyber threat atmosphere. The question before us is how to best encourage civilian businesses to make sure their cybersecurity efforts are state-of-the-art, and how does SAFETY Act liability protection play a key role in helping us achieve that goal, in the complex, multi-layered arena of cybersecurity? I look forward to the testimony today Mr. Chairman, and I yield back. Mr. Langevin. Very good. Thank you, Mr. Chairman. So let me begin by saying that, as co-chair of the Congressional Cybersecurity Caucus with Chairman McCaul, I fully agree that organizations, public and private, must do a better job adopting cybersecurity best practices, as the consequences of cyber attacks can be devastating. I certainly also associate myself with the remarks of the Chairman in his opening statement, as well. It is also abundantly clear that network administrators are not currently employing best practices, given that over 80 percent of cyber attacks could be stopped with simple hygiene measures like patch deployment or the use of two-factor authentication. I understand that some of our witnesses today and the Chairman believe that applying existing policy, the SAFETY Act, to this problem may help improve our Nation's cybersecurity posture. I have great respect for their point of view, and I certainly believe that incentives are an avenue that we should explore. However, I do think that there are a number of questions this committee should answer as part of our consideration. First, I think we must ask ourselves what we see as the underlying purpose of the SAFETY Act. I have always viewed the legislation as having at its heart the incentivization of research, design, and development of new technologies. Today, new information security products are being released at a prodigious rate, raising questions of whether further SAFETY Act protections are necessary to spur innovation. While the shield offered under SAFETY Act certification designation can certainly also incent deployment of these new, novel technologies, we at the committee must determine whether the act is properly tailored to the problem that we are addressing. Second, we must also look into the implementation of technologies certified under the SAFETY Act. Network security is incredibly complex, and users of security products can often make mistakes in configuration or interpretation of results. For example, in the Target breach, the company's security software alerted on the malware that eventually compromised the point-of-sale terminals; however, the alert was lost in a sea of other warnings. How limits of liability would apply in such cases is an important concern. Finally, we must examine the SAFETY Act in the context of cybersecurity risk management writ large. I have consistently fought efforts in Congress to prescribe specific technology solutions, either legislative or regulatory. Information technology simply moves too fast a pace to be able to say that today's best solutions will be viable in 5 years, let alone even less than that. Instead, I have advocated adoption of risk management frameworks like NIST that help companies assess their level of cybersecurity risk and development processes to reduce that risk. One of the best practices universally praised under such frameworks is resilience--the idea that a network should not rely on a single technology for protection. Part of the reason that data breaches last for more than 6 months, on average, is that companies prioritize perimeter security without a similar focus on detecting anomalies once the network has in fact been breached. So the committee must explore whether the use of the SAFETY Act in a cybersecurity context could inadvertently make networks less resilient. There are other questions I have--for instance, the adequacy of the certification process--that I hope the committee will also explore. Let me again thank the Chairman for convening this important hearing. I thank the witnesses for appearing, and I certainly look forward to their testimony. Mr. Chairman, before I yield back, I would just ask unanimous consent that the statement of the Ranking Member of the full committee, Mr. Thompson, also be entered into the record. Mr. Ratcliffe. Without objection, so ordered. [The statement of Ranking Member Thompson follows:] Statement of Ranking Member Bennie G. Thompson July 28, 2015 Good afternoon. I want to thank Chairman Ratcliffe for calling today's hearing on encouraging cybersecurity best practices, and I want to thank the witnesses for testifying here today. I especially want to thank Dr. Andrea Matwyshyn from Princeton University who has come to share her expertise and experience with us. Today, we will be discussing the prospect of amending the SAFETY Act law to promote certification of more cybersecurity technologies as qualified anti-terrorism technologies. Given that there is draft legislation circulating, prepared by the Majority to amend the SAFETY Act in this manner, this hearing is timely. Today, under the SAFETY ACT, DHS provides immunity from liability to products or services that have been rigorously examined by the Office of Safety Act Implementation. Congress directed DHS to establish this program to encourage innovation in the development of novel anti-terrorism technologies. As I noted in a previous hearing several years ago on this matter, the Government does not charge a penny to perform exhaustive reviews of each company's product that applies for, and is qualified for, SAFETY Act approval. Mr. Chairman, I am wondering whether in our current fiscal situation, Congress should consider requesting a fee from companies with the means to seek pursue this process and desire to secure the liability protection and marketing advantage that comes with SAFETY Act certification. When this committee first began to examine the activities of the SAFETY Act Office, I encouraged the Department to perform dedicated outreach to attract small, minority, and disadvantaged businesses to obtain SAFETY Act certification, and to help them go through the complicated and time-consuming SAFETY Act approval process. The reasoning behind this emphasis was simple. Large multinational companies who are likely the prime developers of technologies in the homeland security enterprise, are mostly already involved with providing the Department of Defense technologies and services in that sphere. In contrast, small businesses with promising technologies face countless barriers to entry in the marketplace. Given that these firms are often the innovators and the backbone of America's workforce, it is important that DHS go the extra mile. A SAFETY Act designation or certification can improve a company's bottom line and help small, savvy companies create jobs. Large, well- funded companies need less help, and those companies are usually stocked with a bevy of corporate lawyers to guide them through any concerns about liability protections or access to DHS acquisitions. The draft legislation that is in circulation has no special emphasis on small businesses. I am hopeful that as the bill moves through the legislative process, we can come together to ensure that it does. I would also put on the record my concern that that the funding to expand the Safety Act Office would not be ``new money'' but rather taken from other DHS activities. It is important to know where that money would be taken from and what capabilities or programs would be affected or diminished. More broadly, there are basic questions about how this legislation would drive innovation with respect to cyber technologies. We would not want to foster an environment in the marketplace where companies grow complacent having only an interest in securing blanket liability protections outweighing the energy of innovation. I look forward to the testimony today Mr. Chairman, and I yield back. Mr. Ratcliffe. Other Members of the committee are reminded that opening statements may be submitted for the record. We are pleased today to have with us a very distinguished panel of witnesses on a very important topic. Mr. Brian Finch is a senior fellow at the Center for Cyber and Homeland Security at George Washington University. Mr. Finch has a diverse background in homeland security issues and the SAFETY Act. Thank you for being here, Mr. Finch. Mr. Raymond Biagini is a partner at Covington and Burling. He has extensive experience and background in drafting the original SAFETY Act language and also assists companies in obtaining SAFETY Act certifications. Welcome, Mr. Biagini. Finally, we are pleased to be joined by Professor Andrea Matwyshyn--did I pronounce that right? Ms. Matwyshyn. You did. Mr. Ratcliffe [continuing]. Matwyshyn, who is a visiting professor at the Center for Information Technology Policy at Princeton University. Professor, thank you for being here. I would now ask each of the witnesses to stand and raise your right hands so I can swear you in to testify. Do each of you swear or affirm that the testimony which you will give today will be the truth, the whole truth, and nothing but the truth, so help you God? Let the record reflect that the witnesses have answered in the affirmative. You may be seated. The witnesses' full statements will appear in the record. The Chair now recognizes Mr. Finch for 5 minutes for his opening statement. STATEMENT OF BRIAN E. FINCH, SENIOR FELLOW, CENTER FOR CYBER AND HOMELAND SECURITY, GEORGE WASHINGTON UNIVERSITY Mr. Finch. Chairman Ratcliffe, Ranking Member Richmond, Mr. Langevin, distinguished Members of the subcommittee, my name is Brian Finch, and thank you for inviting me to testify before you today on how to effectively promote and incentivize cybersecurity best practices. I firmly believe that promoting and incentivizing the use of cybersecurity best practices is critical to our Nation's security. The challenge, however, is determining what is, ``the best,'' or even, ``quite good.'' The SAFETY Act can help us with that right now. Let me begin by stating what I will not be promoting in my testimony. I will not advocate for expanding the liability protections offered by the SAFETY Act or what triggers those protections. I will not seek to reinterpret the original intent behind the SAFETY Act. Rather, I will discuss how cyber attacks and cybersecurity technologies are covered under the SAFETY Act as currently written. I will also cover how a minor tweak to the law will improve its use in the cybersecurity context. As this committee knows, SAFETY Act protections are triggered when the Secretary of Homeland Security declares that an, ``act of terrorism'' has occurred. Under the SAFETY Act, an act of terrorism is defined as an event that is, ``one, unlawful; two, causes harm to a person, property, or entity in the United States; and, three, uses or attempts to use instrumentalities, weapons, or other methods designed or intended to cause mass destruction, injury, or other loss to citizens or institutions of the United States.'' Nothing in that definition excludes cyber attacks. Further, note that the SAFETY Act already explicitly states that cybersecurity technologies are eligible to receive liability protections. All of the above is why the DHS has already approved cybersecurity SAFETY Act applications. Despite all of this, too many people are still unsure of whether the SAFETY Act applies to cyber attacks and cybersecurity technologies. To cure this, the House should once again unanimously pass section 202 of the National Cybersecurity and Critical Infrastructure Protection Act, or NCCIP. That section clarified the SAFETY Act by adding two new terms to it, ``cyber incident'' and ``cybersecurity technologies.'' Those new terms merely made explicit protections already available under the SAFETY Act. As we all know, the decision of Executive branch members to declare a particular event an act of terrorism in any context is a difficult one. Terms such as ``workplace violence'' and ``cyber vandalism'' are used instead of the ``T'' word. While I offer no opinions on the language used by the Executive branch to describe certain events, I can say that preventing or mitigating the outcomes that occurred in those events is exactly what Congress intended when it passed the SAFETY Act. That is why giving the Department of Homeland Security Secretary a term other than ``terrorism'' to use when bringing in the liability protections of the SAFETY Act is so important. Now, if you will allow me, I would like to provide two examples where, if we could clarify the SAFETY Act, it would allow for vastly improved cybersecurity best practices. First, let me talk about cyber risk groups. Companies could use risk-pooling mechanisms like risk-purchasing or risk- retention groups to increase their defenses and better mitigate risks. Here's how that would work. First, a group of similarly- situated companies would agree to use certain security standards or technologies, such as, for instance, detonation chambers or the NIST Cyber Framework. Next, those companies would then either jointly purchase a cyber insurance policy or create a pool of insurance that they would all maintain and participate in. Third, the risk group would also agree to pursue SAFETY Act protections for the security standards that they have agreed to commit to adhering to. All of this would be possible thanks to the vetting conducted under a clarified SAFETY Act. I would add that this pooling-risk purchasing agreement would be of particular value to small businesses, as well as to companies in historically underserved communities, as it would allow their dollars to travel further. Next, cyber HMOs. I argue that cyber insurers should be using a health insurance model to promote best practices. Why? Because, under the cyber HMO model, it promotes wellness behavior that prevents minor scratches from developing into serious infections. That cyber HMO plan would also give the insured access to a vast network of cybersecurity vendors and professionals, as well as low-cost or free access to basic cyber hygiene, such as annual physicals, i.e., compromise assessments, or vaccines, in this case, perimeter defenses. By encouraging the use of SAFETY Act-vetted products or services, the HMO and its policyholders would have greater confidence in the tools they are using to promote cyber health. Thank you for the opportunity to testify, and I welcome any questions this committee may have. [The prepared statement of Mr. Finch follows:] Prepared Statement of Brian E. Finch July 28, 2015 Chairman Ratcliffe, Ranking Member Richmond, distinguished Members of the subcommittee, thank you for inviting me to testify before you today on how to effectively promote and incentivize cybersecurity best practices. My name is Brian Finch, and I am here today testifying in my capacity as a senior fellow with The George Washington University Center for Cyber and Homeland Security, where I am a member of the Center's Cybersecurity Task Force.\1\ I am also a partner with the law firm of Pillsbury Winthrop Shaw Pittman LLP, a senior advisor to the Homeland Security and Defense Business Council, and a member of the National Center for Spectator Sport Safety and Security's Advisory Board. --------------------------------------------------------------------------- \1\ While I am testifying in my capacity as a senior fellow with The George Washington University Center for Cyber and Homeland Security, please note that my comments represent my personal views and not necessarily any positions of the Center. --------------------------------------------------------------------------- Clearly, the implementation of best cybersecurity practices is critical to our Nation's economic security and physical safety. Our cyber enemies are numerous, growing, and increasingly sophisticated. Fortunately there is no lack of will to defend ourselves from the attacks these enemies launch. Unfortunately, given the scale, scope, and pace of cyber threats we face, our cybersecurity measures writ large tend to lag behind the said attacks. In light of those threats, I firmly believe that promoting and incentivizing the use of cybersecurity best practices and effective technologies, policies, and procedures are critical to our Nation's security. I also firmly believe that the private sector is ready and willing to adopt those best practices, technologies, policies, and procedures. Its challenge, however, is determining which of those items are in fact ``the best'' or even ``quite good.'' Moreover, we should all acknowledge that the private sector will see all of its cybersecurity decisions second-guessed in the tsunami of litigation that inevitably follows any cyber attack. Thus, programs that help companies determine which cybersecurity measures to adopt and will help them minimize their exposure to unnecessarily expensive and protracted litigation are desperately needed. Thankfully, a program already exists in the United States Code that in fact does promote and incentivize the use of cybersecurity best practices, technologies, policies, and procedures: The ``SAFETY Act.'' The SAFETY Act, which stands for the Support Anti-Terrorism By Fostering Effective Technologies, was enacted in 2002 as part of the Homeland Security Act. The SAFETY Act is one of the most responsibly designed and effectively implemented liability management programs in Government today. More importantly, it can and already has been used to promote improved cybersecurity, and, with the leadership of this committee, that success can be expanded. In my testimony below, I will go into greater detail as to how the SAFETY Act can currently be used promote the increased use of cybersecurity practices as well as effective technologies, procedures, and policies. I will also explain why I believe that some very minor statutory tweaks to the SAFETY Act would be exceptionally helpful in expanding its use in the private sector. Finally, I will also provide some examples of how the SAFETY Act could be tied to innovative ideas that will, in general, promote improved cybersecurity. important clarification regarding the scope of this written testimony I believe at the outset that it is exceptionally important to establish what I will NOT be promoting in my testimony. I want there to be no misunderstanding with respect to what actions I believe Congress or the Executive branch should be undertaking in order to allow the SAFETY Act to reach its full potential with respect to cybersecurity. Specifically, my testimony:Will NOT advocate for an expansion of the scope of the liability protections offered by the SAFETY Act. The SAFETY Act, as currently drafted, provides to the Department of Homeland Security (DHS) all of the legal authority needed to encourage the wide-spread deployment of effective and useful cybersecurity technologies, policies, and procedures; Will NOT advocate for an expansion of the types of unlawful events that may trigger the liability protections offered by the SAFETY Act. Again, as currently drafted, the SAFETY Act gives the Secretary of Homeland Security broad discretion to decide which unlawful acts that cause harm to U.S. persons, property, or economic interests can trigger its liability protections; Will NOT seek to revise or reinterpret the intent of the Members of the 107th Congress, who drafted and voted to enact the SAFETY Act; Will NOT advocate for the ability of the private sector to excuse itself completely from liability following a cyber attack, much less disincentivize the private sector from continually investing in and upgrading its cyber defenses; and Will NOT seek to undermine the ability of DHS to thoroughly review applications for SAFETY Act liability protections or require a dramatic expansion in the size or cost of the Office of SAFETY Act Implementation (OSAI), such that the program office will become unwieldy or unnecessarily costly. Instead, my testimony will advocate for a very simple proposition: That with the addition of a few well-placed words, it will become perfectly clear to the private sector that the SAFETY Act applies to cybersecurity practices, technologies, procedures, and policies. Moreover, these minor tweaks will permanently clarify that the SAFETY Act applies to cyber attacks committed by a variety of actors, as well as attacks where attribution is unclear or impossible. the safety act as drafted applies to cybersecurity technologies and cyber attacks A critical point that must be established immediately is that both the SAFETY Act statute (see 6 U.S.C. 441-444) and the implementing Final Rule (see 6 CFR 25) establish that cyber attacks can trigger the law's liability protections and that information technologies (including cybersecurity systems and services) are eligible to receive SAFETY Act liability protections. By way of review, please note that the SAFETY Act provides extensive liability protections to entities that are awarded either a ``Designation'' or a ``Certification'' as a Qualified Anti-Terrorism Technology (QATT). Under a ``Designation'' award, successful SAFETY Act applications are entitled to a variety of liability protections, including: All terrorism-related liability claims must be litigated in Federal court; Punitive damages and pre-judgment interest awards are barred; Compensatory damages are capped at an amount agreed to by both DHS and the applicant; That damage cap will be equal to a set amount of insurance the applicant must carry, and once that insurance cap is reached no further damages may be awarded in a given year; A bar on joint and several liability; and Damages awarded to plaintiffs will be offset by any collateral recoveries they receive (e.g., victims compensation funds, life insurance, etc.) Should the applicant be awarded a ``Certification'' under the SAFETY Act for their QATT, all of the liability protections awarded under a ``Designation'' are available. In addition, the Seller of a QATT will be entitled to an immediate presumption of dismissal of all third-party liability claims arising out of, or related to, the act of terrorism. The only way this presumption of immunity can be overcome is to demonstrate that the application contained information that was submitted through fraud or willful misconduct. Absent such a showing, the cyber attack-related claims against the defendant will be immediately dismissed. Additionally, when a company buys or otherwise uses a QATT that has been either SAFETY Act ``Designated'' or ``Certified,'' that customer is entitled to immediate dismissal of claims associated with the use of the approved technology or service and arising out of, related to, or resulting from a declared act of terrorism. As the SAFETY Act is currently drafted, in order for its protections to be triggered, the Secretary of Homeland Security must declare that an ``act of terrorism'' has occurred. The definition of an ``act of terrorism'' is extremely broad and includes any act that: (i) is unlawful; (ii) causes harm to a person, property, or entity, in the United States, or in the case of a domestic United States air carrier or a United States-flag vessel (or a vessel based principally in the United States on which United States income tax is paid and whose insurance coverage is subject to regulation in the United States), in or outside the United States; and (iii) uses or attempts to use instrumentalities, weapons, or other methods designed or intended to cause mass destruction, injury, or other loss to citizens or institutions of the United States. The Secretary has broad discretion to declare that an event is an ``act of terrorism,'' and once that has been declared, the SAFETY Act statutory protections will be available to the Seller of the QATT and others. Critically, nothing in the SAFETY Act statute or Final Rule requires that there be a finding of a ``terrorist'' intent in order for the Secretary to declare that an ``act of terrorism'' occurred. Indeed, the only discussion of ``intent'' when defining an ``act of terrorism'' comes in the third part. There, all Congress drafted was that the attack must have used a weapon or other instrumentality ``intended'' to cause some form of injury. Congress had every opportunity to explicitly or implicitly limit qualifying ``acts of terrorism'' to politically, religiously, or other ideologically motivated actions by specifically-defined groups or persons. It chose not to do so, instead stating that, for purposes of the SAFETY Act, an ``act of terrorism'' was simply an intentional unlawful act intended to cause harm to U.S. persons, property, or economic interests. It can only follow then that the SAFETY Act statute can (and is) interpreted to include cyber attacks as an act that can be considered an ``act of terrorism'' and may serve as a trigger for the protections of the SAFETY Act. Further, it is vital to note that the SAFETY Act Final Rule includes cybersecurity products and services in its definition of ``Qualified Anti-Terrorism Technologies,'' or ``QATT,'' or technologies that are eligible to receive SAFETY Act protections. This point is readily demonstrated by the fact that DHS, through its Office of SAFETY Act Implementation, has already approved a number of cybersecurity products and services. By that measure alone, we know that the SAFETY Act applies to a variety of cybersecurity products and services. Still, it is important to understand the statutory and regulatory basis for the coverage of cybersecurity products and services under the SAFETY Act. We can start with the SAFETY Act itself, specifically in 6 USC 444(1), defines a ``Qualified anti-terrorism technology'' as follows: ``For purposes of this part, the term ``qualified anti-terrorism technology'' means any product, equipment, service (including support services), device, or technology (including information technology) designed, developed, modified, or procured for the specific purpose of preventing, detecting, identifying, or deterring acts of terrorism or limiting the harm such acts might otherwise cause, that is designated as such by the Secretary.'' (emphasis added). Note that this definition specifically covers ``information technology'' and, further, that the only characteristic needed by any product, equipment, service, device, or technology in order to be considered as a QATT is that the item ``is designed, developed, modified, or procured for the specific purpose of preventing, detecting, identifying, or deterring acts of terrorism or limiting the harm such acts might otherwise cause.'' Thus, by its explicit terms, information technologies--a term that includes cybersecurity products and services--are eligible to be considered as a QATT under the SAFETY Act. We should also consider the QATT definition set forth in 6 CFR Part 25.2, which reads as follows: ``Qualified Anti-Terrorism Technology or QATT--The term `Qualified Anti-Terrorism Technology' or `QATT' means any Technology (including information technology) designed, developed, modified, procured, or sold for the purpose of preventing, detecting, identifying, or deterring acts of terrorism or limiting the harm such acts might otherwise cause, for which a Designation has been issued pursuant to this part.'' (emphasis added). DHS also explicitly refers to information technologies when defining Qualified Anti-Terrorism Technologies and also links ``information technologies'' to any Technology designed, etc. to combat an ``act of terrorism.'' Therefore, any Technology designed, developed, modified, procured, or sold for the purpose of preventing, detecting, identifying, or deterring ``acts of terrorism'' will be eligible to be defined as a QATT. That includes cybersecurity products and services. I would also refer the committee to the SAFETY Act Final Rule's definition of ``Technology,'' which is as follows: ``Technology--The term `Technology' means any product, equipment, service (including support services), device, or technology (including information technology) or any combination of the foregoing. Design services, consulting services, engineering services, software development services, software integration services, threat assessments, vulnerability studies, and other analyses relevant to homeland security may be deemed a Technology under this part.'' (emphasis added). Please note that here again DHS specifically used the term ``information technology,'' once again establishing that cybersecurity products, equipment, or services will be considered a ``Technology'' for purposes of the SAFETY Act. Please note too that when elaborating on the types of ``design services'' that may be considered a ``Technology'' (a definition that includes various types of software development and support services), DHS stated that ``analyses relevant to homeland security may be deemed a Technology under this part.'' See 26 CFR Part 25.2. The use of the general term ``homeland security'' is of great import to this hearing. As this committee is well aware, DHS's ``homeland security'' mission is an ``all hazards'' one, which includes protecting against cyber threats in all forms. Indeed, in recent years the cybersecurity mission--whether related to terrorist groups, nation- states, organized crime, individuals, or others--has become a primary mission area for DHS. It follows then that when DHS defined ``Technologies'' for SAFETY Act purposes to include software services related to ``homeland security,'' it intended that term to encompass cyber attacks in their myriad of forms. In summary, then, there is no question that cyber attacks, regardless of who conducted them or why, and cybersecurity products and services are eligible to receive SAFETY Act protections under the plain language of the SAFETY Act statute and the Final Rule as originally drafted. the nation would benefit if congress were to amend the safety act in a way that makes its coverage of cyber attacks cybersecurity technologies even more explicit Despite the fact that the SAFETY Act, as already drafted, encompasses both cybersecurity products and services and cyber attacks unconnected to specific ``terrorist'' groups or motivations, too many people are unsure of whether the SAFETY Act applies to exactly those items and situations. In short, the only way to rectify the situation is for Congress to slightly amend the SAFETY Act to make explicit its coverage of cyber attacks and cybersecurity products and services. Thankfully, the path and process for clearing up the SAFETY Act's application in the cyber context has already been blazed, and all this committee and the House of Representatives need to do is retrace its steps. In the 113th Congress, Members of this committee, including Chairman McCaul, Ranking Member Thompson, Representative Meehan, and Representative Clarke introduced the National Cybersecurity and Critical Infrastructure Protection Act (NCCIP). Section 202 of the NCCIP would have slightly altered the SAFETY Act by essentially adding two new terms to the existing law: ``Cyber incident'' and ``cybersecurity technologies.'' These new terms would be inserted after the words ``act of terrorism'' and ``anti-terrorism technologies,'' respectively, in the existing SAFETY Act law. The purpose of these new terms was simple and straightforward: Make it 100% clear to potential users of the SAFETY Act that the law applies to cybersecurity products and services as well as to cyber attacks that one might not colloquially put in the same category as the terrible events of Sept. 11, 2001 or the Boston Marathon bombings. These changes were apparently not controversial to this committee or this Chamber, as H.R. 3696 passed the House by unanimous voice vote. Unfortunately, due to timing issues that prevented the resolution of some concerns by a few Senators, Section 202 was not included when the final version of H.R. 3696 passed the Senate and was signed into law. Still, I remind this committee again that Section 202 was passed unanimously by the House, and so this committee should pass the SAFETY Act clarifying language once again. This clarification continues to be absolutely vital for a variety of reasons. First, I can state without qualification to this committee that the vast majority of eligible SAFETY Act applicants do not realize after reading its statutory language that the SAFETY Act covers non- ``terrorist''-related cyber attacks or even cybersecurity products and services in general. Rather, most people who are not steeped in the nuances and history of the SAFETY Act simply see the words ``act of terrorism'' and ``Qualified Anti-Terrorism Technologies'' and think only in terms of al-Qaeda, ISIS, right-wing militias, and the like. The statute or Final Rule evidences no such limitations, and, further, there is no legislative history that I am aware of that would definitively limit the application of the SAFETY Act to such groups, their actions, or items designed to deter, defeat, or combat them. Inclusion of Section 202 language would eliminate that confusion. All parties would now be fully on notice of the application of the SAFETY Act to cyber incidents and cybersecurity technologies, thus allowing everyone to get on to the business of deciding whether the SAFETY Act is right for them or if the product or service merits the liability protections it offers. Second, inserting the term ``cyber incident'' would be of great value to the Executive branch, particularly the Secretary of Homeland Security. Under the SAFETY Act, the decision to declare an incident an ``act of terrorism'' is assigned to the Secretary of Homeland Security. Thus she or he is the person who decides whether a company that holds a SAFETY Act award may actually assert the defense in Federal court. Without that designation, the defenses of the SAFETY Act are not available under the law to the SAFETY Act awardee. As the past few years have demonstrated, the decision of Executive branch members to declare a particular event an act of terrorism in any context is a difficult one. From the shootings at Fort Hood to the cyber attack on Sony Pictures, and even to the recent cyber attack on the U.S. Office of Personnel Management, the Executive branch treads very cautiously when deciding how to describe an incident. Creative terms such as ``workplace violence'', ``cyber vandalism'', or even references to a general ``security breach'' are used instead of the ``T'' word. I offer no opinions on the terms used by the Executive branch in those incidents, yet I would dare say we all agree that there is no disagreement on their impact on American lives and our economy. Lives were lost, businesses were crippled, and Government programs have been crippled for years to come. It is those outcomes--or more specifically preventing or mitigating them--that Congress was focused on when it passed the SAFETY Act in 2002. That is why adding the term ``cyber incident'' as defined in Section 202 of NCCIP is a vital tool to give to the Homeland Security Secretary. The Secretary should have the same flexibility to acknowledge the seriousness of a given incident, and, in the case of the SAFETY Act, trigger specific liability protections, without having to utilize a term that may cause a larger than necessary impact. Section 202 thus represents a simple tool with which to wield the SAFETY Act with greater delicacy. Finally, I must emphasize that the language of Section 202 only clarifies the SAFETY Act and is entirely consistent with the original intent of the law. Section 202 does not expand the SAFETY Act, as have argued. When one looks back at the creation, implementation, and use of the SAFETY Act, it has always been clear that the purpose of the law has been to promote the use by the private sector of useful and effective security products and services in order to deter or mitigate massively damaging unlawful events. The SAFETY Act was designed to help mitigate those events by providing the possibility of limited liability protections following the unlawful ``act of terrorism.'' These liability protections were deemed needed because of concerns about potentially endless litigation following a major attack. Time has borne out those concerns. The attacks of 9/11 spurred litigation that lasted more than a decade and whose costs ran well into the hundreds of millions of dollars. Similar litigation arising out of the 1993 World Trade Center attack also lasted for more than a decade, and now every new terrorist incident spurs numerous new lawsuits. Cyber attacks are no different. High-profile attacks spur multiple lawsuits, and indeed the cost of managing litigation post-cyber attack is beginning to represent one of the most expensive consequences of a cyber attack. Considering that millions of cyber attacks occur daily, and that these attacks are growing more sophisticated and successful with each passing moment, liability protections for cybersecurity vendors and users are absolutely critical. This is especially true given that many of these attacks are conducted by foreign governments and are essentially unstoppable by the private sector. That fact will not deter plaintiffs' counsel, however, and so no matter how good a product is or how much is invested in defensive programs, companies will still face massive litigation. That trend cannot continue, and so it is only proper to use the SAFETY Act as originally intended to control that outrageous trend. In summary then, clarifying--but not amending--the SAFETY Act so that it explicitly covers cyber incidents and cybersecurity technologies is not only appropriate given the seriousness of the cyber threat. It is also appropriate given the general misunderstanding of how the SAFETY Act works and the need to provide flexibility to the Homeland Security Secretary when determining whether to let the protections of the SAFETY Act be applied. optimizing use of a clarified safety act Clarifying the SAFETY Act so that it clearly applies to non- ``terrorist'' cyber attacks and cybersecurity products and services will have multiple benefits. Please allow me to highlight two examples of improved cybersecurity this committee would likely support that would benefit from a clarified SAFETY Act. (1) ``Cyber Risk Groups'' One challenge facing private-sector companies when implementing cyber defenses is how to effectively cooperate with other companies to protect themselves and best use their limited resources. Particularly using a clarified SAFETY Act, companies could use risk-pooling mechanisms to increase their defenses and better mitigate risk. Risk-pooling mechanisms come in a number of forms, including ``risk purchasing'' and ``risk retention'' groups. Those groups allow collections of companies (usually similarly situated in terms of industry sector) to jointly purchase or create insurance coverage that would otherwise be unavailable or excessively expensive. Here's how it can work: 1. A group of similarly-situated companies agree to form a risk purchasing or retention group in order to obtain cybersecurity insurance. 2. The companies agree to use certain security standards or technologies (for instance SANS 20 controls, ``detonation chambers,'' information sharing via dedicated ``private clouds,'' the recent National Institutes of Standards and Technologies voluntary cybersecurity framework, etc.) 3. The companies then pool their resources to either jointly purchase an existing cyber insurance policy or to create a pool of insurance that they would maintain. 4. The risk group also agrees to pursue SAFETY Act protections for the standards it has created and committed to adhering to. 5. As part of the agreement, any company that fails to adhere to the security standards will be asked to leave the group at the next renewal period. Using a clarified SAFETY Act on top of the insurance pool effectively limits the exposure of the group to the amount of insurance they have purchased, or even a portion thereof. Further, this arrangement also potentially allows more of the insurance funds to be used for losses the company has directly suffered (damaged equipment, lost data, business interruption, etc.) rather than losses suffered by third parties. The pool arrangement allows companies to collaborate and establish a baseline of security that each would commit to maintaining, all of which fall under the umbrella of a review by DHS. None of this would be possible without a clarified SAFETY Act. I would add the pooling/risk purchasing agreement would be of particular value to small businesses or ones that serve historically underserved communities. For instance, cooperatives that provide utility services would benefit greatly from this arrangement as it would allow them to provide broader cybersecurity at reasonable costs to their members. Considering that their members are in historically underserved communities, this would be an excellent public benefit every member of this committee could support. (2) ``Cyber HMOs'' A challenge this committee and others have faced is how to use cyber insurance to promote best cybersecurity practices. That problem remains unsolved, but I contend a clarified SAFETY Act can help the Nation better utilize insurance solutions. First, I start with the proposition that cyber attacks are a constant threat, much more akin to medical claims than property or casualty claims. We know they will occur on a regular basis, and so insurers need to establish an infrastructure that supports constant care over a lifetime. Following on the health care analogy, cyber insurers should view their policies through the lens of a health insurance model and not a general liability or casualty policy. In my mind, it follows then that cyber insurers should develop cyber policies using a ``HMO'' model. Under that model, the insurer's goal will be to promote the ``right'' kinds of claims--ones that encourage healthy behavior. Yet even with the incentivizing of healthy behavior, inevitably some sort of disease will work its way into the blood stream. The cyber HMO model works well here too as it will support interventional care that prevents minor scratches from developing into a serious infection. A best-case scenario would work out this way: A ``cyber HMO'' is established, which companies can gain access to by paying monthly premiums along with associated ``co-pays,'' ``deductibles,'' and similar expenses typically associated with a health insurance plan. That cyber HMO plan would give the insured access to a vast network of cybersecurity vendors and professionals at discounted rates that could be called upon in the event of a problem (the ``co-pays'' and ``co-insurance'' equivalents). The cyber HMO plans would also provide low-cost or even free access to basic ``cyber hygiene'' care, such routine diagnostic examination of information technology systems, perimeter defense systems, and other basic defense systems (the ``annual physical'' and ``low-cost or free vaccine'' equivalents). More ``advanced'' defense systems could be subject to a higher co- pay and deductible, and companies could even chose to go ``out of network'' if they want, but they would have to shoulder more of the cost. The clarified SAFETY Act would help here, too, by helping decide whether a cybersecurity product or service should be ``covered'' under this insurance model. By encouraging the use of products or services vetted by DHS through the SAFETY Act, the HMO and its policyholders would have greater confidence in the tools they are using to promote cyber health. The ``cyber HMO'' is one that actively rewards healthy cyber behavior--a Gordian knot that no carrier has been able to untie yet using traditional insurance models. That's a critical piece of the cybersecurity puzzle, as the challenge has been how to get companies to engage in effective cybersecurity, rather than any form of cybersecurity. conclusion Thank you for the opportunity to testify before the committee today. I will be happy to answer any questions you might have. Mr. Ratcliffe. Thank you, Mr. Finch. The Chair now recognizes Mr. Biagini for 5 minutes for his opening statement. STATEMENT OF RAYMOND B. BIAGINI, PARTNER, COVINGTON AND BURLING Mr. Biagini. I thank you, Mr. Chairman. Thanks for having me here. I thank the Members of the committee for this opportunity. Indeed, it's a privilege to speak with you about the possible expansion of the SAFETY Act to cover qualifying cyber incidents. Let me address in short what I see as the key questions for this committee's consideration. First, are liability protections needed to incentivize companies to enhance their own cybersecurity systems and to incentivize providers of cyber solutions to design more effective technologies? I believe the answer is yes. In short, we face a potentially devastating existential cybersecurity threat. As I outline in my written remarks, the magnitude of this threat cannot be overstated. The 9/11 Commission authors likened a cyber attack on U.S. critical infrastructure to the terrorist threat before September 11, calling the cyber domain as the battlefield of the future. Those distinguished authors of the Commission report recommended legislation to incentivize the design and deployment of cybersecurity. We only have to look at the recent hack at OPM to confirm that the cyber wolf is knocking at our critical-infrastructure door. There is also a sense that corporations are moving too slowly to upgrade and enhance their own cybersecurity within their corporate walls. Regarding cyber insurance, carriers often lack the data they need to quantify losses from cyber attacks. When they do write cyber insurance, it often has large deductibles, inadequate limits, and exclusions for attacks by nation-states. This is particularly concerning for companies involved in cybersecurity in the critical infrastructure arenas of health care, financial, electrical, and energy. The laudable efforts by NIST to get companies to participate in the basic cyber hygiene program may be progressing too slowly. So I believe the enormity of the risk, coupled with the slowness of corporations' self-policing, and with some softness in the insurance markets, a surgical, legislative, incentivizing solution is appropriate. But the second question is: Why turn to the SAFETY Act as a vehicle to be used for this incentivizing approach? I have had the fortunate experience over the past 13 years to not only witness but to play an active role in the significant evolution of the SAFETY Act, as itself a truly best practice among homeland security companies big and small. The SAFETY Act has, in fact, stimulated companies to do cutting- edge research, design, development, and deployment of anti- terror technology and to incur the end-users to buy and deploy SAFETY Act technologies. From the very beginning of the act, small companies have benefited. The first recipient of SAFETY Act coverage was a small company, Michael Stapleton Associates, who got SAFETY Act coverage for their anti-terror training regimen for bomb- sniffing dogs. Fast-forward to today. DHS is granting SAFETY Act coverage to the likes of the Port Authority of New York and New Jersey for a complement of highly sophisticated anti-terror technologies to protect the new Freedom Tower. They have provided SAFETY Act coverage to the Kentucky International Airport and its cybersecurity programs and to a small and growing number of cybersecurity companies providing vulnerability assessments and resiliency testing of cyber networks. The SAFETY Act Office has shown that they can expedite coverage when deployments are subject to Federal contracts and give great weight to technologies that have preexisting positive track records in the Federal or military space. In short, the SAFETY Act and its implementers have shown a demonstrable ability to evolve and address emerging technologies of increasing complexity. Properly resourced, I believe they can do so in the SAFETY Act if it is expanded through this amendment. I want to mention that I know--that, indeed, the SAFETY Act is helping to improve the technology that is out there, and here is why. Every day, almost every week, I get approached by companies that would like to pursue SAFETY Act coverage, and many, many times I tell them they are not ready. They are not ready for SAFETY Act coverage at this time, because they don't have the bona fides yet. They may not have had sufficient testing done or self-evaluation of their technologies. They may not have done important hazards analysis or risk analysis. They may not have done the operational and training manuals that the SAFETY Act Office will require them to have. Many, many times, those same applicants come back around about 2 months later or 3 months, and they have the bona fides, and they have improved their technology, and now they are ready to seek SAFETY Act coverage. So, in this sense, the SAFETY Act has, indeed, acted as a gatekeeper. The last point I would like to make, Mr. Chairman, is that, as you mentioned, oftentimes the SAFETY Act--amending the SAFETY Act to cover cyber attacks. Cyber attacks cannot often be attributed to terrorists. It just makes sense to amend the SAFETY Act, because cyber attackers, by nature and often deliberately, do not leave behind the ``whodunnit'' signature that terrorists crave, in fact proclaim, after they commit a horrific attack. The amendment here properly focuses on the ``what,'' did the cyber attack cause material damage severely affecting the United States, not on the ``who,'' in terms of whether it was a terrorist or not. I believe that the cause here is worthy, the circumstances are sufficiently compelling, and I believe the results will be salutary. Thank you, Mr. Chairman. [The prepared statement of Mr. Biagini follows:] Prepared Statement of Raymond B. Biagini July 28, 2015 Good afternoon. Thank you, Chairman Ratcliffe, and the Members of this subcommittee, for the opportunity--indeed privilege--to speak with you today about this important topic of potentially expanding the U.S. SAFETY Act to provide needed liability protections arising out of ``qualifying cyber incidents,'' as that term is described in the proposed amendment. I support the proposed approach. I have a particularly keen interest in this topic, and note that I have always been hesitant to engage in activities that might lead to the amendment of the SAFETY Act, because I am the original author of the core liability protection provision of the SAFETY Act. I wrote that provision in June 2002 at the request of some of our law firm's homeland security contractor clients. Together, we examined the legal landscape and homeland security marketplace immediately following the horrific attacks of 9/11 and quickly recognized the need for new legislation to address key public policy needs: To stimulate companies, large and small, to research, design, develop, and deploy cutting-edge anti-terror technology without fear of enterprise-threatening liability suits. To stimulate the terror insurance market which had stopped providing terror coverage after the 9/11 attacks. To enhance homeland security in the United States and abroad. Guided by these policy considerations, I drafted in June 2002 the ``Certification'' section (now Section 863(d)(1), (2), and (3)) of what became the U.S. SAFETY Act, passed by Congress in November 2002 as part of the Homeland Security Act. In short, the SAFETY Act is landmark legislation, eliminating or minimizing tort liability for sellers or providers of anti-terror technology (``ATT'') approved by U.S. Department of Homeland Security (``DHS'') should suits arise in the United States after an act of terrorism. As described more fully below, DHS has awarded SAFETY Act coverage for hundreds of cutting-edge anti-terror products and services since its inception in 2002, thereby satisfying many of the policy concerns described above. In fact, in many respects, the SAFETY Act has become a homeland security industry ``best practice'' risk management technique, spurring companies, including small businesses, to research, design, develop, and deploy anti-terror technology to protect America without fear of ``enterprise-threatening'' tort liability should there be another 9/11 terror incident. But given the remarkably rapid expansion over the past several years of increasingly penetrating cyber attacks on key sections of the American economy and Government infrastructure, it is time to thoughtfully consider a surgical upgrade of the SAFETY Act so that that law can ``catch up'' to the realities of the cyber threat we now face. In short, the proposed legislation recognizes a fundamental principle: The ``trigger'' of liability protections for a ``qualifying cyber attack'' should turn not on the identity of the attacker, i.e., is he or she a terrorist, but on the severity of the attack on critical U.S. interests. Moreover, this amendment will begin to requite the public policy concerns that existed in 2002 and exist today--the need to incentivize companies to further develop cutting- edge cyber solutions and to upgrade and enhance their cybersecurity systems; and the need to stimulate the availability of cyber insurance, particularly for key high-value cyber targets in the energy, aviation, electrical, and health care industries. These public policy and marketplace dynamics auger for thoughtful consideration of this proposed legislation. a. key features of the safety act 1. Liability Protections Should a company obtain SAFETY Act tort protection from DHS, these protections fall into one of two categories: ``Certification--the highest form of protection--creates a presumption that the seller of ATT is immediately dismissed from suit unless clear and convincing evidence exists that the seller acted fraudulently or with willful misconduct in submitting data to DHS during the application process. Certification coverage also eliminates punitive damages claims; requires that any suit after an act of terrorism be filed in Federal court; and caps the awardee's liability, usually at its terror insurance limits.'' Certification coverage is usually awarded by DHS when the applicant's technology has been widely deployed and has a track record of ``proven effectiveness.'' The lesser form of SAFETY Act coverage is known as ``Designation'' coverage and is usually provided when the anti-terror technology has limited actual deployment in the field: ``Designation--provides all of the protections under Certification coverage except the presumption of dismissal.'' Importantly, certification and designation protections apply ``up and down'' the supply chain, i.e., the awardee's subcontractors, vendors, and distributors ``derivatively'' obtain the same SAFETY Act tort protections as the awardee. But most important, those that buy or deploy SAFETY Act-approved technology--whether they are commercial or Government customers--also are protected derivatively from tort liability arising out of an act of terror. 2. Limits on the Liability Protections The SAFETY Act's liability protections are triggered only if DHS's Secretary designates a particular incident an ``act of terrorism'' under the SAFETY Act. ``Act of terrorism'' is defined as an unlawful act causing harm to a person, property, or entity in the United States, using or attempting to use instrumentalities, weapons, or other methods designed or intended to cause mass destruction, injury or other loss to citizens or instrumentalities of the United States. The Secretary of DHS will determine on a case-by-case basis whether a particular terrorist attack is covered under the SAFETY Act. This threshold statutory requirement to first designate a particular attack as an ``act of terrorism'' under the SAFETY Act before the liability protections are applicable is an obvious limitation that may not be necessary or appropriated in considering whether to expand the SAFETY Act to ``qualifying cyber incidents.'' The SAFETY Act can also apply ``extraterritorially,'' i.e., even if the act of terror occurs outside the United States, the SAFETY Act can apply to suits filed in the United States so long as the ``harm,'' to include financial harm, is suffered by U.S. persons, property, instrumentalities, or entities. And SAFETY Act protections can also apply ``retroactively'' to cover anti-terror technologies that an applicant has already deployed and which are substantially equivalent to those technologies for which it has obtained coverage. The SAFETY Act defines ``loss'' as death, injury, or property damage, including business interruption loss. The definition of ``anti- terror technologies'' includes ``any product, equipment, service (including support services), device, or technology (including information technology)'' which has a material anti-terror purpose. Finally, in order to obtain the tort liability protections, an applicant for SAFETY Act coverage must carry terror insurance which will respond to third-party tort liability suits arising out of a covered act of terrorism. The cost of the insurance cannot unreasonably distort the pricing of the anti-terror technology. The terror coverage limits usually become the applicant's ultimate ``cap'' on liability. In practice, if an applicant does not have terror coverage, the SAFETY Act Office will work with the applicant to find terror coverage at a price that the applicant can afford. b. the safety act as implemented since 2002 Over the past 13 years, particularly in the last 7-8 years, DHS has vigorously implemented the SAFETY Act, providing coverage to hundreds of companies--from small businesses to some of the largest corporations in the world--for the anti-terror products or services they provide in the United States and abroad. In fact, the first SAFETY Act award went to a small company, Michael Stapleton Associates, for its bomb-sniffing dog training regimen, its X-ray screening, and bomb detection system. Representative SAFETY Act awards over the past 13 years include coverage for: threat and vulnerability assessment protocols; airport baggage handling systems; biometrically-secured airport identification and access system under the Registered Traveler Program; perimeter intrusion detection systems; cargo inspection systems deployed at ports and borders; physical security guard services; secure broadband wireless communications infrastructure and command-and-control systems; lamp-based infrared countermeasure missile-jamming systems; anti-IED jamming systems. In some of these cases, the SAFETY Act Office was able to ``expedite'' its review and award of coverage by giving weight to the fact that these anti-terror products and services had proven effectiveness through long-term deployments with Federal and military customers. Importantly, DHS has also awarded SAFETY Act coverage to private and quasi-Governmental entities for their security protocols, procedures, and policies used to determine the nature and scope of security they deploy to protect their own facilities and assets. Specifically, a major chemical company obtained coverage for its facility security services, including its vulnerability assessments, cybersecurity, emergency preparedness and response services, and its perimeter security, at its facilities that were governed by the Maritime Transportation Security Act; the Cincinnati/Northern Kentucky Airport obtained coverage for its security management plan, its operations and training procedures for its airport police, rescue, and firefighting personnel, its emergency operations center, and airport security plans; the New York/New Jersey Port Authority obtained coverage for the security assessments and design/architectural engineering services incorporating security-related design features at the New Freedom Tower and World Trade Center site; the NFL obtained coverage for the stadium security standards and compliance auditing program; three large professional sports venues obtained coverage for their security practices and protocols; the New York Stock Exchange Security System obtained coverage for its command-and-control and integration of a multi-layered security system. These significant awards, as well as the fact that the Federal Acquisition Regulations now require Federal agencies issuing homeland security solicitations to first consult with the DHS SAFETY Act Office to determine if expedited coverage is appropriate, have helped the SAFETY Act toward reaching its full potential. c. the proposed legislation: a limited but appropriate expansion of the safety act to cover qualified cyber incidents 1. Current Atmospheric Conditions The cyber threat to U.S. Governmental institutions and critical infrastructure as well as to commercial entities is increasing at an alarming rate. Examples include: the recent hack into OPM affecting over 22 million individuals, apparently by China; the 2014 attack on J.P. Morgan involving cyber theft of data belonging to 76 million households, likely by Russia; the attack on Sony Pictures, apparently by North Korea; the indictment of 5 Chinese military officials for hacking proprietary data held by Westinghouse and U.S. Steel. Indeed, on July 22, 2014, the 9/11 Commission authors likened the threat of a cyber attack on U.S. critical infrastructure to the terrorist threat before September 11, 2001, calling ``the cyber domain as the battlefield of the future.'' These authors urged legislation to incentivize enhanced cybersecurity. Further, the United States has identified cyber attacks as the single greatest threat to National security and at the forefront of the Nation's defense and critical infrastructure, characterizing cyber attackers as undeterred by the threat ``we'll shutdown your systems'' if you attack ours. In addition to these policy-level concerns, market dynamics are at work. Many companies are slow to improve their systems to prevent or mitigate against an attack. Cyber insurance for key sectors of the economy, especially critical infrastructure, e.g., health, financial, can be hard to get and expensive, often containing significant exclusions. The U.S. goal to strengthen cybersecurity resilience by having industry voluntarily follow NIST guidelines is progressing slowly. DHS, Commerce, and Executive branch agencies have suggested that tort mitigation legislation may be necessary to stimulate industry to enhance cybersecurity and the insurance industry to increase its footprint in the cyber market. 2. Why Amend the SAFETY Act to Cover Non-Terror-Based ``Qualifying Cyber Incident?'' There are numerous reasons that a discriminate expansion of the SAFETY Act makes sense as a means to mitigate increasing cyber threats. The first has to do with the inherent characteristics and differences between a cyber versus terrorist attack. In the latter, public ownership and notoriety of who the perpetrator is, remains a distinct goal and desire of those perpetrating a terrorist attack. Also, while their methods of accomplishing the terror attack are usually simple and ``low-tech,'' what matters to the terrorist is that the victims (as well as his competitors) know WHO committed the heinous act. By contrast, the cyber attacker prefers to be cloaked in secret, to act stealthily, not revealing highly-complex methods, sources, or signatures, while being able to suddenly and massively disrupt broad technological networks. As such, the proposed SAFETY Act amendment appropriately focuses on whether a qualifying cyber incident causes ``material levels of damage'' and ``severely affects'' the United States, as the ``trigger'' for coverage, not on whether the attacker can be labeled a ``terrorist.'' Second, over the past 13 years, pursuit of SAFETY Act coverage has become a ``best practice'' for companies in the homeland security market, which necessarily requires such companies to demonstrate ``proven effectiveness'' of their anti-terror products or services. Indeed, DHS already has awarded coverage for certain cybersecurity solutions and technologies. DHS's focus on ``proven effectiveness'' will apply equally to cyber solution providers and those companies that are deciding on the quality and scope of their cyber threat protections program. As such, the SAFETY Act should have the salutary benefit of improving the quality of cyber technology and use, thereby hardening networks and enhancing the level of cybersecurity generally throughout the United States. Third, as a prerequisite to obtaining SAFETY Act protection, the Act has always required an applicant to maintain terror insurance coverage; the amendment would similarly require an applicant to maintain cyber insurance to obtain the protections. This combination of liability protections and insurance requirements spurred the terror insurance markets to open up and will likely have the same effect on cyber insurance markets, particularly in the highly-vulnerable aviation, health, electric, and energy critical infrastructure arenas. Similarly, if SAFETY Act liability protection is provided to those companies providing proven cyber solutions, especially to high-value targeted industries, the insurance markets will likely respond positively because of the layer of immunity and claims-elimination protection afforded to its insureds if they are sued after a ``qualifying cyber incident.'' Fourth, the procedures for obtaining SAFETY Act coverage have been demonstrated to be reasonably predictable and, when needed, nimble. These procedures include protocols for expediting or ``fast-tracking'' applications; modifying a coverage award when a company's technology has materially changed; and renewing coverage after an initial award. Companies who fail to update DHS with material changes to their technology or fail to provide the technology or service as outlined to DHS in obtaining SAFETY Act coverage could find themselves without protection should a lawsuit arise. That said, the challenge for the SAFETY Act Office will be to obtain the necessary resources and expertise to handle an increased number of cyber-based SAFETY Act applications and to be able to nimbly but meaningfully review cyber applications which inherently involve changing technologies and threat environments. Finally, the proposed legislation does not conflict with the Senate information-sharing and monitoring bills. These bills focus on the important need to enhance a specific critical activity--the sharing of cyber threat information between and among commercial and Governmental entities--by providing protection for such sharing and monitoring companies from liability arising out of these specific activities. The proposed House legislation is focused on those companies that design, develop, and deploy and use cyber solutions, e.g., threat and theft protection; vulnerability assessments; fraud and identity protection, etc. The House legislation is meant to incentivize a broad swath of providers and users of such cyber technology by providing significant tort protections afforded under the SAFETY Act should a ``qualifying cyber incident'' occur. conclusion The proposed legislation to discriminately expand the SAFETY Act is reasonably calculated to address both policy-based concerns and market dynamics. Its emphasis on the severity and impact of the cyber attack and not on the identity of the attacker as the trigger for protection is appropriate. DHS's continued requirement that a technology--cyber or otherwise--have a record of ``proven effectiveness'' and the statutory requirement to carry cyber insurance, will likely spur higher quality technology and more available insurance. The challenge for the DHS SAFETY Act Office will be to have sufficient qualified resources who can conduct meaningful and timely reviews in an atmosphere of rapidly- changing technology and threats. In the end, this amendment, like the original SAFETY Act, should be driven by a common spirit and intent: To take proactive legislative incentivizing steps now--to avoid a catastrophic debilitating incident involving a major critical infrastructure or economic sector of the United States. This proposed discriminate amendment of the SAFETY Act is a step in the right direction. Mrs. Watson Coleman. Mr. Chairman. Mr. Ratcliffe. Thank you, Mr. Biagini. The Chair now recognizes Mrs. Watson Coleman. Mrs. Watson Coleman. Thank you, Mr. Chairman, and thank you, Mr. Langevin. I just want to take this opportunity to acknowledge and welcome and thank Dr. Andrea Matwyshyn for being here today and being a part of this very impressive panel. Dr. Matwyshyn is currently the Microsoft visiting professor at the Center for Technology Policy at Princeton University, which is part of the 12th Congressional District that I am proud to serve. She is a legal academic studying technology innovation and its legal implications, particularly corporate information. In 2013 to 2014, she served as a senior policy advisor and academic in residence at the U.S. Federal Trade Commission, focusing her work on corporate information security issues. She is a full professor of law at Northeastern University and a faculty affiliate of the Center for Internet and Society of Stanford Law School. She has had many very impressive appointments at many very impressive schools, from the Wharton School, the University of Pennsylvania, all the way to the Singapore Management University, Cambridge University, University of Oxford, and Notre Dame. Prior to entering academia, she was a private attorney, focusing her work on technology transactions. She has previously testified on issues of information security, and she is called upon and often quoted on these issues. We are delighted to have her today, and thank you for having this hearing and providing this opportunity for us to hear from her. Thank you. With that, I yield back. Mr. Ratcliffe. The gentlelady yields back. I thank the gentlelady for that introduction, and also glad to have you as part of our subcommittee today. A number of the Democratic Members of this subcommittee are traveling with the President presently overseas, so we very much appreciate you being here with us today. With that, the Chair recognizes Dr. Matwyshyn for 5 minutes for her opening statement. STATEMENT OF ANDREA M. MATWYSHYN, VISITING PROFESSOR, CENTER FOR INFORMATION TECHNOLOGY POLICY, PRINCETON UNIVERSITY Ms. Matwyshyn. Thank you. Chairman Ratcliffe, Member Langevin, and other distinguished Members of the subcommittee, it is my great honor to be with you here today to discuss the topic that I have devoted my academic career to studying: Information security and the National crisis that we face in working toward making our Nation more secure, both in terms of our defense and in terms of our economy in particular. The SAFETY Act was passed in 2002, and, at that time, it undoubtedly served as a critically-stimulating impetus for the emergence of physical space products from entrepreneurs to enable our society to move toward a more secure physical environment. However, the SAFETY Act in 2015 is, unfortunately, not an optimal fit for the information security ecosystem. The information security ecosystem is one that is driven by constant, frequently overnight, innovation. As such, expanding or interpreting the SAFETY Act to provide liability limitation for product, certain products only, in the information security ecosystem will disrupt rather than encourage an already successfully burgeoning market of cutting-edge information security products and services. The market is projected to reach approximately $93 billion worth of information security products and services in the next 2 years. We are seeing many successful IPOs; we are seeing venture capitalists investing heavily. Expanding or including information security within the SAFETY Act liability limitations will, in essence, negatively shift the purchasing behaviors of companies away from determining products based on the recommendations of their information security engineers and code quality toward the recommendations of CFOs, general counsel, and other perhaps less technologically-sophisticated individuals who are concerned about risk mitigation rather than information security first and foremost. As such, the certification period is not a fit for information security technologies. Instead, it is likely to engender a false sense of security in enterprises and may, unfortunately, incentivize them to, for example, fail to comply with the new ISO standards in information security or to obtain the relevant information security policies that the insurance industry increasingly offers, with over 50 major insurance companies now having robust offerings set in this space. The next few points I will briefly mention are elaborated upon more thoroughly in my written testimony. As I was preparing for this hearing, the availability of information regarding the transparency of the process of certification was, in my opinion, not as thorough as I would have hoped to be able to have an objective assessment of it. In particular, it is critical that any certification that provides the substantial benefit of a limitation of liability be driven by an independent, rigorous, third-party testing, including penetration testing and all the state-of-the-art technology measures that would be best suited to this kind of certification. With DHS having, unfortunately, limited capability in enforcement, this means that companies may be unwilling to correct their technologies in a timely manner when DHS even finds a problem. In fact, we see this behavior from companies in the current marketplace. So the expansion or inclusion of the SAFETY Act limited liability framework for information security products would, unfortunately, I believe, create disincentives to fix, timely patch, and well-disclose in security advisories the types of information that is absolutely critical to companies and to our agencies in defending us in a holistic approach with respect to the information security threats that we face. Context is everything, and the only way that we will succeed in defending our Nation and our economy is through a multi-lateral, coordinated approach between the public sector and the private sector that is sensitive to this set of moving pieces that need to be coordinated simultaneously. Finally, the expansion of this limited liability could impair the work of other agencies, including the FCC and the FTC. I have Federalism concerns, where the States, I believe, are the appropriate laboratories of experimentation first for any liability limitation approach. Thank you. [The prepared statement of Ms. Matwyshyn follows:] Prepared Statement of Andrea M. Matwyshyn July 28, 2015 Chairman Ratcliffe, Ranking Member Richmond, Representative Langevin, and other distinguished Members of the committee, it is my honor to be here with you today to discuss the future of information security in the United States and the SAFETY Act. My testimony today reflects cumulative knowledge I have acquired during my last 16 years as both a corporate attorney and academic conducting research on the legal regulation of information security. My testimony also reflects the practical business knowledge I have obtained through long-standing relationships with insiders at Fortune 100 technology companies, technology entrepreneurs, consumer rights advocates, and independent information security professionals. Finally, this testimony is informed by insights acquired during my service as the Federal Trade Commission's Senior Policy Advisor/Academic in Residence, advising on matters of information security. During the last decade, awareness of information security has dramatically increased in both the public and private sector, and State data security statutes have contributed significantly to this improvement. However, the field of information security is still in its early years, and the overall level of information security knowledge and care that currently exists in the United States is still inadequate. As high-profile data breaches such as the security failures of organizations such as OPM and Sony permeate the news, citizen confidence in the data stewardship capabilities of both companies and Government agencies is eroding. Dramatic information security improvements are necessary throughout both the public and private sector, and it is this social context that frames today's legal and policy conversation around the SAFETY Act. The SAFETY Act's primary feature--a grant of limited liability to companies whose products are certified by the Department of Homeland Security and to their customers--is a poor fit for stimulating improvements and incentivizing adherence to best practices in information security. SAFETY Act certifications for information security products are not likely to lead to improved information security in either the public or private sector. Instead, such grants of limited liability for information security products and services are more likely to have the inverse effect. They are likely to unintentionally create incentives for lower quality in information security products and services, indirectly undermining National security and consumer protection advancement. 1. Limitations of liability are likely to disrupt information security innovation in the marketplace--an outcome that contradicts the goals of the SAFETY Act--and to create disincentives for corporate purchasing based on information security technical efficacy The marketplace for information security products and services has dramatically evolved since the passage of the SAFETY Act. While the SAFETY Act's liability limitation incentives for creation of new information security products may have been helpful in 2002, in 2015 they are unnecessary. The market for information security is robust and has matured significantly: According to some estimates, sales of digital security products and services are likely to approach $80 billion worldwide in 2015 and rise to $93 billion in the next 2 years.\1\ Information security company companies are successfully obtaining venture capital easily and engaging in IPOs,\2\ and high- quality information security products are successfully appearing in the market. Because of this healthy market growth, any selective liability limitation incentives injected today by the SAFETY Act are likely to be undesirably disruptive and damagingly counterproductive to the successfully blooming market for information security products and services. --------------------------------------------------------------------------- \1\ http://www.betaboston.com/news/2015/07/17/cybersecurity-firm- rapid7-raises-103m-in-years-first-boston-tech-ipo/. \2\ Id. --------------------------------------------------------------------------- Because of the fast pace of innovation in information security, it is likely that the liability protection offered to certified products by the SAFETY Act will outlive the optimal technical efficacy of those certified products. Yet, any technology deployed during the period of designation is protected for the lifetime of designation. Indeed, the older a certified product becomes, the more outdated and potentially vulnerable it is likely to become, particularly because material changes may require DHS notification/refiling to maintain certification. Meanwhile, the SAFETY Act liability shield remains constant across time. Thus, it is precisely the older, potentially more vulnerable certified technologies that may command a lower pricepoint and superficially appear most cost-effective to corporate decision makers without technical expertise. As a consequence, business purchasing incentives could undesirably shift away from maximizing best practices in information security in favor of maximizing liability limitation. Corporate CFOs and general counsels will be likely to override the technical judgement of the CISO and their information security engineers in at least a portion of corporate information security products purchasing decisions. Companies will therefore likely shift away from purchasing based primarily on technical efficacy toward purchasing information security products based on whether they are certified under the SAFETY Act, even when those certified products may be of inferior technical quality or a worse business fit. In granting limitations of liability to only certain information security companies under the SAFETY Act, DHS would unnecessarily manipulate an already-competitive information security marketplace, potentially hindering adoption of new information security technologies in favor of older ones. A significant and growing portion of the information security expert community does not view the use of liability limitation approaches as the correct path to improving public and private-sector information security. As vulnerabilities will increasingly lead to potential loss of human life,\3\ code quality and information security rigor in products become paramount. Similarly, sophisticated technology companies with heavy investments in information security in many cases do not necessarily support limitations of security liability, and they are concerned that less ethical companies are misrepresenting the quality of the security in their products and services. Due to low enforcement and lack of information security liability, the market currently inadequately sanctions misrepresentations of information security quality in products and services. Liability limitation for information security products will only exacerbate this code quality problem, unfairly disadvantaging the companies who purchase the best- of-breed information security products based on technical information security concerns and enterprise fit rather than based on DHS certification. --------------------------------------------------------------------------- \3\ http://www.wired.com/2015/07/jeep-hack-chrysler-recalls-1-4m- vehicles-bug-fix/. --------------------------------------------------------------------------- Selective liability limitation through the SAFETY Act also disadvantages information security start-ups. Start-ups are most likely to be allocating resources to code development at the expense of allocating budget to the legal resources necessary to apply for a certification under the SAFETY Act. Yet, security start-ups sometimes offer the most appropriate product for a particular information security corporate need from a technical perspective. 2. The level of technical rigor in procedures in the SAFETY Act certification process are suboptimally transparent Pursuant to my review of available information regarding the SAFETY Act certification process, the process of certification is currently suboptimally transparent. Available DHS materials raise material concerns regarding the technical rigor and thoroughness of the vetting process for certification of information security products and services. DHS states in informational materials on its website regarding the certification process that it views itself as ``nonregulatory'' and that a body of unidentified ``technical experts'' will provide ``suggestions.'' The process appears to be largely applicant self-reported with respect to product and services performance and quality. It is not clear from available DHS materials that DHS performs any independent penetration testing, analysis of code quality, assessment of patching speed or quality review of self- reporting through prior applicant security advisories during the process of evaluating applications. Members of the information security research community have also raised various concerns regarding the process.\4\ For example, my consultations with private-sector vulnerability database experts have yielded potentially important unanswered questions regarding the quality of currently-certified information security products' advisory release history.\5\ --------------------------------------------------------------------------- \4\ http://www.csoonline.com/article/2918614/disaster-recovery/ fireeye-offers-new-details-on-customer-liability-shields-under-the- safety-act.html. \5\ Interview with content managers at OSVDB. --------------------------------------------------------------------------- An applicant-driven, non-transparent process is not optimal for a Governmental process culminating in the substantial privilege of a grant of limited liability for harms resulting from information security inadequacy. When these process ambiguities are added to the sub-optimally precise definitions in the SAFETY Act regarding the classification of security incidents and the broad discretion afforded to DHS in interpretation, substantial concerns exist regarding the current structure of the certification process. 3. Grants of limited liability for information security products are likely to negatively impact timely patching, code integrity vigilance, and the quality of advisory disclosures in certified information security products DHS currently lacks adequate enforcement authority to require correction of corporate information security inadequacies or to stop companies from selling dangerously vulnerable products in the marketplace. In fact, as expressly stated with visible frustration in DHS advisories, companies feel at liberty to brazenly disregard DHS's demands for correction of even serious security vulnerabilities in their products and services.\6\ Adding a layer of liability protection under the SAFETY Act for information security products would only exacerbate this bigger DHS enforcement problem, creating additional incentives for certified companies to neglect or delay patching or updating of their products. --------------------------------------------------------------------------- \6\ https://ics-cert.us-cert.gov/advisories/ICSA-14-084-01 (``Festo has decided not to resolve these vulnerabilities, placing critical infrastructure asset owners using this product at risk.'') --------------------------------------------------------------------------- Removing risk of liability eliminates an important corporate incentive for timely patching, internal vigilance regarding code quality, and release of adequate security advisory notices. The primary information security challenge faced in the marketplace today is policing the consistent quality of information security products and services in light of their increasing vulnerability across time. Deteriorating quality and unpatched information security products create a false sense of security and leave their users vulnerable to attack. The liability limitations of the SAFETY Act do nothing to improve the quality and integrity of information security products. Instead, they potentially create perverse incentives for lower levels of product and services vigilance through a liability buffer for certified companies. 4. Grants of limited liability under the SAFETY Act for information security products may indirectly disrupt information security enforcement work of other agencies, harming our economy and National security DHS's selective certification of particular information security technologies and grants of liability limitation may hinder the work of other agencies working to improve information security. In particular, the work of the Federal Trade Commission, Federal Communications Commission, Securities and Exchange Commission, and Consumer Financial Protection Bureau may be impacted. These and other agencies are currently expanding efforts to police the quality of information security and data stewardship offered by businesses to consumers and business partners. These agency efforts are still in their nascence in many cases, but ramping up swiftly. A limitation of liability would potentially meaningfully circumscribe these agencies' efficacy in using fines or disgorgements to obtain redress for consumer, businesses, and National security harms arising from information security inadequacy. This is an undesirable limitation on important work by other agencies aimed at improving information security in our economy. 5. Limiting States' rights to impose liability for corporate information security misconduct will further erode consumer trust and damage innovation in the United States Information is only as secure as the weakest link in the chain of possession. Therefore, it is essential that the highest possible floor of information security be created across organizations in both the public and private sector. However, the field of information security law is very young, and best practices of conduct continue to evolve rapidly. As such, determining the best legal regime for addressing information security liability will require experimentation on the State level to arrive at an optimal legal framework. A broader social and scholarly conversation on information security policy is desperately needed, and it requires time to develop. At this juncture I believe strongly that it is dramatically premature and undesirable to Federally limit liability for information security misconduct demonstrating a lack of due care in any form, including through the SAFETY Act. States have traditionally been the laboratories of experimentation for novel legal approaches to liability. The best course of action with respect to any consideration of limitation of liability is one exercising deference to Federalism concerns and States' regulatory interests in redressing the harms of their citizens for information security harms. Different States engage with consumer protection questions in different ways, and no National consensus currently exists with respect to the best course of action for information security liability. Federally imposing the model of the SAFETY Act liability limitations undesirably breaks with the Federalist tradition of deference to State liability determinations. It also disrupts the traditional deference of allowing State contract law to be the primary source of liability shifting determinations between contracting parties. Information security companies are usually represented by attorneys who may lack SAFETY Act expertise but who are amply capable of negotiating contractual limitations of liability with business partners, as are, in turn, the attorneys of the companies that rely on those information security. Contract and tort law are already beginning to adequately rise to the challenges presented by the information security marketplace, and Federal intervention into software liability limitation is not necessary and premature at this juncture. Thus, I strongly urge this committee to exclude information security products and services from the SAFETY Act and avoid legal approaches driven by limitations of liability in information security. Selectively granted limitations of liability through the SAFETY Act will hinder innovation in information security and negatively disrupt the information security marketplace. They are also likely to indirectly damage National security and stifle consumer protection efforts of other agencies. Instead, I urge this committee to engage with a number of untried and more promising approaches likely to stimulate wide-spread information security improvements in the private sector. One approach that holds significantly greater promise is the repurposing of SAFETY Act funding toward phased-out information security tax incentives across 10 years for small businesses and entrepreneurs. These tax benefits would offer incentives for enterprises that are operating on tight budgets to invest in information security education, hire security personnel, and purchase information security goods and services. A tax incentive approach does not suffer from the significant negative secondary consequences described above, and it offers a more immediate and direct impact on improving private-sector information security. Mr. Ratcliffe. Thank you, Dr. Matwyshyn. The Chair now recognizes myself for 5 minutes for questions. So I think, as I listen to the testimony of all three of you, where I found agreement is that you all believe that the SAFETY Act itself is working very well or as it was originally intended, and the SAFETY Act Office, likewise, is a very properly functioning part of DHS currently. I think you would all probably also agree, as we all would, that we do need to incentivize the creation of cyber technologies to provide solutions and protections for what is a very obvious and public threat to our cybersecurity right now across this country. Obviously, where I did hear disagreement was Dr. Matwyshyn, essentially, her testimony is--or your opinion, Doctor, as I understand it, is you don't think that the SAFETY Act or the SAFETY Act Office is the best place for this and could be disruptive, I think as you said, to the information security ecosystem. So let me start with Mr. Finch and Mr. Biagini and give you an opportunity to comment on that. Mr. Finch. Well, I would disagree for several reasons. First of all, first, when it comes to cutting-edge technologies being introduced into the marketplace, I actually think that one of the critical problems that we see when it comes to information security is that too many companies, as well as the Federal Government, rely on outdated technologies for far too long. A critical problem that I have seen on a regular basis, for instance, is that far too many organizations rely on outdated signature-based technologies, standard anti-virus technologies. Part of the reason that is, particularly in the private sector, is that companies are extremely concerned about liability when they switch technologies. If they switch from a proven technology to one that is, ``advanced'' or ``experimental,'' they are concerned that they can face liability for making a ``wrong decision,'' and that there would be allegations of negligence or failure to exercise due diligence. The SAFETY Act would give a level of comfort that: (A) The product has been vetted, and, (B), that there is some measure of liability protection associated with its use. The other point I would make is that, when you go through the SAFETY Act certification process--and I know Mr. Biagini is exceptionally familiar with this, as am I--it is one of the most rigorous processes that you will ever encounter when it comes to determining whether or not there is a rigorous quality control, quality analysis, and continuous improvement process in place. You will not receive SAFETY Act protections unless you have in place a rigorous program to ensure that your product continues to work once it is deployed and that you continue to match threats. It is not fire and forget. In addition, when the Department grants you liability protections, it clearly defines the threats that the device will protect against and what the liability protections will protect against. So if you have a standard signature-based anti-virus program, it will not offer you protections against non-signature-based, polymorphic, heuristic, behavioral-based malware with constantly-changing software. So simply having a SAFETY Act-approved anti-virus signature-based defense isn't going to protect you and is not going to be an incentive to not adopt new protections. Mr. Ratcliffe. Thank you, Mr. Finch. Mr. Biagini. Mr. Biagini. Yes, Mr. Chairman. Just a couple of additional points. I agree with what Mr. Finch said, and I would add, you know, the comment that there is lots of investment going on, money is pouring into this area and so forth, what will happen to all of that if and when there is a giant enterprise- threatening attack on a critical infrastructure and liability is massive and is spread around--deaths, injuries, business disruption, companies' very existence is threatened? That is what we don't want to have happen. We have to take the natural next steps to evolve the SAFETY Act to move toward that full implementation and protect companies to keep that investment going, No. 1. No. 2, as Mr. Finch mentioned and you mentioned, Mr. Chairman, at the beginning about the SAFETY Act process being an on-going process once you get SAFETY Act coverage, absolutely correct, it is not a static situation. You, as an applicant, once you get SAFETY Act coverage, if you are upgrading your technology, if you are changing your technology in any material way, you need to go to the SAFETY Act Office. They are open for business to take on any modifications. They will do it in real time. The modifications will occur. Your SAFETY Act coverage will be upgraded to cover the next versions of what you are making. So it is a very on-going process that is well done at the SAFETY Act Office. Mr. Ratcliffe. Thank you, Mr. Biagini. In your testimony, you emphasize that severity and impact, not the identity of the attacker, should be the operative consideration in triggering SAFETY Act protections. Can you give a scenario of how coverage for a qualified cyber incident would be triggered? In answering that, would you comment on whether or not you think any of the cyber incidents that have occurred to date rise to that level of severity and impact? Mr. Biagini. Well, certainly, I think an attack on the electrical grid of the United States, nuclear plants, our energy sources, our water treatment sectors, any attacks like that that would debilitate, take down our ability to deliver those kinds of absolute necessities to the American citizenry would constitute the kind of severely impactful incidents that would receive coverage under this amendment. Do any of the ones that have occurred to date, in my mind, rise to that level? Possibly. Possibly. But where I think the emphasis ought to be is on critical infrastructure--as I say, the health care system, the financial system, the energy systems, the water treatment systems, and so forth, those that make up the bread and butter, if you will, of keeping America and the populace well and safe. Attacks on those that cause great impact and material damage are the types of attacks I think should be recognized under this amendment. Mr. Ratcliffe. Thank you, Mr. Biagini. My time has expired. The Chair now recognizes Mr. Langevin for 5 minutes. Mr. Langevin. Thank you, Mr. Chairman. I again want to thank our witnesses for being here. Mr. Finch, Mr. Biagini, it seems like you have kind of gone to the doomsday end of the spectrum on this conversation. I guess I would like to ask Dr. Matwyshyn if you would respond and if you would clarify and give your perspective on that, on the SAFETY Act and liability protection, if that is the best way, as I touched base in my statement. But, also, I would like to ask you, and then the panel can also chime in, does the information security expert community uniformly support--and I am asking Mr. Richmond's question, to clarify, on this second half. Does the information security expert community uniformly support the use of liability limitation approaches as the correct path to improving public and private-sector information security? So we will start with you, Dr. Matwyshyn. Ms. Matwyshyn. It would be my pleasure to answer those questions. Taking the doomsday scenario first and foremost, it would be devastatingly misguided in protecting our National security and our economy to allow the general counsel to be selecting the products that the security team is using in defending our Nation. When we are talking about that kind of a high-stakes situation, we need to have the security experts--the engineers, the chief information security officer--using the state-of-the- art technology, whether it is certified or not, to defend us and keep us all safe. A technology at the end-of-life of certification is still certified. We could find ourselves with business decision makers implementing a 5-year-old not-fully-patched technology in critical infrastructure. That is not the optimal way to defend us against attack. Information security changes dramatically, overnight in some instances. Think about Shellshock; it changed everything. A technology that hasn't patched for Shellshock 4 years later, that is a severe problem. That is not the way that we want to be making these decisions. The liability doesn't exist yet. The case law hasn't developed. So the information security ecosystem is not being crippled by copious liability coming from all directions at them in the courts. So those concerns are premature. What is not premature is the significant need to encourage companies to responsibly implement reasonable security practices through a holistic analysis of their own enterprise and to determine the state-of-the-art technologies that best fit their business needs, particularly in critical infrastructure. Members of the information security research community do not support liability limitation approaches uniformly. In fact, many of them believe that the best security teams are being unfairly unrecognized for their efforts because of the weak enforcement of information security and that companies without the same degree of care in information security are getting the benefit of the marketing value of saying that they have top- notch information security when they actually don't. So the top-tier information security professionals are not worried, in many cases, about the risk of liability at present, because the evolution of the product ecosystem would first recognize the bottom tier of sub-optimally secure product/ services companies. That ferreting out would be a substantial benefit to the overall security of our ecosystem and the economy and our National security. So the major changes that can happen overnight in security really require the use of the best technology as it exists in that moment, not one that is driven by a choice around liability limitation. Mr. Langevin. Thank you. To Mr. Finch and Mr. Biagini, would you care to ask--could you give us your perspective on that part of the question Mr. Richmond wanted to ask? Does the information security expert community uniformity support the use of liability limitation approaches as the correct path to improving public and private- sector information security? To your knowledge, have concerns been raised by technology experts regarding this approach? Mr. Finch. Well, I obviously can't speak uniformly for the information security community, Mr. Langevin. By the way, I very much support and thank you for all your efforts with respect to cybersecurity. You are truly one of the leaders in this community. You have done more to bring attention to this subject than, I think, most people in Congress, so thank you for that. But I would say that the information security community is completely overwhelmed at this point with the number of threats. I think you would agree that it is really a triage matter for them at this point. Their problem is just being overwhelmed with the number of attacks and trying not to get fired when the incident occurs. It is not an ``if'' the incident occurs; it is not even ``when.'' It is, how long has it been occurring? So it's very much, how do we get handle on this? Part of the issue that is completely beyond their control is that they really can't do anything other than try and slow down the number of events that are occurring. There needs to be an offensive component of this, which is the responsibility of the other side of this dais. It's the Executive branch's responsibility, and that's a subject for another hearing. But when it comes to liability protection, that's absolutely a concern of a number of the members of the information security community, because, remember, now the CIO and the CISO are getting a seat at the directors and officers table at this point, and risk management is coming to their plate. They are sitting in at the board meetings. They are sitting in at the stockholder meetings. They are learning about the serious concerns. They are being fired. They are being held accountable to the boards of directors and to the CEOs and the CFOs, et cetera. So, absolutely, liability is of significant concern to them and how to manage that and, also, how to tell the difference between what is snake oil and what is not when it comes to information security technologies. That's an important consideration when it comes to SAFETY Act, as well. Even if the liability protections are not triggered by a declaration from the Secretary of Homeland Security, whether an act of terrorism or a cyber incident, the mere fact that it has been reviewed by the Department of Homeland Security is extremely helpful to a CIO or a CISO. Mr. Langevin. Mr. Biagini. Mr. Biagini. Yes, I would add one other concept. I think we have to be careful not to let the perfect get in the way of the good, if you will. The SAFETY Act process is a well-established one. The SAFETY Act Office has shown its ability to review and approve cybersecurity technologies. There is great concern about liability in that sphere. It is on top of mind of many, many companies that I deal with. You know, the process that has been established over the last 13 years has been a good one; it continues to evolve. I think it can--I'm certain it can stand and meet and beat the requirements that might be upon it with this amendment. So I would second Mr. Finch's remarks that liability is a driver here among the industry members. Even though there hasn't been a, if you will, debilitating attack yet leading to that kind of enterprise-threatening liability, what we don't want to do is wait for that to happen and then try to act with appropriate legislation. Mr. Langevin. Thank you, and yield back. Mr. Ratcliffe. The gentleman yields back. The Chair now recognizes the former district attorney from New York, my colleague Mr. Donovan. Mr. Donovan. Thank you, Mr. Chairman. I will just open this up to the panel, because I am not sure who is the person who would want to answer this or who would have the expertise. But don't companies protect their data? Don't nuclear regulatory power plants protect their systems, and the water treatment systems, without the incentive of having limited liability? Why do they need that incentive to do this, take these measures to protect themselves? I open that up to anyone who would care to answer. Or, if no one cares to answer---- Ms. Matwyshyn. I am happy to. Mr. Biagini. Would you like to? Ms. Matwyshyn. So I concur with the spirit of your question. We want our nuclear power plants and water treatment facilities to engage with the state-of-the-art of security for the purpose of protecting their operations and be driven by the desire to defend our Nation and our populace, not by concerns of limitations of liability and whether they're present or absent. That's why the engineering determinations of the state-of- the-art security technology must take precedence, or we will inevitably see the data breaches that are permeating our society currently and the types of serious incidents that are, unfortunately, regularly happening continue and escalate. The OPM breach, for example, that was much less the--if we look at the root causes, it was, yes, we have malicious actors on one side, but there were some basic, fundamental errors that could have been caught through a thorough internal audit and review process. So we have standards, such as the ISO standards, now that will encourage companies and other organizations to perform these rigorous internal audits. We all need to learn and grow together to defend ourselves together as a country rather than look for ways to limit liability and just try to engage with reasonable standards of security. The liability will, in my opinion, not emerge if companies simply engage with reasonable security measures. I trust our federalist structure of letting our courts across various States work with these issues and letting various States decide. No officer and director will ever be fired for conduct that reflects the state-of-the-art use of security practices. So the risk does not exist when companies engage with these issues in a rigorous technical manner. Mr. Donovan. The other two gentlemen, Mr. Biagini or Mr. Finch. Mr. Finch. Yes. I think companies are very much invested in cybersecurity. I know that for a fact. Every director, every C suite member that I speak to is extremely concerned about cybersecurity. They know it's a problem; they know they need to do something about it. Where they are held up, where they are paralyzed, frankly, is what do we do? They are hearing so much about, what is state-of-the-art, what is the best practice? Frankly, it changes depending on who you're talking to and what the news of the day is, with respect to a new vulnerability or a new attack. Let's remember that our adversaries truly have the advantage when it comes to cyber attacks. To use military parlance, they have complete freedom of movement. They can pick the time, the place, and the manner of their attack, with absolutely no concern about being prosecuted or having their actions interfered with. There is no threat that a law enforcement agency--particularly if you're operating under the protection of a foreign government or in a lawless area, no law enforcement agency, no government is going to come after you and disrupt your planning. So you can take your time and practice until you get it right. So, no matter how advanced your defense is, you will be penetrated. Breach after breach has demonstrated that. In a world where 500,000 pieces of malware are created on a daily basis, there is no way any company is going to be able to defend against that. To the doctor's point, what is reasonable? That is the question. That is absolutely the question. I think what we're forgetting here is that it's not necessarily about whether there's going to be a liability, finding a liability; it's about getting to the point of when a determination is made regarding liability. It's going to be extraordinarily protracted and expensive in order to get to that point. Litigation related to the 1993 World Trade Center bombing went on for over 15 years. Litigation related to the 2001 September 11 terrorist attacks went on for over a dozen years. Hundreds of millions of dollars were spent in legal fees. Now, as two lawyers at the table, that sounds really nice, but, frankly, as an American, I don't want that to happen. I'd much rather see that we have companies investing in the right technologies to mitigate those events and likely stop those events or make sure that the losses are far less significant than they actually were on those two terrible days. Mr. Donovan. My time has run out. Mr. Biagini, if I could just ask you a second--a different question. Who determines what the best practices are? Is it DHS? Is it the industry that determines the best practices? If this amendment to the SAFETY Act is done, what is going to give those companies the protection under that limited liability? Who is going to make that determination? Mr. Biagini. Congressman, a couple responses to that. Oftentimes, when we file SAFETY Act applications, there are industry standards involved, there are regulatory standards involved, there are company standards and internal standards involved that are in play with an application. When the SAFETY Act Office gets an application like that, they look at all of those. They look to see that you're complying with, if not exceeding, the various standards that may apply. In the situation with cybersecurity, I think we'll have something similar. We'll have regulatory standards. We'll probably have NIST guidelines. We'll have company standards. We'll have industry standards. The SAFETY Act Office will be looking at all of that, as they do with any application, to look for compliance and exceeding compliance. Back to your initial question about, well, aren't companies already protecting themselves, what I do for a living is I defend against tort suits that are filed in court, and I represent companies that get sued. Oftentimes, when all they can show is they're complying with minimum standards, whether it's an industry standard or a regulatory standard, in court, that doesn't go very far. That won't get them a very good defense. So, in order to incent them to go above and beyond whatever these minimum standards may be, whether they're industry or otherwise, I think that's why we're talking today about the possibility of the SAFETY Act providing those additional incentives. Mr. Donovan. Thank you. Mr. Ratcliffe. The gentleman yields back. The Chair now recognizes my friend from Pennsylvania, Mr. Perry. Mr. Perry. Thank you, Mr. Chairman. Mr. Finch, I think, as has been noted in testimony, many companies are slow to make improvements to their management of cyber risk because security costs money, obviously. How do you think amending the SAFETY Act to cover cybersecurity gives companies further incentives to adopt cyber best practices, if so? Mr. Finch. Well, first of all, utilizing SAFETY Act- approved technologies and services or going through the process actually helps contain costs, whether it's the risk-management cost associated with insurance--and, as Mr. Biagini noted as well, the actual improvement in processes, policies, and procedures, this is very much a best practices review internally as much as it is a liability review. So you actually obtain efficiencies by going through this process and identifying problems that you have internally that are fixed going through the SAFETY Act process. They have to be fixed in order to obtain SAFETY Act protections. I have had any number of applicants say to me afterwards, ``We're a better company for having gone through this process.'' Mr. Perry. But what's the cost? I mean, is there, like, a-- is there some kind of way to measure the cost by either your revenues or your sales of your personnel or some way to measure the cost per increment to determine--I mean, at the end of the day, everybody's got to meet the bottom line, so---- Mr. Finch. Absolutely. It's an individualized analysis. To be perfectly frank, there are a number of companies that elect not to go through the SAFETY Act process because they don't necessarily think that it is in their economic interest to do so, whether it's because their liability concerns aren't that significant or they don't have the dollars and they're satisfied just relying upon insurance. But the companies that feel that their liability concerns are so great, they look at the potential expense of this process--which is free, by the way. It is a free process. The Department of Homeland Security doesn't charge anything. Where money is involved, it's internal personnel time involved in putting together an application. If you need to retain outside counsel or a consultant, you can have someone work with you in order to put that application together. That typically runs in the tens of thousands of dollars. When you amortize that over a 5-year period, it's not very much money for a company to go through that process. But, at the end of the day, you know, you did hit on a very important point, which is that, you know, companies don't have unlimited amounts of money to spend on cybersecurity. They still have to operate a successful business. This is actually a very important point that we need to talk about, as well, which is that companies could spend as much money as they have in their treasury on cybersecurity products and services and best practices, and they will still get breached, and they will still face litigation after that breach for having negligent design or negligent implementation of their security program. In all likelihood, that case will still go to a jury or to a decision by a court. Companies will say, well, what are we supposed to do in order to actually prove that we did the right thing? They may eventually be vindicated in court. I'm sure if someone like Mr. Biagini is representing them, they will come out just fine. But, again, they will wind up spending a lot of money on something like that. So we want to avoid that kind of situation. We want to give them confidence and say, look, not only are you doing the right thing and spending your money wisely, but we'll also give you a little bit of limited liability protection, not a complete grant of immunity--that's not what this program is--but we will give you some liability protections. One other thing I would like to say very quickly. I think that if you were to include cyber attacks and cybersecurity technologies as a small amendment to the SAFETY Act, one of most exciting opportunities that I see being utilized in this context is shifting the focus from cyber defenders to other companies involved in information technology. When I was in 7th grade, I had a project in wood shop where we had to take an egg, and, using a few small pieces of paper and wood sticks, we had to build a crate around the egg and drop it from 5 feet and hope that the egg didn't break. Of course, I failed. I'm not very good at technical things, which is why I'm a lawyer. I'm also not good at math, full disclosure. But the point is that cybersecurity is like that brown paper around the egg. What's the underlying egg? It's the hardware and the software. That hardware and software has lots of bugs and vulnerabilities. I think a wonderful application that is waiting out there is to have the underlying software and hardware developers go through the SAFETY Act process. As Mr. Biagini knows--he talked about it with the airports, the port authority, et cetera--the infrastructure itself, not necessarily the defensive technologies, is now actually applying. Wouldn't it be great if Adobe Flash actually built security into its own product so we didn't have to design all these security products to stop it from having vulnerabilities that are exploited by the Chinese and the Russians? Mr. Perry. Thank you, Mr. Chairman. I yield. Mr. Ratcliffe. The gentleman yields back. Because we have a number of questions that haven't been answered, the Chair will entertain a second round of questions. I recognize myself for 5 minutes. So, Mr. Finch, to the points that you were just making with regard to litigation and limited liability and the costs associated with that, I guess I would like to hear a little bit about how the SAFETY Act Office currently works with insurance companies. Then, separately, can you discuss how adding cyber incidents as a trigger to the SAFETY Act would potentially spur growth in the cyber insurance marketplace? You know, underwriters and actuaries grapple with risk analysis, and it would seem to me that this change would help with that, but I would like your perspective on that. Mr. Finch. Sure. With respect to the SAFETY Act Office working with the insurance community, it works with a number of carriers as well as brokers to help determine what the marketplace is for insurance. Because, remember, under the SAFETY Act statute, there are actually statutory limitations as to the types of insurance or the amounts that the SAFETY Act can impose as a requirement on applicants. There are two. No. 1, an application cannot be forced to carry more insurance than is available on the world market. Second, an applicant cannot be forced to carry an amount of insurance that would unreasonably distort the price of their product, i.e., make them uncompetitive. So the SAFETY Act Office has to stay somewhat in contact with the carrier and broker community in order to understand what the terrorism insurance marketplace will look like and will now also have to stay in contact with the cyber insurance marketplace to understand what that looks like. Again, it is an interesting one, because the cyber insurance marketplace mostly relates to data breaches, at this point. It is actually a fairly limited marketplace, only about $3 billion in global capacity. The most insurance that any one company can obtain is maybe $200 million, $250 million for a data breach. Note what is missing: Physical damage, personal injury, loss, et cetera. That is not an insurance marketplace that is really available. Having the SAFETY Act out there, having carriers know that they can sell this insurance but, with the SAFETY Act, they will actually be insuring products and services that they know have been vetted, will help them. It will help them collect data that will be useful for actuarial purposes and actually provide a more stable marketplace that will support their business model at the end of the day. I would also add, too, that I was recently at an insurance conference, and it's a fairly obvious point but not one I had necessarily thought of--and, again, another failing of mine is sometimes I miss the very obvious things right in front of my face. But we as individuals do not carry one insurance policy for everything in our life. We have life insurance, we have disability insurance, we have health care insurance, we have automobile insurance, we have homeowners insurance, et cetera. For some reason, we have been thinking about cybersecurity insurance as a one-policy-fits-all program. I don't think that is correct. I think there are multiple cyber insurance policies that need to be available. I think the SAFETY Act would actually help stimulate that, whether it is my cyber HMO model, whether it is the reimbursement policies that we're currently taking about or some other types of cyber insurance programs that we haven't even thought about at this point. The problem is so broad and so significant that the SAFETY Act could help serve as a stimulus to really diversify the insurance marketplace. Mr. Ratcliffe. Mr. Biagini. Mr. Biagini. Yeah, just a few comments on that. Think about it in this sense. If an insured has these liability protections and they end up being a first line of defense should there be a cyber incident that results in lawsuits, the carrier is going to be more willing to sell insurance into that scenario, into that potential situation, if it already knows that the insured could defend itself in those lawsuits well with these kind of tort protections. That is exactly what has happened when the SAFETY Act was passed initially, is it granted these presumption of dismissal protections, it capped liabilities, and so forth. That stimulated the insurance market back into action, along with the passage of TRIA. So I've seen a direct connection over the years in that sense. Also, you know, when an applicant comes to the SAFETY Act Office and is trying to get SAFETY Act coverage and doesn't have insurance--terror insurance, in this case--the SAFETY Act Office will work with that applicant, will look for quotes in the insurance market that would be consistent with the revenues that this applicant is generating from this particular technology. It is a very synergistic process whereby the SAFETY Act Office is being very responsive to that applicant. It is also pulsing insurance and getting insurance involved and ultimately writing insurance for that--having that applicant get a modicum of insurance in order to get the SAFETY Act coverage. So it is a very--there's a lot of synergy with the whole process of getting SAFETY Act coverage with the insurance industry. Mr. Ratcliffe. Thank you, Mr. Biagini. Dr. Matwyshyn, as I read your testimony, your written testimony, it seemed to me that your perspective is that the liability limitation that would be granted through the SAFETY Act would be a disadvantage for cybersecurity start-ups. It would seem to me that most folks would see a SAFETY Act designation or a certification that comes with the rigorous vetting that DHS would do--would see that as an advantage. So I want you to comment on how you see it as a disadvantage. Ms. Matwyshyn. I'd be happy to. The first step in being able to file for the certification requires hiring a very expensive attorney. When two high-level information security engineers get together in a garage to start a start-up, they don't have that money. They are frequently the ones who are creating the state-of-the-art security products. So we are disadvantaging their new, fledgling start-up, which may be the state-of-the-art technology and best capable to defend us and our infrastructure, in the purchasing decision of a corporate decision maker who looks at the choice of security technologies not solely through the lens of the technical rigor of a security engineer but perhaps primarily through the lens of liability limitation, broadly speaking, and other corporate concerns. Getting the state-of-the-art technologies in place is the paramount goal, to the extent we can achieve it inside our economy and inside our infrastructure. So that's my concern with the entrepreneurship limitations that would result, I think, from an expansion of this act. Mr. Ratcliffe. Thank you, Dr. Matwyshyn. Gentlemen, I want to give you--my time has expired, but I want to give you an opportunity to respond to what you just heard from Dr. Matwyshyn and that perspective that she has. Mr. Biagini. Well, the doctor may be interested in knowing that, oftentimes, we take on clients that we don't bill and that have a technology that would make a difference in the marketplace. They need to be able to get it off the ground. They need to be able to sleep at night that, if they do sell it into the marketplace, they won't get sued out of existence if there is a terrorist attack or, in this case, a cyber incident. Having SAFETY Act coverage has been the difference, many times, between that small company that decides to just sit on the sidelines and not do any further development and getting the coverage which gives them a boost in the marketplace, confidence to sell their technology into the marketplace without the fear of being sued out of existence. That has happened many times in my practice. Mr. Ratcliffe. As a follow-up to that, do you happen to know what percentage of SAFETY Act certifications right now go to small businesses? Mr. Biagini. I would not. I would just be guessing. Mr. Finch. Mr. Chairman, I think that would actually be a question for the Office of SAFETY Act Implementation, which actually leads me to a point I'm rather remiss in not making earlier, which is that I do think what's been left out of this discussion is how well the Office of SAFETY Act Implementation operates. I would dare say that they are the best-functioning element within the Department of Homeland Security. You know, we may have our disagreements with them at times, but I've always found them to be fair and reasonable. They are extremely dedicated to their work. To Dr. Matwyshyn's point, they are exceptionally helpful to small businesses and are very, in fact, proud of the fact that they will work with small businesses to help guide them through the process without the aid of counsel or a client. It is, of course, a voluntary program. There is no obligation to retain an attorney. The clients that Mr. Biagini and I represent typically want to retain an attorney because this is fundamentally a legal process and the general counsel wants to have a counsel involved. But there are also plenty of companies that do this on their own. I know, in particular, that there are any number of small companies that have gone through this process and have done so quite successfully on their own, working with the SAFETY Act Office, which is dedicated not to approving applications just for the sake of approving them but helping applicants be successful. Mr. Ratcliffe. Thank you, Mr. Finch. The Chair now recognizes Mr. Langevin for his questions. Mr. Langevin. Thank you, Mr. Chairman. Before I begin, just to answer the Chairman's question, from CRS, in 2013, 60 technologies were approved under the SAFETY Act, including 22 from small businesses, that's 37 percent; 14 from medium-size businesses, that's 23 percent; and 24 from large businesses, or 40 percent. So, if I could, I will go to Dr. Matwyshyn before I have a couple questions I'd like to ask. This has obviously been a wide-ranging discussion today and great point-and-counterpoint, which is how I would like to debate. So I will ask if there is anything that really stands out that you would like to mention for the record. Then I have a couple questions. Ms. Matwyshyn. Yes, just a few points. First and most fundamentally, the question of whether an enterprise is compromised or attacked goes to whether there are underlying vulnerabilities. So the first step in a strong information security program of any sort is the self-analysis to identify those vulnerabilities. Buying a product that has a certification will not address the underlying corporate information security problems that exist in various enterprises. Also, those purchased products are frequently misimplemented. So having the in-house staff necessary to engage with the technical-rigor piece of this is absolutely essential. But one historical fact that, if I may, I'd like to bring to our attention is that there is a robust evolution happening in contracting practices across various entities with respect to information security liability shifting. So we have private- sector, private-ordering solutions that are getting at some of these problems that we're talking about today. We just need to let the market work through some of these problems in private- ordering ways. So some of the liability concerns, to the extent they exist, are being addressed contractually now. That's exactly what happened after September 11. I was a practicing corporate attorney at that time, and we modified our contracts. So there were new provisions that were incorporated as needed to shift liability to address some of these types of new risks that were emerging. To the extent that the information security insurance market is emerging, it's my understanding that there is some granularity in the types of policies based on the types of enterprise that the particular insurance companies are targeting. So I think the major point that I'd like to emphasize is that the underlying defensive posture of the vulnerable enterprises needs to be the focal point of any successful holistic information security improvement program and ensuring that they are fixing the challenges that they face, the problems that they have in terms of vulnerabilities in the code that's implemented inside their organizations, first and foremost. Then the secondary concerns of purchasing various products to assist them, that is a second-tier concern. The underlying problematic flaws that they may have in their enterprise is where we start, in terms of the approach. The last point I'll just quickly mention. To that end, I think we have not yet tried certain other types of incentive programs, such as, for example, tax incentives to small businesses to encourage them to engage with education in information security, hire more information security staff, or to conduct meaningful self-audits and get auditors in. So, personally, I think that tax incentives would be a stronger way to go to raise the bottom level of the floor of information security across our economy. So I'd submit that as a potential other avenue. Mr. Langevin. Sure. Thank you. I like that point, as well. So, as a matter of fairness, I want to give both to Mr. Finch and Mr. Biagini the opportunity to say--to ask if there's anything in particular that you've been champing at the bit to clarify or add. But before I could do that, if I could just ask this one question. Hopefully, we can do this very briefly. Following up on the Chairman's earlier question, I'd like to ask each of you specifically, is there a cyber incident since 2002 that you believe should be Classified under a definition of ``cybersecurity incident''? Mr. Finch. Oh, there could be several. I think that the data breach at USIS theoretically could be a cyber incident. While that was targeted and only involved 250,000 or so records, that was conducted by a nation-state, and that was done purposefully for espionage purposes and to commit harm. It could cause all sorts of National security and other types of harm. So that, theoretically, could be a cyber incident. If there was actual dollar losses associated with the distributed denial-of-service attacks by the Iranian Government and its cohorts against the banking industry, I believe it was about 2 years ago now, theoretically, that could be a cyber incident, as well. We've been fortunate in that there's been no kinetic events that have occurred within the United States, but they have occurred. There's been gas pipeline explosions in Turkey. There has been destruction of furnaces in industrial plants in Germany, I believe it was. Those would certainly qualify as cyber incidents. I also think, though, that, you know, we're fortunate in that, you know, I'm sort-of struggling a little bit to identify some particular cyber incidents. That shows that--one concern that I've heard is that this may be overused. It actually demonstrates that this is something that wouldn't necessarily be used that often. Much like there has been no declared act of terrorism because, knock on wood, we haven't truly had a significant act of terrorism on United States soil since 9/11. In situations where we have had some, such as the Boston bombing or if you want to call the recent events in Chattanooga an act of terrorism, which, again, is beyond my purview, there really weren't any SAFETY Act-approved technologies or services in the area such that there was a need to designate the event an act of terrorism. But I do feel confident in saying that, with the spread of advanced cyber attacks capabilities, it's coming. When you can go out on the Dark Web and buy malware for $30, when you can buy zero-days for a couple hundred dollars or maybe $1,000 or $2,000, and you can buy the services of hackers for less than the cost of getting one of my daughters to clean her room, which is not a lot of money--and, in my case, my daughters still don't do it--the point is that there will be some significant, significant events that will occur in the near future, and we will all, unfortunately, realize that we live in a very dangerous cyber era. Mr. Langevin. With the Chairman's indulgence, if you'd have any points that you are champing at the bit to clarify or add? Mr. Biagini. No. Just that, prior to 9/11, I remember a number of companies doing a lot of investment in anti-terror devices and homeland security activity, and then 9/11 occurred, and all of a sudden there was things that dried up. The insurance dried up for terror coverage. Companies were not willing to do any more investment in R&D for homeland security technology. We had to stimulate that, and we did, through the SAFETY Act and TRIA and so forth. I just don't want us to be in that situation, where we do nothing here, we say status quo; an attack occurs that we can all agree on is of the kind that we're talking about; and then we're standing here saying, why didn't we do something when we had a chance? We have a chance to be proactive and to get out ahead of this and do the kinds of things that will stimulate and make sure that we are belt-and-suspendering all of this, as the doctor alluded to. I think this is one of the tools to do that. Mr. Langevin. Okay. Very good. My time is way over. I will yield back. But, if I could, Mr. Chairman, I know that Mr. Richmond had additional questions, and I have additional questions. If I could, without objection, I'd like to submit those for the record. If our witnesses would respond to those in writing, we'd be grateful. Mr. Ratcliffe. Absolutely. The gentleman yields back. I thank all of the witnesses here for your valuable testimony and the Members for all of their questions. As Congressman Langevin said, some Members have additional questions, which we'll ask you to respond to in writing. Pursuant to committee rule 7(e), the hearing record will be held open for a period of 10 days. Without objection, the subcommittee stands adjourned. [Whereupon, at 3:45 p.m., the subcommittee was adjourned.] [all]